In this section of the policy “the Company” means collectively ACM Advisors Ltd. and its subsidiaries and affiliates, as applicable. Terms such as “the client” mean an individual who has made an application to the Company, or provided a guarantee for any product or service provided by the Company.
This policy explains the type of Personal Information collected, how it is used and the steps the Company takes to ensure Personal Information is handled appropriately.
2. What is Personal Information?
“Personal Information” is any information that is specific to the client as an individual and includes the residential address, date of birth, age, marital status, education, employment history, identification numbers, financial information and credit records. It does not include business contact information that would typically appear on a business card or that is available in public records such as public telephone directory information and professional and business directories available to the public.
3. Principles of Privacy Law
Protecting Personal Information provided to the Company by the client and using, disclosing and retaining Personal Information in accordance with applicable privacy legislation is a key value of the Company.
The Company has adopted the 10 principles for the protection of privacy forming part of the applicable privacy legislation which established rules for the collection, use and disclosure of Personal Information.
Principle 1 – Accountability
All inquiries or concerns regarding the use of Personal Information, including information that has been transferred by the Company to a third party (for example, for processing), should be directed to the Privacy Officer, as the first point of contact at the Company. The Privacy Officer will endeavour to take the necessary action, including escalating inquiries or concerns to the President as appropriate. The Privacy Officer may also bring in other departments of the Company, as necessary, to assist in resolving the inquiry or concern.
Principle 2 - Identifying Purposes and Use of Personal Information
The purposes for which Personal Information is collected and used must be identified, documented and disclosed to the client at or before the time their information is collected.
The Company is permitted to collect, use, disclose and retain Personal Information to the extent necessary to fulfill the purpose for which the information was collected.
Before the Company may use Personal Information for a purpose not previously identified to the client, the new purpose must be identified and documented, and the Privacy Officer should approve in writing the new purpose and the means to obtain client consent. Unless the use is required by law, client consent should be obtained before his or her information may be used for the new purpose.
The Company collects Personal Information for the following purposes:
(a) Assessing the eligibility of an individual to invest in units of the Funds;
(b) Providing services to the client in relation to their investment in the Funds;
(c) Verifying the creditworthiness of the client;
(d) Maintaining records for the Funds;
(e) Complying with statutory and regulatory requirements (such as establishing the identity of each client);
(f) Providing the client with the best possible service and protecting the Company and the client from error and fraud; and
(g) For any other purpose related to the products and services of the Company or its affiliates to which the client may consent, including to provide Fund information and updates.
Principle 3 – Consent
Knowledge and consent of the client is required for the collection, use and disclosure of Personal Information.
Subject to restrictions imposed by law or under a contract and with reasonable notice, consent may, at any time, be withdrawn by a client. The Company should inform the client where there are implications of withdrawing or refusing their consent.
Principle 4 - Limiting Collection
As mentioned above, Personal Information is not to be collected indiscriminately. The amount and the type of Personal Information collected must be limited to that which is necessary for the purpose of the collection identified to the client by the Company.
Principle 5 - Limiting Use, Disclosure and Retention
Caution should be exercised in regard to the disclosure of Personal Information. In general, Personal Information should only be disclosed for the purpose for which it was collected, with the express consent of the client or as required by law. If there is any doubt, the Company personnel should speak to the Privacy Officer prior to disclosing Personal Information. In some circumstances, for example where it is necessary in connection with the provision of a service and client consent has been obtained, the Company may disclose Personal Information to an affiliate, the Funds or financial service providers, such as banks and others involved in financing or facilitating transactions by the Company or operations of the Company.
As mentioned, the Company may be required by law to disclose Personal Information to taxation and regulatory authorities and agencies. In this regard, the Company may have to file with the appropriate securities commission a report that includes Personal Information such as the client’s name and address, the types of securities issued, the date of issuance and the purchase price of securities issued to the client. Such information is collected indirectly by securities regulators, under the authority granted to them in securities legislation, for the purposes of the administration and enforcement of the legislation. For a description of additional circumstances under which the Company may disclose Personal Information without the client’s knowledge or consent, see section 7 of PIPEDA.
The Company will not sell Personal Information.
Personal Information will be retained for a period of seven years following the end of the client relationship. After seven years, all client documentation with Personal Information will be destroyed in a manner commensurate with its sensitivity unless there are securities laws or other legal requirements that require its retention.
The Company may transfer Personal Information to service providers under contract to the Company that provide accounting, legal, tax preparation and like services. The Company remains responsible for Personal Information while it is in the hands of third party service providers. The Company will protect the information (and the Company) by requiring in its contractual relationships with its service providers that the service providers afford Personal Information the same level of protection as it is given by the Company.
Principle 6 – Accuracy
The Company will make every effort to ensure the Personal Information in the Company’s records is accurate and up to date. The Company also relies on the client to tell the Company when their Personal Information changes. If the client identifies any incorrect or outdated Personal Information requiring amendment, please contact the Company.
Where Personal Information under the Company’s control is inaccurate or incomplete, the Privacy Officer may take a copy of proof of the accurate or complete information and oversee the process taken by the Company to update this information in a timely manner.
Principle 7 – Safeguards
Personal Information will be protected against loss, theft, unauthorized access, use, disclosure, copying, or modification by safeguards appropriate for sensitive information.
Personal Information (and confidential information of the Company) will be retained in a designated secure area or electronic database.
Some examples of the safeguards used to protect Personal Information include:
(a) Physical Measures: i.e. locking filing cabinets in which Personal Information is stored and restricting access to offices in which Personal Information may be accessible; and ensuring care in the disposal or destruction of Personal Information;
(b) Organizational Measures: i.e. security clearance is required for anyone entering areas in which Personal Information is accessible and access to Personal Information is restricted to personnel who “need to know” the information to provide a service; regular training and reminders to the Company’s personnel of the importance of safeguards; contractually requiring any service provider to provide comparable security measures; and verifying the identity of a caller and their right to access information prior to disclosing Personal Information; and
(c) Electronic Measures: i.e. password protection to prevent unauthorized access to the Company’s electronic records of Personal Information.
The Company’s personnel are individually responsible for ensuring the confidentiality, appropriate use and protection of all Personal Information to which they have access.
The Company will periodically review and update its security policies and controls as technology changes to ensure ongoing security of Personal Information.
The Company may refuse to disclose certain information relating to its security policies and controls where disclosure of such information would negatively impact the integrity of the security policies and controls.
When information is no longer required and is to be destroyed, the Company will endeavour to shred paper documents that contain Personal Information and erase or make anonymous any Personal Information on electronic media.
Although the Company cannot take responsibility for any theft, misuse, unauthorized disclosure, loss, alteration or destruction of data by a third party, the Company endeavours to take reasonable precautions to prevent such unfortunate occurrences.
Principle 8 – Openness
Principle 9 - Individual Access
On request, a client may be informed of whether or not the Company is holding the client’s Personal Information, the use to which it has been put by the Company and the organizations to which it has been disclosed or the type of organizations to which it may have been disclosed where more precise information is not available.
Requests for access must be made in writing. Access to a client’s own Personal Information will be provided except where doing so would likely reveal personal information about a third party that cannot be severed from the Personal Information. Access may also be withheld where:
(a) Personal Information is not readily retrievable and the cost of retrieval cannot be justified;
(b) The Personal Information is protected by solicitor-client privilege;
(c) Providing access would reveal confidential commercial information;
(d) Providing access could reasonably be expected to threaten the life or security of another individual;
(e) The Personal Information was collected without consent because obtaining consent could have compromised the availability or accuracy of the information and the information is required for investigating the breach of a contract, federal or provincial law;
(f) The information was generated in the course of a formal dispute resolution process; or
(g) The information is required to be kept confidential under other applicable laws.
The Company will endeavour to respond to requests for access generally within 30 days unless responding in that time frame would unreasonably interfere with its business or information necessary to make a decision on access is not available in that time frame. In such cases, the Company may extend the time for responding to an access request by 30 days or the period that is required to convert Personal Information into an alternative format. The Company will give notice to the client where it requires an extension and include the reasons for the extension as well as advice that the client may make a complaint to the Office of the Privacy Commissioner of Canada (“OPC”) in respect of the extension. It is important for the Company to respect the time lines, as a failure to respond to an access request within the time lines will be deemed to be a refusal of the request.
If a client has a sensory disability, the Company may provide access to Personal Information in an alternate format as agreed upon with the client. The Company will be afforded reasonable time in order to convert the Personal Information into the alternative format.
Prior to the release of Personal Information, the Privacy Officer will endeavour to confirm the identity of the client by taking reasonable steps to verify the client’s identification. If photo identification is used, the photo identification must be presented to the Privacy Officer in original form, or alternatively, a photocopy will be accepted where a notary or lawyer has declared in writing that they have reviewed the original identification. Written documentation of this review will be retained by the Privacy Officer.
The Company will inform the client in writing if it refuses a request for access, setting out the reasons for the refusal and the right of the client to complain to the OPC. Information that is the subject of a complaint must be retained by the Company until the client’s rights are exhausted.
The Company will process access requests. The costs of these access requests, if any, will be paid by the client, but may be waived by the Company in its sole discretion. As such, prior to proceeding with such access request, the Company will inform the client that submits an access request of the approximate cost of the access request and will obtain approval to proceed from the client.
Specific rules apply in regard to requests for access to information provided to government agencies for purposes including law enforcement and all such requests should be directed to the Privacy Officer.
Principle 10 - Challenging Compliance
The Company has procedures regarding client complaints which Company personnel may explain to the client if concerns about Personal Information management are raised.
As mentioned above, the client has the right to challenge the accuracy and completeness of the Personal Information retained by the Company and to have it amended where appropriate.
Privacy Officer – ACM Advisors Ltd.
210 – 1140 Homer Street, Vancouver, BC, V6B 2X6
Should the client not accept the Company Privacy Officer’s conclusions, the client may contact: