We have established and implemented governance policies and procedures approved by the Global Privacy Officer and owned by the Enterprise Privacy Office regarding personal information to ensure its protection. These documents provide a framework for the retention and destruction of the information, define the roles and responsibilities of personnel, and provide a process for responding to inquiries regarding the protection of the information. A list of the policies and procedures is below:
1. Privacy Risk Management Framework - Provides an overview of the key governance components for the oversight and management of Privacy Risk. Serves as an overarching framework for material elements of Privacy Risk management activities and is a source document to which all other Privacy Risk policies and procedures are aligned.
2. Privacy Risk Management Policy - Provides a description of the general policies and principles applicable to Privacy Risk Management. It is part of the effective management and mitigation of Privacy Risk.
3. Roles and Responsibilities Matrix of the Privacy Risk Management Program - This tool identifies roles and responsibilities associated with tasks.
4. Access to Personal Information Procedures - Sets out the framework for handling access requests and requests to amend personal information pursuant to applicable laws. The Procedures are part of the Privacy Risk Management Program.
5. Privacy Case Management Tool Governance Procedures - A privacy case management tool is a system used to track privacy-related incidents in a centralized location and to report that data to the relevant personnel. The governance procedures outline the structure and process for decision-making, accountability, and control relating to the relevant privacy-related incidents tracked by the tool.
6. Guidelines for Use of PII in Digital Initiatives - Provides an overview of the privacy implications that must be considered when devising a digital initiative involving personal information. These Guidelines help employees distinguish between permissible and impermissible uses of personal information.
7. Incident & Breach Management Procedures - Provides steps for handling Privacy Concerns that impact the Bank and its customers, employees or other individuals.
8. Privacy Impact Assessment Procedures - Outlines the processes involved in completing a Privacy Impact Assessment. These Procedures are part of the Bank’s Privacy Risk Management Program.
9. Employee Privacy Policy - Sets out how the Bank collects, uses, discloses and otherwise manages personal information of its employees while administering and managing the employment relationship.
10. Enterprise Records Management Policy - Establishes foundational principles applied across the Bank to facilitate the creation, retrieval, use, maintenance, retention, and disposition of records in a manner consistent with the Bank’s business priorities and applicable legal and regulatory requirements.
For more information on how we protect your information, please refer to our Cyber Security and Fraud Hub and Code of Conduct.