Shelemey Financial is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). This federal act, governed by the Privacy Commissioner of Canada (PCC), requires certain minimum standards for protecting personal information that we collect, use, disclose and hold in the course of carrying on business. The act is based upon 10 principles. This is a highly summarized version of the principles and some basic guidelines that we will follow.
PRINCIPLE 1 – ACCOUNTABILITY
We are responsible for the proper management of all personal information under our control, and shall designate one or more persons to be accountable for compliance.
We must have a designated person who is responsible for compliance, training, awareness, control, and decisions on releasing information to clients, changing procedures, interfacing with authorities, third parties and so forth. The person responsible will be Troy Shelemey.
PRINCIPLE 2 – IDENTIFYING THE PURPOSES OF PERSONAL INFORMATION
We shall identify the purposes of collecting information before or at the time the information is collected.
We must disclose why we need information, what we will do with it and what information we need.
PRINCIPLE 3 – OBTAINING CONSENT
The knowledge and consent of the client are required for the collection, use or disclosure of personal information except where inappropriate.
PRINCIPLE 4 – LIMITING COLLECTION OF PERSONAL INFORMATION
We shall limit the collection of personal information to that which is necessary for the purposes identified.
PRINCIPLE 5 – LIMITING USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION
We shall use or disclose personal information only for the reason it was collected, except with the consent of the client or as required by law.
As with personal tax information, the MFDA and IDA require client records to be maintained for seven years. It is necessary that we return a client’s personal information at their request.
PRINCIPLE 6 – ACCURACY OF PERSONAL INFORMATION
We shall keep personal information as accurate, complete, current and relevant as necessary for its identified purpose.
We must update what we need and we may not update what we do not need. We will need to make some decisions and design a process to deal with this.
PRINCIPLE 7 – PROTECTING INFORMATION
We shall protect personal information with safeguards appropriate to the sensitivity of the information.
PRINCIPLE 8 – OPENNESS CONCERNING POLICIES AND PRACTICES
We shall make readily available to clients specific information about our policies and practices relating to the management of personal information.
We have a corporate brochure that describes this in great detail.
PRINCIPLE 9 – CONSUMER ACCESS TO PERSONAL INFORMATION
Upon request, we shall inform a client of the existence, use and disclosure of his or her personal information and shall give the individual access to that information.
PRINCIPLE 10 – CHALLENGING COMPLIANCE
A client shall be able to address a challenge concerning compliance with the above principles to the designated accountable person or persons.
Putting it all into practice
Obviously, the principles and the related technical details to comply with the act will have some effects on how we do business.
The principal concern now is that we are required to avoid the possibility of inadvertent disclosure of private information.
There needs to be care taken regarding at least the following:
- Work in progress files in offices should not contain personal information unless it is hidden from any visitor.
- Files are not in plain view if they are not relevant to the client or visitor in the room.
- Lock filing cabinets and offices – ensure that locks work and keys are secure.
- Photocopies of old document files must be shredded.
- Visitors may not use our offices unless supervised.
- Speakerphones should be used carefully.
- Refrain from using clients’ names in any place that could remotely be considered public, such as the reception area or office kitchen.
- All client files must be signed out of their respective hanging files.
- Laptop computers should not contain client personal information unless they are protected in the event of loss. A password is not enough.
- Ensure that backup files are properly stored.
- Ensure security on Palm Pilots and other hand-held devices.
Client communication – telephone
- Clearly identify the client prior to giving information.
- Only give information to the policyowner unless prior written consent to share information has been provided by the policyowner.
- Do not participate in cross marketing campaigns without prior client consent.
Client communication – meetings
- Ensure that private discussions do not take place in public areas in front of others such as reception areas, lobbies or public washrooms.
Client communication – e-mail, fax, mail
E-mail: Establish a secure e-mail system or password protect all documents.
- Only send secure e-mail to the owner of the mutual fund/policy.
Fax: Ensure that the fax is going to a private line or call ahead to confirm that the client is the only one who will have access to the information.
- Fax may only be used for “non-sensitive” personal information.
- Do not leave open mail addressed to you.
Letters – send letters to the mutual fund/policyowner; do not combine family information without written approval from the policyowner.
- Mail and faxes are kept out of sight.
- Never send any important documents by regular postal service.
- E-mail may not be used for personal information.
- Offsite backups must be encrypted or stored securely, such as in a safety deposit box.
Client trade processing and record keeping
- File paperwork in individual files, do not blend files by family unless the product is jointly owned.
- Ensure that all paperwork is placed in a locked filing cabinet or desk prior to leaving the office.
- Ensure you are aware of all other industry record keeping regulations.
- Photocopies of documents cannot be made without a specific purpose, such as being able to return the client’s original will.
Client and trade documents
- Ensure that all documents clearly specify who will have access to the information and if/how the information will be shared with others (third parties and regulators).
- Train your staff on the 10 privacy principles.
- Have your staff sign a confidentiality agreement.
- Limit access to private information to only those who need it.
- Must have third-party agreements to protect privacy with anyone we disclose information to in the course of business.
- Establish a complaint resolution process.
- Respond to all privacy complaints promptly in writing.
Policies and procedures regarding compliance with PIPEDA © Wealth Enhancement Academy Inc. Advocis Best Practices Manual © TFAAC