The Investment Industry Regulatory Organization of Canada (“IIROC”) is committed to maintaining the values of integrity, diligence and accountability with respect to the privacy of personal information within its control. IIROC respects and is committed to protecting all personal information. To fulfill this commitment, IIROC complies with all applicable privacy laws.

This Code outlines certain of the principles and practices IIROC follows in protecting the personal information that is in its custody or control by virtue of its performing its regulatory functions. This includes, but is not limited to, personal information of current and former clients, employees, agents, directors, officers, partners and others collected from parties under IIROC’s jurisdiction (“Regulated Persons”).

This Code does not apply to the personal information of IIROC employees. That information is covered separately by the IIROC Employee Code of Conduct.

Personal Information

“Personal Information” means information about an identifiable individual. This can include information such as age, home address and telephone number, social insurance number, marital status, religion, income, medical information, educational and employment history, but does not include business contact information, such as position name or title, business address, telephone or fax number. Under certain privacy legislation, “personal information” does not include “work product” information, such as information prepared or collected by a person as part of his or her employment or business responsibilities or information about how a person goes about fulfilling those responsibilities.


IIROC’s General Counsel is its Privacy Officer, responsible for ensuring IIROC’s compliance with this Code and all applicable privacy laws. The Privacy Officer may be contacted at [email protected] or at 1 877 442-4322.

Regulatory Purposes

IIROC collects, uses, retains and discloses personal information in order to perform its regulatory functions, which include registration services, monitoring, investigating and enforcing compliance with the Rule Book, Universal Market Integrity Rules (“UMIR”), related policies (“UMIR Policies”) and certain market specific requirements, securities laws and regulations. In doing so, IIROC engages in a number of activities which may involve the collection, use, retention or disclosure or personal information, such as (without limitation), surveilling trading and trading-related activity; conducting sales compliance, financial compliance and other regulatory audits; investigating potential regulatory and statutory violations; compiling and maintaining regulatory databases; conducting enforcement or disciplinary proceedings; and reporting to securities regulators.


In some situations, IIROC may disclose personal information, whether obtained from Regulated Persons or from other persons, to other organizations including securities regulatory authorities, regulated marketplaces, other self-regulatory organizations, law enforcement agencies and foreign securities regulators.


Applicable privacy laws may permit the collection, use, retention, or disclosure of personal information without consent and/or its collection from a source other than the individual. Where consent is required by applicable privacy laws, IIROC obtains such consent. Some of the personal information that IIROC collects, uses, retains and discloses is disclosed to IIROC by Regulated Persons and others who are subject to applicable privacy laws. Under such laws, Regulated Persons and others must obtain appropriate consents when required. For more information, please see the Joint Regulatory Notice on Federal and Provincial Privacy Legislation, issued on December 3, 2003 and posted on

Limiting collection

IIROC makes reasonable efforts to ensure that the personal information it collects is limited to what is necessary for its intended use.

Limiting use, disclosure, and retention

IIROC does not use or disclose personal information for the purposes inconsistent with IIROC’s regulatory purposes unless required by law. IIROC does not sell personal information to other parties. Personal information is retained for as long as necessary for regulatory purposes or as required by law.


IIROC has put in place procedures and practices reasonably appropriate to the sensitivity of the personal information IIROC collects, uses, retains and discloses for protecting it against loss, theft, unauthorized access and similar risks. IIROC reviews and updates its policies and controls on a reasonable basis to ensure ongoing personal information security.


For more specific information about IIROC’s policies and procedures with respect to privacy, to make a complaint regarding IIROC’s compliance with its Privacy Code and any applicable privacy laws, or to initiate the procedure by which you may access your personal information, please contact the IIROC Privacy Officer using the contact information above.

MFDA and IIROC have consolidated

As of January 1, 2023 the MFDA and IIROC have come together as New Self-Regulatory Organization of Canada (New SRO).

New SRO has assumed the regulatory responsibilities of the MFDA and IIROC.

We have set up an interim website for updates and information related to the New SRO including:

  • Executive Management
  • Governance
  • New SRO Rules
  • Member Application
  • Investor Office and the Investor Advisory Panel
  • Information concerning mutual fund dealers registered in Québec
  • Complaints
  • Careers

Enforcement proceedings, membership lists, continuing education, investor education resources and any other information not set out above continue to reside on and