Protecting Personal Information
Personal Information
Under the Act respecting the protection of personal information in the private sector, all CSF-member advisors are required to maintain the confidentiality of personal information they collect as an independent representative (advisor) or for their firm, dealer, or independent partnership and keep in the scope of their business. Personal information is any information about a natural person that can identify them.
- Address
- Personal e-mail address
- National or ethnic origin
- Religion
- Age
- Marital status
- Level of education
- Medical records
- Legal records
- Employment history
- Financial transactions in which a person participated
- Orders or transactions on behalf of a person
- Number or symbol or any other personal identification of a person
- Name, when mentioned with other personal information about the person or when simply disclosing the name would reveal information about them
Protecting personal information is an essential part of the right to privacy. The main concepts are:
- All people are entitled to privacy.
- When a person creates a file on another person, they must have a legitimate and serious interest for doing so.
- Only personal information related to the purpose of the file may be collected for the file.
- Personal information may not be communicated to third parties without the person’s consent, unless otherwise authorized by law.
Firms, dealers, independent partnerships, and independent representatives (advisors) must, while conducting their business, collect a variety of personal information on the clients, and occasionally send it to third parties, such as insurers. This personal information must be protected. Establishments must therefore establish measures to ensure this protection. Also, given that a large portion of client information is originally collected by the advisor who is in a direct relationship with them, this advisor must also ensure it is protected.
Protecting clients’ personal information relies on simple basic principles that advisors must apply to their practice, such as:
- Establish a clear purpose for each collection, use, or communication of a client’s personal information.
- Limit the collection, use, and communication of a client’s personal information to what is necessary for the fulfilment of this purpose.
- Obtain the client’s consent to collect or process information about them under all circumstances.
- In concrete terms, the advisor must ensure that the client’s consent for collection, communication, or use of personal information is clear, obvious, and given for specific purposes. This is why they must collect the information from the client themselves.
- Ensure that information on a client is correct and up-to-date. This is especially important when the information is used to make a decision about this client.
- Ensure the security of personal information held on a client. In concrete terms, the advisor must take the necessary measures to protect the confidentiality of this information, whether it’s during its collection, use, communication, storage, or disposal.
- Allow the client to view and correct their file as needed.
- Establish specific policies to implement these concepts.
The advisor’s responsibility to ensure the protection of their clients’ personal information applies during their collection, use, and communication.
This responsibility applies to all advisors, regardless of their type of practice, and includes:
- secrecy regarding all of a client’s personal information
- use of this information exclusively for the purposes for which it was collected
- non-disclosure of a client’s personal information to a third party
In the last two cases, the client’s consent, an applicable law, or a court may allow use or communication of this information.
Attached Advisor
An advisor who works for a firm, independent partnership, or dealer must send all the information they collect on clients to the establishment to which they are attached.
Advisor Running A Company
An advisor who runs a company may, without the client’s consent and under certain conditions, communicate personal information contained in a client file, for example:
- to their lawyer
- to the Director of Criminal and Penal Prosecutions
- to an organization tasked with preventing, detecting, or controlling crime or breaches of the law
- to a person tasked with applying a law or collective agreement
- to a public organization under the Access Act for performing its duties or the implementation of a program
- to a person or organization with the power to force its communication
- to a person who must be informed due to an emergency situation threatening the life, health, or safety of the person in question
- to a person authorized by the Commission d’accès à l’information to receive communication of personal information for purposes of study, research, or statistics
- to a person who can recover a debt under the law
- to a person for the purpose of creating a list of names
- to a person or organization with the aim of preventing an act of violence, including suicide, when there is reason to believe that a serious risk of death or serious injury is threatening a person or group
Using Information Technology
Due to the increasingly frequent use of information technology (IT) in the advisor’s activities, protecting personal information has become an especially significant compliance challenge.
When an advisor uses IT to send or keep information on a client, they must be careful and take necessary protection measures.
The section Using information technology provides more details on this topic.