Continuing Education for Financial Service Professionals
Privacy Practices for the Financial Services
Privacy Practices for the Financial Services
Copyright 2013 CLIFE Inc. Revised 2015 All rights reserved. Any reproduction of parts or all of this course and its contents by any means electronic or mechanical is prohibited.
The information in this course is provided for educational purposes only; it should not be construed or interpreted as providing advice. Readers should always seek guidance from their principals and compliance experts in regards to informing themselves and others about details of the products they sell and other considerations of their business.
We welcome all feedback and suggestions for additions to the course. Please send your comments to info@clifece.ca.
CLIFE INC. 1595 Sixteenth Avenue Suite 301 Richmond Hill, ON L4B 3N9 www.clifece.ca This course provides continuing education credits upon satisfactory completion of an online test. Please see the website for details or email info@clifece.ca.
TABLE OF CONTENTS Privacy Regulations ….. 4 Personal Privacy Checklist…. 8 The Privacy Commissioner of Canada …..10 Understanding Privacy ….. 12 Personal Privacy Checklist…. 15 Employees Have Privacy Rights Too…..16 Personal Privacy Checklist…. 18 Biometrics….. 19 Personal Privacy Checklist…. 21 Breaking Privacy Laws….. 22 Personal Privacy Checklist…. 25 What’s the Point? ….. 26 Personal Privacy Checklist…. 30 The Principles of Privacy….. 31 Personal Privacy Checklist…. 42 Social Media: Problems and Policy….. 43 Personal Privacy Checklist…. 47 The Right to Free Speech? ….. 48 Personal Privacy Checklist….49 A Privacy Breach ….. 51 Personal Privacy Checklist…. 53 Legal Remedies….. 55 Training ….. 57 Personal Privacy Checklist….61 Handling a Privacy Complaint….. 62 Privacyand You: Final Thoughts….. 64 Master Privacy Checklist….. 65
PRIVACY REGULATIONS o Canada and the provinces have all enacted legislation to protect the privacy rights of individuals.
o The two federal acts are: o Personal Information Protection and Electronic Documents Act (known generally as PIPEDA), and o The Privacy Act.
o PIPEDA covers regulations that apply to the private sector (i.e., business and companies that operate in Canada); the Privacy Act applies to about 250 federal government departments and agencies.
o PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.
o The Privacy Commissioner of Canada provides oversight of the Privacy Act and Part 1 of PIPEDA.
o Provinces also have their own privacy laws and they supercede PIPEDA when they are “substantially similar” to PIPEDA. o All the provinces except Prince Edward Island have enacted specific laws pertaining to the protection of health-related information.
o For the sake of simplicity in this Course, we will refer to “privacy laws” as a general allencompassing term instead of specifying particular acts or jurisdictions. o It is also important to note that the term “personal information” has been updated and clarified to mean “personally-identifiable information.” We will use these two terms interchangeably throughout the Course.
Are you subject to privacy legislation? o
As a Canadian resident you benefit from the privacy laws that apply to all individuals in Canada. This gives you the necessary rights for protection of your personal information with organizations you deal with and the knowledge that the personal information that is both collected by you and about you is subject to privacy legislation.
o
Professionally, privacy legislation applies to all organizations in Canada,. Organizations include corporations, associations, partnerships, individuals, and trade unions.
Primary Privacy Protection: PIPEDA (The Personal Information Protection and Electronic Documents Act) o
Here is an overview of what the Act means to your business:
You need consent to collect, use or disclose personal information about people, except in a few specific circumstances that are described later in this Course.
You can use or disclose that personal information only for the purpose for which they gave consent.
You must limit the collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
Secondary Means of Protecting Privacy o PIPEDA, the Privacy Act, and the provincial laws protecting personal information have all been formulated to safeguard information. However, new laws also protect an individual’s right to privacy by governing telecommunication practices and their incursion into “personal space.”
Do Not Call o If you cold call, the following information will apply to you.
o The National Do Not Call List (DNCL) gives consumers a choice about whether to receive telemarketing calls at home. It does not apply to calls made to businesses. Exceptions are also provided for:
registered charities;
debt collection agencies;
political parties and candidates;
opinion-polling firms or market-research firms conducting surveys;
newspapers calling to sell a subscription;
organizations that have a business relationship with you when: -
you’ve done business with the organization in the last 18 months;
-
you’ve inquired about the organization's products or services in the last six months;
if you have provided express consent to be called. Express consent includes: -
Your permission on a written form, electronic form, or an online form; or
-
Your verbal permission.
o Consumers can register their residential, wireless, fax or VoIP telephone number on the National DNCL. Their registration indicates that they do not wish to receive inbound voice or text telemarketing.
o Telemarketers are required to register with the Canadian Radiotelevision and Telecommunication Commission (https://www.lnntedncl.gc.ca/ind/insorg-regorg-eng), purchase a subscription to the DNCL list, and must not call those whose names appear on that list.
o Telemarketers must also maintain internal lists of customers who request their names and numbers no longer be contacted.
o Rules are also set for telemarketers when they call names that are not on the list:
At the beginning of a call, a telemarketer must give the reason for the call, identify them self, and identify on whose behalf the call is being made;
Telemarketers may only call within specific calling hours: Calling hours are restricted to weekdays (Monday to Friday) between 9:00 am and 9:30 pm and weekends (Saturday and Sunday) between 10:00 am and 6:00 pm.
Upon request, a telemarketer must: -
provide a local or toll-free number allowing the customer access to speak to an employee or other representative of the telemarketer and where applicable, its client;
-
provide the name and address of an employee or other representative of the telemarketer and where applicable, its client, to whom the consumer can write.
Anti-Spam Legislation o If you send bulk emails or text messages, this legislation could apply to you.
o Partially under the purview of PIPEDA, the anti-spam rules are widely known as CASL, or Canada’s Anti-Spam Legislation.
o Spam is defined as the use of electronic messaging systems to send unsolicited, bulk messages. Spam messages may contain deceptive content, support illegal activities and may also be used to deliver electronic threats to computers in the form of spyware and viruses.
o CASL prohibits:
sending commercial messages to email accounts, social networking sites, or by text without permission of the recipient;
•
installation of computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee;
•
use of false or misleading representations online in the promotion of products or services;
•
collection of personal information through accessing a computer system in violation of federal law (e.g. the Criminal Code of Canada); and
•
collection of electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting).
CASL is intended to prevent this type of message from being received from an unknown sender:
Hello Friend, I am sorry to contact you in this manner accept my apologies if the
content here under is contrary to your moral ethics but please treat with absolute secrecy and personal. My name is Engr. SherifAlmed from Damascus Syria. I am now 64 years Old, and i am a retired government official, I was former personal investor & financial consultant advisers to some Top Politician in Syria, also an oil Tycoon from Syria and Saudi Arabia. Why i contacted you is that I want you to tell me more about good investment in your country so that i could relocate my investment planning to your beautiful country, out of Syria, ‌�
If you receive an email from a prospect or customer and you want to be able to add his or her email address to your contact list for future communications, you must simply ask him or her if you can do so. Once you have that permission, you will be following the regulations in regards to spam.
Note that the legislation is intended to stop the fraudulent nature of spam messages; many legitimate businesses that rely on email for purely business purposes will also being affected.
Personal Checklist Do you understand the implications of cold calling to the Do Not Call List? Do you know where to register if you telemarket? Do you follow the rules when it comes to calling those who are not on the List? Do you enforce the rules when it comes to calling those who are not on the List for your employees?
If you or your employees telemarket, have you established the name and address of an employee or other representative of the firm to whom a consumer can write? Do your employees know that name and address? If you or your employees telemarket, have you established a local or toll-free umber allowing the customer to speak with your employee or other representative at that number?
CLICK HERE TO ORDER