In the insurance area of the industry—and I'm speaking for all of the insurers—there are training programs in place in each of the institutions. I know that at least one member institution of the CLHIA has training in place on a yearly basis for all new employees. They go through a rigorous privacy module, a Breeze module training program. They're scored on how they do on that test, which is given yearly. Frequently privacy tips are left on the Intranet site. There's a business code of conduct that all employees are required to sign every year, which says they have to comply with privacy regulations and only use the personal information they need to do their jobs.
The insurers each have a privacy policy that their employees are bound to comply with. There are individual supplemental privacy processes in place for each area of the company in disability claims, health claims, underwriting, finance, and IT. They all have differing needs to see information and use it for their jobs. There is restricted access to help prevent unauthorized access to information they don't need across the company.
The employees who are adjudicating claims for those thousand group insurance employees are bound by this business code of conduct. They have regular training and their team leads are monitored. Their quality assurance involves continued inspecting or auditing of their compliance with privacy as well.