SROs issue warning on privacy legislation

(December 3, 2003) Advisors under the jurisdiction of a self-regulatory organization (SRO) — such as the IDA or the MFDA — could be subject to disciplinary proceedings if they don’t fulfill their obligations under the federal government’s new privacy legislation.

The warning came today in a joint regulatory notice on privacy issued by the IDA, MFDA, Market Regulation Services, the Montreal Exchange and the Canadian Investor Protection Fund.

It states that advisors may be subject to disciplinary proceedings by their SRO if they fail to notify properly clients about the collection, use and disclosure of personal information or if they accept or administer an account without providing that notice.

As of January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) will apply to anyone who collects, uses or discloses personal information as part of a business activity. PIPEDA sets out 10 principles organizations must follow when dealing with private information, such as accountability, consent, safeguards and disclosure.

The key principle under PIPEDA and similar provincial privacy requirements is knowledgeable consent by an individual to the collection, use or disclosure of their personal information, explains IDA vice-president Paul Bourque.

“That’s the new requirement,” he says. “Firms have to give their clients notice as to the purpose for which they are collecting personal information.”

Bourque says consent can come in a number of forms and it’s up to firms to decide how to do that. For existing accounts and personal information already on file, Bourque says the SROs believe that by providing notice, clients will be agreeing to a tacit, or “deemed,” consent.

“If [clients] wish to object to that, of course they can,” he says. “In that case, our member firms either have to decline to accept the account, or they have to decline to administer the account. So the account can’t operate unless the client is agreeable to this kind of sharing of personal information.”

Notification on the use of personal information may be included in new client account documentation, client account statements and trade confirmations, the SROs say. Advisors who maintain a Web site should also include a privacy notice.

“The reason we’re collaborating on this is because we all have the requirement to collect personal information from our firms’ clients and former clients and the names of our members’ employees and former employees,” says Bourque. “We’ve always done that but we have to make sure we can continue to do it under the environment of the new privacy legislation.”

PIPEDA also requires that firms designate a person within the organization who will be accountable for compliance with the privacy principles. Does that mean we’ll see a spate of new job postings for privacy officers in the financial services industry? It’s too soon to say, but Bourque notes that the public sector has been dealing with similar privacy provisions for 20 years.

“They had to build an infrastructure to accommodate the new principles of access to personal information,” he says. “I suspect that will be the same in the private sector.”

Filed by Doug Watt, Advisor.ca, doug.watt@advisor.rogers.com