When collecting information from clients and prospects, you must be prepared to explain the purposes for which you are collecting it. Client consent to an advisor’s collection and use of personal information is generally included within the insurer application signed by the client. This provides authorization to the advisor for that single purpose and for that single insurer only. Where the advisor will retain ANY of the information collected in order to build a client file or to assist the client with future requirements, consent should be obtained from the client in writing at all times. It is also good business practice to inform clients and prospects about your own privacy practices.
Accountability:
- You must take appropriate measures in your practice to ensure that information you’ve collected is used for the purposes identified and that it is not used for another purpose or disclosed to a third party without the client’s or prospect’s consent, except as may otherwise be allowed by law.
- You should only disclose personal information about your clients to another person or company if you have the verbal or written consent of your client or if you are otherwise allowed to do so by law. You can recommend other professionals or advisors to your clients if they ask you or if you believe they may benefit from such services. You should never provide any client names or other information to third parties that may use it to market their services to your clients, unless you have the client's consent.
- You must take appropriate precautions to safeguard client information from third parties who may have access to your premises, e.g., security staff, cleaning services, and suppliers.
More information on PIPEDA can be found on the Federal Privacy Commissioner’s website.
Physical Operational Safeguards:
- When destroying paper materials containing client or prospect personal information, always shred the documents, either by using your own shredder or subscribing to a shredding service.
- Information stored on CDs and diskettes should be deleted when it is no longer needed.
- Ensure that all sensitive personal information is accessed only with an appropriate user ID and password, is secured in locked rooms, cabinets, and/or desk drawers when not actively in use, and that access is restricted to those who require it for the performance of their duties.
- Safeguard client information, whether in your personal office, car, or other location. Personal information should be removed from the advisor’s place of business only when necessary or required to appropriately service clients.
- Computers and PDAs should be locked to prevent access during all absences (lunch, meetings, evenings, weekends, illnesses, and vacations).
- Laptops should be securely anchored or stored in a locked cabinet or drawer (the key should be kept in a safe place away from the laptop).
- Use screen savers or other means to cover personal information on computer screens when others are in your office or work area.
Other Operational Safeguards:
- You, your associates, and your staff should take appropriate measures to authenticate the identity of the person asking for confidential information before it is released.
- Attach a disclaimer to all e-mail and fax communications containing client personal information. For example: “The contents of this communication, including any attachment(s), are confidential and may be privileged. If you are not the intended recipient (or are not receiving this communication on behalf of the intended recipient), please notify the sender immediately and delete or destroy this communication without reading it, and without making, forwarding, or retaining any copy or record of it or its contents. Thank you.”
- Fax machines, photocopiers, printers, and similar equipment should be located in areas where access is reasonably limited.
- Never discuss clients in public places, such as elevators, cafeterias, or restaurants.
- Take precautions to avoid being overheard when discussing client or employee personal information on cellular phones.
These are excellent recommendations that can be incorporated into your Privacy Policy and Procedures.
Remember,
Good Business is Compliant and Compliance Matters!