Back to blog
Posted by Martin Papillon, FSA, FCIA, MBA, September 27 2023
Data Security, Protection and Confidentiality: Priorities for AGA

Data security, protection and confidentiality

Data security, protection and privacy are a paramount priority for AGA Benefit Solutions. Beyond complying with the main privacy regulations, we stay on top of industry standards to provide maximum protection to our clients.  

We keep improving our security practices and framework, whether by adhering to policies such as Law 25 which modernizes Quebec privacy legislation, or by adopting best-in-class cybersecurity practices. 

Respect, a Core Value  

At AGA, respect materializes through our commitment to abide by cybersecurity and data privacy legislation and best practices. We implemented stringent governance and procedures to ensure compliance with the requirements of Law 25 in Quebec, PIPA in Alberta and PIPEDA in the other Canadian provinces.  

Our philosophy can be summed up in a single sentence: 

Keep as little data as possible, for as little time as possible, with as little access as possible. 

New: Our Privacy Portal 

For greater transparency, our Privacy Policy details the situations where we must collect personal information and the circumstances under which this data will be used.  

We are now adding a new Privacy Portal, through which members can contact our Chief Privacy Officer to:  

  • Ask a question or file a complaint when a situation is considered unacceptable;
  • Access the sensitive information we hold about them; 
  • Have their data deleted whenever possible. 

For How Long Do We Keep Personal Information? 

We collect the personal information required for performing the services provided by AGA such as insurance plan enrolment, plan administration or support during the effective period of the plans. 

A data retention calendar specifies the retention timeline for each type of information collected, as required under the various pieces of legislation governing AGA Benefit Solutions. For example, the data on the employees of an organization, used in the sales and enrolment processes, are retained for a period of 2 years following the performance of the service. The data on brokers are retained for a period of 5 years following the end of the fiscal year to which the data is pertaining. Other situations may require a longer retention period. 

How Do We Control Data Privacy? 

AGA Benefit Solutions uses the platform to inventory, categorize, classify and monitor sensitive data to ensure their sound and safe use. This same platform also forms the backbone of our Privacy Portal

Beyond controlling sensitive data, AGA has implemented a series of measures to secure its daily operations and protect the use of its technology platforms. For example:

  • We perform background checks on all employees upon hiring and all our employees are provided with continuous training on cybersecurity and on the best data and access management practices. Mandatory training sessions and phishing simulations are conducted to raise employee awareness on an ongoing basis. 

  • We rigorously select and carefully replace our products and suppliers, which must be well-known and reputable, and validate their compliance and track record in terms of data security and protection; 

  • We have implemented a process for qualifying and validating the skills of intermediaries who deal with our organization, as well as validating their background, before entering into a contractual agreement, to ensure compliance with the rules in force;

  • We have implemented a policy and a procedure for responding to security incidents, whether minor or major. 

  • The data included in member files and plan sponsor files are stored on servers located in Canada. Some data used to support the conduct of AGA business processes can be stored on servers located in North America, and more specifically in Canada or the United States. 

  • Employees log in to our systems with designated accounts secured by password and 2-factor connection

  • A response team monitors environment security on a 24/7 basis and a Dark Web monitoring tool detects any data leaks.  

  • We take many other measures, which are all listed on the Data Security page of our website. 

Would you like to update your knowledge of cybersecurity and data security issues to better protect your employees? If so, consider taking a cybersecurity training course. Having a defined plan for your corporate cybersecurity is essential, and will save you from many risks!

Read Our Personal Information Protection Policy

Martin Papillon is a Fellow of the Canadian Institute of Actuaries and holds an MBA from HEC Montréal. Throughout his career, he has been working in the group insurance and retirement sector. Before joining AGA in 2013, he held advisory and senior management positions with world-class consulting actuarial firms.
Martin Papillon, FSA, FCIA, MBA