The Institutional Investors Risk Management Council is dedicated to advancing security and transparency in the financial industry. We are committed to protecting the privacy of all information we obtain in the course of carrying out our functions.
The protection of personal information provided to us by investment managers, investors, employees and volunteers, including information that is subject to investor-client privilege, is guided by the following principles:
- All personal information in our custody and control will be collected, used, and disclosed in accordance with the Freedom of Information and Protection of Privacy Act (FIPPA), and any other applicable legislation governing the sharing and security of private information.
- We embody a culture in which personal information is protected and respected. All members, employees, volunteers, interns, and service providers working on our behalf are responsible for maintaining the security of sensitive information.
All members, employees, volunteers and service providers working on our behalf are responsible for securing and protecting personal information in our custody and control.
All managers are responsible for overseeing the collection, use, disclosure, retention and disposal of personal information within their departments to ensure compliance with our policies. Management will provide effective leadership on privacy. The Information and Privacy Officer, under the supervision of management, has overall responsibility for dealing with requests for access to information under FIPPA and for:
- Ensuring that we have appropriate policies and processes in place to safeguard the personal information in our custody and control; and
- Monitoring our compliance with privacy policies and legislative requirements.
4. What is Personal Information?
Schedule 1 of FIPPA defines “personal information” as recorded information about an identifiable individual other than “contact information”. Examples of personal information include an individual’s name, home address and phone number, age, financial information, and family status. The definition of “contact information” includes an individual’s name or title, business telephone number, business address, business e-mail and business fax number.
5. Purposes for Collecting, Using, Disclosing and Retaining Personal Information
We collect, use, disclose and retain personal information about investment managers, investors, applicants, employees, volunteers and third parties in order to perform our duties and functions to protect the interests of our clients and to:
- assess and administer applications for the collection of data;
- receive, investigate and manage complaints and conduct disciplinary investigations regarding misuse of private information;
- act in an advisory capacity for clients;
- audit and investigate financial records and accounts;
- investigate client policies and procedures;
- research and development;
- enable our employees to carry out their functions;
- research and analyze data;
- ensure compliance with any and all legal requirements;
- inform and protect the public and clients in accordance with our duties under FIPPA;
- receive and respond to requests for access to information in compliance with the law; and
- establish, manage and terminate the employment and volunteer relationships between our organization and its employees, interns, and volunteers.
6. Collecting Personal Information
We are authorized under FIPPA and other applicable law to collect personal information for certain purposes.
When collecting personal information, we will:
- limit the collection of personal information to what is necessary to undertake our functions or as permitted by applicable law;
- be open and transparent about the information that is being collected by communicating a clear and lawful purpose for the collection;
- ensure that all individuals and clients have the right to request access to the personal information we hold about them, and the right to seek correction if that personal information is incorrect; and
- only collect personal information directly from the subject of the information, unless consent is given to collect information from other sources or collection from another source is permitted by applicable law.
7. Collecting Personal Information Over the Internet
In some instances, we may collect personal information over the internet. The online forms on our website use SSL encryption to protect the data stream. Upon its submission, the personal information is retained in a secure database.
8. Using or Disclosing Personal Information
We will only access, use or disclose personal information for the purposes for which it was collected, or for a use that is consistent with that purpose, unless consent for another access, use or disclosure has been obtained, is permitted by FIPPA Rules, or is otherwise authorized by law. Personal information will not be accessed, used or disclosed by our employees, interns, or volunteers except as authorized in the course of fulfilling their duties and responsibilities.
9. Retaining and Disposing of Personal Information
We will only retain personal information for as long as necessary to fulfill the purposes for which the personal information was collected, including for the purpose of meeting any legal, accounting or other reporting requirements or obligations.
If we use personal information to make a decision that directly affects an individual or client, we will keep that information for at least one year after using it so that individuals or clients have a reasonable opportunity to obtain access to it.
We have a file classification system that sets out specific retention periods for different types of information within our custody and control. These schedules will be reviewed periodically to ensure that personal information is not kept for longer than necessary to serve the original purpose. When personal information is no longer required, we will dispose of it securely.
10. Safeguarding Personal Information
We protect personal information in accordance with applicable law. Our organization has made reasonable security arrangements to secure against the unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of personal information. All of our employees, interns, and volunteers are required to comply with our policies and procedures in relation to the security, management and protection of all personal information within our custody and control. Service providers working on behalf of our company are required to comply with FIPPA and will be made aware of and reminded as necessary about our privacy policies.
11. Certain Matters Privileged
In conducting crisis prevention practices, we handle information subject to privilege or confidentiality between investment managers and investors. When we obtain information from any client relating to a current or former client, we assume all obligations in relation to the protection of privilege and disclosure of that information, subject to FIPPA Rules.
12. Third parties
We will not sell or rent personal information. Where we are permitted by FIPPA Rules, or otherwise authorized by law to disclose personal information to a third party, we will inform the third party that it must not disclose the personal information for any purpose other than the purpose for which we gave the personal information to the third party.
13. Service providers
Privacy protections will be in place for all service providers. All contracts entered into by our company with service providers that may have access to personal or confidential information will contain specific provisions requiring compliance with FIPPA and applicable law relating to the security and privacy of personal information. Managers may determine it is adequate for service providers to sign a confidentiality agreement if service providers do not have access to personal or confidential information or managers consider it is appropriate in the circumstances. All service providers that may have access to personal information in our custody or control will be advised and reminded as necessary of our privacy policies and our obligations to ensure the security and protection of personal information.
14. Right to Request Access to Personal Information
Information or records available to the public through routine channels, such as our website and publications, may be disclosed to individuals without requiring the submission of a formal request. Formal requests for access to information are processed under FIPPA. Any individual can formally request access to personal information in the custody or control of our organization by submitting a request in writing to our Information and Privacy Officer.
Before providing the personal information, we may need to ask individuals to verify their identity. Under FIPPA, we have 30 business days after the information is requested to respond to a request. If we need more time to process the request, we will give an individual written notice before the expiry of the 30 business days. We may refuse access to certain personal information where authorized or required by law to refuse access. In the event that access is refused, we will notify the individual of this decision in writing and outline the reasons for the refusal.
15. Right to Seek Correction of Personal Information
When an individual’s or client’s personal information is in the custody and control of our company and the personal information will be used by us to make a decision that directly affects the individual, we will make every reasonable effort to ensure that the personal information is accurate and complete. Individuals may write to us and request that any errors or omissions be corrected. If we are satisfied that a request for correction is reasonable, we will correct the personal information as soon as reasonably possible. If we do not agree with the request, we will advise the requesting party accordingly and note both the request and our reason for not making the requested change on our file.
If individuals are dissatisfied with the way we have handled their personal information, they are entitled to submit a complaint to us. Our Privacy Compliance Officer will investigate all complaints concerning compliance with our privacy policies and information and privacy law. The Privacy Compliance Officer will make every reasonable effort to resolve complaints including, if necessary, recommending changes to policies and procedures. The complainant will be informed of the outcome of the investigation regarding his or her complaint.