For reference purposes only
LAST UPDATED: [April 8, 2019]
VERIFIED.ME SERVICE – PRIVACY NOTICE
The Verified.Me service is an information management and sharing service provided by SecureKey Technologies Inc. (“SecureKey”, “us”, “we” or “our”). SecureKey is committed to respecting and protecting your privacy and the security of your Personal Information. This Privacy Notice explains how information about an identifiable individual (“Personal Information”) is collected, used, disclosed, stored and safeguarded in connection with use of the Verified.Me service and the Verified.Me mobile application (collectively, the “Service”). By using the Service, you agree and consent to the collection, use, disclosure, storage and retention of your personal information in accordance with this Privacy Notice.
About the Service
The Service allows you to authorize your selected Identity & Data Providers to share certain of your information with Relying Parties.
You, you or your means the person who wishes to use the Service, and whose Credentials (as defined below) have been used to register for the Service.
Identity & Data Providers (which may sometimes be referred to as ‘connections’) are eligible organizations in Canada that participate in the Service that generate or hold certain information about you. Examples of Identity & Data Providers include financial institutions, credit bureaus, telecommunications providers, government departments and agencies and other eligible third parties.
Relying Parties are eligible organizations in Canada that participate in the Service that ask you to provide certain of your User Information through the Service to facilitate interactions with you, for example, to help verify your identity and/or eligibility for product or service offerings. Examples of potential Relying Parties include financial institutions (e.g., for online bank account applications), telecommunications service providers (e.g., for account opening and service or device eligibility), online merchants (e.g., for hotel bookings), government departments and agencies (e.g., for program eligibility) and other eligible third parties. When sharing information with a new Identity & Data Provider in order to add it as a new connection on your Verified.Me profile, that Identity & Data Provider will be deemed to be a Relying Party.
Two main types of Personal Information are involved in the Service: (1) the information you authorize Identity & Data Providers to share with Relying Parties and, as applicable, other Identity & Data Providers that you wish to add as connections, such as your name, email address, mobile or home phone number(s), mailing address, date of birth and certain of your account, profile or other information (“User Information”) and (2) certain information that is collected or generated by SecureKey and its authorized service providers for purposes of operating and maintaining the Service (“Activity Data”).
You will be asked to give your consent every time you wish to have one of your Identity & Data Providers share your User Information with a Relying Party or another Identity & Data Provider.
How we collect and use your information
The Service registration process requires you to select the financial institution in Canada that is participating in the Service (“Financial Institution” or “FI”) that you have an active and existing business relationship with to create your Verified.Me profile, which will form the basis of your Canadian Verified.Me account (the “Verified.Me account”). This FI will become your first Identity & Data Provider. During your initial registration, your FI will authenticate you using your existing banking credentials that you use for authentication purposes to access services at your FI or which are otherwise required by your FI to access the Service, such as username, password, card number, biometric identifiers (including fingerprints, voice patterns and facial recognition), one-time passcode or other information (collectively, “Credentials”). Once you are initially authenticated by your FI, your FI will create and store an individualized Verified.Me account identifier for you which is distinct from your Credentials, and will register this identifier with the Service. You will be authenticated by your FI using your Credentials each time you want to log in to the Service.
The Service has no access to your Credentials.
Following your successful authentication using your Credentials during the registration process, your selected FI will provide a summary of your User Information available for you to share with Relying Parties. If any of your User Information displayed during registration is incorrect, you must discontinue the registration process and contact your FI to update your User Information in its files, to the extent required.
CONSENT TO SHARE YOUR INFORMATION
SecureKey may, but is not obligated to, monitor the Service in an effort to identify unauthorized use and to protect users and Service participants (namely, FIs and other Identity & Data Providers and Relying Parties). Activity Data collected for this purpose includes general information about your transactions, such as the type of Relying Party with whom you consented to share your User Information, as well as the type and the sensitivity level of the information you are sharing.
Activity Data collected or generated by the Service also includes information about activities that occur with your Verified.Me account, including, for example, your registration with the Service, successful and failed logins from your electronic access device (as defined below), information about your electronic access device, such as its model, operating system, device ID and MAC address, connections established with new Identity & Data Providers, and consents to share your User Information. (For the purposes of this Privacy Notice, “electronic access device” includes your cell phone, smart phone, mobile device, personal computer, tablet or other electronic device that you can use to access the Service.) Certain details about these activities are stored and viewable in your Verified.Me mobile application activity log. This activity log does not contain your Credentials or any of your User Information that you have agreed to have an Identity & Data Provider send to a Relying Party through the Service.
MOBILE PHONE NUMBER COLLECTION AND USE BY RELYING PARTY IN RELATION TO VERIFIED.ME
Protecting your information
All of your User Information that you authorize an Identity & Data Provider to share with a Relying Party through the Service will be protected with security mechanisms intended to prevent your User Information from being identified, accessed or misused when it is sent through the Service.
Your Activity Data is stored in protected form. Only authorized personnel within the Service will have the ability to retrieve Activity Data from the Service audit systems. Details of certain activities are available to you through the activity log in your Verified.Me mobile application.
Disclosing your information
The Service facilitates the disclosure of your User Information from Identity & Data Providers to Relying Parties with your consent. Because your User Information may include private or confidential Personal Information, please ensure that you understand how it will be used and further disclosed by a Relying Party before giving your consent to share any of your User Information.
SecureKey may report suspected fraudulent activity to Service participants, including the FI you selected when first registering for the Service, or other parties as permitted or required by law, and certain of your Personal Information may be included in those reports to assist with fraud prevention, detection, investigation and remediation.
In connection with providing the Service, SecureKey may transfer or provide access to your Personal Information to outside agents or service providers that perform services on our behalf (e.g., data hosting or processing services), or that otherwise collect, use, disclose, store or process information on our behalf for the purposes described in this Privacy Notice. SecureKey requires such service providers to maintain comparable protections over Personal Information shared with them.
We may also disclose Personal Information: (a) to any governmental authority where required by law, (b) in response to a court order, subpoena, discovery rule, or other lawful request, (c) as otherwise required under any applicable law, rule, or regulation, (d) in good faith, if an investigation is required (for example, as a result of a potential privacy breach or unauthorized transaction(s)), and (e) to protect or defend our rights or property or those of other persons.
If we sell our business or the part thereof that operates the Service, we may transfer Activity Data to prospective purchasers to the extent necessary to enable consideration of the transaction. We may also transfer any Personal Information in our control at the time of such a transaction to the purchaser so that the purchaser can continue to operate the Service after the transaction has been completed.
Storing and retaining your information
When you consent to the sharing of your User Information from an Identity & Data Provider to a Relying Party through the Service, your User Information is temporarily held in our networks to facilitate the successful transfer. Information is purged from the network in accordance with our record retention policies.
User Information that is made available on your electronic access device for your review before you consent to having it shared with a Relying Party by the applicable Identity & Data Provider(s) is maintained within the Identity & Data Provider’s systems, and is not stored locally on your electronic access device.
Other information that we generate or collect in order to provide the Service, such as account identifiers and other Activity Data, is only retained for as long as necessary to administer the Service.
Activity Data is stored by the Service for legal, regulatory, suspected fraudulent activity investigations and dispute resolution purposes in accordance with our record retention rules.
Personal Information that is stored by the Service is maintained on our servers, or those of our service providers, and is accessible only by our authorized employees, representatives and service providers who require access in connection with their responsibilities.
Suspending or Closing your Verified.Me account
Authorized personnel of SecureKey or its service providers supporting the operation of the Service have the ability to suspend or delete (close) your Verified.Me account in accordance with the Verified.Me Terms and Conditions governing your use of the Service. In the event your Verified.Me account is suspended and you wish to have it re-activated, you can obtain information at https://verified.me/support/knowledge-base/. You may also wish to contact your FI’s Customer Support team to obtain additional details and required steps in order to reactivate your Verified.Me account.
You may discontinue your use of the Service at any time by closing your Verified.Me account.
You may close your Verified.Me account by following the steps listed in the ‘Delete Verified.Me Profile’ section of the Verified.Me mobile application. You may also be able to close your Verified.Me account through your FI. Closing your Verified.Me account will mean that you no longer have an active Verified.Me account, you will not be able to initiate new transactions to share your User Information with Relying Parties, sharing transactions that you previously authorized may not be completed, and you will no longer have access to any transaction records that summarize previous Verified.Me account activities. However, closing your Verified.Me account will not affect (1) any of your User Information held by your Identity & Data Providers or previously shared with your Relying Parties, or (2) any transaction records or other Activity Data maintained by the Service.
If you wish to use the Service in the future after closing your Verified.Me account, you will need to complete the Service registration process again and set up a new Verified.Me account. You can use your existing Credentials to open your new Verified.Me account.
Deleting the Verified.Me mobile application from your electronic access device will not close your Verified.Me account and will not affect any sharing transaction that you previously authorized. You will be able to access your Verified.Me account in the future by reinstalling the Verified.Me mobile application on your electronic access device and re-entering your then current Credentials for your FI.
Accessing and correcting your information
Your User Information resides with your applicable Identity & Data Providers and with Relying Parties with whom you have chosen to share it. Although your User Information may be shared with Relying Parties (with your consent) via the Service, SecureKey is not an Identity & Data Provider, and cannot access your User Information to correct or modify it. Requests for access to your User Information, including requests to correct or modify it, must therefore be made by you directly to your Identity & Data Providers or Relying Parties.
In connection with sharing transactions, you will have an opportunity to view a summary of certain of your User Information within the Verified.Me mobile application before you authorize your User Information to be shared with a Relying Party. Even when you are not engaged in a sharing transaction, you will have an opportunity to view certain of your User Information that is maintained by Identity & Data Providers that you have connected to. The viewable User Information will be displayed within the Verified.Me mobile application or by clicking on the link of the applicable Identity & Data Provider within your Verified.Me account, which will take you to that Identity & Data Provider’s website or mobile application. The Identity & Data Providers may provide you with details on how to update or correct your User Information within the Identity & Data Provider’s files, or you may have to contact them to update or correct your User Information.
You may access your activity log information through your Verified.Me mobile application.
You can obtain additional information on how to access or correct your Personal Information by visiting our Support Centre at https://verified.me/kb/020-how-do-i-update-personal-information-in-the-app/.
Depending on the FI you select to associate your Verified.Me account with, you may receive notifications of some of your Service activities from your FI, such as registration completion and on authentication events occurring within your Verified.Me account. These notifications are intended to provide you with information on Service usage so that you may act upon notifications that you do not recognize as yours. None of the Relying Parties or Identity & Data Providers that participate in the Service are permitted to send you unprompted emails or text messages asking for personal details through the Service.
Dispute resolution, questions or concerns
In the event you identify transaction(s) that you have not authorized or receive a notification from your FI regarding (or otherwise become aware of) unauthorized activity in your Verified.Me account activity log, please contact customer support of your FI with which you associated your Verified.Me account. Upon your authorization, your FI’s customer support personnel will be able to retrieve your Verified.Me activity information and work with you to report unauthorized transactions to SecureKey and/or its service providers.
General queries or concerns on the privacy aspects of the Service may be directed to the SecureKey Privacy Officer. Contact details are provided below.
Third Party participants
This Privacy Notice applies to the collection, use, disclosure, storage and retention of Personal Information in connection with the operation of the Service by SecureKey and its service providers, including third parties that host and operate certain components of the Verified.Me Service on behalf of SecureKey. This Privacy Notice does not apply to your FI or any of the Identity & Data Providers and Relying Parties that use, handle, disclose or retain your Personal Information in connection with your dealings with them that are distinct from the Service, and such parties will be governed by their own privacy policies and agreements with you when they collect, use, disclose, store and handle your User Information in the ordinary course of their dealings with you outside of the Service.
Privacy Notice changes
This Privacy Notice is effective as of the date shown above and may be revised from time to time. We encourage you to review this Privacy Notice frequently to obtain the current version. Your continued use of the Service following any changes to this Privacy Notice constitutes your acceptance of any such changes.
For more information
If you require clarification about this Privacy Notice, or would like to request more information about the Service, including who to contact to request access for your Verified.Me account information, please contact our Chief Privacy Officer online at https://verified.me/privacy-request or by mail at:
SecureKey Privacy Officer
501 – 4101 Yonge Street
Toronto, Ontario M2P 1N6