1. Privacy of Client Information
In addition to securities legislation, Numus is subject to federal privacy legislation, specifically the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”). Every business that carries on “commercial activities” (a term that is defined broadly and includes Numus’s business operations) is subject to the application of PIPEDA as it relates to the collection, use and disclosure of personal information (information about an identifiable individual, with the exception of the name, title, business address and business telephone number of an employee of an organization). Numus is required to comply with PIPEDA in all of its business practices that involve personal information about individuals.
2. Principles of PIPEDA
Principle 1 – Accountability
All inquiries or concerns regarding the use of Client or Investor information, including information that has been transferred by Numus to a third party, must be directed to the Privacy Officer.
Principle 2 – Identifying Purposes
The purposes for which Client or Investor information is collected and used must be identified, documented and disclosed to Clients at or before the time their information is collected.
Numus is only permitted to collect, use, disclose and retain this information to the extent necessary to fulfil the purpose for which the information was collected.
Before Numus may use this information for a purpose not previously identified to the Client or Investor, the new purpose must be identified and, unless the use is required by law, consent must be obtained before the information may be used for the new purpose.
Principle 3 – Consent
Knowledge and consent of Clients and Investors is required for the collection, use and disclosure of their information. Consent under PIPEDA is only valid if it is reasonable to expect that the individual to whom the organization’s activities are directed understands the nature, purpose and consequences of the collection, use and disclosure of one’s personal information.
Subject to restrictions imposed by law or under a contract and reasonable notice, consent may, at any time, be withdrawn by a client and Numus must inform them where there are implications of withdrawing or refusing their consent.
PIPEDA provides certain exemptions from the consent requirements in the context of a breach of the law, fraud detection or prevention, and communications with next of kin or a government institution where the individual has been, may be or is the victim of ‘financial abuse’.
Principle 4 – Limiting Collection
As mentioned above, Client and Investor information is not to be collected indiscriminately. The amount and the type of Information collected must be limited to that which is necessary for the purpose of the collection identified by Numus.
Principle 5 – Limiting Use, Disclosure, and Retention
In general, Client Information should only be disclosed for the purpose for which it was collected, with the express consent of the Client or Investor, or as required by law. If there is any doubt, Personnel should speak to the Privacy Officer prior to disclosing the information. As mentioned, Numus may on occasion be required by law to disclose Client Information to taxation and regulatory authorities and agencies.
Client and Investor Information will be retained for seven years following the end of the relationship, after which all documentation will be destroyed in a manner commensurate with its sensitivity unless there are legal requirements that require its retention.
Numus transfers Client and Investor information to service providers under contract to Numus that provide accounting, legal, tax preparation and like services. Numus remains responsible for such information while it is in the hands of third party service providers and protects the information (and Numus) through contractual requirements for its service providers to afford the information the same level of protection as it is given by Numus.
Principle 6 – Accuracy
Client and Investor information must be as accurate, complete, and up to date as necessary for the purposes for which it is to be used and will only be routinely updated where necessary for those purposes.
Principle 7 – Safeguards
Client and Investor information will be protected against loss, theft, unauthorized access, use, disclosure, copying, or modification by safeguards appropriate for sensitive information. The information (and confidential information of Numus) will be retained in a designated secure area or electronic database.
Personnel are individually responsible for ensuring the confidentiality, appropriate use and protection of all information to which they have access.
Principle 8 – Openness
Principle 9 – Individual Access
On request, a Client or Investor shall be informed of whether or not Numus is holding his or her information, the use to which it has been put by Numus and the organizations or individuals to which it has been disclosed or the type of organizations to which it may have been disclosed where more precise information is not available.
Requests for access must be made in writing and access to their own information will be provided except where doing so would likely reveal personal information about a third party that cannot be severed from the Client’s or Investor’s information. Access may also be withheld where:
- the information is protected by solicitor-client privilege;
- providing access would reveal confidential commercial information;
- providing access could reasonably be expected to threaten the life or security of another individual;
- the information was collected without consent because obtaining consent could have compromised the availability or accuracy of the information and the information is required for investigating the breach of a contract, federal or provincial law; or
- the information was generated in the course of a formal dispute resolution process.
Numus will endeavour to respond to requests for access within 30 days unless responding in that time frame would unreasonably interfere with its business or it needs information to make a decision on access that is not available in that time frame. In such cases, Numus may extend the time for responding to an access request by 30 days or the period that is required to convert the information into an alternative format (for example, to download it onto a CD). Numus will give notice to the Client or Investor where it requires an extension and include the reasons for the extension and an advisement that they may make a complaint to the Office of the Privacy Commissioner of Canada (“OPC”) in respect of the extension. It is important for Numus to respect the timelines as a failure to respond to an access request within the timelines will be deemed to be a refusal of the request.
Numus will inform the Client or Investor in writing if it refuses his or her request for access, setting out the reasons for the refusal and the right of the Client or Investor to complain to the OPC. Information that is the subject of a complaint must be retained by Numus until the Client’s or Investor’s rights are exhausted.
Numus will process access requests. The costs of these access requests will be paid by the Client or Investor but may be waived by Numus in its sole discretion. As such, prior to proceeding with such access request, Numus will inform the Client or Investor that submits an access request of the approximate cost of the access request and will obtain approval to proceed.
Specific rules apply in regard to requests for access to information provided to government agencies for purposes including law enforcement and all such requests should be directed to the Privacy Officer.
Principle 10 – Challenging Compliance
Numus has procedures regarding Client or Investor complaints that Personnel must explain to Clients and Investors if concerns about Client or Investor information management are raised. The complaint process to be followed is outlined elsewhere in this Compliance Manual.
As mentioned above, Clients and Investors have the right to challenge the accuracy and completeness of their information and to have it amended as appropriate.
3. PIPEDA – Breach Reporting and Record-Keeping
Since November 1, 2018, the Breach of Security Safeguards Regulations has been enacted under PIPEDA. As of such time, in the event Numus experiences a data breach, referred to in PIPEDA as a “breach of security safeguards”, Numus will have certain specific legal obligations, including the following:
- Numus is required to determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused.
- In the event Numus considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible.
- In such instance, Numus must also notify any other organization that may be able to mitigate harm to affected individuals.
- Additionally, in such instances, the firm must maintain a record of any data breach that the firm becomes aware of and provide it to the Commissioner upon request.
In the event any employee suspects that Numus may have experienced a data breach (a “breach of security safeguards”) or may be vulnerable to same, the employee is required to notify the CCO. The CCO is responsible for, and unless he delegates this responsibility to an employee of Numus in a specific instance, is the only individual in the firm authorized to notify affected individuals and to file reports to the Commissioner and any other organizations. The CCO is also responsible for the record-keeping obligations referred to above. In addition to the requirements under PIPEDA and the Breach of Security Safeguards Regulations, in the event of a data breach or a potential breach of Numus’s security safeguards, the CCO will also consider what other measures should be taken by Numus and its employees in order to address potential civil liability issues and to reduce risks that any such occurrence is repeated. These measures may typically include speaking with outside counsel, IT and other industry experts, Numus’s Board of Directors, and, as may be required, Numus’s insurer(s).
In respect to the above requirements, a report to the Commissioner is required “as soon as feasible after Numus determines that a breach of security safeguards has occurred,” where the breach involves personal information under Numus’s control and it is reasonable to believe that the breach creates a “real risk of significant harm” to an individual. The Breach of Security Safeguards Regulations prescribes the content, form and manner of the reporting. The report to the Commissioner must include the following:
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) the number of individuals affected by the breach or, if unknown, the approximate number;
(e) a description of the steps that Numus has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of PIPEDA; and
(g) the name and contact information of a person who can answer, on behalf of Numus, the Commissioner’s questions about the breach.
A notice to affected individuals is required—unless prohibited by law—if it is reasonable to believe that the breach creates a “real risk of significant harm” to the individuals. The notification must be given “as soon as feasible after Numus confirms that the breach has occurred,” and the Breach of Security Safeguards Regulations prescribe the content, form, and manner of notification. Generally, a direct notification is required. This form of notification may be given to the affected individual in person, by telephone, mail or email, or any other reasonable manner under the circumstances. An indirect notification can be given if a direct notification would be likely to cause further harm, likely to cause undue hardship to Numus or Numus doesn’t have the individual’s contact information. The notification to the individual must include the following:
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
(e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
(f) contact information that the affected individual can use to obtain further information about the breach.
Numus is also required to “notify any other organization, a government institution, or a part of a government institution of the breach” where Numus believes that the other organization or institution “may be able to reduce the risk of harm that could result or mitigate that harm, or if any of the prescribed conditions are satisfied.”
With respect to record-keeping, Numus is required to retain records with respect to every breach of security safeguards involving personal information (and not just for breaches that are deemed to create a “real risk of significant harm”). The Breach of Security Safeguards Regulations prescribe that Numus must maintain a record of every breach of security safeguards for 24 months after the day on which the firm determines that the breach has occurred, and that the record must contain any information pertaining to the breach that enables the Commissioner to verify compliance with the reports to the Commissioner and notification to affected individuals requirements.
Numus Capital Corp.
At Numus Capital Corp. (the “Company”) we are committed to protecting your privacy and the confidentiality of personal information that is shared with us by our clients. This policy sets out the information practices for the Company, what kinds of information are collected, how the information is used and with whom this information might be shared.
2. Identifying the purposes and uses of personal information: When you apply to open an account with the Company we may collect the following personal information about you, including:
(i) Your legal name, address, occupation, telephone numbers and e-mail addresses;
(ii) Your date of birth;
(iii) Your Social Insurance Number;
(iv) Identification in the form of a passport or valid driver’s licence or a recent utility bill to verify your address;
(v) Details of your financial circumstances, including your income, your assets and liabilities, any legal undertakings and guarantees, your dependants, citizenship and tax status;
(vi) Details of your investment experience, your goals and financial planning objectives; and
(vii) Your business interests that would require insider trading practices.
This information is collected and used for seven purposes:
(i) To meet the account opening requirements of a custodian or chartered bank;
(ii) To verify the basis of developing with you a client profile under which your funds will be managed by the Company;
(iii) To document which other persons or professional advisors may have access to your account information and/or provide investment instructions to us on your behalf;
(iv) To allow the Company to satisfy itself about the information it reports regularly with respect to federal legislation on money laundering, fraud and other criminal activity;
(v) To allow the Company to prepare and distribute information to Canadian federal tax authorities;
(vi) To report to certain government securities regulators, as required, about the investment practices and operating procedures of the Company and to allow such regulatory agencies to conduct periodic compliance audits of the Company; and
(vii) To manage and assess the risks posed to the Company.
A variety of personal information pertaining to the operations of an investment account (security purchases and sales, deposits, withdrawals and security transfers) will develop over time.
For legal entities such as businesses, trusts, partnerships or estates we will collect information about the legal structure of the entity and information about those individuals authorized to act on the entity’s behalf. Where necessary we will establish beneficial owners of any of these entities.
If we sell the Company or enter into an acquisition or merger agreement with another company, we may release the information we have about you to prospective purchasers. We will require any prospective purchaser to protect the information provided consistent with the Company’s privacy policies and practices.
3. Consent: The client will consent in writing to the provision of such personal information to the Company. This policy shall be attached to the Numus client profile executed for the client. By retaining the services of the Company the client will have consented to the disclosure of his or her personal information to various third parties as outlined in this policy and for the purposes set out in it.
A client may withdraw or withhold his or her consent at any time, subject to any legal or contractual restrictions. Such action shall be made in writing by the client, at which time the consequences of such withdrawal or withholding of personal information will be explained by the Company.
The Company will typically collect personal information from clients in the process by which accounts are opened or client profiles are reviewed. However, it will also collect information from clients through personal meetings, telephone discussions, e-mail and facsimile transmissions and also from third party service providers involved in supporting the Company’s services. Records of these interactions may be kept by the Company.
The Company may use your e-mail address to communicate with you about privacy issues you raise and may send you information about products and services it offers or may offer in the future based upon an analysis of the personal information you provided. E-mails sent over the internet are generally not encrypted.
Limitation of use and retention of information: The Company will collect only that personal information which is required by it to meet its regulatory, statutory and business management needs to manage a client’s financial assets according to the agreed investment policy, as outlined in this policy. The Company will retain personal information only for the purposes of this policy and for meeting government and regulatory requirements, after which it will be destroyed or rendered anonymous, as per retention policies.
A prospective client who does not enter into a portfolio management services agreement with the Company shall have returned to him or her all relevant personal information provided to the Company.
Every effort will be made by the Company to maintain correct data and from time to time clients may be asked to verify that information.
Safeguards: Your personal information is maintained on our secure computer networks and office files. Your information may also be stored on a secure off-site storage facility. A variety of security measures will be in place to reduce the possibility of theft of personal information or accidental disclosure.
You may access your personal information to verify its accuracy (upon written request), to withdraw your consent to any of the foregoing collections, uses and/or disclosures being made of your personal information and may update your information by contacting, in writing, the portfolio manager(s) employed by the Company who is (are) responsible for your account(s).
Existing Clients shall be able to express any concerns, at no additional cost to the client. All relevant client concerns shall be documented and maintained in a written (and electronic) file. The Company will use commercially reasonable efforts to promptly determine and rectify the problem.
There are circumstances in which the Company may use personal information without the client’s knowledge or consent. These circumstances include: (1) when the Company has reasonable grounds to believe the information might be useful when investigating a contravention of a federal, provincial or foreign law; (2) during an emergency which threatens an individual’s life, health or security; (3) for a statistical or scholarly study; (4) when mandated to provide such information by any federal, provincial or foreign law or regulation.
The Company has a right to refuse access to personal information by a client if: (1) the information is protected by legal privilege; (2) the information was collected for purposes related to the detection and prevention of fraud; (3) the information was generated in the course of a formal dispute resolution process; (4) granting access might reveal confidential commercial information; (5) it is reasonably expected that such personal information might lead to the threatening of the life or security of another individual.