Privacy
1. Scope
Trans-Canada Capital Inc. (“TCC”) is a Canadian corporation domiciled in the Province of Quebec. As such, it is subject to the Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Privacy Law”) and the Personal Information Protection and Electronic Documents Act (“PIPEDA”), as amended from time to time.
TCC created this privacy policy (the “Policy”) to comply with such laws and define TCC’s responsibilities and practices with respect to the collection, use, disclosure, retention, and destruction of Personal Information. This Policy also describes the procedures adopted by TCC relating to data breach responses, data subject rights and requests, and privacy complaints.
This Policy applies to a wide range of Data Subjects, as defined below, including TCC’s clients, potential clients, employees, and web visitors.
In some cases, TCC may provide these persons with supplementary information about the processing of Personal Information at the time such information is collected from them. Additionally, TCC may obtain specific consent from these persons for the use or disclosure of their Personal Information where it is required to do so by law.
2. Definitions
In this Policy, the following terms have the meanings set out below unless the context otherwise requires.
“Personal Information” is information about an identifiable individual, but it does not include the name, title and business address or business phone number of an employee. Personal Information does not include information that is publicly available.
“Sensitive Personal Information” is Personal Information which entails a high level of reasonable expectation of privacy due to its sensitive nature. This includes, but is not limited to, medical and biometric information. Some Personal Information presented in government-issued identification documents is considered sensitive.
“Data Breach” is the unauthorized access, use or disclosure of Personal Information, loss of Personal Information or any other breach of Personal Information. This includes, but is not limited to, phishing, malware deployment, ransomware attacks and sending information to the wrong email address.
“Data Subjects” are the natural persons concerned by the collection, use, retention, and destruction of Personal Information by TCC.
3. Collection, Use and Disclosure of Personal Information
3.1 Collected Information
The collection of Personal Information is limited to what is reasonably required to fulfill the purposes for which it was collected.
TCC may collect Personal Information from potential clients, clients, and employees, among other Data Subjects. The Personal Information collected by TCC will depend on the Data Subject’s relationship with TCC.
For instance, TCC may collect the following information from its clients:
- Personal identifiers including name, contact information, passport number, driver’s license number, medical insurance number and date of birth;
- Commercial information including amount to be invested, assets owned and products purchased;
- Information collected for money laundering and know your client (“KYC”) purposes;
- Professional or employment-related information, such as professional title and occupation.
TCC will also collect such information from its employees where employees invest in TCC’s funds.
Where the collection of Personal Information is limited to employment purposes, TCC will only collect some of the information listed above.
Finally, TCC may collect web-based data such as internet protocol addresses, device type, cookies and browsing activities from persons who viewed TCC’s website.
3.2 Means of Collection
TCC will collect Personal Information directly from the Data Subjects by means of employment related forms and agreements, subscription agreements and other similar agreements.
3.3 Consent
TCC will obtain the express consent of all Data Subjects for the collection, use and disclosure of their Sensitive Personal Information. Such consent should be written and documented.
Personal Information collected by TCC may be used for legitimate business purposes consistent with the initial purpose for collection, commercial transactions and outsourcing without the need for TCC to obtain new consent from the Data Subject.
3.4 Information Use
The Personal Information collected by TCC will be used for general business purposes such as:
- Providing a product or service;
- Managing TCC’s business activities;
- Processing job applications;
- Preventing and reducing risks (i.e. risks related to money laundering); and
- Fulfilling legal or regulatory requirements, requests, or assessments.
TCC stores Personal Information at its office in Montreal. Some of its service providers may access, use or store Personal Information outside the Province of Quebec. The laws of those locations will then apply to the Personal Information, including laws that may permit or require disclosure of the Personal Information to government, courts and law enforcement agencies.
3.5 Disclosure of Personal Information to Third Parties
TCC may share Personal Information with third parties such as government bodies, regulatory entities, and service providers, for a variety of purposes. The purpose of this disclosure will always be consistent with that for which the Personal Information was initially collected.
However, TCC will ensure that any Personal Information that it transfers to a third party located outside the Province of Quebec will receive a level of protection equivalent to that required in Quebec.
Before TCC transfers Personal Information to a destination outside Quebec, TCC must inform Data Subjects of the following elements:
- Their Personal Information may be transferred outside of Quebec;
- The purpose for which such information is transferred;
- Their Personal Information may be accessed by the authorities in the foreign jurisdiction;
- They can obtain a copy of TCC’ Privacy Policy;
- TCC’s Privacy Officer can respond to their questions regarding such transfers.
TCC must maintain a list of service providers which may store certain clients’ Personal Information in data centers located outside Quebec.
In addition to the above, TCC must also perform due diligence in the form of a privacy impact assessment on a third party to whom Personal Information is transferred and satisfy itself that the recipient of the Personal Information maintains privacy and security protections equivalent to what TCC is required to have under Quebec laws.
4. Privacy Roles and Responsibilities within Trans-Canada Capital
TCC defined the privacy roles and responsibilities within the corporation. TCC also developed and implemented policies to safeguard Personal Information.
TCC holds an appointed Privacy Officer. The Privacy Officer is responsible for conducting PIAs, risk analyses following a data breach, responding to Data Subject requests, handling privacy complaints and ensuring TCC’s compliance with Quebec Privacy Law, among other items.
TCC’s information technologies team (“IT Team”) also holds specific privacy responsibilities. The IT team is primarily responsible for ensuring the safety of Personal Information held by TCC by safeguarding TCC’s networks.
5. Retention and Destruction of Personal Information
5.1 Retention of Personal Information
TCC will retain all Personal Information for the period that such information is necessary to fulfill the purpose for which it was collected.
In the case of Personal Information collected from TCC clients, such information will be retained by TCC for a period of at least seven years following its collection to satisfy securities regulatory requirements.
For Personal Information collected from TCC employees who are not also subscribers to TCC Funds, such information will be retained for a period of six years following a termination of employment to satisfy labor law requirements.
5.2 Security Safeguards
TCC will prevent unauthorized access, loss, misuse, sharing or modification of Personal Information in its custody.
Moreover, TCC will work to protect Personal Information by using safeguards which are appropriate to guard against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
5.3 Destruction of Personal Information
TCC will destroy all Personal Information following the expiry of the periods outlined above.
6. Data Breach Response Plan
TCC will take reasonable measures to reduce the risk of injury and prevent new incidents where it has cause to believe that a Data Breach involving Personal Information has occurred.
TCC will assess every such breach to determine if the breach presents a serious risk of injury following a set of predetermined assessment criteria, including the sensitivity of the Personal Information affected by the breach, the anticipated consequences of the breach, and the likelihood that this information will be used for injurious purposes. If the Data Breach represents a risk of serious injury, TCC will promptly notify the Commission d’accès à l’information (“CAI”) and any persons concerned by the Data Breach. All such communications will be documented and recorded by TCC.
Moreover, the TCC Information Security Policy, and relevant internal procedures, include detailed information on how a Data Breach will be handled by the IT and Compliance teams.
7. Data Subject Requests
7.1 Access
Upon request, Data Subjects shall be informed of the existence, use and disclosure of their Personal Information and shall be given access to that information.
7.2 Rectification
Data Subjects are responsible for providing and maintaining accurate and complete information. As such, Data Subjects may request that their Personal Information be rectified if such information is inaccurate, equivocal, kept or collected, in a manner not authorized by law. TCC reserves itself the right to refuse to rectify Personal Information where the request is unfounded, or otherwise submitted by a person other than the Data Subject. In this case, TCC will communicate the refusal and the reasons behind such refusal to the Data Subject in writing. TCC will also inform the Data Subject of possible recourses, including appeals to the CAI.
TCC will transmit the rectified Personal Information to third parties having access to the Personal Information subject to the rectification request.
7.3 Withdrawal
Data Subjects may also withdraw their consent to the use and disclosure of their Personal Information by TCC. However, where this right is exercised by a client of TCC, it is possible that TCC will no longer be able to provide this client with the services for which it was engaged.
7.4 Other Generalities
Only the persons identified as Data Subjects, or their authorized representatives, may exercise these Data Subject’s rights and submit these requests.
TCC must answer all Data Subject’s requests in writing within 30 days of receipt. All Data Subject’s requests, and related documentation will be documented and retained by TCC.
8. Privacy Complaints
All Data Subjects and their legal representatives may file a privacy complaint with TCC.
TCC is obligated to answer and address all privacy complaints. Consequently, TCC must reply in writing to all such complaints within 5 business days of receipt of the complaint with an initial response. Additionally, all privacy complaints must be closed within 90 days of their receipt by TCC.
The process for handling privacy complaints includes the following steps:
- Privacy complaints will be submitted to TCC in writing by means of a privacy complaint form available on TCC’s website.
- The Privacy Officer will acknowledge the complaint and liaise with the complainant within 5 business days of receipt of the complaint to seek additional information and to identify the outcome the complainant is seeking.
- The Privacy Officer will review the complaint submission and save the submission along with any additional documentation in the complaints registry. A file will be created for each new complaint including the complainant’s submission along with all other documents shared by the complainant, TCC’s analysis of the complaint, and the final justified written response.
- The Privacy Officer will impartially investigate and assess the complaint in consultation with the relevant TCC teams.
- The investigation process will be appropriately documented.
- The Privacy Officer will advise the complainant in writing of the outcome of the investigation and the measures proposed by TCC to address the incident raised by the complaint. If the investigation shows the Personal Information was mishandled, TCC will immediately implement measures to ensure the incident does not occur again.
- The Privacy Officer will provide the complainant with the contact information of the CAI in the event that the complainant is dissatisfied with the outcome of the investigation and seeks to submit a complaint to the CAI.
Persons who wish to file a complaint about privacy-related incidents to the CAI may do so by following the instructions provided on the CAI’s website. TCC prohibits any threat of or actual reprisal against persons who file a complaint with the CAI in good faith or cooperate in an investigation of the CAI.
9. Amendments to the Policy
This Policy is subject to an annual review. TCC may amend this Policy from time to time at its sole discretion. Any material changes to this Policy will be effective when the revised Policy is communicated to TCC employees, and such changes will be made available on TCC’s website. TCC may also contact Data Subjects to notify them of any such material changes when required by law.
10. Contact Information
Data Subjects may contact TCC’s Privacy Officer for any complaints or questions related to this Policy following the contact information outlined below. TCC’s Privacy Officer is responsible for overseeing how TCC uses Personal Information and for monitoring compliance with this Policy and applicable laws.
By email at: privacy@transcanadacapital.com
By mail at: Privacy Officer
Trans-Canada Capital Inc.
1800 McGill College, Suite 2000
Montreal, Quebec, H3A 3J6