Privacy & Security

Click on a topic below to be taken directly to the section.

Privacy code

In order to serve our members, we need to collect specific personal information. Personal information is typically considered to be any information that can be traced back to an identifiable individual.

We collect this information to satisfy our regulatory requirements as a financial institution, and to help provide a positive member experience. Personal information helps us develop greater insight into the products and services members require now, and in the future, and to build member knowledge and awareness of complimentary products, resulting in an enhanced member experience.

Our Privacy Code applies the 10 fair information principles outlined in the Government of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). These 10 principles form the foundation of rules for how we collect, use, disclose, and provide access to personal information. We may make changes to this Privacy Code and information handling practices from time to time. We will publish those changes on our website and update our Privacy Code.

Principle 1 – Accountability
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.

Principle 2 - Identifying purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 - Limiting collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.

Principle 5 - Limiting use, disclosure, and retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

Principle 6 – Accuracy
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.

Principle 7 – Safeguards
Personal information must be protected by appropriate security relative to the sensitivity of the information.

Principle 8 – Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

Principle 9 - Individual access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 - Challenging compliance
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.

Privacy practices

The security of our members and their personal information is of utmost importance to us. We regularly work with banking-industry regulators to refine our security practices and ensure we meet the highest standards.

What information we collect

In the course of business, we collect personal information that allows us to provide informed, reliable financial products, services and advice, and meets our regulatory requirements. In all cases, we only collect the information we require and only use it for the purposes explained to you.

For every product or service we offer, we require basic information such as your name, address, and identification. Depending on the purpose of your membership and the products and services you select, various information may be requested to complete the application process.

Birth Date

Your birth date helps us ensure no one is trying to impersonate you, and helps us determine your eligibility for products and services designed for particular age groups.

Social Insurance Number (also referred to as Tax ID)

Your SIN is unique to you, so having this on file means we can keep your information separate from that of other members with a similar name. In addition, we require your SIN for Canada Revenue Agency's income reporting requirements.

Financial Information

We want to give you the best advice possible. That starts with understanding your current financial situation.

Health Information

For some products, such as insurance, we are required to collect health information as part of the application process, to determine your eligibility for the selected product.

Contact Information

In addition to your mailing address, we also collect your phone number as another means to communicate with you and provide important information about the products you hold with us. You have the option to provide us with your email address, which will help you access and use our digital services. We will also use your email address as an alternate form of communication to reach out to you about your accounts and to keep you informed about products and services that may be of interest to you. You can learn more about how we use email and the options available to you here.

We also ask you provide a next of kin and their address and telephone number, so we know who to alert in a critical or emergency situation.

Gender Preference

We record your gender preference to align with other governing bodies and to match the information on your proofs of identification (ex. your license).

Purpose of membership and accounts or services

As part of our FINTRAC reporting requirements, we are required to collect information that helps us understand the types of transactions we should expect to occur within your membership and accounts. This protects you and helps us monitor attempts at fraud or other illegal activities. This information includes:

Reason for opening membership: Why you chose to open a membership at SCU.
- Purpose of business relationship: How you or your business intend to interact with us.
- Intended use: The type of transactions we should expect you to make within a specific account or product.
- Occupation and current employer
- Third-party Determination: Are you acting on behalf or opening an account on behalf of any other person or will the account be used by a third party?
- Politically Exposed Person or Head of an International Organization: We are required to determine whether you, or a member of your family (or close associate) is a politically exposed person (PEP) or head of international organization (HIO).
- Declaration of Tax Residency: In compliance with the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS), we are required to determine the tax resident country for all members. You will be asked to complete a declaration at membership opening and when a change of circumstance occurs.

Biometric Data

We collect biometric data for the purpose of verifying your identity, to guard against fraud and to create a smoother in branch experience for our members. You will be asked to give consent to the collection of your biometric data (whether that is your signature, a palm vein scan or otherwise), before we collect it from you. As with other personal information we collect from you, biometric data will be protected with safeguards that are appropriate to its sensitivity, and used and disclosed only for those purposes that are set out in these Privacy Practices or otherwise communicated to you by our staff.

Why we collect your information

The financial services industry is heavily regulated to protect individuals and prevent money laundering and other criminal activity. Much of the information we collect is to satisfy these regulatory requirements, however, it also allows us to serve you better. By collecting current, accurate personal information we can provide you with the best possible financial advice, as well as products and services you may find valuable.

The personal information we collect will only be used, disclosed or retained for the intended purpose for which it was gathered, as authorized by you or as required by law.

We will not gather, use, retain, or disclose your information without your consent, and we will never sell your information to a third-party.

We collect your information to:

Verify your identity when you are in the branch, on the phone or banking digitally;
Understand your banking requirements, including personal and business financial products and services;
Provide you with the products and services you request or that may benefit you;
Develop, offer, manage, and provide products and services that meet your needs;
Determine your eligibility for our products and services;
Contact you directly about the products you have with us, or inform you about products or services that may be of interest to you;
Conduct member research and member satisfaction surveys;
Detect and prevent fraud, and help safeguard your and our financial interests;
Help us collect debts or enforce obligations which are owed or guaranteed by you to us;
Respond to lawful requests for information about you;
Meet our regulatory requirements; and
Carry out any other purpose that you authorize or that is required by law.

How we protect your personal information

We have comprehensive safeguards in place to protect our systems and your personal information so you can bank with confidence.

Employee training

All employees go through training on how to safeguard member information and are required to pass privacy and security tests each year. Staff are only permitted to access member information as required by their role or specific duty. We only gather and retain information for the intended purpose and we have procedures on how information is collected, stored, handled, and destroyed.

Employees do not have access to member information such as passwords, access codes or ATM Personal Identification Codes (PIN) and will not ask you to reveal them.

Technology

We invest in technology to protect member information, ensure online security measures are in place and to provide a secure experience. We use the newest security standards to protect our systems, digital properties and services, and your information. Incorporating security features including firewalls, encryption, and cookies ensure the security and privacy of our members by taking steps to unauthorized access to our internal systems.

We also use biometric data to help safeguard your personal information. This includes palm vein scanning technology, which recognizes the vein pattern in your palm and uses it to verify your identity, when you carry on activity related to your account. The scan is immediately converted into an encrypted string of numbers, meaning that the image is not stored and cannot be re-produced by anyone else. Unlike a password, a vein scan cannot be forgotten, stolen or lost. Further, only you can produce your palm vein pattern, which does not change over time, as might your face, fingerprints or other physical attributes that can be used to identify you.

Secure email

We always use encrypted or protected email when sending sensitive or confidential information or documents. Encrypted emails are managed through a secure web-based portal and may be initiated by a member of our staff. When you receive an encrypted email from us, you will be prompted to select read the message, and you will be able to reply like a regular email and add attachments as necessary.

Learn more about using encrypted email — Outlook (microsoft.com).

When we share your information

Personal information may be shared or disclosed in limited circumstances and with certain organizations, subject to duties of confidentiality towards our members and subject to the Government of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Examples of those organizations are:

credit reporting agencies;
debt collection agencies;
regulatory bodies, government agencies (local, provincial and federal), law enforcement bodies, regulatory organizations and courts;
other parties as required by law;
your authorized representative or person acting on your behalf;
mortgage insurers and any re-insurer of any such mortgage insurance;
our auditors to ensure the integrity of our operations;
affiliated and external product and service providers (so they may provide you with the product or service you seek); and
organizations, advisors and trustees where credit facilities are pooled and sold.

We also may share personal information with affiliated and external product and service providers, when necessary, to provide and administer products and services. This may include card and cheque book production, market research, member surveys, statement production, payment services, and information technology support (including with respect to our biometrics measures). We take our obligations to protect personal information very seriously and deal only with parties who share and demonstrate the same attitude.

Your access to your personal information

We want you to feel secure about the personal information we have on file, and can assure members that the information collected is being used for the purposes outlined . You can contact us to inquire about:

the personal information we have collected;
the use or disclosure of your personal information;
how to request access to your personal information;
how to correct your personal information;
requesting a copy of the personal information we have in our records; and
the length of time we retain your information.

Requests for access to limited amounts of personal information, such as checking to see what address or telephone number we have recorded, can generally be handled in a branch or over the telephone. Requests for access to more substantial amounts of personal information may take longer and may require you to submit a formal request.

In a limited number of circumstances, we may not be able to tell you what personal information is held about you including where:

it will threaten the privacy of other individuals;
the information relates to anticipated legal proceedings;
the information would reveal our commercially sensitive decision making process; or
the law prevents us from disclosing the information.

Limiting or withdrawing your consent

Serving our members well and providing them with expert advice is fundamental to how we do business. To deliver on this, we may use personal information we have collected to contact you in order to inform you of a new, existing or improved product or service that may benefit you.

You have the choice to limit or withdraw your consent to receive marketing information from us and may ask us not to contact you by telephone, mail, or email, for marketing purposes. If you would like to change or limit your consent, please ask us for our Privacy Exception Form.

Please note there are communications we are required by law to provide, and you cannot opt out of these. For example, communications containing information about changes to products or services, or material on or accompanying your regular account statements.

We have processes in place to securely destroy, delete, erase or de-identify your personal information, when it is no longer needed for the purposes for which it was collected. For example, if you withdraw from our palm vein scan initiative, we will delete the mathematical summary of your palm vein pattern from our systems.

Online privacy and security

We want to provide all members with a safe and secure online experience when using our digital banking platforms, visiting our website or other web pages, and communicating with us electronically. Though technology allows us to interact in new and different ways, our promise of providing member-focused, knowledgeable, and secure banking experience is at the core of our business, as it has been for 80 years and counting.

Secure digital banking | Personal and business

*Please note the information directly below pertains to digital banking for personal and business use accessed at online.scu.mb.ca. If you would like to learn about the privacy and security features of MemberDirect^®Business Services, our online enterprise banking service for larger organizations, please click here.

Our digital banking platform for personal and business use is designed to make accessing and managing your finances convenient, intuitive and secure. As always, we advise that you take additional precautions while browsing online and practice good cyber hygiene like strong passwords, safe browsing and regularly monitoring your accounts.

Let’s work together to protect your accounts and keep your money safe.

Our security protections

Our digital banking system has industry-leading security capabilities, including robust fraud prevention, cyber security features, and high-risk transaction protections to ensure that your transactions are secure while data is transmitted between your device and our banking server.

Encryption

We use 256-bit TLS encryption on our desktop online banking site and mobile app, enabling you to easily and securely complete banking transactions on your phone, tablet or computer.

Controlled account access

You have control over your account access – only you should know your username and password. Our employees do not know your password, nor will they ever require it from you.

Two-factor authentication

To help protect you and secure your transactions within online banking and our mobile app, we use authentication codes as a form of two-factor identification. When conducting higher risk transactions in digital banking, such as adding a new bill payee, you will receive an authentication code via text or email. You will also receive an authentication code when you log in for the very first time if the email address or mobile number information you enter is not on file with us.

Account alerts

You will receive an email alert anytime your digital banking password is changed, new biometric access is added, or there is a password attempt lock. With the touch of a button, you can easily set up additional alerts to help you manage your finances and provide an additional layer of security.

Password protection

There is a maximum number of attempts to input your digital banking password. If you exceed this number, your digital access will lock, as a safety measure. You can unlock your digital access by clicking the Forgotten password link, which will send an authentication code so you can create a new password. The authentication code will come to the email address or mobile number associated with your digital banking profile.

Secure sign out

To ensure the security of your banking session, we recommend that you always sign out. To protect your privacy and information, the banking system will automatically end your online banking session after a set period of inactivity. At that time a pop-up box will appear, asking if you are still using the site. If no activity occurs after one minute, the system will automatically log you out.

Secure digital banking | Enterprise

MemberDirect^® Business Services is our enterprise online banking platform. It is tailored to meet the needs of larger organizations or organizations with robust business banking needs.

Our security protections

We take many precautions to protect the online banking environment and ensure your information is safe. MemberDirect Business Services offers you the best security currently available in a commercial online banking environment so that your personal and financial information is protected while in transit between your computer and our server.

Access to our databases is strictly managed and systems are in place to ensure security is not breached, including the physical security of our computer hardware and communications.

Encryption

To access MemberDirect Business Services, your browser must support 128-bit Secure Sockets Layer (SSL) encryption. Encryption ensures that information cannot be changed or read in transit, by scrambling the data using a complex mathematical formula. Some browsers can create a more secure channel than others, owing to the ‘strength’ of their encryption.

Controlled access to your information

You have control over your account access – only you know your sign-in credentials and password. Our employees do not have access to your Personal Identification Code (PAC), nor will they ever require it from you. Access to MemberDirect Business Services requires you to enter your MemberCard number and PAC to log in. If someone does ask you to provide your PAC to them, we ask that you refuse to do so, and contact us immediately. We recommend that use your MemberDirect Business Services password for online banking purposes only. Select a different password for other secure logins uses.

Transactional services

By nature, the MemberDirect Business Services online banking site has many transactional functions, such as transfers between accounts and bill payment functions. These transactions are all logged to ensure that your accounts are debited or credited appropriately, and a history of each transaction is available to verify your account. We store and use your transactional information in the same fashion as if you performed the transaction at a branch or any other service channel. We may also use transactional information for servicing your account. For example, billing you for the particular transactions that you perform, or for the services that you use.

Enhanced security feature

On the login screen of MemberDirect Business Services, our enhanced security feature provides you even greater control over your privacy. When you select the Enhanced Security checkbox, it will prevent your browser from caching (storing in the computer's memory) those pages that you have viewed. Should you click on the Back button to view a previous page during a session, the page will be recalled directly from our server. Therefore, when you logout, no one will be able to view your information by clicking on the Back button, or by viewing the browser's history. Use the enhanced security features function if you are accessing your accounts from a publicly available computer such as in a library or airport, or from an unknown computer in a new location.

Secure logout

When you exit using the logout button, MemberDirect Business Services deletes your session cookie so that your session cannot be resumed unless your MemberCard number and PAC are re-entered. We encourage you to always use the logout button to end your session to ensure no one else can access your personal information.

In the event you leave your computer without logging out, the MemberDirect site has been designed to end your session automatically if our system detects you haven't provided any instructions or used the browser buttons to navigate for several minutes. To restart the session, you will need to provide your PAC again.

Cookies

As you use MemberDirect Business Services, cookies are passed back and forth between our server and your browser. While cookies can be used for a variety of reasons, we only use them where they are of benefit to you.

Specifically, we use two kinds of cookies, session cookies and persistent cookies. A session cookie exists only for the length of your browsing session and is deleted when you close your browser. A persistent cookie is a cookie that stays on your computer after you close your browser. A persistent cookie may or may not expire on a given date.

We use a session cookie to maintain the integrity of your online banking session. With each page that you visit, the cookie is passed back and forth between our server and your browser. We use the cookie to distinguish your session from the many others that may be happening at the same time. Our session cookies never store any personal information, such as your name, date of birth, or financial information such as your accounts and balances.

We use a persistent cookie to store information to help you personalize the MemberDirect site and to make it easier to use. For example, we allow you to make the MemberDirect login easier by remembering your MemberCard number. Since this feature is optional, this cookie only contains information that you have entered into it.

Most recent browser versions allow the user to set some level of control over which cookies are accepted and how your browser uses them. Many browsers will allow you to accept cookies from only known, reliable sites that you select, such as the MemberDirect site. If you are concerned about cookies, we encourage you to upgrade your browser to a recent version and review the Help section of your browser to learn more about its specific control features.

Links to other sites

The MemberDirect site may contain links to other websites or online resources. We have no liability for or control over these other websites or online resources or their collection, use and disclosure of your personal information. Always review the privacy policies of the sites that you are visiting.

Service partners

In providing our complete online banking service, we often use external service partners and suppliers to assist us. In performing their duties, these service partners may handle components of your personal information on our behalf. We ensure, through our contracts with these partners, that they handle your information with the same standard of care that you have come to expect from us. Our suppliers, like our employees, are bound to maintain your confidentiality and may not use the information for unauthorized purposes.

Some of our partners require that you first register with their service to permit us to tie their functionality into the MemberDirect Business Services site. Registration for these external services will always be at your discretion. We may append personally identifiable data to this registration for the partner to use to compare and validate the registration. You will always be notified of such an action during the registration process.

Email

We use email to communicate directly with our members. We may store your correspondence and exact email address for future communications directly with you. Under no circumstances do we sell email addresses to any other party.

Secure email

When you receive an encrypted email from us, you will be prompted to select Read the Message, and you will be able to reply like a regular email and add attachments as necessary.

Learn more about using encrypted email — Outlook (microsoft.com).

Do not use unencrypted email to send sensitive and confidential information or documents. It’s important to remember we will not ask you to share any personal information without using the secure web portal.

For tips on email best practices, visit our fraud prevention centre.

Marketing emails

As a member of SCU, your email, if provided, is added to our member database to receive emails regarding SCU products, services and general notices and information. These emails are sent via third-party online software. You can opt out of these emails at any time by clicking ‘Unsubscribe’ within an email communication, or by asking an SCU representative to update your email consent.

Website and webpages

Usage statistics
To continually improve our website and web pages, we collect statistics about how people use them. These usage statistics are only viewed in aggregate and are not associated with you as an individual. We use this information for purposes such as improving pages to be more user friendly.

The information collected may include your IP address, your browser type and your operating system, as well as data such as the number and types of pages visited, and the length of time spent per page and on the site overall.

Cookies
‘Cookies’ are small text files that are stored on your digital device when you visit a website. ‘Session cookies’ are deleted when you close your browser. ‘Persistent cookies’ stay on your device until you delete them from your cache, or until they expire. We use both types of cookies to help us provide you with a better overall digital experience. By continuing to browse our site, you are agreeing to our use of cookies. You have the option to block cookies through the settings feature of your browser, but please note this may have a negative impact on your experience with our website.

Use of Third Parties
SCU may use third party providers, such as Google Analytics, to help collect and compile website information like the number of visitors to our site, where visitors came from to enter the site, and the pages they visit while on the site. We also use these services to help measure the effectiveness of our advertising and communication efforts. Third-party providers may also use cookies to deliver content that is relevant and of interest to you under their own cookie and privacy policies .

Your IP address may be collected along with identifying the device type you are using on the date you visited our site. These third-party providers can supply non-identifying, aggregate data only, and do not collect or provide personal identifying information. SCU may layer this aggregate data with our own analytical information, but do not connect any of this data to an individual member.

Contact forms
Our website and web pages offer contact forms that allow you to communicate with us. Our contact forms may ask you to provide contact information such as your name, email address, phone number, and city. This is so we can respond to your request.

We may also ask you to identify if you are an existing member, your preferred branch, and other information that will help us best respond to you. We will not share any personal information obtained on our website with any other organization without your consent.

Please note that the contact forms on our website scu.mb.ca and other web pages should not be used to communicate private information such as your member number, account numbers, or other confidential information.

Links to other sites
Our website or web pages may contain links to other websites or online resources. We have no control over these other websites or online resources and do not control their collection, use, and disclosure of your personal information. Always review the privacy policies of the sites that you are visiting.

Report fraud

To learn more about recent scams or to report you are a victim of an actual or attempted scam, please visit the Canadian Anti-Fraud Centre and the Government of Canada’s Competition Bureau.

For more information on fraud, visit our fraud prevention centre.

Contact our Privacy Officer

We welcome any questions or concerns about our Privacy Code or our privacy practices. Please contact us in writing or by email:

Privacy Officer, Steinbach Credit Union
333 Main Street
Steinbach, Manitoba R5G 1B1

Email: scu@scu.mb.ca
Please use the subject line, Attn: Privacy Officer

How you can protect your information

Protecting our members is our top priority, and the first step is to provide you with the information you need to protect your information from fraud. Our fraud prevention centre contains great tips, resources, and advice to help protect yourself and others from becoming a victim of fraud.