Last revision: November 2018
Firm: North East Financial Inc.
Firm’s compliance officer: Anton Ivanov, email@example.com
1. Privacy and our business
Clients provide personal information that is essential to the firm’s business. Protecting this information is important to maintaining client trust and confidence. The relevant federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), together with the provincial privacy laws of Alberta, British Columbia and Quebec, governs the collection, use and disclosure of personal information. Personal information is any information about an identifiable individual, including health and financial information, and includes business information about an individual unless it qualifies as “business contact information”: business title, business telephone number and email address, and other information used to contact the individual in relation to their employment, business or profession.
The firm is responsible for personal information under its control and for taking appropriate steps to safeguard the personal and confidential information in its possession. In some situations, this will mean adopting new business practices to safeguard personal information.
The firm makes information regarding its privacy policies and procedures available to the public and abides by the privacy guidelines of the companies it represents (each referred to below as “the company”).
2. Concerns and general inquiries or requests
Any concerns, general inquiries or requests related to privacy and the firm are forwarded to the firm’s compliance officer, who will review and acknowledge them within 24 hours or, if away, redirect them to a delegate for handling. The client is kept updated on the compliance officer’s progress, and complete documentation of the concern and related activities is kept in the client file.
The firm’s compliance officer forwards any privacy concerns, general inquiries or requests related to the company’s products and services to that company’s chief compliance officer.
2.1 Client requests to access personal information
Under privacy laws, clients have the right to request access to their personal information held in client files maintained by either the firm or the company and to challenge its accuracy, if need be.
Any client access requests for personal information held in the firm’s client files are forwarded to the firm’s compliance officer to accommodate the client request as quickly as possible and no later than 30 days after receipt of the request.
Correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient. Note any disagreement on the file and advise third parties where appropriate.
Follow the company’s process if a client requests access to his/her personal information held with the company.
2.2 Misuse of personal information
Any misuse of personal information, or any potential breach of security safeguards, relating to the company’s products and services is reported immediately to the firm’s compliance officer.
2.3 Privacy incident/breach process
A privacy breach occurs when there is the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of security safeguards. A privacy breach also includes information that is retained in ways which are not in accordance with applicable privacy legislation, such as retaining information that is no longer needed for the identified purpose.
Examples of privacy breaches:
- Copies of client personal information statements are stolen from a vehicle
- Advisor laptop is lost/stolen and it contains client personal information
- Client information on an advisor’s computer hard drive is compromised/hacked
- Client information emailed to someone other than the intended recipient, whether internal or external
- Client information going to the wrong address (someone else opening the mail)
- Release of personal information without proper authorization or use of personal information without proper consent
- Keeping inactive customer information for longer than the retention period
Suspected breaches, complaints or any other concern relating to a privacy issue, whether they involve an individual or a supplier, are reported immediately to the firm’s compliance officer and/or the company. The firm’s compliance officer will assess, contain and remediate the incident and help enhance controls to prevent the breach from recurring.
Lost, stolen or hacked electronic devices:
- Immediately contact the company’s service desk to have system passwords reset and any active sessions or remote-access tokens revoked; a password change alone does not end a session that is already logged in on the missing device.
- Engage the firm’s IT support.
- File a report with the police, quoting the device’s serial and model numbers (recorded under 6.2.2).
- Change other passwords that were used or stored on the device (e.g., online banking).
- Scan any compromised computer for malware before connecting it to business systems again.
Lost or stolen paper documents (e.g., policy contracts, applications, client files):
- Notify the firm’s compliance officer, the company’s chief compliance officer and the firm’s regional director/business services manager if applicable.
- Report stolen materials to the police.
Email sent to the wrong recipient (internal or external):
- Recall the email immediately. Recall only works for messages that are still unread within the same mail system, so treat it as a best-effort step.
- If recall is not successful, contact the unintended recipient and obtain written confirmation that the email and any attachments have been deleted.
- Notify the firm’s compliance officer.
Incident/breach determination and assessment
- Answer the following questions:
  - Was personal information involved? Is there proof or likelihood that personal information was involved, or is it indeterminable?
  - Has an unauthorized disclosure or transfer of an individual’s personal information occurred? Unauthorized disclosure, whether intentional, inadvertent or the result of criminal activity, constitutes a privacy breach.
  - Was personal information collected or used without authorization?
- If the answer to any of the questions above is “yes”, a privacy breach has occurred.
- Complete the risk assessment questions:
  - Type, sensitivity and amount of personal information elements disclosed (e.g., bank account number, SIN, health information/claims data)
  - To whom the information was disclosed / who obtained it
  - Number of individuals affected
  - Whether the information was fully recovered
  - Time elapsed from discovery of the incident to remediation
  - Whether written confirmation was obtained that the information was not further disclosed, misused or duplicated
  - Potential harm to the individual (e.g., identity theft, fraud or other harm including pain and suffering or loss of reputation), or no known harm to affected individuals
  - Potential value of the data to a criminal (e.g., resale value)
  - Whether the personal information was compromised maliciously (a targeted attack) or through technical or human error
  - Whether the incident results from a systemic problem, or a similar incident has occurred before
  - Whether the affected individuals have been notified
  - Whether affected individuals are vulnerable (e.g., minors)
  - Whether the Privacy Commissioner may receive complaints or inquiries (e.g., public awareness of the incident)
- Considering the sensitivity of the information involved and the probability that it will be misused, determine whether the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”).
- Based on the risk assessment above, decide whether there is a real risk of significant harm. If there is, follow section 2.4.
2.4 Mandatory data breach reporting under PIPEDA
- When the firm determines that a breach of security safeguards poses a real risk of significant harm, it must notify affected individuals and report to the Office of the Privacy Commissioner of Canada (the Commissioner), and to provincial regulators where required, as soon as feasible, even if only one individual is affected (PIPEDA s. 10.1, mandatory since November 1, 2018).
- The firm must also notify any other organization or government institution that may be able to reduce or mitigate the harm to affected individuals.
2.4.1 Notification to Affected Individual(s)
A notification provided by the firm to an affected individual with respect to a breach of security safeguards must contain:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach to the extent that the information is known;
- a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- contact information that the affected individual can use to obtain further information about the breach.
2.4.2 Notification to Regulators
- Report to the Commissioner using the PIPEDA breach report form.
- British Columbia – BC’s PIPA does not mandate breach reporting, but the Office of the Information and Privacy Commissioner for BC recommends notification where there is a real risk of significant harm. See BC’s privacy breach checklist for the reporting steps.
- Alberta – Alberta’s PIPA requires notification to the Office of the Information and Privacy Commissioner of Alberta (OIPC) of any breach posing a real risk of significant harm; the OIPC may then require that affected individuals be notified.
- Quebec – notify the Autorité des marchés financiers (the “AMF”) of any breach of personal information that jeopardizes the interests or rights of consumers or the institution’s reputation.
2.5 Enhance controls
Review all processes, systems updates, employee training and enhance where required to help prevent reoccurrence.
2.6 Record keeping
Keep records of every breach of security safeguards, whether or not it was reported, for 24 months after the day the firm determines that the breach occurred, and provide them to the Commissioner on request.
3. Obtaining valid, informed client consent
Consent is considered valid only if it is reasonable to expect that individuals understand the nature, purpose and consequences of the collection, use or disclosure of their personal information to which they are consenting.
At the beginning of a relationship with a client, the firm will obtain client consent for the collection, use and disclosure of their personal information and notify them of potential out-of-country storage.
When collecting information from clients and prospects, explain the purposes behind the collection of this information and provide information about the firm’s privacy policies.
Only disclose personal information about clients to another person or company if verbal or written consent from the client has been obtained or if otherwise allowed or required to do so by law. If information is sensitive, written consent should be obtained.
The firm will recommend other professionals or advisors to clients if the client asks or if the client may benefit from such services. The firm never provides any client names or other information to third parties to market their services unless the client has first been informed and consented.
Review the Privacy commitment and your client file form with the client, keeping the signed copy in the client file for future reference. Cover the:
- Purposes for the collection,
- Who has access: staff, and other advisors or administrative support who cover short-term absences or extended periods when the firm is unable to serve clients
- Use of external suppliers (e.g., information processors such as client relationship management (CRM) systems and cloud-based storage services)
- Likelihood that information will be stored outside Canada, where it is subject to that country’s laws, including laws allowing access by public authorities
- Consent to share spousal information; joint files and who may access them
- Individual’s ability to withdraw consent at all times
3.1 New uses/access to client information
The firm will obtain the client’s written consent if the purpose for the collection, access, use or disclosure of the client’s personal information ever changes.
Review the new purpose, access, use and disclosure with the client and keep a copy of the new consent in the client file.
If a client objects to a transfer or new access, the client has the right to:
- Request that his/her information not be disclosed
- Request a new advisor
- Receive the names of other advisors to contact or be provided with the name and number of the regional director where they can request another advisor
3.1.1 Supplier contracts
The firm requires client consent prior to transferring client information to a supplier and retains control of the information when transferring personal information to a supplier for processing.
Information transfers to suppliers for processing, including cloud computing, are done for a variety of reasons, including storing, processing or manipulating client personal information.
3.2. Business transactions consent exception
Business transactions include, for example, the sale of a business, a merger or amalgamation of two or more organizations or any other prescribed arrangement between two or more organizations to conduct a business activity.
The firm transfers personal information where necessary to determine whether to proceed with a transaction, or in order to complete a transaction. The information must be used or disclosed solely for purposes related to the transaction, safeguarded appropriately, returned or destroyed when no longer needed for that purpose and the affected clients must be notified that their personal information has been transferred to another organization.
When receiving personal information the firm will enter into an agreement to use or disclose the information for the sole purpose of the transaction, to protect it and to return or destroy the information if the transaction does not proceed. If the transaction proceeds, the firm will notify affected clients that their personal information has been transferred to another organization.
3.2.1 Buy/sell agreements
The firm will use, disclose and protect client information during the valuation process and when seeking a buyer for the book of business or looking to purchase a book of business.
The firm limits identifying client information on documents shared with third parties and contacts legal counsel to draft a suitable confidentiality agreement that should be signed by third parties involved in the process of valuing the book for potential sale or purchase.
3.2.2 Agent of Record (AOR) changes
For client-initiated AOR changes, the firm treats the request as consent to transfer access to the client’s information and files (where applicable) to the new advisor.
4. Collection of personal information
When collecting personal information:
- Limit the amount and type of the information gathered to only what is necessary, for the identified purposes.
- Take reasonable efforts to ensure client and prospect information held in client files is accurate and is updated or corrected as needed.
- Take appropriate measures to ensure that information collected is used for the purposes identified and that it’s not used for another purpose or disclosed to a third party without the client’s or prospect’s consent, except as may otherwise be allowed by law.
4.1 Recording client telephone calls
Any recording of client calls involves the collection of personal information and therefore requires the caller’s consent.
- Recording may only take place with the individual’s consent. If the caller objects to the recording, provide the caller with meaningful alternatives and if the caller continues to refuse, cease recording the conversation immediately and destroy any recordings that may have been created.
- Only record calls for specified purposes.
- Inform the individual at the beginning of the call that the conversation is being recorded, and advise them of the purposes for which the recording will be used.
- Ensure compliance with applicable privacy legislation.
- If a copy of the client file is requested, provide the recording or transcription of the recording of calls with the client.
5. Use, disclosure and retention
Personal information is not, without consent, used or disclosed to a third party for any purpose other than that for which it was collected, unless such use or disclosure is required or allowed by law.
The firm retains personal information only as long as necessary to fulfill the identified purpose or as otherwise required or allowed by law and is solely responsible for the safe keeping of this material and for maintaining its confidentiality.
Personal information that is no longer required to fulfill the purpose(s) identified when collected is securely destroyed or erased.
5.1 Secure disposal
- When paper materials containing any client or prospect personal information are to be destroyed, this is done by shredding, not recycling.
- Information is deleted from all business technology before the technology is destroyed. Deleting files or formatting a drive does not make the data unrecoverable, so storage devices are physically destroyed when disposed of to ensure the information cannot be retrieved.
- When disposing of or destroying personal information, take appropriate measures to prevent unauthorized parties from gaining access.
- When disposing of equipment or devices used for storing personal information (such as filing cabinets, computers, diskettes, and audio tapes), take appropriate measures to remove or delete any stored information or otherwise to prevent access by unauthorized parties.
5.2 Record retention
The firm’s client files and records are maintained for at least the minimum period required by law.
Appropriate safeguards must be taken in the storage and disposal of client information. Anyone attached to or employed by the firm is required to follow the procedures outlined in this section.
6. Safeguards
The firm uses technological, physical and organizational safeguards to protect client personal information from theft or misuse, as well as unauthorized access, disclosure, copying, use or modification.
6.1 Technological safeguards
Technology examples requiring safeguards can include:
- Computers – desktops, laptops, servers and personal digital assistants (tablets/smartphones)
- Hardware and software
- Mobile devices
- Portable media –USB/thumb drives, CDs and DVDs
- Printers, scanners, fax machines and photocopiers with secure print options
- Email and internet services (e.g., cloud computing)
6.1.2 Encryption, antivirus and firewalls
- Encryption, antivirus software and firewalls are installed and kept up to date on all business technology to help keep client data secure. This includes encryption of sensitive data at rest and in transit, including transmission to backup servers.
- Business technology safeguards are reviewed annually and upgraded as necessary.
- When technology is unattended or being transported, all devices are shut down (powered off). Logging off, locking, or leaving a device in standby or sleep mode keeps the disk-encryption key in memory, so full-disk encryption does not protect a device in that state if it is stolen.
Security program details
| Control | Product | Updates |
|---|---|---|
| Encryption | Mac OS FileVault; Windows 10 Device Encryption | Automatic updates on |
| Antivirus/malware protection | Avast | Automatic updates on |
| Firewall | Mac OS Firewall; Windows Defender Firewall | Automatic updates on |
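The table lists the controls the firm relies on, but the annual review in 6.1.2 needs evidence that they are actually switched on. As an added example (not part of the firm’s policy or any vendor’s tooling), the following script checks on a macOS endpoint that FileVault, the application firewall and automatic update checks are enabled, using Apple’s `fdesetup`, `socketfilterfw` and `defaults` commands. The output strings it matches are the ones those commands print; the sample inputs mentioned in the comments for offline testing are constructed, not captured from any firm device.

```shell
#!/bin/sh
# Added example, not part of the firm's policy: audit a macOS endpoint against
# the "Security program details" table (FileVault on, application firewall on,
# automatic update checks on). Each check_* function takes the command output
# as a string so the logic can be exercised offline with constructed input;
# audit() runs the real commands.

# FileVault status. `fdesetup status` prints "FileVault is On." when the
# startup disk is encrypted and "FileVault is Off." otherwise.
check_filevault() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Application firewall. `socketfilterfw --getglobalstate` prints
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)".
check_firewall() {
    case "$1" in
        *"Firewall is enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Automatic update checks. `defaults read ... AutomaticCheckEnabled` prints 1
# when the Mac checks for updates automatically. Automatic installation is
# governed by further keys (e.g. AutomaticallyInstallMacOSUpdates); add them
# the same way if the firm's baseline requires installs, not just checks.
check_autoupdate() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Evaluate the three outputs, print one line per control and return the number
# of controls that failed (0 means the endpoint matches the table).
report() {
    fails=0
    if check_filevault "$1"; then echo "PASS encryption (FileVault)"
    else echo "FAIL encryption (FileVault is not On)"; fails=$((fails + 1)); fi
    if check_firewall "$2"; then echo "PASS firewall"
    else echo "FAIL firewall (application firewall disabled)"; fails=$((fails + 1)); fi
    if check_autoupdate "$3"; then echo "PASS automatic update checks"
    else echo "FAIL automatic update checks (AutomaticCheckEnabled != 1)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Collect live output and report. A missing or failing command yields empty
# output, which every check treats as a failure (fail closed).
audit() {
    fv=$(fdesetup status 2>/dev/null)
    fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
    au=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)
    report "$fv" "$fw" "$au"
}

# Only run the live audit on macOS; elsewhere the functions are still defined
# so the checks can be tested with constructed output such as
# "FileVault is On." / "Firewall is disabled. (State = 0)" / "1".
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    audit
fi
```

Run it as `sh audit.sh` on the Mac under review; a non-zero exit status means at least one control is off, and the printed lines say which. The Windows counterparts for the same table are `manage-bde -status` (or `Get-BitLockerVolume` in PowerShell) for device encryption and `Get-NetFirewallProfile` for Windows Defender Firewall; Avast’s status has to be read from the product itself, so the antivirus row is not checked here.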
6.1.3 Screen savers, user ID and passwords
Encryption does not eliminate the need for strong passwords.
- Protect user ID and passwords and never share either with anyone.
- Pick strong passwords (use capitals, lowercase, numbers and symbols with a minimum length of eight characters).
- Avoid using proper names and words found in dictionaries (e.g., insurance, password) and personal information, like family and pet names, birthdays, government ID numbers or words associated with hobbies and interests.
- Use password-protected screensavers to prevent unauthorized access to unattended computers.
- Lock computers when away from your desk temporarily (Windows key+L on Windows; Control+Command+Q on a Mac).
6.2 Physical safeguards
Consideration is given to the following safeguards:
6.2.1 Office design
- Desks/workspaces are arranged out of the traffic flow within the office.
- Fax machines, photocopiers, printers, etc. are located in areas where access is reasonably limited.
- Associates/staff dealing with sensitive client information are located, where possible, in an area where conversations will not be easily overheard.
- Personal client information files are located out of the traffic flow within the area.
- Locked file cabinets are used for files containing personal information.
6.2.2 Computers and consumer devices
Always take steps to protect against the theft of laptop computers and mobile devices by using an anti-theft security device (e.g., locking cable), whether at the office, at home, in a meeting room or hotel room, etc.
- Lock your device away in a secure place when not using it.
- To prevent theft, avoid leaving laptops in vehicles. If you must, keep your laptop in your trunk or another out-of-sight area.
- Shut down and power off your laptop – this ensures that all applications have been properly closed and that the disk-encryption key is no longer held in memory.
- Log out of any websites or programs when you are finished using them. And remember, don’t “save” your information so that you can automatically log in the next time – if your mobile device is lost or stolen, someone may be able to access your accounts or files.
- Computers and consumer devices (and if applicable associate/staff computers) are stored securely to prevent access during all absences (evenings, weekends, illnesses and vacations).
In the office during the day – Laptops are locked using a locking cable and securely anchored to an immovable piece of furniture or a secure docking station. The lock key is stored in a safe place away from the laptop.
When leaving work at the end of the business day – Laptops are stored in a locked cabinet or drawer, and the lock key is stored in a safe place away from the laptop.
Laptop security rules described above still apply when office doors are locked.
On the road:
- Be cautious of public Wi-Fi hotspots, as someone may be eavesdropping on them. Avoid banking, shopping online or accessing corporate resources from such connections; save sensitive transactions for a network you trust.
- Be wary of using your mobile device outside your home country. Eavesdropping and traffic analysis may be more prevalent on a foreign network.
- While working, position laptops so only the user can see the personal information on the screen.
- Record laptop serial and model numbers and keep them in a separate location.
- Carry laptops in a discreet bag. Use a padded bag, such as a backpack, instead of the normal laptop tote, to securely and safely transport a laptop.
- Keep laptops out of sight by storing in car’s locked compartment during travel to prevent theft.
- Never place laptops in a taxi or limousine trunk since most hired drivers do not lock their trunks.
- Never check laptops with hotels or airlines.
- After placing laptop on an airport’s x-ray conveyer belt, watch the bag and don’t let anyone cut ahead of you in line.
- At home or in a hotel room, secure laptops as you would at work. Have the locking cable on hand, lock the laptop down and store it out of sight.
- Card-access hotel rooms produce an accurate audit trail of who has visited the room and when. Metal keys can be lost and copied. If the hotel room uses metal keys, consider not leaving the laptop in the hotel room.
6.2.3 Desks and files
- Sensitive personal information or other client documentation should never be left unattended. When personal information needs to be accessible in paper format for active business purposes, all files and file contents should be placed so the contents are protected from the view of those who are unauthorized to see them.
- Ensure all sensitive personal information is secured in locked rooms, cabinets and/or desk drawers when not actively in use and that access is appropriately restricted.
Documents outside of business premises
Client information must be safeguarded whether in the office, car or other location. Paper files containing personal information should be removed from the office only when absolutely necessary or required to appropriately service clients.
For tracking purposes, all files/documents are recorded before being removed from the premises for reference if lost or stolen. All associates/staff must be made aware of and comply with this requirement.
6.3 Communicating confidential information with others
- Never discuss clients in public places such as elevators, cafeterias or restaurants.
- When sharing client or employee personal information on cellular phones, take precautions to avoid being overheard.
- When reading a client’s personal information on public transit such as trains, planes or buses, position documents so as to prevent anyone else from reading them.
Voice messages
Messages left for clients should not contain personal information unless the client is informed in advance that the message may contain personal information. The client must also confirm that he/she wants this information to be provided on his/her voice message service.
6.3.2 Caller authentication
If a request is made by phone, it is necessary to authenticate that person before providing them with any personal information.
To authenticate the caller, the person must successfully answer three of the following questions. Always ask the questions in this order, and have the caller supply each answer; never read out the value on file for the caller to confirm.
- Full name of owner(s)
  - For a person calling on behalf of an estate, ask for the full name of the deceased owner
  - For an owner “in trust for”, ensure the caller’s name matches the trustee name on the system
  - For a power of attorney, the caller must provide the name of the attorney that matches the name on file, in addition to the name of the policy owner
- Policy number
- Apartment number, street number, street name and city
- Date of birth of the life insured/annuitant
- Full name of life insured/annuitant
If validation is not successful, inform the caller that the firm is responsible for protecting the privacy and confidentiality of personal client information and therefore cannot disclose any details without first validating that the caller is the person who should receive this information. Ask them to submit their request in writing.
Email
Email messages should not contain personal information unless the client has been informed of this in advance and has confirmed that he/she wants this information to be provided by email.
The following disclaimer is added to all email containing client personal information:
“The contents of this communication, including any attachment(s), are confidential and may be privileged. If you are not the intended recipient (or are not receiving this communication on behalf of the intended recipient), please notify the sender immediately and delete or destroy this communication without reading it, and without making, forwarding, or retaining any copy or record of it or its contents. Thank you. Note: We have taken precautions against viruses, but take no responsibility for loss or damage caused by any virus present.”
Sensitive information should not be communicated by email unless the client requests it. If a request is made by email, authenticate the person before providing personal information through email:
- Call the client at the number on file (not a number given in the email) and confirm that they requested the information.
- Authenticate the client and obtain and document consent to communicate via email.
- Ensure the email is addressed to the correct recipient, as names in address lists may be similar.
- Encrypt or password-protect files containing identifiable client information, and send the password by a separate channel (e.g., by phone), never in the same or a follow-up email.
Faxes
Faxes should not contain personal information unless the client is informed in advance that the fax may contain personal information and has confirmed that he/she wants this information to be provided by fax.
The following disclaimer is added to the cover sheet of all faxes containing client personal information:
“The contents of this fax, including any attachment(s), are confidential and may be privileged. If you are not the intended recipient (or are not receiving this fax on behalf of the intended recipient), please notify the sender immediately and delete or destroy this fax without reading it, and without making, forwarding, or retaining any copy or record of it or its contents. Thank you.”
Confirm the fax number before sending client personal information:
- Pay careful attention to the different long distance prefixes (i.e., 1-866, 1-888, 1-800) and take time to confirm the fax number before hitting send. Personal or confidential information can easily be misdirected by using the incorrect long distance prefix.
- For commonly used fax numbers, consider preprogramming your fax machine to avoid errors.
- Reconfirm the fax number before you hit send.
- Contact recipient once the fax is sent to confirm receipt.
6.4 Organizational safeguards
6.4.1 Authorization and limiting access on a “need-to-know” basis
- Authorization is only granted for access to personal information on a “need-to-know basis” (i.e., information required to perform defined job functions). Access to files (physical, system and electronic) is reviewed when associates/staff are hired or moved to a different job function.
- When an associate/staff member’s employment is in the process of being terminated, access to client information, including electronic information from computers and all other material from work areas is suspended.
6.4.2 Confidentiality agreements
Employees are made aware of the importance of maintaining security and privacy of personal information. Where personal information is sensitive or where the potential consequences of improper disclosures are significant, the firm:
- Uses confidentiality agreements with employees
- Takes appropriate precautions to safeguard client information from third parties who may have access to the premises (e.g., security guards, cleaning services and suppliers).
- Obtains, if appropriate, a non-disclosure agreement from the individual or corporation servicing the device if confidential information cannot be removed from a device before releasing it for repairs.
7. Training program
All advisors and staff, permanent and temporary, are trained as outlined in this training program.
- Training is mandatory prior to the individual being given access to personal information.
- Training is an ongoing process with refresher training conducted annually or more frequently if needed based on changes to legislation, technology, service providers as well as new use/access to personal information, etc.
- Training is completed through circulation and review of the policies and procedures section of this compliance program which are reviewed as part of the program self-review to ensure materials are accurate and up-to-date.
- Optional/additional training may include modules provided by insurers, circulation of insurer privacy communications and updates, news articles, industry communications and training modules etc.
- Staff not able to attend refresher training on the originally scheduled date(s) will need to have alternate arrangements made to meet this requirement.