Privacy Code & Principles
Payment Source is committed to keeping customers' personal information accurate, confidential, secure and private. The Payment Source Group Privacy Code builds on this commitment.
This Code is based on the Federal Personal Information Protection and Electronic Documents Act ('PIPEDA'). It describes how Payment Source subscribes to the principles of PIPEDA Privacy Principles throughout the company.
The Scope of this Code & Principles
Payment Source encompasses all products, services, partners engaged in the following services to the public: purchase of prepaid products or services; cash, payment services; Interac e-Transfer acquiring services; account loading; and bill payment services.
This Code describes the principles Payment Source will use to protect the privacy of individual customers' personal information in the carrying out commercial activities throughout the company, no matter how the information is collected, used or disclosed.
This Code applies to Payment Source as defined within this Code with respect to our operations company wide. Where Payment Source is subject to laws or industry regulation or self-regulatory requirements which impose greater or additional obligations with respect to the protection of personal information, Payment Source also complies with those additional obligations.
Principle # 1 - Accountability
Payment Source is accountable for all personal information in its possession or custody, including any personal information disclosed to third parties for processing or other administrative functions. Payment Source has established policies and procedures to comply with this Code, and has designated one or more persons to be accountable for compliance.
- Payment Source’s senior management has accountability for protecting its customers' personal information. Senior management, however, delegates the day-to-day procedures of compliance to others.
- Payment Source will identify internally and to its customers the person or persons who are responsible for overall privacy protection and compliance.
- Payment Source is accountable for personal information in its possession or custody that is disclosed to a third party for processing or other administrative functions.
- Payment Source will safeguard this personal information through means such as a contract or other agreement with the relevant third party.
- To put the principles of this Code into practice, Payment Source:
- Has policies and procedures to protect the privacy of personal information.
- Has policies and procedures to receive and respond to customers' questions and complaints.
- Informs customers and staff of Payment Source's policies and procedures.
- Trains staff to understand and follow Payment Source’s policies and procedures.
Payment Source also oversees compliance with these policies and procedures through normal risk-based review, and through ongoing compliance policies and procedures reviews.
Principle # 2 - Identifying the Purposes of Collecting Personal Information
Payment Source will identify the purposes for which it collects the personal information, before or when the information is collected.
When a customer applies for a product or service provided by or through Payment Source, Payment Source will make sure the customer is made aware of:
- Why Payment Source needs the personal information it is requesting;
- How the personal information may be used with customer consent for other purposes; and;
- The fact that the customer can refuse, at any time, permission for Payment Source to use personal information for these other purposes.
In some cases Payment Source may not explain or obtain customer consent for the other
purposes for which the information has been collected.
Payment Source will collect and use personal information for the following purposes:
- To meet legal and regulatory requirements;
- To provide the services the customer has requested;
- To analyze the suitability of our products or services for the customer;
- To determine the customer's eligibility for our products and services;
- To set up, manage and offer products and services that meet the customer's needs; and/or;
- To provide ongoing service related to the offerings by and through Payment Source.
Payment Source will identify the purposes for which it intends to use the personal information, in writing, orally in person or over the telephone, electronically or by any other alternative format or means it uses to communicate with its customers. Payment Source will use words that customers can easily understand when identifying these purposes.
Payment Source will distinguish the purposes from other information so that customers will be
made aware of them. For instance, on an online application form, Payment Source may identify the purposes using bolder type or a box, or a confirmation box. Over the telephone,
Payment Source will identify the purposes as a distinct part of the conversation with respect to the personal information that is required as well as the purpose for gathering the information.
Payment Source staff, its affiliates, partners and other related parties who collect personal information will be able to explain the purposes to customers. Customers will also be able to ask for information about the purposes when they email, phone or write to Payment Source with respect to the use and collection of their personal information.
Payment Source will explain all the purposes for which personal information is collected including any purposes which may not appear to be as obvious as others. The purposes for collecting a name or address are obvious and do not need to be explained. For the purposes of collecting other information that may not be obvious Payment Source will inform the customers that:
- Social Insurance Number is used to facilitate government tax payments;
- A valid government issued identification number and related information is used where legislation requires it for the customer's reporting and record keeping requirements;
- Credit information is requested from credit bureaus to maintain the integrity of the credit-granting process and identification purposes;
- Other services/utility bills is requested for identification purposes relating to legislative requirements;
- Personal information is required for the creation of a digital certificate, API Keys,and other private keys are required with online services to authenticate the customer to the web site and their account information;
- Bank account information is required for settlement and payment purposes; and/or;
- Personal information, including without limitation, telephone number, the customer's date of birth, occupation, source of funds, or other information as required for regulatory compliance.
Principle # 3 - Customer Consent
Payment Source will make all reasonable effort to make sure customers understand how their personal information will be used by Payment Source. Payment Source will obtain consent from its customers before, when it collects, or uses the personal information. Payment Source will not attempt to deceive a customer into giving consent.
A customer's consent can be express, implied, or given through an authorized representative at Payment Source, its affiliates, or partners.
A customer can withdraw consent at any time, with certain exceptions.
Payment Source, however, may collect, use or disclose personal information without the customer's knowledge or consent in exceptional circumstances where such collection, use or disclosure is permitted or as required by law.
Generally, Payment Source will seek consent to use and disclose personal information at the same time it is collected. Sometimes, however, Payment Source may identify a new purpose and it will seek consent to use and disclose personal information for that purpose after the information has been collected.
Payment Source will not obtain consent through deceptive practices. It will explain to customers how personal information will be used before they give their consent, except where applicable laws do not require consent.
Customers can give consent orally, in writing or electronically. They can imply consent through action or inaction. They can also give consent through an authorized representative. Express consent is the preferred form at Payment Source.
Customers can grant consent:
- Orally, such as when information is collected over the telephone or at an affiliate or partner;
- In writing, such as when completing and signing an application; or
- Electronically, such as when applying through a computer or electronic communicating device.
Customers can grant implied consent by:
- Using a product or service offered by or through Payment Source; and/or
- Not responding to Payment Source’s offer to have their personal information removed from a direct marketing list. In this case, Payment Source may assume that the customer consents to the use of personal information.
Customers can also give consent through an authorized representative, such as a legal guardian or a person with a power of attorney. This is necessary, for example, if Payment Source cannot obtain express consent from a customer who is a minor, seriously ill, or mentally incapacitated.
Before deciding what form of consent is appropriate, Payment Source will consider the type of personal information it needs, the reason for its use, and the type of customer contact that is involved.
Customers always have the option to withdraw consent to the use of personal information for marketing purposes.
Payment Source can collect or use personal information without the knowledge and consent of the customer in exceptional circumstances where such collection or use is permitted or as required by law.
For example, Payment Source will not ask for consent when personal information is collected used, or disclosed:
- In the clear best interests of the customer and consent cannot be obtained in a timely way;
- When asking for consent may compromise the information sought and collection relates to an investigation of a breach of an agreement or a contravention of Canadian laws, as for example to detect and prevent criminal activity and dealings in proceeds of crime;
- When the information is publicly available, as defined in applicable laws; or
- When Payment Source obtains customer lists from another regulated organization, on the assumption that the organization providing the personal information has obtained each customer's consent before disclosing the information to Payment Source.
Payment Source can disclose personal information without the knowledge and consent of the customer in exceptional circumstances where such disclosure is permitted or required by law. For example Payment Source will not ask for consent when personal information is:
- Given to affiliates or partners of Payment Source who need it to carry out business-related functions, such as fulfilment (e.g. mailing follow-up information packages), data processing or the sending prepaid payment cards/vouchers/PINs, and/or gift cards;
- Given to its legal representatives;
- Disclosed for the purpose of collecting an overdue account; and/or
- Disclosed in order to:
- comply with a subpoena or warrant;
- respond to a governmental authority that has lawful authority to obtain the information;
- facilitate the activities of an investigative body or government institution in dealing with a past, potential or actual breach of an agreement or contravention of the laws of Canada or a province or a foreign jurisdiction; or
- comply with the law; and/or
- process or otherwise administer products or services and/or to transfer personal information to other companies that have acquired the rights to such offerings.
Subject to legal and contractual restrictions, customers can refuse or withdraw consent at any time as long as:
- Payment Source is given reasonable notice of the withdrawal;
- Consent does not relate to a product or service where Payment Source must collect and report information after the product or services has been used. This is to maintain the integrity of the payment system; or
- Consent does not relate to legal or regulatory requirements for reporting and record keeping; or
- Payment Source will let the customer know the consequences of refusing or withdrawing consent when customers seek to do so. Refusing or withdrawing consent for Payment Source to collect, use or disclose personal information could mean that Payment Source cannot provide the customer with some product, service or information of value to the customer.
Principle # 4 - Limiting Collection of Personal Information
Payment Source limits the amount and type of personal information it collects. Payment Source will collect personal information for the purposes it identifies to the customer at time of collection. Payment Source will inform the customer if the information collected will be used for new purposes.
Payment Source collects personal information using policies and procedures which are fair and lawful.
Although Payment Source will collect personal information primarily from customers, it may
also collect personal information from external sources such as third party service providers, credit bureaus, government records, and partners as required by law or confirmation that the personal information collected is correct.
Principle #5: Limiting Use, Disclosure and Retention of Personal Information
Payment Source will use or disclose personal information only for the reasons it was collected, unless consent is obtained from the customer to use or disclose the personal information for another reason, or is permitted/required by law.
Under certain exceptional circumstances, Payment Source has a legal duty or right to disclose personal information without customer knowledge or consent, including to protect Payment Source’s or the public interest.
Payment Source will keep personal information only as long as necessary for the identified purposes for which it was collected.
Payment Source may disclose personal information without consent where permitted/required by law. For example:
- production orders
- search warrants;
- other court and government orders; or
- demands from other parties who have a legal right to the personal information.
In these circumstances, Payment Source will protect the interests of its customers by making reasonable efforts to ensure that:
- orders or demands comply with the laws under which they were issued;
- it discloses only the personal information that is legally required, and nothing more; and
- it does not comply with casual requests for personal information from government or law enforcement authorities.
Payment Source may notify customers that an order has been received, if permitted by law.
Payment Source may notify customers of such orders to the last know telephone, electronic mail, or letter.
Payment Source may want to use personal information to market products and services to its customers, either directly or through Payment Source or its affiliates. Payment Source will obtain the consent of the customer before using personal information for such purposes.
When a customer uses a Payment Source product or service and provides personal information, Payment Source will:
- Tell the customer that this personal information may be used by it or other Payment Source affiliates to market other products and services to the customer;
- Describe the types of Payment Source affiliates who might market their products or services; and
- Ask the customer for consent, and advise them that this use of personal information is optional.
The first time a new type of Payment Source affiliate provides promotional information about its product or service, the Payment Source affiliate will:
- Explain the proposed use of the customer's personal information to the customer; and
- Give the customer an opportunity to withdraw consent for further use of their personal information.
Payment Source specifies in its policies and procedures the periods of time it will keep personal information. Some of these time periods are determined by legislation. If personal information has been used to make a decision about a customer, Payment Source will keep the personal information long enough for the customer to have access to it after the decision has been made, subject to any regulated record retention period.
Payment Source will destroy or erase any personal information no longer needed for its identified purposes or for legal requirements.
Payment Source’s policies and procedures explain how Payment Source will destroy personal information so that unauthorized persons or organizations do not gain access to it.
Principle #6: Accuracy of Personal Information
Payment Source will keep personal information as accurate, complete and current as necessary for the identified purposes for which it was collected.
Customers may, in writing, challenge the accuracy and completeness of their personal information and request that it be amended as appropriate.
Payment Source will make reasonable efforts to minimize the possibility of using inaccurate, incomplete, or outdated personal information to make a decision about the customer.
Payment Source will update personal information only if it is necessary for the purposes for which it was collected.
Payment Source will make reasonable efforts to keep customers' personal information accurate and current if the information is used on an ongoing basis. This includes personal information disclosed to third parties for processing.
Payment Source will also rely on customers to keep certain personal information (such as customer addresses) accurate, complete, and current. If a customer shows that personal information is inaccurate, incomplete, out of date, or irrelevant, Payment Source will revise its records. If necessary, Payment Source will disclose the revised personal information to third parties which were provided with the information to revise their records as well.
If Payment Source does not agree to revise personal information as requested by the customer, the customer may challenge Payment Source’s decision. Payment Source will make a record of this challenge, and if necessary, disclose the challenge to the third parties who also possess the personal information, and advise the customer of the relevant complaint procedures.
Principle #7: Safeguarding Personal Information
Payment Source protects personal information with safeguards appropriate to the sensitivity of
the information. These safeguards include protecting personal information from loss or theft, from unauthorized access, disclosure, duplication, use, or modification.
Payment Source’s safeguards vary depending on the sensitivity, amount, distribution, format, and storage of the personal information. Payment Source gives the highest level of protection to the most sensitive personal information.
Payment Source safeguards personal information through security measures. For example:
- Physical security, such as secure locks on filing cabinets and restricted access to offices;
- Organizational security, such as controlled entry in data centres and limited access to relevant information; and
- Electronic security, such as passwords, personal identification numbers, and encryption.
Payment Source informs its staff regularly about Payment Source’s policies and procedures for
protecting customers' personal information, and emphasizes the importance of complying with them. As a condition of employment, employees are required to conform to Payment Source’s policies and procedures.
Payment Source may disclose personal information to third parties for fraud screening, credit worthiness, data processing services or administrative services, collection of debts, or for other goods and services. Payment Source requires these third parties to safeguard all personal information in a way that is consistent with Payment Source’s measures, or as regulated by law.
Payment Source may, with the customer's consent, disclose personal information to businesses such as, credit bureaus, and third party payment providers, its partners and issuers of prepaid products or accounts, advisory organizations, and regulatory organizations. Payment Source uses procedures and/or contracts to protect the privacy of that personal information.
As referred to in Principle 5, Payment Source uses care when disposing of or destroying personal information, to prevent unauthorized access to the information.
Principle #8: Openness to Personal Information
Payment Source is open about the policies and procedures it uses to manage personal information. Customers have access to information about these policies and procedures. The information will be made available in a manner that is generally easy to understand.
Payment Source makes available to customers information about the policies and procedures it uses to manage personal information. Copies of this Code are available in printed format upon request.
Information about Payment Source’s policies and procedures has been written so that it is generally easy to understand and it is readily available to customers. Through printed format or other related documents, customers will be able to find out:
- The title and mailing address of the representative of Payment Source who is responsible for protecting the privacy of customers' personal information, so customers know where to address complaints and questions;
- How to access personal information held by Payment Source;
- What type of personal information is held by Payment Source and for what purpose it is used; and
- The personal information made available to Payment Source or its affiliates.
Payment Source makes information about its policies and procedures available in a variety of ways, depending on the nature of the service customers are using and the sensitivity of the personal information. For example, Payment Source may make printed format or other information available upon request, mail information to its customers, establish a toll-free telephone service, use electronic mail, or provide online access.
If you have a question about Payment Source's privacy policies, please contact us toll free at 1-844-241-2991. You may also email our Chief Privacy Officer at firstname.lastname@example.org.
Alternatively, you may write to us at:
Payment Source Inc.
c/o Chief Privacy Officer
365 Evans Avenue
Suite 301 Toronto
ON M8Z 1K2
Principle #9: Access to Personal Information
When customers make a request in writing, Payment Source will, within a reasonable time, inform them of what personal information Payment Source has, what it is being used for, and/or to whom it has been disclosed, depending on what details the customers have requested and that is not restricted by law, and/or from a contractual perspective.
When customers request it in writing, Payment Source will give them access to their personal information. Payment Source will respond to the written customer request within 30 days. In certain situations, however, Payment Source may not be able to give customers access to all their personal information. Payment Source will explain the reasons for this limitation on access and any recourse the customer may have, except where prohibited by law, and/or from a contractual perspective.
A customer has the right to know, by written request, what personal information is held by Payment Source. Customers have a right, upon written request, to access personal information, and to know to which third parties the information has been disclosed, except where prohibited by law, and/or from a contractual perspective.
Payment Source has policies and procedures for responding to customers' requests for access to personal information. When customers ask, Payment Source will make these policies and procedures known to the customers. To respond to a customer's request certain information may be required, for example, customers have to be specific about the type of personal information that may be held by Payment Source.
Payment Source will attempt to be as specific as possible about the persons from whom it collected the personal information, to whom it has disclosed the personal information, and how and when the information was disclosed. Payment Source will take this information from its records, and will provide it to the customer in a form that is generally easy to understand, providing explanations for abbreviations and codes. Payment Source will provide the information to the customer within 30 days following a written request, and for a cost commensurate with the effort to retrieve the information, or at no cost.
Payment Source will not charge the customer without first informing the customer of the cost of providing the requested information and giving the customer the option to withdraw the request.
Payment Source will, on request, give a customer who has a sensory disability, access to personal information to which the customer is entitled, in an alternative format if a version of the information already exists in the alternative format, or if conversion into that format is reasonable and necessary in order for the customer to access the personal information.
Payment Source will not provide the personal information that is in its control if:
- In so doing, it would reveal personal information about a third party and such personal information is not severable from the requesting individual's personal information;
- It is subject to solicitor-client or litigation privilege;
- It contains Payment Source’s own confidential commercial information and such confidential commercial information is not severable from the requesting individual's personal information. For example, Payment Source may use a scoring formula, form an assessment of risk, or make a collection recommendation that is confidential to Payment Source;
- In so doing, it would reveal information that would reasonably be expected to threaten the life or security of another individual and such information is not severable from the requesting individual's personal information;
- It is information that was generated in the course of a formal dispute resolution process;
- It cannot be disclosed for legal reasons. For example, Payment Source may not legally be able to provide the customer with information relating to disclosures to lawful authorities for law enforcement or crime prevention purposes. In some provinces Payment Source cannot legally provide a customer's credit bureau report to that customer; and/or
- It is used for the detection and prevention of criminal activity and dealings in proceeds of crime.
Payment Source will not record in customers' individual files when personal information was disclosed to third parties for routine purposes. For example:
- Reporting to tax authorities;
- Reporting to other authorities and/or related parties;
- Reporting to regulators;
- Regular updating of credit information to credit bureaus;
- Indicating to third parties when items are returned for NSF (not sufficient funds);
- Preparation and mailing of customer statements; or
- Record keeping for various regulated transactions.
If Payment Source denies the customer's request for access to personal information, Payment Source will explain the decision to the customer, except where prohibited by law. The customer may then challenge Payment Source’s decision (See Principle 10).
A customer may challenge the reasonableness of the cost of providing personal information.
Payment Source will inform customers of these policies and procedures, which are generally easy to understand and use. The complaint resolution process and the appropriate contact person are part of these policies and procedures.
Payment Source will investigate all complaints received in writing and if it finds a complaint justified, Payment Source will try to resolve it. If necessary, Payment Source will take appropriate measures, including changing its policies or procedures, to ensure that other customers will not experience the same problem.
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Phone: (819) 994-5444
Fax: (819) 994-5424