Canada Life has implemented an Information Security Policy, supported by standards designed to establish a system of internal controls and accountability for safeguarding information assets.
The supporting standards set out the requirements needed to comply with legal, regulatory or contractual obligations, and are approved through an auditable process.
Data retention policies
We will keep your personal data only for as long as is necessary for the purpose for which it was originally collected. In particular, we will keep data for as long as there is any possibility that either you or we may wish to bring a legal claim, or where we are required to keep your personal data for legal or regulatory reasons.
Each Canada Life department has a departmental ‘Records Retention and Disposal Guide’ (RRDG), which defines the length of time that records processed by that department are retained before deletion.
Data storage and transfer
Data is not normally transferred during routine administration and is stored on secure servers in the UK and Ireland. Personal data may be accessed by our parent company in Canada, a country covered by an EU adequacy decision, which currently provides a level of protection for personal data equivalent to that of the EU / EEA.
Information security
Canada Life has an Information Security Policy setting out how we protect our assets (e.g. computers) as well as the information given to us by our customers, advisers, employees and business partners. This includes how we:
- Classify information
- Manage risk
- Control access to information
- Secure our buildings
- Define who is involved in information security and what they are responsible for
Access control
Canada Life limits the access employees have to data according to their job profiles, which set out the level of access they require to do their job. A central security administration team controls access requests submitted by security coordinators, and access is reviewed using daily and monthly reports. We have minimum password requirements and strict controls against sharing passwords.
Data protection
As well as only giving employees access to the information they need to do their job, we operate managed firewalls that restrict network traffic to what is required, reducing the risk of unauthorised or unintended exposure of data. Anyone issued with a laptop must use two-factor authentication and connect through an encrypted Virtual Private Network (VPN).
Secure data storage
All data is stored on secure servers in buildings owned and used exclusively by Canada Life. The European production data centre is located at a Canada Life Group owned facility in the UK (Potters Bar). The European disaster recovery (DR) data centre is located at a Canada Life Group owned facility in Ireland (Dublin). Both data centres are located internally within their respective buildings, with no external doors, and both are built to Uptime Institute Tier II standards.
Physical security
- Security staff on site 24 hours a day
- CCTV
- Identification cards that control access to Canada Life offices
- All information received electronically is retained
- Printed information is shredded on site when it is no longer needed
- Use of USB / memory sticks is strictly controlled
- Regular testing of environmental controls, including power supply and generators, fire suppression systems, smoke detectors and manual extinguishers
Asset management
The security of any information sent to Canada Life relies on the secure management of the assets (such as PCs) that our employees use. We keep a register of all equipment and assets, and all changes are recorded. Our technology assets are secured and monitored so that only authorised, licensed and supported hardware is used.
Software security
All software we use is licensed, and the ability to install unauthorised software has been removed. Installing new or updated software must be authorised by our Information Security teams. Security updates are applied monthly, or more frequently if necessary, following a risk-based assessment.
Privacy controls
Our privacy controls reflect current laws and regulations governing the privacy of data. This includes:
- Enforcing a clear desk policy
- Limiting the use of personal portable media (e.g. mobile phones)
- Restricting access according to an individual's role
- Using appropriate encryption
- Using secure data communications (e.g. secure mail, Transport Layer Security (TLS) and Secure File Transfer Protocol (SFTP))