INVESTMENT INDUSTRY REGULATORY ORGANIZATION OF CANADA PRIVACY CODE
The Investment Industry Regulatory Organization of Canada (“IIROC”) is committed to maintaining the values of integrity, diligence and accountability with respect to the privacy of personal information within its control. IIROC respects and is committed to protecting all personal information. To fulfill this commitment, IIROC complies with all applicable privacy laws.
This Code outlines certain of the principles and practices IIROC follows in protecting the personal information that is in its custody or control by virtue of its performing its regulatory functions. This includes, but is not limited to, personal information of current and former clients, employees, agents, directors, officers, partners and others collected from parties under IIROC’s jurisdiction (“Regulated Persons”).
This Code does not apply to the personal information of IIROC employees. That information is covered separately by the IIROC Employee Code of Conduct.
“Personal Information” means information about an identifiable individual. This can include information such as age, home address and telephone number, social insurance number, marital status, religion, income, medical information, educational and employment history, but does not include business contact information, such as position name or title, business address, telephone or fax number. Under certain privacy legislation, “personal information” does not include “work product” information, such as information prepared or collected by a person as part of his or her employment or business responsibilities or information about how a person goes about fulfilling those responsibilities.
IIROC’s General Counsel is its Privacy Officer, responsible for ensuring IIROC’s compliance with this Code and all applicable privacy laws. The Privacy Officer may be contacted at [email protected] or at 1 877 442-4322.
IIROC collects, uses, retains and discloses personal information in order to perform its regulatory functions, which include registration services, monitoring, investigating and enforcing compliance with the Rule Book, Universal Market Integrity Rules (“UMIR”), related policies (“UMIR Policies”) and certain market specific requirements, securities laws and regulations. In doing so, IIROC engages in a number of activities which may involve the collection, use, retention or disclosure or personal information, such as (without limitation), surveilling trading and trading-related activity; conducting sales compliance, financial compliance and other regulatory audits; investigating potential regulatory and statutory violations; compiling and maintaining regulatory databases; conducting enforcement or disciplinary proceedings; and reporting to securities regulators.
In some situations, IIROC may disclose personal information, whether obtained from Regulated Persons or from other persons, to other organizations including securities regulatory authorities, regulated marketplaces, other self-regulatory organizations, law enforcement agencies and foreign securities regulators.
Applicable privacy laws may permit the collection, use, retention, or disclosure of personal information without consent and/or its collection from a source other than the individual. Where consent is required by applicable privacy laws, IIROC obtains such consent. Some of the personal information that IIROC collects, uses, retains and discloses is disclosed to IIROC by Regulated Persons and others who are subject to applicable privacy laws. Under such laws, Regulated Persons and others must obtain appropriate consents when required. For more information, please see the Joint Regulatory Notice on Federal and Provincial Privacy Legislation, issued on December 3, 2003 and posted on www.iiroc.ca.
IIROC makes reasonable efforts to ensure that the personal information it collects is limited to what is necessary for its intended use.
Limiting use, disclosure, and retention
IIROC does not use or disclose personal information for the purposes inconsistent with IIROC’s regulatory purposes unless required by law. IIROC does not sell personal information to other parties. Personal information is retained for as long as necessary for regulatory purposes or as required by law.
IIROC has put in place procedures and practices reasonably appropriate to the sensitivity of the personal information IIROC collects, uses, retains and discloses for protecting it against loss, theft, unauthorized access and similar risks. IIROC reviews and updates its policies and controls on a reasonable basis to ensure ongoing personal information security.
For more specific information about IIROC’s policies and procedures with respect to privacy, to make a complaint regarding IIROC’s compliance with its Privacy Code and any applicable privacy laws, or to initiate the procedure by which you may access your personal information, please contact the IIROC Privacy Officer using the contact information above.