Mercantile Exchange is subject to the Personal Information Protection and Electronic Documents Act (PIPED). PIPEDA, which is Canada’s privacy law, sets out specific rules for organizations that collect, use and retain personal information as part of their commercial activities.
Section 5 of PIPEDA adopts the principles established by the Canadian Standards Association Model Code for the Protection of Personal Information. These are set out in Schedule 1 of PIPEDA. The ten distinct principles are used as signposts, to prescribe how organizations should collect, use and disclose personal information. The principles also address an individual’s right to access his/her personal information and have it amended for commercial purposes.
Protection of Your Personal Information
Principle 1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Mercantile Exchange is responsible for personal information in our possession. The Chief Compliance Officer is Mercantile Exchange’s designated Privacy Officer, charged with the obligation to ensure Mercantile Exchange complies with these principles.
Mercantile Exchange may transfer personal information to third parties for the limited purposes of credit verification, financial audit compliance and to comply with federal legislation regarding anti money laundering and terrorist financing. In these instances, Mercantile Exchange is satisfied that these third party entities provide a comparable level of protection to the information.
Mercantile Exchange has a number of policies and procedures in place to ensure that personal information is handled in accordance with these principles. These policies and procedures involve physical security measures, technological safeguards and policy safeguards.
Any complaint regarding the collection, use and retention of personal information may be made by the person to whom the information pertains, directly to Mercantile Exchange’s Privacy Officer, for investigation, resolution and reporting. Any inquiry regarding our policies and procedures to protect personal information may be made to the Privacy Officer. The Privacy Officer can be reached at email@example.com.
Principle 2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The purposes for which Mercantile Exchange collects personal information is identified on the Account Application and Agreement, the document that initiates the client relationship with Mercantile. By signing the document, the signatory affirms that he or she has read and understood the purposes for collection.
Mercantile Exchange uses personal information collected from clients and from persons participating in the client referral program for the following reasons:
- to provide foreign exchange products and services requested by clients;
- to be able to contact the client or participant in the referral program by telephone, mail and/or electronic means;
- to comply with the federal Proceeds of Crime (Anti Money Laundering) and Terrorist Financing Act and regulations, including internal risk assessment;
- to verify identity;
- to establish creditworthiness;
- to verify accuracy;
- to report to tax authorities, and
- to prevent fraud.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where impossible, impractical, required by law to be collected without consent or obtained from a third party who would be expected to obtain consent before disclosing personal information.
Mercantile Exchange obtains the consent of the person signing the Account Application and Agreement to the collection, use and disclosure of the personal information on the Agreement, for the purposes stipulated on the Agreement. Where personal information about persons who are not signatories on the Agreement is collected, Mercantile obtains the certification of the signatory that the appropriate consent has been obtained.
Principle 4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Types of personal information requested from the client or individuals are date of birth, citizenship, address, phone number and occupation, and the type, unique identifier number and expiry date of an identification document of an individual.
The bulk of personal information is collected by requesting it directly from the client or the individual from whom it is collected. In these circumstances, providing us with personal information is always the client’s or individual’s choice. The request is clear and the purpose is clear, therefore the means of collection is fair and lawful.
Other personal information may be collected tangentially to pursuing our lawful business requirements. For example, if we submit a client name to a government record third party service provider, and the third party service provider provides a report that contains the name of a director that was not disclosed by the client as required upon request, we may thereby come into possession of the name of a director by indirect means.
Principle 5. Limiting Use, Disclosure and Retention
Personal Information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal Information shall only be retained as long as necessary for the fulfillment of those purposes.
All the information provided to us by our clients is used only for the purposes disclosed in Principle 2. It is disclosed to no one except as required by law; and to reliable third party service providers for the purposes of verifying credit history and to verify if the client or related parties have been identified as requiring enhanced due diligence as required by the Proceeds of Crime (Anti-Money Laundering) and Terrorist Financing Act (i.e. to government record providers, banks, and World Check). Information is retained as required under the Proceeds of Crime (Anti-Money Laundering) and Terrorist Financing Act and as required by the requirement to review decisions based on the information and to verify that diligent review has taken place (i.e. to financial and process auditors).
Principle 6. Accuracy
Personal Information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is used.
Most personal information obtained by Mercantile is obtained directly from the client, with the consent of the individuals about whom the information pertains, and from persons participating in our referral program. Therefore, the expectation is that this information is accurate and up to date. Any personal information drawn from another source (e.g. World Check or government records) that differs from that provided by the individual or client, will be verified with the individual or client and amended if necessary. Some information will be reviewed for currency and accuracy on a regular basis, as required by the Proceeds of Crime (Anti-Money Laundering) and Terrorist Financing Act.
Principle 7. Safeguarding Individual Information
Personal Information shall be protected by security safeguards appropriate to the sensitivity of the information.
Personal information is protected in a number of ways. Information in hard copy is kept in filing cabinets that are locked after business hours. The physical premises are also locked after hours and on weekends. Information in electronic form is protected in different ways, dependent on the location of the electronic information. Information on shared drives is accessible only to those personnel who require it in the performance of their employment duties. Information on the client database is similarly limited in accessibility.
Principle 8. Openness
Mercantile Exchange shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9. Individual Access
Upon making a request in accordance with this Policy, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Upon making a request to the Privacy Officer, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. The individual may challenge the accuracy and completeness of the information and have it amended as appropriate.
The exception to the free access to information regarding the disclosure of the individual’s information is if the information has been disclosed to FinTRAC through a Suspicious Transaction Report. Mercantile is prohibited by law from informing an individual that their personal information has been disclosed in this manner. In addition, personal information that has been gathered or disclosed further to litigation or possible litigation, and is subject to either solicitor client privilege or litigation privilege, will not be automatically disclosed to the individual pursuant to their request under this Policy.
Principle 10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with these Privacy Principles to Mercantile Exchange’s Privacy Officer.
If an individual wishes to challenge Mercantile’s compliance with these Principles, they may direct their challenge to the Privacy Officer at firstname.lastname@example.org. Their challenge will be considered and any decisions made as a result of that consideration will be communicated to the individual in a timely manner.