At ICICI Bank Canada (hereinafter referred to as “ICICI Bank”, “Bank”, “we”, “our” or “us”), an important part of our commitment to provide our clients1 with excellent service is our respect for your right to privacy. While information is the cornerstone of our ability to provide excellent service, our most important asset is our clients’ trust. Your personal information (information that refers to you specifically as an individual) being kept secure, and being used only as you would want us to, is a priority for us. It is important for you to understand what personal information we will collect, how we will use it, and who may see it.
ICICI Bank is committed to maintaining the accuracy, confidentiality and security of your personal and financial information. As part of this commitment, we adhere to the following principles:
All of our employees are committed to maintaining and protecting client information under our control. To help fulfill this mandate, we have designated a Chief Privacy Officer who has overall responsibility and accountability for compliance by the Bank with applicable privacy requirements Contact information for the Chief Privacy Officer is provided in part J of this section of the Privacy Statement. The Bank has designed an annual comprehensive training program for all the employees of the Bank so they can understand the Statement and related procedures fully.
- Identifying Purposes:
We identify and document the purposes of collecting personal information of our clients at or before the time such information is collected. The information that we may request will depend on the product(s) or service(s) selected by you.
Some examples of the types of information that we might collect are:
- For deposit-related services like opening a deposit or business account, applying for credit cards, making money transfers, or purchasing a guaranteed investment certificate, you will be asked to provide information such as your name, date of birth, address and telephone number (business name and address in the case of business clients), occupation and acceptable identification documents required for establishing and verifying your identity under the Canadian anti-money laundering and anti-terrorist financing law.
- For deposit-related services we may also ask information about your transactions, including payment history, account activity and how you intend to use the account and the source of any incoming funds or assets
- Information about beneficial owners, intermediaries and other parties, which is required by law. For legal entities such as businesses, partnerships, trusts, estates, clubs or other organizations, we may collect the information referred to above from each authorized person, signatory, partner, trustee, executor and club member, as appropriate.
- If you are applying for credit in the form of a loan, credit card or a mortgage, you will also be asked for specific information about your current financial situation or the financial situation of your business, based on the credit evaluation requirements of the Bank.
- If you have an account that earns interest or if you are buying registered investment products, we are required to keep a record of your social insurance number for income tax reporting purposes.
- If you open an account then you may be also asked to provide your foreign tax identification number to comply with Foreign Account Tax Compliance Act and/or the Common Reporting Standards requirements, if applicable.
Most of the information comes directly from you when you apply for financial products or services. We may also need information from credit bureaus, income sources and personal references you have provided to us. Obtaining additional information about you from such third parties helps us assess your eligibility for our products/services. Of course, we will obtain consent from you before we contact anyone for information about you and we will only request information that is required for providing the service or product selected by you. If you withhold your consent, the Bank will not be able to assess your application and complete the transaction.
We obtain your consent for the collection, use or disclosure of your personal information, except as otherwise required or permitted by law. As a general matter, we will obtain your consent through our client agreement with you or the application form for the relevant product or services, and for making promotional /marketing offers. You can withdraw your consent subject to legal and contractual requirements.
If you do not wish to receive promotional materials from us or you do not want your personal information shared among the members of ICICI Bank Group of companies (i.e., ICICI Bank Limited and subsidiary companies) for the purpose of marketing, you can choose to opt-out (unsubscribe) from our marketing and/or shared information lists. Please note that it may take up to 7 business days to fulfill your request to unsubscribe from promotional electronic messages.
We prefer to notify you about the purpose of collecting, using, and disclosing personal information and seek consent in explicit and meaningful manner, where possible. However, depending on the sensitivity of the information or the means of collection, your consent could be expressed or implied.
With your explicit consent, we may share your personal information within the ICICI Bank Group, including locations outside of Canada where the ICICI Bank Group does business, for legal and regulatory purposes, to perform analytics, to better manage your relationship with us or for the purpose of marketing, so that the ICICI Bank Group can offer you a broader range of product and service solutions to meet your needs. You may withdraw your consent to this use of your personal information.
- Limiting Collection
We only collect such personal information that is required to provide the service(s)/product(s) selected by you. With your consent, we will gather personal information from you (in person, at a branch, over the telephone, by corresponding via mail or electronic mail or by otherwise obtaining it from you by electronic means directly or with the assistance of merchants or agents) or from the person(s)/entity(ies) that have been authorized by you (such as personal or professional references provided by you, your financial advisor or mortgage broker) or by corresponding with third parties (such as credit bureaus).
We may monitor, record and retain the information collected from you over telephone or by electronic means. Recording of telephonic conversations are done primarily for training, fraud prevention and investigations, and quality assurance purposes. Information collected by other electronic means is retained to establish a record of the information you provide, to ensure that your instructions are followed properly and to ensure customer service levels are maintained.
- Limiting Use, Disclosure and Retention
Information gathered from you will only be used or disclosed for the purpose for which it was collected, except as you otherwise consent to or as otherwise required or permitted by law.
Depending upon the product(s)/service(s) you have applied for, we will review your credit history and information about your personal finances. With your consent, we will also disclose your credit history with us to other lenders or credit bureaus to support a credit approval process.
In connection with limiting the use, disclosure and retention of your personal information, we bring to your attention the following:
- We sometimes require services from suppliers and agents, such as cheque printers and market research and computer data-processing companies within and outside Canada. Before disclosing any personal information to them, we obtain their contractual commitment to keep all such information secure and confidential, and we ensure that only necessary information is disclosed.
- Our client lists are for use by the Bank only and we never sell or give lists to other companies other than as provided herein.
- We are required to share personal or other information subject to various government reporting requirements.
- We may receive subpoenas, search warrants, and court or government orders such as production orders. In such cases, we will release only such information that is legally required to be released.
- To protect the public interest, we may disclose personal information to public authorities without requesting an individual’s consent.
- In keeping with applicable requirements, we may disclose your personal information without requesting your consent to protect and defend ICICI Bank's and its affiliates' rights, interests or property; or, to enforce the terms and conditions of the products or services provided by ICICI Bank; or, to protect the interests of ICICI Bank or its affiliates.
- The Bank may disclose personal information, without your knowledge or consent, to an investigative body when there are reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed and the information is used for the purpose of investigating that contravention.
- The Bank may use and disclose personal information, without requesting your consent, for the purpose of engaging in a due diligence process for a prospective business transaction where such information is necessary to determine whether to proceed with the transaction.
- Some of our agents, suppliers and service providers may be located outside of Canada and the data shared with the agents, suppliers and service providers may be processed and stored outside of Canada. Personal information transferred and stored outside Canada is subject to the laws of those countries and if so, may be shared with foreign authorities as required by valid demands, requests or orders by courts, regulators, government authorities and law enforcement authorities in those countries.
- The Bank will take measures to provide a comparable level of protection to your personal information that is transferred by the Bank to any third party for the purpose of supporting the Bank in providing a service or product to its clients or to comply with a legislative or regulatory requirement applicable to it. Some of examples where we may use or disclose your information are:
- To protect against fraud and manage risk;
- To determine your eligibility for certain of our products and services as permitted by law;
- To comply with legal or regulatory requirements, or as otherwise permitted by law; and
- To respond to any questions, you may have.
Your personal information will only be retained for the period of time required to fulfill the purpose for which it was collected or as may be required by relevant laws, whichever is greater. Following this period of time, your personal information will either be destroyed or erased.
If you have not opted out of the use or disclosure of your personal information for marketing purposes, we may also use your personal information for marketing additional products and services including special promotional offers, which may be of interest to you. As stated in the “Consent” section, you may be able to withhold or withdraw consent to the use of personal information for promotional purposes.
We will make every reasonable effort to keep your personal information accurate and up-to-date as required to fulfil the purposes for which the information was collected. To help us achieve this, we encourage you to keep us informed of any changes, such as if you move or change telephone numbers. We also encourage you to keep us informed of any changes, such as if you move or change telephone numbers. Notifying us of changes to your personal information will help us improve the way we that communicate or provide services to you.
You have the right to access, verify and amend the information held in your personal and financial files. If you find any errors in our information about you, let us know and we will make the corrections as soon as reasonably possible and transmit the amended information to related parties, where appropriate.
- Safeguarding Client Information
We will protect your personal information with appropriate safeguards and security measures. We may use video surveillance in and around our branches, bank machines and other locations for the purpose of safeguarding our clients and employees and protecting against theft, fraud and vandalism. We may also record our telephone communication with you for the same purpose. We will also retain your information only for the time it is required for the purposes we explain.
We use various physical security measures such as restricting employee access to files and data centers, using fireproof and locked file cabinets, and a variety of electronic security measures for safeguarding confidentiality and integrity of personal information as defined in the Bank’s Information Security Policy, Standards and Procedures. We also have agreements in place with the third party service providers for the same purpose.
The Bank has also implemented a Records Maintenance Policy that facilitates the proper disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
- Openness and Your Refusal or Withdrawal of Consent
At your request, we will make available additional information concerning the policies and practices relating to the management of your information. Our Privacy Statement is available on the website and also in our branches as a printed brochure.
We will also explain your options of refusing or withdrawing consent to the collection, use or release of your information, and we will record and respect your choices.
In most cases you are free to refuse or withdraw your consent at any time. You may do so by contacting the branch or office where your account is held. Our staff will be pleased to explain your options and any consequences of refusing or withdrawing your consent, and record your choices.
As earlier noted under the “Consent” heading, if you don't want us to share information within the ICICI Bank Group of companies or contact you with product information, you can tell us so at any time. However, agreeing to let us share your information within businesses of ICICI Bank Group may help us to serve you better.
- Client Access
At any time, you can find out what personal information we have, what it is being used for and to whom it has been disclosed. However, in some specific circumstances, disclosure of your personal information to you can or must by law be denied, for example, when:
- The information is protected by solicitor/ client privilege;
- Disclosure of the information would also reveal personal information about another person; or
- Disclosure would reveal confidential commercial information.
We will do our best to provide the required information to you within 30 days and will provide an explanation if we are unable to meet your request. A fee may be charged for certain inquiries due to the time and resources required, in which case we will provide an estimate of the amount in advance.
- Client Concerns
If you have any questions, concerns or problems about privacy, confidentiality or how a request for information was handled, please write to/e-mail us at the below noted address or call/fax us at the below noted numbers:
ICICI Bank Canada
Don Valley Business Park
150 Ferrand Drive, Suite 1200
Toronto, ON M3C 3E5
Telephone: (416) 360 0909
Fax: (647) 436 1178
Privacy Online – General
When you visit our website and move from page to page, read pages or download content onto your computer, we learn which pages are visited, what content is downloaded, and the address of websites that you visited immediately before coming to our website. However, none of this is associated with you as an individual. Rather, it is for statistical purposes. We use this information to find out how many people visit our websites and which sections of the sites are visited most frequently.
When you register for one of our digital banking services such as online banking or mobile banking, we compile your profile for that service. Each time you use our digital banking services, we collect your login ID, information about the transactions that you complete and the informational pages of the web that you visit while using the service. We use your profile in responding to your enquiries on the service. We use your login ID to identify you as a user of the service. We use the transaction information to assess and improve the service. We use specific transaction information for servicing purposes (e.g. billing). We do not install any computer programs automatically on your electronic device when you access the Bank’s website or conduct a transaction over the internet.
In some cases, we may collect other information about you that is not personally-identifiable. Examples of this type of information include the type of Internet browser you are using, the type of computer operating system you are using, internet connection or telephone account, settings, IP address, device locational data and the domain name of the website from which you linked to our website or advertisement.
When you send us an email or when you ask us to respond to you by email, we learn your exact email address and any information you have included in the email. We use your email address to acknowledge your comments and/or reply to your questions, and we will store your communication and our reply in case we correspond further.
ICICI Bank will not be held liable for disclosure of the personal information when this is done in accordance with this Privacy Statement or pursuant to the terms of any agreement with you.
ICICI Bank is strongly committed to protecting your privacy and has taken all appropriate measures to protect the confidentiality of your personal information and its transmission through the worldwide web and it shall not be held liable for disclosure of the confidential information when this is done in accordance with this Privacy Statement or pursuant to the terms of any agreement with you.
ICICI Bank uses 128-bit encryption, for the transmission of the information for the logged in pages. When the information provided by you is not transmitted through this encryption, your system (if configured accordingly) will display an appropriate message ensuring the best level of security for this information.
You are required to cooperate with ICICI Bank in order to ensure the security of the information, and it is recommended, for example, that you choose passwords carefully such that no unauthorized access is made by a third party. You should undertake not to disclose your password to anyone or keep any written or other record of the password such that a third party could access it.
The Client shall not disclose to any other person, in any manner whatsoever, any information relating to ICICI Bank of a confidential nature obtained in the course of availing the services through the website. Failure to comply with this obligation shall be deemed a serious breach of the terms herein and shall entitle ICICI Bank to terminate the services, without prejudice to any damages, to which the Client may be entitled otherwise.
Other Web Sites
Our website(s) may contain links to other third party sites that are not governed by this Privacy Statement. Although we endeavor to only link to sites with high privacy standards, our Privacy Statement will no longer apply once you leave the ICICI Bank website. Additionally, we are not responsible for the privacy practices employed by other third party website. Therefore, we suggest that you examine the privacy statements of those sites to learn how your information may be collected, used, shared and disclosed.
Privacy Breach Notification
A privacy breach occurs when there is unauthorized access to or the collection, use or disclosure of personal information. There are several possible causes of a privacy breach including but not limited to stolen data, mistaken disclosures, faulty business procedures or operational break-downs. When we come to know about the occurrence of a privacy breach the following steps will be taken:
- Breach Containment and Preliminary Assessment
The Bank will take immediate steps to contain any potential breach and thereby reduce the risk of re-occurrence by taking such steps as putting on hold the existing process, recovering the records and shutting down the affected systems temporarily. In case of a breach, the Bank will designate an appropriate individual to conduct the preliminary breach assessment. If a breach appears to involve theft or other criminal activity the appropriate law enforcement authority will be immediately notified.
- Risk Evaluation
Subsequent to the preliminary assessment, the Bank will assess the risks associated with the breach. The steps may include checking the extent of involvement of personal information, the cause and extent of the breach, identification of individuals affected by the breach and the assessment of foreseeable real risk of significant harm2 from the breach.
The Bank recognizes that notification can be an important mitigation strategy that has the potential to benefit both the organization and the individuals affected by a breach. The notification procedures involve the consideration of factors leading to real risk of significant harm that would become relevant for notification. The risk assessment assists in identifying who should be notified and when and how the notification should happen. All such notifications will be done by the Chief Privacy Officer of the Bank. The notification will include appropriate information including but not limited to information about the incident, the extent of personal information involved in the breach and contact information of the Privacy Officer of the Bank and the Office of Privacy Commissioner (“OPC”) of Canada.
As mandated by the law, a breach notification will be made by the Bank as soon as feasible after a breach has occurred and where there is real risk of significant harm to individuals affected by the breach. Such notification will be in the prescribed manner, content, form and will include (i) a description of the circumstances of the breach, (ii) a description of the personal information that is the subject of the breach, and (iii) details of the Privacy Officer of the Bank that the affected individual can use to obtain further information about the breach. The notification would be directly given to affected individuals in the prescribed manner and form, except in prescribed circumstances wherein the notification shall be given indirectly in the form and manner as per the law.
The Bank will notify any other organization such as a government institution or a part of a government institution, insurers, professional or other regulatory bodies, or credit reporting agencies, wherein the Bank believes that notifying these other organizations may help reduce the risk of harm or mitigate that harm, if any.
The Bank has developed a Reportable Privacy Breach Framework to assess the materiality of risk involved in the privacy breach in accordance with PIPEDA and guidelines issued by the OPC.
The Bank will maintain a record of every breach of security safeguards as per Record Maintenance Policy for at least 24 months after the day on which the Bank determines that the breach has occurred, and that record will contain any information pertaining to the breach that enables the OPC to verify compliance with the reports to the Commissioner and notification to affected individuals.
- Prevention of Future Breaches
Once the Bank has taken the requisite immediate steps, it will conduct root cause analysis with a view to preventing a re-occurrence of the breach. The level of efforts to be put in prevention will depend upon the significance and extent of the breach and whether it was a systemic breach or an isolated instance. The preventive steps may include the conducting of a security audit, a review of applicable policies and procedures, a review of employee training practices and a review of service delivery partners.