Nymity News

Interview with Jim McInnis

 

May 2003

 

Terry McQuay, Nymity's President, recently spoke with Jim McInnis, AVP Compliance & Chief Privacy Officer of Sun Life Financial Canada, about privacy at Canada's leader in retirement savings products, life and health insurance products, trust services and investment funds. www.sunlife.ca

 

Nymity:  Jim, I understand marketing played a major role in your privacy initiatives. Can you comment on how a Privacy Officer can best work with marketing?

 

McInnis:  Our advisors are the face of our company to Canadians, and Canadians have clearly shown that they are concerned about privacy. We have developed customer-facing 'marketing' pieces, but more of our effort is directed towards ensuring that our advisors understand the key role they play in the collection, use and disclosure of personal data. We want to ensure that every customer engagement demonstrates how seriously we take our role in the protection of personal information.

 

Nymity:  What do you see as the biggest exposure PIPEDA brings to Sun Life Financial?

 

McInnis:   Privacy officers at all types of companies, whether financial services or another industry, are struggling with building as many safeguards as possible into the process to guard against human error.

 

Nymity:  What approach did you take when writing your privacy policies?

 

McInnis:  Sun Life Financial had a privacy policy in place at the time of the acquisition, so I was not involved in that process. Thus, we chose to carry that policy forward into the new merged organization. However, I can tell you that this policy was developed using the ten principles of PIPEDA as its foundation. We have since taken this policy and developed training material that is accessible to all employees to make sure that everyone in the company has a basic understanding of the privacy policy. As well, different business units are developing guidelines for their employees that support the policy and are tailored specifically to their business processes.

 

Nymity:  You have an email address and a phone number on your privacy policies. How many calls do you get and what is the majority of the calls regarding?

 

McInnis:   Not many! And most of those calls are not really privacy inquiries, but rather people who are looking for information on their business with us.

 

Nymity:  What do you expect for call volumes and concerns next year?

 

McInnis:  I wish that I could predict the future. I do expect that as the public becomes more aware of their rights under PIPEDA we will see an increase in volumes. In particular, those who want to access their information that we have on file.

 

Nymity:  Did the recent event at ISM where a disk containing customer information was stolen have any impact on your business?

 

McInnis:   Fortunately there was no direct impact as no Sun Life Financial files were involved. We do keep a close eye on these situations so we learn from the experience of others.

 

Nymity:  How do you handle the issues of retention (i.e. how long to retain customer information)?

 

McInnis:   Retention is a significant issue and it is one where instituting a policy of the prudent (based on business, legal and legislative parameters) destruction of records can be demonstrated in dollar figures as a savings for the company. We are fortunate to have a team of experts dedicated to this task. We have an internal policy that is being integrated across the full operations (including all our Financial Centers) of Sun Life Financial. It deals with shredding and storage, computer and paper. As a company we have over 150 record 'types' that have been categorized and programmed into a document management system.

 

Nymity:  Your web policies outline a "justified complaint". What is a justified complaint? How do you anticipate working with the Privacy Commissioner's office with complaints?

 

McInnis:  All complaints are investigated by our ombudsman's office. While we have yet to work with the Privacy Commissioner's office on a complaint, we are used to dealing with regulatory bodies on consumer complaints.

 

Nymity:  Jim, I understand you have taken on an initiative to create a united, enterprise-wide privacy culture. How did you accomplish this and was it a success?

 

McInnis:   Culture is never finished evolving, but I believe that we have taken important first steps to ensuring that employees understand their role in caring for individual information that they deal with as part of their jobs. Compliance is ingrained as part of our culture. We've built a strong link in our Code of Business Conduct that is read and signed by employees on a regular basis. Privacy is part of the curriculum of the University of Sun Life that new employees 'graduate' from when they join the company. We have excellent internal communication tools available and have committed to privacy refreshers to keep reminding our employees of their responsibilities.

 
Nymity:  Jim, what was your role in Sun Life Financial's recent acquisition of Clarica?

 

McInnis:   Quite early on in the process, senior management from both Sun Life Financial and Clarica were involved in planning for the proposed acquisition if it was approved by shareholders. Privacy was identified as a significant compliance project by both management teams and was staffed with specifically dedicated employees to ensure its successful integration into the new combined company.

 

Nymity:  How has the merger impacted privacy at the systems level?

 

McInnis:  Generally, new systems have not been built, but instead the focus has been on ensuring that the systems going forward have the capabilities required to support existing and future customers. A high-level file that holds general customer information (non-product specific) existed at Sun and includes consent data.

 

Nymity:  How have you aligned policies and procedures to ensure consistent privacy management?

 

McInnis:  In reality, we weren't that far apart. Both Clarica and Sun Life Financial have long, strong histories of dealing with sensitive customer information in a way that protected our customers. Sun Life Financial had already publicly posted a privacy policy, which remains in place. Clarica had focused more internally prior to the merger, creating more directive implementation strategies to ensure harmonized approaches were possible. The two prior histories have actually proven to be quite complementary and have allowed us to continue to move forward and pay attention to the implementation rather than focus on developing policy.

 
Nymity:  In closing, what would you recommend to an organization that is just starting to prepare for PIPEDA?

 

McInnis:   Get moving! The legislation is pervasive into an enormous number of business processes. We have engaged literally hundreds of people in this project to help attain our goals of developing knowledge and awareness. We are a huge organization and consistency of approach in our many offices is important to the success of our implementation.

 

 

 
