Background and Scope
RPIA (“us”, “we”) is committed to protecting the privacy and confidentiality of the personal information of individuals who open and maintain client accounts with RPIA, or who otherwise invest in investment funds managed by RPIA.
Definitions
Unless specified otherwise, for the purpose of this Policy the following terms will have the meaning as set out below:
- name, address and contact information,
- age and date of birth,
- identification documents and numbers such government issued ID’s and Social Insurance Numbers,
- banking and financial transaction information,
- family and employment information, and/or
- income, financial assets and other financial information, as applicable.
“investors” include individuals who invest in RPIA managed investment funds or managed accounts. This may include individuals who are acting on behalf of, or who are deemed to be beneficial owners of, or who otherwise control or have an interest in a named entity investor.
“clients” refer to those investors who open and maintain accounts with RPIA in our capacity as an Exempt Market Dealer or Portfolio Manager to facilitate an investment into an RPIA fund or managed account.
“fund/s” include all prospectus-qualified or prospectus-exempt investment funds managed by RPIA.
“managed account” means a client investment portfolio separately managed by RPIA in its capacity as a Portfolio Manager.
Responsibilities
RPIA’s employees are obligated to adhere to this Policy and to take reasonable and necessary measures to protect the personal information of investors. RPIA’s registered Chief Compliance Officer (“CCO”) has been designated as the Privacy Compliance Officer. The CCO and RPIA’s Compliance Group are responsible for assessing and overseeing compliance with this Policy. RPIA employees who collect, process, have access to investor personal information and those who implement systems and controls related to personal information are primarily responsible for managing and safeguarding such information in accordance with RPIA’s internal policies and procedures.
Non-compliance with this Policy and privacy related incidents are considered to be of high significance and will be escalated to the CCO and RPIA’s Risk Committee and addressed in accordance with RPIA’s documented internal policies and procedures and applicable laws and regulations.
Principles
By implementing, monitoring and disclosing this Policy, RPIA abides by the PIPEDA Fair Information Principles in the collection and use of personal information.
Accountability
RPIA is responsible for all investor personal information under its control, including such information disclosed to third parties as per this Policy.
Identifying Purposes
RPIA will identify the purposes for which personal Information is collected at or before the time that the personal information is collected. The purposes for which RPIA collects personal information described in this Policy shall be those that a reasonable person would consider appropriate in the circumstances.
Consent
RPIA will seek and document consent from each applicable investor to collect, use and disclose their personal information in line with this Policy. RPIA will inform each such investor of the purposes for the collection, use or disclosure of personal information. An investor may withdraw their consent at any time with the understanding that it may impact the ability of RPIA to provide necessary services related to their investment in the funds or managed accounts.
Limiting Collection
RPIA will not collect personal information indiscriminately. RPIA will not deceive or mislead individuals about the reasons for collecting personal information and will limit the amount and type of information gathered to what is necessary for the identified purposes.
Limiting Use, Disclosure, and Retention
Personal information will not be used or disclosed by RPIA for purposes other than those for which it was collected, except with the consent of the individual, or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes, as per RPIA’s internal policies and as required by applicable regulation.
Accuracy
RPIA will take reasonable steps to keep personal information as accurate, complete, and up to date as necessary, considering its use and the interests of the individual and applicable regulatory obligations. Investors may access, review, challenge and update their personal information as described in this Policy.
Safeguards
RPIA will protect personal information with security safeguards it deems to be appropriate to the sensitivity of the personal information. Security safeguards aim to protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the personal information is held.
Openness
RPIA will implement its Privacy Policy and practices involving personal information in a transparent manner and will make its Privacy Policy understandable and easily available including in investor documents, on RPIA’s public website (www.rpia.ca) and upon request from an investor.
Individual Access
Upon written request, and unless prohibited by law, RPIA will inform investors of the existence, use and disclosure of their personal information and provide access to that personal information. An individual is welcome to challenge the accuracy and completeness of personal information and have it amended as appropriate.
Data Portability
Upon request, and unless prohibited by law, RPIA will provide investors with computerized personal information collected from them in a structured, commonly used, and technological format. This information can be transferred to the individual or directly to a third party authorized by law to collect such information.
Challenging Compliance
Investors can address challenges concerning compliance by RPIA with this Policy to the designated Privacy Compliance Officer.
Individuals also have recourse to the Office of the Privacy Commissioner of Canada, at the address noted below if they consider that RPIA has not responded satisfactorily to their inquiry or concern.
Office of the Privacy Commissioner of Canada
Commission d'accès à l'information du Québec
Policy Requirements and Guidelines
Consent to the Collection and Use of Personal Information
RPIA collects personal information from investors in order to facilitate investments in the funds or a managed account. By completing a fund subscription or managed account agreement and by providing us with their applicable personal information, an investor explicitly consents to our collection, use, and disclosure of their personal information as provided herein. Consent will be obtained prior to or at the time of collecting personal information, and further consent may be obtained subsequently on request or as required by applicable regulation.
In instances where an individual advises us in writing that they do wish to provide consent or wish to withdraw previous consent, RPIA will notify the investor that in the absence of their consent and without collecting and using personal information that we may be unable to provide the required services to facilitate an investment into a fund or managed account. In such an event, RPIA may seek legal counsel on an appropriate course of action.
In conjunction with seeking consent, RPIA will inform each such investor, by way of this Policy, of the purposes for the collection, use, or disclosure of personal information. If RPIA proposes to use personal information for a purpose not previously identified, the new purpose will be identified and documented prior to the new use, and explicit consent must be obtained from all impacted investors.
In certain circumstances, and only as specified and permitted by applicable Privacy Laws, taking into account certain provincial requirements, RPIA may collect, use, or disclose personal information about an investor without obtaining consent. For example, if it is clearly in the interests of the investor and consent cannot be obtained in a timely way, to take appropriate action if we detect potential fraud or breach of applicable laws and regulations, or to comply with a valid request or order from a regulatory authority.
Collection of Personal Information
Personal information may be collected directly from investors or through third parties as per RPIA’s policies and procedures and as permitted by applicable law.
RPIA collects and maintains personal information of investors in order to:
- collects and maintains personal information of investors in order to:
- comply with securities and other applicable laws and regulations, including but not limited to those pertaining to know-your-client, suitability, and anti-money laundering obligations
- open and maintain financial accounts for investors
- process investor transactions, including subscriptions, redemptions, and distributions,
- preparing and delivering investor and tax reporting,
- effectively communicate with investors and maintain investor relationships,
- protect investors and RPIA from error and fraud, and/or
- provide investors with professional services related to their investment in the RPIA funds or a managed account.
Investor personal information is collected verbally, electronically, or by way of physical documents from the following sources:
- account opening and “know-your-client” forms, subscription agreements, managed account agreements, and/or other investor-related forms and agreements, as applicable;
- investor transactions with us and our service providers,
- investor meetings, discussions, and conversations,
- written correspondence, including email and fax
- RPIA websites, i.e., certain personal information as provided via our web-based “client portal”, or limited information such as website preferences by way of cookies and/or
- where applicable, certain third parties such as wealth managers, investment dealers, and family offices.
Use, Disclosure, Safeguarding and Destruction of Personal Information
RPIA will use personal information only for the business-related purposes described in this Policy. If RPIA proposes to use personal information for a purpose not previously identified, the new purpose will be identified and documented prior to the new use. Except as authorized by law, the consent of the investor is required before the personal information can be used for that purpose.
RPIA may disclose investor personal information to third parties, when necessary, in connection with the services we provide related to their account or investment in the Funds, including:
- financial service providers, such as banks, custodians, and others, used to facilitate transactions by, or operations of, the Funds or investors;
- other service providers utilized in order to facilitate investment in the Funds or managed account, such as administration, transfer agency, accounting, legal, or tax preparation services; and
- regulatory and taxation authorities and agencies, which may include foreign authorities such as the U.S. Internal Revenue Service, where required by applicable law
Third parties may be located outside of Canada or an investor’s province or territory of residence, where applicable privacy laws may differ between jurisdictions. Personal information may be disclosed in response to valid and lawful requests to regulatory authorities in such jurisdictions. RPIA will undertake reasonable steps to confirm that the level of protection and privacy obligations in such jurisdictions are deemed to be comparable to applicable Canadian privacy laws.
RPIA will use contractual or other reasonable means to protect personal information that has been disclosed to third parties. Applicable agreements shall undergo appropriate business and/or legal review and shall contain appropriate confidentiality and use of information language to ensure compliance with safeguarding and limited use provisions of this Policy. In the event that a third-party service provider sub-contracts certain functions to other entities, which results in the disclosure of investor personal information, RPIA will take steps to ensure the service provider has sufficient oversight of applicable sub-contractors to ensure they maintain reasonably similar levels of safeguarding measures.
RPIA maintains investors’ personal information in a secure physical format or electronically on our secure networks or on the networks of our service providers. Personal information may also be stored off-site in a secured physical format with storage providers and electronically on secure third-party storage facilities, including internet, virtual, and cloud-based storage. Information stored electronically by RPIA is subject to our internal information technology and cybersecurity policies and procedures.
Access and Withdrawal of Consent
An investor may access their personal information to verify its accuracy, withdraw their consent or update their information by contacting RPIA’s Privacy Compliance Officer by mail - 39 Hazelton Avenue, Toronto, Ontario M5R 2E3, or by phone - 647-776-1777 or by email - [email protected].
RPIA will respond to requests for access within a reasonable time and at minimal or no cost. The requested personal information will be provided or made available in a form that is generally understandable. If access to personal information cannot be provided, RPIA will provide the reasons for denying access on request unless prohibited by law from doing so.
When an individual successfully challenges the accuracy or completeness of personal information, RPIA will correct, delete, or add personal information as required. When appropriate, the amended personal information will be transmitted to any third parties having access to the personal information in question.
Privacy Impact Assessments
RPIA will conduct a Privacy Impact Assessment (“PIA”) prior to onboarding, developing, or redesigning an information system or undertaking an electronic service delivery project that involves the collection, use, disclosure, retention, or destruction of personal information. RPIA shall follow applicable privacy laws to evaluate the sensitivity and extent of personal information involved, identify and analyze related privacy risks, and address measures to mitigate such risks in order to comply with this Policy and adequately protect the privacy of personal information.Education and Training
RPIA will ensure that all employees have access to this Policy and will obtain annual certifications that employees have read, understood, and complied with the Policy. Employee education and training on matters related to privacy and data protection (including cybersecurity) will also be provided to employees and may be tailored to the nature of their role in relation to the access and handling of investors' personal information.
Privacy Incidents, Breach Assessment, and Reporting
A privacy incident generally refers to an actual or potential loss of, unauthorized access to, or disclosure of personal information. Such incidents must be reported to the Compliance Group as soon as possible. The CCO (or appointed Compliance delegate) will document, investigate, and evaluate the facts, circumstances, and implications of the incident. Where it has been confirmed that an event has resulted in a breach of investor personal information it will immediately be escalated and may also be referred to external legal counsel as needed to aid in the assessment and appropriate actions related to the incident.
In its assessment of a confirmed breach and for the purpose of determining its reporting obligation, RPIA will follow the guidelines provided under applicable privacy laws to determine if the incident resulted in a real risk of significant harm (taking into account jurisdictional reporting obligations).
In instances where it is believed that the confirmed breach creates a real risk of significant harm, RPIA shall
- report the breach to the appropriate regulatory body as soon as practicable,
- notify affected individuals, and
- keep a record of the breach and notification.