A dealer once asked advisor Bruce Cumming to obtain a client’s permission to send information to the client and his spouse in the same envelope. Cumming could hardly believe the request.

“This is pushing privacy too far,” says the advisor with FundEx Investments Inc. in Oakville, Ont.

The dealer’s compliance move may have seemed excessive, but it is up to dealerships and advisors to ensure they are compliant with the federal Personal Information Protection and Electronic Documents Act, which came into effect on Jan. 1, 2001. Under the act, the Office of the Privacy Commissioner of Canada can and does investigate consumer complaints.

In fact, the commission recently reviewed about one-fifth of the cases that came before it in 2004 and 2005. (More details of the review are available at www.privcom.gc.ca.) The random review of 34 resolutions showed slightly more than one in five complaints were against financial services institutions.

The above case, for example, was probably the result of a recent redress issued by a bank after a client made a complaint to the privacy commissioner. The bank paid the client an undisclosed amount after it sent his information to his spouse without his consent.

In many instances, the complainants were satisfied with the explanation the businesses gave them; in others, the businesses changed their policies.

Several provinces, including British Columbia, Alberta and Quebec, have laws governing digital privacy. But the federal act trumps provincial laws in terms of breadth and enforceability. All Canadian businesses were supposed to have been in compliance with the federal act as of the beginning of 2004.

Under the act, the privacy commissioner of Canada can investigate consumer complaints. If issues aren’t resolved, the commissioner can audit a business and report its findings to the Federal Court. The Federal Court has the authority to award damages to complainants, including damages for humiliation. There is no ceiling on the amount of damages. An organization can also be subject to a fine of up to $100,000 for an indictable offence.

Because the Investment Dealers Association of Canada, the Mutual Fund Dealers Association of Canada and provincial securities regulators do not look at privacy in their routine audits, it falls to dealerships and advisors to meet the requirements of the act. Advisors are particularly vulnerable because of the number of clients and suppliers, and because of the quality and depth of the information they collect about clients, especially on the insurance side.

“Almost every aspect of our work involves sharing client information with our dealer, investment and insurance product providers, Canada Revenue Agency for tax returns, and our staff,” says Cumming. “We use paper and electronic files.

“I would never want to compromise that information because it would be a quick leap to compromise the client relationship,” he adds. “The trust bond could be quickly deflated.”

Compliance with the federal act can be a balancing act. On the one hand, the act encourages the use of digital and electronic storage, which is less prone to loss, is tracked more easily and makes for efficient due diligence. On the other hand, digital information is easily transferred from server to server and vendor to vendor, and the weightiness of the information can be forgotten.

“You can’t make it foolproof, but you can do your best and take on your responsibility,” says Mark Halpern, president of Markham, Ont.-based Illnessprotection.com Inc.

As any advisor should, Halpern discusses privacy issues with clients and makes it clear to them how their information will be used. Clients then sign a consent form.

In fact, consent is one of the 10 principles of privacy outlined in the privacy act. All firms should have measures and procedures in place to help them abide by the principles, which generally encourage limited collection and storage of accurate personal information for only as much time as is needed for business use.

Adel Melek, a partner at Deloitte & Touche LLP in Toronto, has consulted for just about every major bank in Canada on implementing procedures and practices for storing and using client information. He points to laptops and personal digital assistants as risks for any organization, no matter its size.

“They are inexpensive and so prevalent,” says Melek, global leader of security and privacy services at Deloitte. “But they are data collection devices, even though that is not our intention.”

Employees, in the course of their work, will upload client data onto these devices for market and sales analysis, or for cold calls. They take them out of the office, and the devices can be lost or stolen. The consequences can be grave.

Melek says a privacy and security risk audit of your firm’s approach to electronic information should include a complete inventory of where you keep client information, in either paper or electronic form, and a complete accounting of how all information is used. This will include all the servers and computers accessible to employees.

From there, the firm can determine where security lapses are. It can limit access to certain confidential information to those who absolutely need the information to perform their jobs, and add encryption to keep others away.

Employees need to acknowledge their responsibility. Firms should ask them to sign disclosure papers once a year to reaffirm their commitment to behaving ethically.