Principles of Privacy Law
The following topics represent the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA). Pinnacle and all employees are required to maintain integrity and compliance with these rules governing all business practices and client protection. Respect for our clients and their personal information must always be upheld.
All officers, directors, and employees of Pinnacle are responsible for the client information, corporate and otherwise confidential, under their control. The CCO is ultimately responsible for maintaining compliance with this policy. All inquiries or concerns regarding the use of client information, including information that has been transferred to a third party, must be directed to the CCO.
The purposes for which personal client or other information is collected must be identified and documented at or before the time the information is collected. Pinnacle is permitted to collect only the data necessary to fulfill the purpose of collection. The purposes for collection must be disclosed to the client before the information is gathered.
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
Our only purpose for gathering clients’ information is to fulfill our obligations under Alberta Securities Laws and Regulations.
The knowledge and consent of the client are required for the collection of personal information and the subsequent use or disclosure of the information. Pinnacle employees must obtain consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected. In obtaining consent, the reasonable expectations of the client must always be considered and respected.
A client may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Pinnacle employees must inform the individual of the implications of such withdrawal.
The collection of personal information must be limited to that which is necessary for the purposes identified by the organization, without exception. Personal information cannot be collected indiscriminately. Both the amount and the type of information collected must be limited to that which is necessary to fulfill the purposes identified.
Limiting Use, Disclosure, and Retention
It is prohibited to disclose client information for purposes other than those for which it was collected, except with the consent of the client or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. If personal information is used for a new purpose, Pinnacle employees must document this purpose. Client information will be retained for a period of seven years following the end of the client relationship. After seven years, all client documentation must be destroyed.
Client information must be accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used and as appropriate considering the interests of the client. Client information can only be routinely updated so long as it is necessary to fulfill the purposes for which the information was collected. Client information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Client information must be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards protect client information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Pinnacle requires that all confidential information be maintained in its designated secured areas or electronic databases.
Some examples of protection include the following:
- Physical measures (e.g., locked filing cabinets and restricted access to offices)
- Organizational measures (e.g., security clearances and limiting access on a “need-to-know” basis)
- Technological measures (e.g., the use of passwords and encryption)
All clients have a right to access specific information about Pinnacle policies and procedures relating to the management of client information. The type of information available includes the following:
- The name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded.
- The means of gaining access to personal information held by the organization.
- A description of the type of personal information held by the organization, including a general account of its use.
- Information that explains Pinnacle’s policies, standards, or codes.
Upon request, a client shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A client is able to challenge the accuracy and completeness of the information collected and to have it amended as appropriate. In providing an account about an individual, Pinnacle is obligated to be as specific as possible about third parties to which client information has been disclosed. When it is not possible to provide a specific list of the applicable organizations, Pinnacle must provide a list of likely organizations to which it may have disclosed information about the client within a reasonable time and at minimal or no cost.
A client may address any concerns with respect to compliance with the above principles to the CCO. The existence of Pinnacle procedures regarding client complaints must be disclosed to clients when concerns are raised, and Pinnacle’s client complaint process must be followed.