Table of Contents
Introduction
Summary of Principles
Scope and Application
Definitions
The Roche Financial Group Privacy Code in Detail
Principle 1 - Accountability
Principle 2 - Identifying Purposes for Collection of Personal Information
Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information
Principle 4 - Limiting Collection of Personal Information
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
Principle 6 - Accuracy of Personal Information
Principle 7 - Security Safeguards
Principle 8 - Openness Concerning Policies and Procedures
Principle 9 - Client and Employee Access to Personal Information
Principle 10 - Challenging Compliance
Additional Information

Introduction
At The Roche Financial Group, respecting privacy is an important part of our commitment to our clients and employees. That is why we have developed The Roche Financial Group Privacy Code. The Roche Financial Group Privacy Code is a statement of principles and guidelines regarding the minimum requirements for the protection of personal information provided by The Roche Financial Group to its clients and employees. The objective of The Roche Financial Group Privacy Code is to promote responsible and transparent personal information management practices in a manner consistent with the provisions of the Personal Information Protection and Electronic Documents Act (Canada).
The Roche Financial Group will continue to review The Roche Financial Group Privacy Code to make sure that it is relevant and remains current with changing industry standards, technologies and laws.
Summary of Principles
Principle 1 - Accountability
The Roche Financial Group is responsible for personal information under its control and shall designate one or more persons who are accountable for The Roche Financial Group's compliance with the following principles.
Principle 2 - Identifying Purposes for Collection of Personal Information
The Roche Financial Group shall identify the purposes for which personal information is collected at or before the time the information is collected.
Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a client or employee are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection of Personal Information
The Roche Financial Group shall limit the collection of personal information to that which is necessary for the purposes identified by The Roche Financial Group. The Roche Financial Group shall collect personal information by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
The Roche Financial Group shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Principle 6 - Accuracy of Personal Information
Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
Principle 7 - Security Safeguards
The Roche Financial Group shall protect personal information by security safeguards appropriate to the sensitivity of the information.
Principle 8 - Openness Concerning Policies and Procedures
The Roche Financial Group shall make readily available to clients and employees specific information about its policies and procedures relating to the management of personal information.
Principle 9 - Client and Employee Access to Personal Information
The Roche Financial Group shall inform a client or employee of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A client or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance
A client or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for The Roche Financial Group's compliance with The Roche Financial Group Privacy Code.
Scope and Application
The ten principles that form the basis of The Roche Financial Group Privacy Code are interrelated and The Roche Financial Group shall adhere to the ten principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by the Personal Information Protection and Electronic Documents Act (Canada), the commentary in The Roche Financial Group Privacy Code has been drafted to reflect personal information issues specific to The Roche Financial Group.
The scope and application of The Roche Financial Group Privacy Code are as follows:
The Roche Financial Group Privacy Code applies to personal information collected, used, or disclosed by The Roche Financial Group in the course of commercial activities.
The Roche Financial Group Privacy Code applies to the management of personal information in any form, whether oral, electronic or written.
The Roche Financial Group Privacy Code does not impose any limits on the collection, use or disclosure of the following information by The Roche Financial Group:
(a) an employee's name, title or business address or telephone number;
(b) information that The Roche Financial Group collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose; or
(c) other information about the individual that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act (Canada).
The Roche Financial Group Privacy Code will not typically apply to information regarding The Roche Financial Group's corporate clients. However, such information may be protected by other policies and practices of The Roche Financial Group and through contractual arrangements.
The application of The Roche Financial Group Privacy Code is subject to the requirements and provisions of the Personal Information Protection and Electronic Documents Act (Canada), the regulations enacted thereunder, and any other applicable legislation or regulation.
Definitions
collection: The act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
consent: Voluntary agreement for the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing, but is always unequivocal and does not require any inference on the part of The Roche Financial Group. Implied consent is consent that can reasonably be inferred from an individual's action or inaction.
client: An individual who purchases or otherwise acquires or uses any of The Roche Financial Group's products or services or otherwise provides personal information to The Roche Financial Group in the course of The Roche Financial Group's commercial activities.
disclosure: Making personal information available to a third party.
employee: An employee of, advisor, financial advisor, associated advisor, or independent contractor to The Roche Financial Group.
personal information: Information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization.
The Roche Financial Group: Is a registered trademark of Roche Financial Corporation.
third party: An individual or organization outside of The Roche Financial Group.
use: The treatment, handling, and management of personal information by and within The Roche Financial Group or by a third party with the knowledge and approval of The Roche Financial Group.
*******************************
The Roche Financial Group Privacy Code in Detail
Principle 1 - Accountability
The Roche Financial Group is responsible for personal information under its control and shall designate one or more persons who are accountable for The Roche Financial Group's compliance with the following principles.
1.1 Responsibility for compliance with the provisions of The Roche Financial Group Privacy Code rests with The Roche Financial Group Privacy Officer, who can be reached at 1-647-222-2688. Other individuals within The Roche Financial Group may be delegated to act on behalf of The Roche Financial Group Privacy Officer or to take responsibility for the day-to-day collection and/or processing of personal information.
1.2 The Roche Financial Group shall make known, upon request, the title of the person or persons designated to oversee The Roche Financial Group's compliance with The Roche Financial Group Privacy Code.
1.3 The Roche Financial Group is responsible for personal information in its possession or control. The Roche Financial Group shall use contractual or other means to provide a comparable level of protection while information is being processed or used by a third party.
1.4 The Roche Financial Group shall implement policies and procedures to give effect to The Roche Financial Group Privacy Code, including:
(a) implementing procedures to protect personal information and to oversee The Roche Financial Group's compliance with The Roche Financial Group Privacy Code;
(b) implementing procedures to receive and respond to complaints;
(c) training and communicating to staff about The Roche Financial Group's policies and procedures; and
(d) developing information materials to explain The Roche Financial Group's policies and procedures.
Principle 2 - Identifying Purposes for Collection of Personal Information
The Roche Financial Group shall identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 The Roche Financial Group collects personal information only for the following purposes:
a) to communicate with clients in a timely and efficient manner
b) to prepare clients' income tax returns
c) to prepare the clients' business financial statements, and related tax returns
d) to prepare clients' financial plan
e) to evaluate clients' needs for investment, insurance and other services available to the clients and from time to time communicate regarding these issues
f) to open savings, investments, and insurance accounts with our suppliers
g) to disclose information to our insurers to be used according to the guidelines established by them under PIPEDA
h) to disclose information to Self Regulatory Organizations (SRO) such as, but not limited to, Mutual Fund Dealers Association, Ontario Securities Commission, Certified General Accountants Association of Ontario, Financial Planners Standards Council, etc. to be used by the SROs according to their privacy guidelines established under the PIPEDA
Further references to "identified purposes" mean the purposes identified in this Principle.
2.2 The Roche Financial Group shall specify orally, electronically or in writing the identified purposes to the client or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within The Roche Financial Group who can explain the purposes.
2.3 When personal information that has been collected is to be used or disclosed for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is permitted or required by law, the consent of the client or employee will be acquired before the information will be used or disclosed for the new purpose.
Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a client or employee are required for the collection, use, or disclosure of personal information, except where inappropriate. In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual.
3.1 In obtaining consent, The Roche Financial Group shall use reasonable efforts to ensure that a client or employee is advised of the identified purposes for which personal information will be used or disclosed. The identified purposes shall be stated in a manner that can be reasonably understood by the client or employee.
3.2 Generally, The Roche Financial Group shall seek consent to use and disclose personal information at the same time it collects the information. However, The Roche Financial Group may seek consent to use and/or disclose personal information after it has been collected, but before it is used and/or disclosed for a new purpose.
3.3 The Roche Financial Group may require clients to consent to the collection, use and/or disclosure of personal information as a condition of the supply of a product or service only if such collection, use and/or disclosure is required to fulfill the explicitly specified, and legitimate identified purposes.
3.4 In determining the appropriate form of consent, The Roche Financial Group shall take into account the sensitivity of the personal information and the reasonable expectations of its clients and employees.
3.5 The purchase or use of products and services by a client, or the acceptance of employment or benefits by an employee, may constitute implied consent for The Roche Financial Group to collect, use and disclose personal information for the identified purposes.
3.6 A client or employee may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Clients and employees may contact The Roche Financial Group for more information regarding the implications of withdrawing consent.
3.7 The Roche Financial Group may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated.
3.8 The Roche Financial Group may collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting, using or disclosing the information, such as in the investigation of a breach of an agreement or a contravention of a law.
3.9 The Roche Financial Group may collect, use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
3.10 The Roche Financial Group may use or disclose personal information without knowledge or consent to a lawyer representing The Roche Financial Group, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required or authorized by law.
Principle 4 - Limiting Collection of Personal Information
The Roche Financial Group shall limit the collection of personal information to that which is necessary for the purposes identified by The Roche Financial Group. The Roche Financial Group shall collect personal information by fair and lawful means.
4.1 The Roche Financial Group collects personal information primarily from its clients or employees.
4.2 The Roche Financial Group may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties who represent that they have the right to disclose the information.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
The Roche Financial Group shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. The Roche Financial Group shall retain personal information only as long as necessary for the fulfillment of those purposes.
5.1 The Roche Financial Group may disclose a client's personal information to:
a) other professionals within The Roche Financial Group
b) other professionals associated and affiliated with The Roche Financial Group
c) suppliers of investment and insurance products to The Roche Financial Group
d) insurers of The Roche Financial Group for professional liability
e) self regulated organizations (SRO), i.e. Ontario Securities Commission and Mutual Fund Dealers Association.
5.2 The Roche Financial Group may disclose personal information about its employees to suppliers of investment and insurance products to The Roche Financial Group.
5.3 Only The Roche Financial Group's employees with a business need-to-know, or whose duties reasonably so require, are granted access to personal information about clients and employees.
5.4 The Roche Financial Group shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a client or employee, The Roche Financial Group shall retain, for a period of time that is reasonably sufficient to allow for access by the client or employee, either the actual information or the rationale for making the decision.
5.5 The Roche Financial Group shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
Principle 6 - Accuracy of Personal Information
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by The Roche Financial Group shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a client or employee.
6.2 The Roche Financial Group shall update personal information about clients and employees as necessary to fulfill the identified purposes or upon notification by the individual.
Principle 7 - Security Safeguards
The Roche Financial Group shall protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 The Roche Financial Group shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures, regardless of the format in which it is held.
7.2 The Roche Financial Group shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
7.3 All of The Roche Financial Group's employees with access to personal information shall be required to respect the confidentiality of that information.
Principle 8 - Openness Concerning Policies and Procedures
The Roche Financial Group shall make readily available to clients and employees specific information about its policies and procedures relating to the management of personal information.
8.1 The Roche Financial Group shall make information about its policies and procedures easy to understand, including:
(a) the title and address of the person or persons accountable for The Roche Financial Group's compliance with The Roche Financial Group Privacy Code and to whom inquiries and/or complaints can be forwarded;
(b) the means of gaining access to personal information held by The Roche Financial Group;
(c) a description of the type of personal information held by The Roche Financial Group, including a general account of its use; and
(d) a description of what personal information is made available to related organizations (e.g., subsidiaries).
8.2 The Roche Financial Group shall make available information to help clients and employees exercise control of the collection, use and/or disclosure of their personal information and, where applicable, privacy-enhancing services available from The Roche Financial Group.
Principle 9 - Client and Employee Access to Personal Information
Upon request, The Roche Financial Group shall inform a client or employee of the existence, use, and disclosure of his or her personal information and shall give the individual access to that information. A client or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1 Upon request, The Roche Financial Group shall afford clients and employees a reasonable opportunity to review the personal information in the individual's file. Personal information shall be provided in understandable form within a reasonable time, and at minimal or no cost to the individual.
9.2 In certain situations, The Roche Financial Group may not be able to provide access to all the personal information that it holds about a client or employee. For example, The Roche Financial Group may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, The Roche Financial Group may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of the laws of Canada or a province.
9.3 Upon request, The Roche Financial Group shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, The Roche Financial Group shall provide a list of third parties to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.
9.4 In order to safeguard personal information, a client or employee may be required to provide sufficient identification information to permit The Roche Financial Group to account for the existence, use and disclosure of personal information and to authorize access to the individual's file. Any such information shall be used only for this purpose.
9.5 The Roche Financial Group shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual's file. Where appropriate, The Roche Financial Group shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
9.6 Clients and employees can obtain information or seek access to their individual files by contacting The Roche Financial Group.
Principle 10 - Challenging Compliance
A client or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for The Roche Financial Group's compliance with The Roche Financial Group Privacy Code.
10.1 The Roche Financial Group shall maintain procedures for addressing and responding to all inquiries or complaints from its clients and employees regarding The Roche Financial Group's handling of personal information.
10.2 The Roche Financial Group shall inform its clients and employees about the existence of these procedures as well as the availability of complaint procedures.
10.3 The person or persons accountable for compliance with The Roche Financial Group Privacy Code may seek external advice where appropriate before providing a final response to individual complaints.
10.4 The Roche Financial Group shall investigate all complaints concerning compliance with The Roche Financial Group Privacy Code. If a complaint is found to be justified, The Roche Financial Group shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A client or employee shall be informed of the outcome of the investigation regarding his or her complaint.
Additional Information
For more information regarding The Roche Financial Group Privacy Code, please contact The Roche Financial Group Privacy Officer at 1-647-222-7624.
Please visit the Privacy Commissioner of Canada's web site at www.privcom.gc.ca.

COMMITMENT TO PRIVACY
Each office shall display this commitment as a framed document at each work station so that it is obvious to all clients.
At The Roche Financial Group, respecting privacy is an important part of our commitment to our clients and employees. Our commitment to privacy is reflected in The Roche Financial Group Privacy Code, which has been developed to comply with the relevant portions of the Personal Information Protection and Electronic Documents Act (Canada). In this respect, The Roche Financial Group Privacy Code governs our behavior with respect to the collection, use and disclosure of our clients' and employees' personal information. We have also developed The Roche Financial Group Privacy Protection Pledge to explain why we collect personal information, how we use personal information and how we keep such information protected. A copy of The Roche Financial Group Privacy Protection Pledge is being made available to all of our clients. You can also review it at www.rochefinancialgroup.com.
Copies of the foregoing privacy protection pledge must be available in all offices and must be given out freely to any client requesting a copy of same.