Self-regulatory organizations in Canada have set out the standards for the collection, use and disclosure of personal information of clients and others for regulatory purposes under new federal and provincial privacy laws.
Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act, comes fully into effect Jan. 1. Quebec has a provincial privacy law in place, B.C. has enacted a privacy law that will come into force Jan. 1, and Alberta has a bill pending which, if enacted, would also come into force the same day. Individuals will have to determine which laws apply to them.
A joint regulatory notice from the Investment Dealers Association, Market Regulation Services Inc., the Mutual Fund Dealers Association, Bourse de Montreal Inc., and the Canadian Investor Protection Fund sets out a common principle underlying PIPEDA and provincial privacy requirements: “knowledgeable consent by an individual to the collection, use or disclosure of his or her personal information”. Personal information can include information contained in new client account forms, account statements and trading records, and cheques and other financial records.
Firms and people collecting this sort of information must ensure they have policies and procedures in place to comply with federal and provincial privacy requirements. For example, an organization must identify to an individual the purposes for which that individual’s personal information may be collected, used or disclosed by the organization.
Also, those under SRO jurisdiction must produce information for SROs for regulatory purposes. To comply with their obligations they must, at a minimum, ensure the documentation they provide to individuals from whom they collect personal information includes notification describing the purposes of their collection, use and disclosure of personal information, including its disclosure to SROs and its use and disclosure by SROs. They are not allowed to accept or administer an account in which a client does not consent to such disclosure to SROs and the use and disclosure of that information by SROs.
SROs require access to personal information of current and former clients, employees, agents, directors, officers, partners and others for regulatory purposes. The notice says personal information includes: surveillance of trading-related activity, sales, financial compliance, trade-desk review and other regulatory audits; investigation of potential regulatory and statutory violations; regulatory databases; enforcement or disciplinary proceedings; reporting to securities regulators; and information-sharing with other authorities.
Regulated people who maintain a Web site should include a privacy notice stating that personal information may be disclosed to SROs.
Disciplinary proceedings may apply to an SRO if it fails to provide notification to individuals from whom it collects personal information, or if it accepts an account from a client that doesn’t consent to disclosure.
SROs set for new privacy legislation
List standards for collection of personal information
- By: IE Staff
- December 3, 2003
- 11:30