Privacy standards

Your Responsibilities under the Act:

1. Accountability:

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the privacy principles.

Tip: A good understanding of Canada’ Personal Information Protection and Electronic Documents Act (PIPEDA) will help offset privacy issues. For further information visit the Office of the Privacy Commissioner of Canada..

2. Identifying Purposes:

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Tip: Define your purpose for collecting data as clearly and narrowly as possible so the individual can understand how the information will be used or disclosed.

3. Consent:

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.

Tip: Consent is only meaningful if the individuals understand how their information will be used.

4. Limiting Collection:

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Tip: Only obtain the information necessary for the service or product being provided.

5. Limiting Use, Disclosure, and Retention:

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfilment of those purposes.

Tip: Conduct regular reviews to help determine whether information is still required.

6. Accuracy:

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Tip: One way to determine if information needs to be updated is to ask whether the use or disclosure of out of date or incomplete information would harm the individual.

7. Safeguards:

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Tip: Keep sensitive information files in a secure area or computer system and limit access to individuals on a "need-to-know" basis only.

8. Openness:

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Tip: Information about policies and practices may be made available in person, in writing, by telephone, in publications or on an organization's website.

9. Individual Access:

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Tip: Keep personal information about individuals in one place to make retrieval easier or record where all such information can be found. Never disclose personal information unless you are sure of the identity of the requestor and that person's right to access.

10. Challenging Compliance:

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization's compliance.

Tip: How well you handle an individual's complaint may help preserve or restore the individual's confidence in an organization.


Passwords are used to protect valuable information you would not normally share with others or leave out in the open.

  • Never write down your passwords.
  • Passwords are the first line of defense to all the confidential information on your computer. Change your passwords frequently and use strong passwords that are at least eight characters long, contain upper and lower case letters and special characters, if applicable.
  • Never share your passwords with anyone else including an administrative assistant or associate advisor. No one apart from yourself should know your passwords.
  • When you share your password, your identity will be tied to all transactions that were conducted during that particular log on session. This includes mistakes, malicious attacks, criminal activity, etc.

Password sharing can be done any number of ways, with or without your knowledge. Examples are:

  • Giving it to a friend or colleague so that they can access your system.
  • Writing it down and then having someone else see it.
  • Unwittingly divulging it to a hacker through a social engineering attack. Hackers are always looking for opportunities to get into a system. One way that they do this is by impersonating a tech support employee and conning someone to give up his or her password.
  • Failing to log off a system or not locking your computer. In this way, you are inadvertently sharing your password with anyone who cares to use your system while it remains logged on.

On a daily basis, you deal with clients' personal, health and financial information. Clients expect that you will protect and safeguard their information so it doesn't fall into the wrong hands. It is important that you don't take their confidence in you for granted. Treat clients' personal information the same way you would expect the companies you deal with to treat your personal information.

Here are some helpful tips for your daily business practice:

Laptop tips

  • Always use a security cable to secure your laptop to your desk.
  • Always lock your laptop in a cabinet or desk drawer at the end of the day, if you don't take it home with you.
  • Never leave your laptop unattended in public areas (e.g., meeting room, washroom, customer's house, or restaurant). Keep it within your sight at all times.
  • Always lock your laptop and client files in the car trunk while in transit. Do this before you reach your destination. If you don't have a trunk, don't leave it in your car, carry it with you.
  • Always keep your laptop with you as carry-on luggage when travelling (by air or train).
  • Always use the room safe or arrange to have your laptop locked in the hotel safe if you have to go out without your laptop.
  • Never leave the laptop in your vehicle for extended periods or overnight.
  • Always use your password protected screen saver, even if you're stepping away from your desk for a few minutes.
  • Always turn off your computer or put it in suspend mode when you are not using it.
  • Always remember that when you're in a public area, people around you may see what's on your computer screen. Whenever you are in any public place and viewing confidential information on your computer, use extreme caution. Always be aware of your surroundings to avoid disclosing confidential information to unauthorized persons. You don't know who could be watching!
  • Always be cautious when using free unsecured wireless networks.

Physical security tips

  • Always lock your office doors.
  • Always keep client information in locked cabinets and/or a locked desk.
  • Never leave confidential information visible and unattended at your desk.
  • Always securely store documents and use a password protected screen saver when you are away from your desk.
  • Always back up your hard drive and store a set of back-up media off-site in a secured location and cabinet.

Tips for protecting clients' personal information

  • Never send unencrypted confidential information via Internet email. Sending emails on the Internet is very insecure. Internet emails can be on computers around the world within minutes and be read by anyone who has access to it.
  • Always be alert and use discretion if you must discuss confidential information in public. You do not know who might be listening in.
  • Always pick up your print out immediately when you print confidential information.
  • Always be cautious when using post-it notes or slips of paper to write down confidential information like client information.
  • Always ensure that confidential printed matter is shredded using cross-cut shredders.
  • Always know who is receiving a confidential fax. Before you fax the information, call the person so they can be at the fax machine when it arrives. Always double check the fax number before you transmit.

Lost or stolen information

As an advisor, you are responsible for safeguarding your clients' personal information. When a client's personal information is compromised, there's an increased risk that the client's identity may be stolen.

Clients' personal information may be at risk if one of the following is stolen, lost or accessed by unauthorized individuals:

  • Laptop
  • Blackberry or other handheld devices
  • Memory sticks, discs or other portable storage devices
  • Clients' paper files

Notify the appropriate compliance officer at your distribution firm and any carrier whose clients' information may have been impacted.

Before you send the fax

Complete a fax cover sheet - ensure it includes a confidentiality notice and your name and phone number.

If applicable, be sure your sender ID (the name of your area) and fax number are programmed correctly into the fax machine.

Triple check the recipient's fax number:

  • Has it changed recently? Is it pre-programmed into the fax machine?
  • Did you record it correctly on the fax cover sheet?
  • Did you key it in correctly? Check the display window before you hit "send".

Does the document include personal client/employee information or confidential information?

Consider other options - only use fax if it must be sent immediately.

Call the recipient before sending the fax and ask them to stand by the fax machine to pick it up as soon as it arrives.

While sending the fax

Does the document include personal client/employee information or confidential information? Stand at the machine while the fax is being transmitted.

After you send the fax

Check the transmission report to confirm it was sent to the right fax number.

Remove the materials from the machine.

Does it include personal client/employee information or confidential information? Call the recipient to let them know the fax has gone through.

If the fax was misdirected, immediately:

  • Check where the information was sent and contact your client to let them know the information was sent to an incorrect fax number.
  • Contact the number who the information was sent to in error and ask them to destroy or return to you.