Obligations
The Personal Information Protection and Electronic Documents Act (PIPEDA), or other similar provincial legislation, requires you to have a written privacy compliance program and to obtain client consent for the collection, use and disclosure of clients’ personal information. To meet this obligation you must:
Establish a compliance program for your practice and any persons employed by you or your corporation or acting on behalf of your corporation.
Obtain appropriate consents from clients to collect, use or disclose their personal information.
Ensure all employees and representatives of the corporation, as well as third parties who have access to the corporation’s premises or computers, have signed a confidentiality agreement.
Use call authentication procedures.
Ensure appropriate information security measures are in place for your electronic devices, client files, etc.
Appropriately dispose of information.
Have a record retention policy.
Ensure you have access to, and use, only the information necessary for the pursuit of your activities.
Provide ongoing privacy training to employees and persons acting on behalf of the corporation.
You are required to follow a records retention policy. You must not conceal, destroy or alter any records that are relevant to any pending, threatened or anticipated regulatory investigation or legal proceeding. You must keep all records, accounting and files relating to clients, including information on the separate account and commission register, for the retention period prescribed in your province.
Office of the Privacy Commissioner of Canada