PRA Group Canada Inc. (“PRA” or the “Company”) is committed to protecting personal information entrusted to the Company by ensuring and maintaining its accuracy, security, and confidentiality. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner, in accordance with applicable legislation and the specific contractual obligations towards its business partners, is part of PRA’s Core Values and fundamental to PRA’s daily operations. All employees receive ongoing training on the importance of respecting the security and confidentiality of personal information, to ensure ongoing compliance to this Policy.
This Policy applies specifically to all PRA employees and any worker contracted through an agency, with the expectation of compliance to the requirements, guidelines and standards listed in this Policy when processing and handling personal information in Canada in relation to the business activities of the Company.
This Policy applies to all information the Company has under its control that relates to customers, or other third parties, that may be used to identify an individual. PRA maintains the confidentiality of this information and applies the following principles with respect to protecting personal information at all times.
PRA is a well-established debt buyer in Canada. Being a debt buyer means we buy, manage, and service a large number of accounts and portfolios. In doing so, PRA follows these principles:
Accountability: PRA is responsible for personal information under its custody and control including information provided by or obtained from third parties. PRA uses contractual and other appropriate means to ensure that a high level of protection is provided by third parties to whom PRA has entrusted personal information. PRA has designated a Director of Privacy and Records Management who is responsible for PRA compliance with this Policy.
Purposes and limiting collection, use or disclosure: PRA collects, uses, and discloses personal information of customers for purposes limited to those related to our business operations. PRA may collect, use, or disclose your information for those purposes:
PRA collects your information to:
- Service your account;
- Help you work out a payment plan; and,
- Ensure your information is accurate and up to date.
PRA uses your information to:
- Conduct business activities;
- Verify we are discussing the right account with the right person;
- Update your credit report; and,
- Process payments relating to an account.
PRA may disclose your information to:
- Satisfy information requests from federal, or provincial regulators;
- Third parties contracted by PRA to collect/act on our behalf;
- Where requested to do so by the individual;
- Comply with an investigation made by a law enforcement agency; and,
- Where otherwise required and allowed by law.
Consent: Obtaining an individual’s consent to the collection, use, and disclosure of their personal information is fundamental in ensuring appropriate data processing and handling practices. Consent to the collection, use, or disclosure of personal information can be expressed or implied. Generally, by providing PRA with personal information, PRA will assume that consent is given to the collection, use, and disclosure of such information for the purposes described at the time of collection, or for the purposes identified or described in this Policy.
PRA may collect, use, or disclose personal information without knowledge or consent in certain circumstances, which include:
- When personal information is already publicly available;
- When performing due diligence in relation to a prospective business transaction;
- When required to comply with a subpoena, warrant, or other court order;
- When disclosure is required to investigate a breach of an agreement or a contravention of a law, or when PRA is a party in a lawsuit and needs to comply with the rules of court regarding evidence and production of records; or,
- Where otherwise permitted or required by law.
Safeguards: All personal information collected by PRA, is protected through physical, organizational, or security measures to reduce the risk of unauthorized access, use, disclosure, or destruction. PRA is a wholly owned subsidiary of PRA Group, Inc. (USA) and is affiliated with other entities globally. PRA makes use of those other entities’ global resources and joint systems. This may involve personal information of customers being accessed outside Canada. PRA uses contractual and other means to ensure that information collected on our behalf by third parties or accessed by third parties is protected by the same or similar measures.
The level of protection depends on the sensitivity of the personal information and may include:
- Password protected computers;
- Industry standard firewall, software solutions, and encryption technology;
- Locked cabinets;
- Restricted access;
- Annual employee training.
In addition, access to personal information is limited on a “need-to-know” basis to PRA employees who are required to have access to that information. All employees are bound by confidentiality clauses in their employment agreements.
Confidentiality and security are not assured when information is transmitted over the Internet, using a contact request form, through email or other electronic communication. PRA will not be responsible for any loss or damage due to a breach of security and/or confidentiality during transmission. However, once PRA receives personal information, every effort is made to ensure its security.
Accuracy: PRA will make all reasonable efforts to ensure that personal information within its custody is as accurate, complete, and up to date as necessary for the purposes it is to be used. If PRA become aware that the information it collects is inaccurate, or where information is shown to be inaccurate by the individual, PRA will amend/update the information as required.
Access Right: Upon written request by an individual and the authentication of its identity, PRA will provide that individual with access to the personal information under PRA’s control. Where requested, PRA will also provide information about the ways in which this information is being used, and a list of the individuals, and organizations to whom that information has been disclosed.
PRA will make the information available within 30 days after authenticating an individual’s identity. If PRA requires longer than 30 days to provide this information, PRA will provide written notice outlining the reasons for the delay. PRA may charge reasonable fee for providing information in response to an access request and may require a deposit for all or part of the fee. If PRA is not able to provide access to certain personal information, PRA will notify the individual in writing, document the reasons for refusal and outline further steps available.
Some reasons for exceptions are below:
- The information contains information about another individual, and that information cannot be adequately severed to protect their information;
- Information that cannot be disclosed for commercial, legal, or security purposes; and,
- Information that is protected by solicitor-client privilege.
Data Breach: In case of breach of security safeguards that may cause significant harm to customers, PRA will investigate the breach, report to the respective privacy commissioner, notify the affected individuals, and take all appropriate measures to mitigate the breach and avoid future breaches.
Retention Limitation: PRA will retain personal information only for the duration to fulfill the identified purposes and as authorized or required by law. When no longer needed, the personal information that is no longer relevant or required to fulfill the identified purposes will be destroyed, purged, or erased, as soon as reasonably possible. PRA will take due care when destroying personal information to prevent unauthorized access to the information.
Openness and Compliance: PRA is open about the policies and procedures it uses to protect personal information. For further information about this Policy, if you would like to make a request to access your personal information, or a complaint concerning compliance with this Policy, use the Contact Us web link or contact:
PRA will investigate all complaints concerning compliance with this Policy. If a complaint is justified, PRA will take appropriate measures to resolve the complaint, including, if necessary, updating its policies and procedures. The individual who made the complaint will be informed of the outcome, and the changes implemented as a result of the investigation regarding its complaint.
4. Website and Cookies
Upon a visit of PRA websites, certain traffic data, with no personal identification, is recorded. The purpose is to ascertain the number of visits, the average amount of time spent on each website and the number of pages that are visited, and ultimately, to improve PRA websites.
“Cookies” are used to ensure that the browser remembers website visitors’ preferences. The data gathered by the cookies are anonymous.