PRA Group Canada Inc. (“PRA” or the “Company”) is committed to protecting personal information entrusted to the Company by ensuring and maintaining its accuracy, security, and confidentiality. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner, in accordance with applicable legislation and the specific contractual obligations towards its business partners, is part of PRA’s Core Values and fundamental to PRA’s daily operations. All employees receive ongoing training on the importance of respecting the security and confidentiality of personal information, to ensure ongoing compliance to this Policy.
This Policy outlines the principles PRA, and all its employees follow when collecting, using, and disclosing personal information in Canada in relation to the business activities of the Company.
This Policy applies to all information the Company has under its control that relates to customers, or other third parties, and that may be used to identify an individual. PRA maintains the confidentiality of this information and applies the following principles with respect to protecting information, at all times.
PRA is a well-established debt buyer in Canada. Being a debt buyer means we buy, manage, and service a large number of accounts and portfolios. In doing so, PRA follows the following principles:
Accountability: PRA is responsible for personal information under its custody and control including information provided by or obtained from third parties. PRA uses contractual and other appropriate means to ensure that a high level of protection is provided by third parties to whom PRA has entrusted personal information. PRA has designated a Compliance Specialist who is responsible for PRA compliance with this Policy.
Purposes and limiting collection, use or disclosure: PRA collects, uses, and discloses personal information of customers for purposes limited to those related to our business operations. Some examples of the way PRA may collect, use, or disclose your information are outlined below.
PRA collects your information to:
- Service your account;
- Help you work out a payment plan; and,
- Ensure your information is accurate and up to date.
PRA uses your information to:
- Manage and develop our business, and operations;
- Verify we are discussing the right account with the right person;
- Update your credit report; and,
- Process payments relating to an account.
PRA may disclose your information to:
- Satisfy information requests from federal, or provincial regulators;
- Third parties contracted by PRA to collect/act on our behalf;
- Where requested to do so by the individual;
- Comply with an investigation made by a law enforcement agency; and,
- Where otherwise required, and allowed by law.
Consent: Obtaining an individual’s consent to the collection, use, and disclosure of their personal information is fundamental in ensuring appropriate data handling practices. Consent to the collection, use, or disclosure of personal information can be expressed or implied. Generally, by providing PRA with personal information, PRA will assume that consent is given to the collection, use, and disclosure of such information for the purposes described at the time of collection, or for the purposes identified or described in this Policy.
PRA may collect, use, or disclose personal information without knowledge or consent in certain circumstances, which include, but are not limited to:
- When personal information is already publicly available;
- When performing due diligence in relation to a prospective business transaction;
- When required to comply with a subpoena, warrant, or other court order;
- When disclosure is required to investigate a breach of an agreement or a contravention of a law, or when PRA is a party in a lawsuit and needs to comply with the rules of court regarding evidence and production of records; or,
- Where otherwise permitted or required by law.
Safeguards: All personal information collected by PRA, is protected through physical, organizational, or electronic measures in order to reduce the risk of unauthorized access, use, disclosure, or destruction. PRA is a wholly owned subsidiary of PRA Group, Inc. (USA) and is affiliated with other entities globally. PRA makes use of those other entities’ global resources and joint systems. This may involve personal information of customers being accessed outside Canada. PRA uses contractual and other means to ensure that information collected on our behalf by third parties or accessed by third parties is protected by the same or similar measures.
The level of protection depends on the sensitivity of the personal information and may include:
- Password protected computers;
- Industry standard firewall, software solutions, and encryption technology;
- Locked cabinets;
- Restricted access;
- Annual employee training; and,
- Other physical, electronic, and organizational procedures.
In addition, access to personal information is limited on a “need-to-know” basis to PRA employees who are required to have access to that information. All employees are bound by confidentiality clauses in their employment agreements.
In case of breach of security safeguards that may cause significant harm to customers, PRA will investigate the breach, report to the respective privacy commissioner, notify the affected individuals, and take all appropriate measures to mitigate the breach and avoid future breaches.
Confidentiality and security are not assured when information is transmitted over the Internet, using a contact request form, through email or other electronic communication. PRA will not be responsible for any loss or damage due to a breach of security and/or confidentiality during transmission. However, once PRA receives personal information, every effort is made to ensure its security.
Accuracy: PRA will make all reasonable efforts to ensure that personal information within its custody is as accurate, complete, and up to date as is necessary for the purposes for which it is to be used. If PRA learns that the information it has is inaccurate, or where information is shown to be inaccurate by the individual, PRA will amend/update the information as required.
Providing Access: Upon written request by an individual and the authentication of his or her identity, PRA will provide said individual with access to the personal information under PRA’s control. Where requested, PRA will also provide information about the ways in which this information is being used, and a list of the individuals, and organizations to whom that information has been disclosed.
PRA will make the information available within 30 days after authenticating an individual’s identity. If PRA requires longer than 30 days to provide this information, PRA will provide written notice outlining the reasons for the delay. PRA may charge reasonable fee for providing information in response to an access request and may require a deposit for all or part of the fee. If PRA is not able to provide access to certain personal information, PRA will notify the customer in writing, document the reasons for refusal and outline further steps available. Some reasons for exceptions are below:
- Where the information contains information about another individual, and that information cannot be adequately severed to protect their information;
- Information that cannot be disclosed for commercial, legal, or security purposes; and,
- Information that is protected by solicitor-client privilege.
Retention of Personal Information: PRA will retain personal information only as long as necessary for the fulfillment of the identified purposes and as authorized or required by law. Personal information that is no longer relevant or required to fulfill the identified purposes will be destroyed, purged, or erased, as soon as reasonably possible. PRA will take due care when destroying personal information to prevent unauthorized access to the information.
Openness and Compliance: PRA is open about the policies and procedures it uses to protect personal information. For further information about this Policy, if you would like to make a request to access your personal information, or a complaint concerning compliance with this Policy, use the Contact Us webpage or contact:
PRA will investigate all complaints concerning compliance with this Policy. If a complaint is found to be justified, PRA will take appropriate measures to resolve the complaint, including, if necessary, amending its policies and procedures. The individual who made the complaint will be informed of the outcome, and the changes implemented as a result of the investigation regarding his or her complaint.
4. Website Use
Upon a visit of PRA websites, certain traffic data, with no personal identification, is recorded. The purpose is to ascertain the number of visits, the average amount of time spent on each website and the number of pages that are visited, and ultimately, to improve PRA websites.
“Cookies” are used to ensure that the browser remembers website visitors’ preferences.