Protection of Personal Information GIC Financial Management/Two Roads Financial Centre (“the company”) has adopted the following interrelated privacy principles specified in the Personal Information Protection and Electronic Documents Act (“The Act”):
- Accountability – the company is responsible for personal information under its control and shall designate a Privacy Officer accountable for compliance.
- Identifying purposes – the purpose for which personal information is collected shall be identified by the company at or before the time the information is collected.
- Consent – the knowledge and consent of the client is required for the collection, use and disclosure of personal information.
- Limiting collection – the collection of personal information shall be limited to that which is necessary for the purposes identified by the company and its regulators.
- Accuracy – personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is to be used.
- Safeguards – personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The company will apply the same standard of care as it applies to safeguarding its own confidential information of a similar nature.
- Openness – the company shall make readily available to clients specific, understandable information about its policies and practices relating to the management of personal information.
- Individual access – upon request, a client shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information. A client is entitled to question the accuracy and completeness of the information and have it amended as appropriate on proof of inaccuracy.
- Challenging compliance – a client shall be able to question compliance with the above principles to the Privacy Officer accountable for the company’s compliance. The company shall have policies and procedures to respond to questions and concerns.
(b) Identifying purposes The Privacy Officer will document all purposes including existing and new purposes for which personal information is collected, used and disclosed. The company will make reasonable efforts to ensure that clients are aware of the purpose for which their personal information is collected including any disclosure of the personal information to third parties. The company will ensure all employees are aware of the purpose for which employee’s personal information is collected including any disclosure to third parties.
(c) Consent Once client consent is obtained further consent will not be required when personal information is supplied to agents of the company who carry out functions such as data processing, printing and cheque processing. Express consent electronically, verbally and in writing through the use of applications, signed forms and contracts will be used for obtaining consent for the collection use and disclosure of personal information.
(d) Limits on consent The company will not as a condition of the supply of a product or service, require a client to consent to the collection, use or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes. Clients may withdraw consent. The request to withdraw consent must include acknowledgement that the client has been advised that the company may subsequently not be able to provide the product, service or information that may be of value to the client.
(e) Limiting collection The company will not collect personal information indiscriminately. It will specify both the amount and the type of information collected, limited to that which is necessary to fulfill the purposes identified, in accordance with this policy.
(f) Accuracy The Privacy Officer will ensure the company has guidelines and procedures to ensure client and employee data is accurate, complete and current. The company will not routinely update personal information unless such a process is necessary to fulfill the purpose for which the information was collected.
(g) Safeguards The company will to the best of its ability in collaboration with third parties specializing in security safeguards, protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, discourse or disposal. The company will conduct regular reviews or practices related to the safeguarding of personal information. Employees and officers will be required to sign a statement of conduct annually that includes a commitment to keep client and company information secure and confidential. Third parties The company will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Personal information disclosed to unrelated third party suppliers is strictly limited to programs endorsed by the company. The Privacy Officer must be satisfied the personal information is adequately safeguarded by the third party. The third party will be required to safeguard personal information disclosed to them in a manner consistent with policies of the company. Examples include data processors, printers and cheque processors. The company will not enter into a relationship with any organization that does not agree to abide by acceptable limitations on information users and appropriate safeguards.
(h) Individual access All requests for access to personal information must be submitted in writing and include adequate proof of the individual’s identity/right to access, and provide sufficient information to allow the company to locate the requested information. Any situations that result in legal restriction to access will be reviewed by the Privacy Officer.
(i) Challenging compliance Any individual can challenge the company’s compliance with the Act. The Privacy Officer will investigate all complaints. Inquiries/complaints must be in writing and the company must respond as quickly as possible and within 30 days. The Privacy Officer is responsible for ensuring appropriate measures are taken when an inquiry/complaint is found to be justified.