Global RESP Corporation accountable for actions of sales representative for the use of patients' personal information purchased from a Rouge Valley Hospital employee

PIPEDA Report of Findings #2015-016

October 19, 2015

---

Approximately two months after giving birth in 2013, a woman received a phone call from someone trying to sell her a Registered Education Savings Plan (“RESP”) for her newborn. The call was made by an Independent Sales Representative (“ISR”) from a company called Global RESP Corporation (“Global”). The woman was told by the sales representative that her information had been obtained from Rouge Valley Hospital (“Rouge Valley”), where she had given birth.

In June 2014, it was publicly reported that a major privacy breach had occurred at Rouge Valley. The breach, as reported by the media, involved the sale of thousands of patients’ personal information. Reports suggested that information had been offered for sale by two former hospital employees. Rouge Valley believed that the information consisted of maternity patients’ names, contact information (including phone number), and dates of last visits to the hospital.

In July 2014, and believing herself to be directly affected by the incident reported at Rouge Valley, the complainant filed a complaint against Global with our Office, complaining that the company had collected and used her personal information without her consent.

In December 2014, the Ontario Information and Privacy Commissioner found that Rouge Valley employees had inappropriately accessed personal information belonging to maternity patients, and then sold it to an RESP sales representative for the purpose of marketing RESPs to new mothers. This action was found to be in contravention of Ontario’s Personal Health Information Protection Act.

As a result of our enquiries, Global informed our Office that one of its sales representatives had admitted to buying the maternity patient information from a Rouge Valley employee for use as sales leads. The company indicated that the sales representative claimed to have acted alone. In light of the significant degree of control Global had over their sale representatives, their activities and the information they collected, it was our Office’s position that Global was responsible and accountable under the Personal Information Protection and Electronic Documents Act (PIPEDA) for the actions of its salespeople.

Upon investigation, our Office was concerned to discover that Global had no reliable system in place to document how the personal information of prospective clients is obtained and used by its salespeople. Our Office noted that even though initial suspicions were raised within the company with respect to how the sales representative in this particular case had obtained the complainant’s personal information, the company did not initiate an internal investigation. Once Global subsequently discovered that the sales representative had obtained the information from Rouge Valley, it did not carry out further enquiries to determine the scope of the breach.

Moreover, Global did not appear to have any policies, procedures or training in place to ensure that its employees and contractors understood their PIPEDA obligations, including key privacy-related principles, such as consent and collection for a specific purpose. Existing policies simply did not explain sufficiently what “consent” means for the collection and use of prospective clients’ contact information for marketing purposes. Our Office therefore concluded that Global was contravening Principles 4.1 and 4.1.4 in the circumstances.

Finally, it was clear that Global had not obtained the complainant's consent for this collection and use of her personal information, as required by Principle 4.3.

In concluding our investigation, we recommended that Global:

• develop and implement policies and procedures to identify the source of each prospective — and actual — client’s personal information collected and used, as well as policies, procedures and measures to ensure contact information is collected and used in accordance with PIPEDA;
• develop and implement policies, procedures and measures, including audits and where warranted, investigations, to ensure that its employees and sales representatives collect and use the contact information of prospective and actual clients in accordance with the Act;
• ensure that its employees, including sales representatives, receive training on these policies and procedures and sign a document confirming the completion of such training;
• agree to undergo an independent third-party audit that certifies that the company’s accountability measures are operating with sufficient effectiveness to provide reasonable assurance that the personal information the company processes is being collected and used in accordance with PIPEDA and provide the final report to our Office; and
• review our Office’s publication entitled Getting Accountability Right with a Privacy Management Program.

In response, Global advised that it had created a document as part of its manual, referencing the ten PIPEDA principles and the role and obligations of the company and its sales representatives with respect to these principles. It also advised that its regular spot audits will verify whether these obligations are being followed. Global further advised that it had incorporated privacy training as part of its training module for the entire company, including a test. Global agreed to obtain an accountability audit and report from an independent third party within a year from the issuance of this report.

As Global agreed to implement all of our Office’s recommendations within a year’s time, our Office concluded that this matter was well-founded and conditionally resolved.

Update: A year after issuing our findings, Global confirmed that an independent third party had completed an audit, and certified that Global’s accountability measures were operating with sufficient effectiveness to provide reasonable assurance that the personal information the company processes is being collected and used in accordance with PIPEDA. Our Office was also provided with a copy of the independent third party’s audit report. In light of the actions taken by Global, our Office is satisfied that Global has addressed our recommendations.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”)

1. The complainant alleged that Global RESP Corporation (“Global”) collected and used her personal information without her consent. Specifically, the complainant alleged that Global was connected to an information breach (the “Breach”) at the Rouge Valley Hospital (“Rouge Valley”), which involved the unauthorized disclosure of maternity patient information. The complainant alleged that Global obtained her personal information from Rouge Valley, where she had given birth, through the Breach and used it to solicit and sell her a Registered Education Savings Plan (“RESP”) for her child.

Summary of Investigation

Timeline

2. Approximately two months after giving birth to a child at Rouge Valley in October 2013, the complainant received a telephone call from an independent sales representative (the “Representative”) from Global, soliciting to enrol the complainant’s child in a Global Education Trust, a form of RESP. Additional information about Global’s independent sales representatives (“ISR”) is provided later in this report.
3. The complainant alleges that during the telephone call, the Representative informed her that her contact information had been obtained from Rouge Valley.
4. On June 3, 2014, it was publicly reported that the Breach had occurred at Rouge Valley involving patient information. According to media reports, the Breach involved two former employees of Rouge Valley selling the personal information of patients to RESP companies. The reports indicated that the personal information of approximately 8,300 maternity patients who gave birth between 2009 and 2013 at Rouge Valley may have been inappropriately accessed and disclosed as a part of the Breach. The reports also indicated that the Information and Privacy Commissioner of Ontario (“IPC-O”) would be carrying out an investigation with respect to Rouge Valley’s responsibility for the Breach.
5. On July 16, 2014, the complainant filed a complaint with our Office against Global, alleging that the Representative had inappropriately obtained her information from Rouge Valley as part of the Breach.
6. In August 2014, media reports indicated that the Breach at Rouge Valley was larger than previously reported. The reports stated that the personal information of 14,450 maternity patients at Rouge Valley may have been inappropriately accessed and disclosed.
7. In October 2014, our Office was advised by Rouge Valley that it believed Global was one of the RESP companies that had received information from the Breach. Rouge Valley stated that other patients had informed it that Global had contacted them.
8. Rouge Valley also noted that it was unable to confirm specifically which patients had their information inappropriately accessed and disclosed as part of the Breach. Rouge Valley had therefore decided to notify all patients who had given birth during the timeframe in which the two former employees had access to the relevant databases. Rouge Valley subsequently confirmed that the complainant was on their list of patients who was potentially affected by the Breach.
9. With respect to the information that had been accessed and disclosed, Rouge Valley believed that it consisted of maternity patients’ names, contact information (including phone number), dates of last visits to the hospital and potentially health card numbers. Rouge Valley did not believe that any patient medical information was compromised.
10. On November 24, 2014, the Ontario Securities Commission (“OSC”) announced that its Joint Serious Offences Team^{Footnote 1} had an ongoing investigation into the Breach.^{Footnote 2} It also indicated that it had filed quasi-criminal charges against a former employee of Rouge Valley related to selling maternity patient information to one or more RESP dealer representatives.
11. On December 16, 2014, the IPC-O released PHIPA Order HO-013 (the “Order”), which reported the results of its investigation into the Breach at Rouge Valley^{Footnote 3}. The IPC-O conducted interviews and a review of Rouge Valley’s relevant policies, practices and procedures under Ontario’s Personal Health Information Protection Act (“PHIPA”).
12. The IPC-O’s report found that two employees of Rouge Valley had inappropriately accessed information of patients who had given birth at the hospital. Further, one of the employees had admitted to selling the information to an RESP sales representative so that the representative could in turn market RESPs to the patients. The IPC-O’s report also confirmed that due to gaps in the audit functionality of Rouge Valley’s electronic information system, the hospital was not able to identify precisely the patients whose personal information was accessed inappropriately.
13. On June 2, 2015, the OSC further announced that it had laid criminal and quasi-criminal charges related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital.^{Footnote 4} In its news release, it indicated that a former Global ISR had allegedly purchased stolen maternity patient labels from a registered nurse over an approximate two-and-a-half-year period and allegedly used this confidential patient information as a source of potential RESP investment sales leads.

Information from Global

14. In September 2014, Global advised our Office that it came into possession of the complainant’s personal information when it received a completed Enrollment Application from the Representative. It specifically indicated that it had no formal arrangement with any hospitals at the time.
15. Global also stated that the only prospecting method that involved obtaining consent for the collection and use of information for the purpose of selling RESPs is when an individual provides their name and contact information on a contest ballot pad for a chance to win an Education Savings Plan worth $20,000. Global stated that, apart from the contest ballot, ISRs may obtain telephone numbers of potential clients through referrals and other methods but that the ISRs are responsible for verifying that the numbers are not on the National Do Not Call List before they are contacted. In the complainant’s case, Global confirmed that she had not completed a contest ballot. However, her home and cell phone numbers were not on the National Do Not Call List.
16. Global further advised that there was no way to determine how an individual’s contact information was obtained by its ISRs. Global did however indicate that it had the intention of including such tracking in the future.
17. Global stated that following the announcement of the Breach, Global sent a communication (the “Communication”) to its employees, ISRs and branch managers (“BM”) via email. Global provided our Office with a copy of the emails sent to its staff on June 13, 2014.
18. Among other things, the Communication encouraged anyone to contact Global’s Chief Compliance Officer (“CCO”), if they believed they were involved, or someone else was involved, in any unauthorized purchase, sale or use of personal information related to the Breach. According to Global, while it did receive responses which indicated that staff was not involved in the Breach, it did not receive any positive response from the Communication regarding involvement in the Breach. Global provided our Office with a copy of several emails from BMs, confirming that their ISRs did not purchase leads from unauthorized sources.
19. In October 2014, Global advised our Office that it had interviewed the Representative, who denied telling the complainant that she received her information from Rouge Valley. While she was unable to indicate how she obtained the contact information of the complainant, according to Global, she also denied receiving it from any hospital.
20. Following the release of the Order by the IPC-O in December 2014, our Office contacted Global again.
21. At the beginning of February 2015, Global advised our Office that it had become aware on January 14, 2015 that the Representative was connected to the Breach. Global indicated that it had met with the Representative again and that she had admitted to purchasing lists from an employee at Rouge Valley in order to assist with her sale of RESPs. Global advised that it terminated its relationship with the Representative that same day.
22. Global further advised that the Representative claimed to have acted alone. As a result, Global stated that it did not conduct any further internal investigation.
23. Global denied being involved in the Breach as the Representative was a “rogue” ISR who had acted alone and without its knowledge.
24. On February 25, 2015, our Office attended the premises of Global and interviewed its CCO, Chief Privacy Officer (“CPO”), a BM and an ISR.

Information from Global’s CCO and CPO

25. During the interview with the CCO and CPO, our Office was advised that:
    1. the Representative purchased information from an employee at Rouge Valley;
    2. Global did not have any information relating to the names that the Representative purchased; and
    3. as a result, Global was unable to contact these individuals to inform them their information had been obtained by a Global ISR as a result of the Breach.
26. The CCO and CPO further stated that Global was not tied to the Breach as it did not consider its ISRs, including the Representative, to be employees of Global. Each ISR signs a Dealing Representative Agreement, which outlines the relationship between it and Global, including section 6.1 of Article VI which defines this relationship as one of principal and agent and not that of employer and employee. ISRs are paid on commission, as a percentage of their sales, and are not on Global’s payroll.
27. The CCO and CPO reiterated that they did not receive any positive response following the Communication and that all BMs had reported back to the CCO that no ISRs were involved.
28. The CCO and CPO advised that BMs are responsible for recruiting and training ISRs, including how to make sales calls, conduct mall shows, set up booths, baby shows and exhibits, and work with interested groups and churches.
29. They explained that many sales are the result of referrals and ISRs are compensated by a percentage model, based on each sale they make. Each ISR signs a contract with Global and is provided with work space in Global’s branch offices, initial and continuous training by BMs and other Global staff, and access to Global’s internal portal. Each is also required to participate in weekly meetings and provide weekly reports to BMs.
30. They confirmed that no model or system exists to confirm if and how consent is acquired by ISRs.
31. The CCO and CPO stated that following the Breach, BMs held meetings to explain to ISRs that purchasing external leads without confirming that consent has been acquired is illegal.

Information from an ISR at Global

32. The ISR stated that ISRs are trained when they first join Global, and that training is continuous, noting that “training is constant, training is weekly”. The ISR stated training is presented by BMs, as well as various others in Global, and takes place either in a branch office or at Global’s main office.
33. The ISR stated that they produce weekly reports and attend weekly meetings with BMs, and it is normal to see your BM every day.
34. The ISR stated that most of his new clients are the result of referrals. For example, an existing client will provide the name and phone number of five of their friends. Sometimes the ISR asks the existing client to call the friend and make an introduction for him. The ISR described that he would begin a call to a potential new subscriber by introducing himself as a “Global RESP representative” selling Global products.
35. The ISR stated that he first learned about the Breach from the news and subsequently called his BM to discuss it. The ISR stated that he was never asked by his BM whether he was connected to the Breach, nor if he knew anyone connected to the Breach. The ISR also stated that he does not recall receiving the Communication.

Information from Global’s BM

36. During our interview with the BM, he stated that training by Global was continuous and involved training in administration, knowing your client, accuracy of information, how to recruit, how to do a call show, how to do a baby show, how to set calls, how to use the Do Not Call lists, how to use various types of scripts, personal development, and writing training. The BM stated that he is trained in such to be able to train ISRs.
37. The BM acknowledged that there was privacy training and everyone, including ISRs, must sign a form agreeing to adhere to the marketing and contact requirements of the National Do Not Call List.
38. The BM also indicated that the only leads lists he would purchase were those approved and sold by Global because these lists were produced through third party agreements with various companies who acquired consent to share such information with others, such as Global.
39. The BM stated that they are only sometimes able to identify the source of an application from an ISR and there is no policy in existence to know how clients’ information is collected by Global.
40. The BM described his role in the supervision of ISRs including providing support, leading weekly meetings with ISRs, conducting monthly branch meetings, going into the field with ISRs if they have a difficult case, and monitoring the sales of ISRs. The BM stated that he reports to the CCO.
41. The BM stated he learned about the Breach from the morning news. The BM stated that he was instructed by Global to ask the ISRs under his supervision if they were purchasing leads from unknown sources. The BM indicated that he believes he sent an email to his ISRs and asked them at a branch meeting to come forward.
42. The BM advised that he was the supervisor for the Representative and acknowledged that he found it suspicious that the Representative could not recall where she got the complainant’s information when interviewed about it in September 2014.
43. The BM stated that the Representative was one of his top five performers and he was made aware of the Representative’s connection with the Breach in January 2015 by the CCO.

Global’s Privacy Compliance Program

44. During our site visit, Global provided our Office with documents outlining the following privacy compliance measures currently in place.

Contest ballot pad

45. The current contest ballot pad allows individuals to choose to provide their consent to the use of their contact information for subsequent sales attempts by Global. The language states:

    Yes, I consent to provide Global RESP Corporation (GRESP) and approved distributors my phone number and e-mail for the purposes of learning more about the GETP, Registered Education Savings Plans and Government Grants along with e-mail notifications regarding their contests, promotions, e-newsletter, products and services, etc.

Dealing Representative Agreement

46. The current Dealing Representative Agreement between each ISR and Global, last revised in August 2013, includes the following clauses:

    3.1.1(m) The Dealing Representative shall ensure that all client files are kept current, secure and confidential and in accordance with applicable securities and privacy legislation. The Dealing Representative acknowledges that all books and records are the property of Global and shall be available for review and inspection by, and delivery to, Global and regulatory authorities during normal business hours;…
    8.1 Dealing Representative hereby undertakes to strictly adhere to privacy laws and internal Confidential Information and Privacy Policy…

The Code of Ethical Business Conduct for the RESP Dealers Association of Canada

47. Global, as a member of RESP Dealers Association of Canada (“RESPDAC”), has agreed to abide by the Code of Ethical Business Conduct (“the Code”) developed by RESPDAC and updated on March 15, 2012. The Code includes the following clauses:

    Section III Guiding Principles All Members, their employees, agents and Sales Representatives, will adhere to this Code.

    Section IV Standards. Subsection E Supervision and Supervisory Proficiency Members will monitor that their other employees and agents, and outside service providers whom they may engage, comply with this Code.

    Section IV Standards Subsection F Corporate Responsibility A Member is responsible for the acts and omissions of its Sales Representatives, other employees and agents engaged in carrying out its business.

    Section V Approaching Prospects/Clients Subsection B Members will conduct their sales activities in accordance with applicable legislation including the Competition Act, (Canada) (Bill C-20), the Telecommunications Act (Canada) (Bill C-37), Personal Information and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

    Section VII Post-Contract Subsection B Members will treat all personal information of Clients as confidential, applying proper safeguards to protect this confidentiality. Members will maintain tight control over access to Client information. A Member will not disclose a Client’s personal or confidential information, except with the Client’s written consent, or in accordance with applicable laws and will not use that information to the detriment of the Client or to obtain advantage for themselves or for another person. A Member will develop and maintain written policies and procedures relating to confidentiality and the protection of client information.

Global’s Compliance Policies and Procedures Manual

48. Global’s Compliance Policies and Procedures Manual contains its internal Privacy Policy, which includes the following clauses:

    [Global] follows established federal government guidelines of the Personal Information and Privacy Electronic Documents Act (PIPEDA). PIPEDA sets out regulations [sic] to organizations for the collection, use and disclosure of personal information in the course of commercial activities.…
    The regulations [in Global’s internal privacy policy] pertain to officers, employees, agents, dealing representatives, and administration personnel of [Global].…
    All sales persons are required to make reasonable efforts to ensure that client information is safeguarded and used for only the intended purpose for the financial business.

Global’s ISR training

49. Global provided copies of training materials for its ISRs, including information about Know Your Client requirements and the Do Not Call List. It also states: “It is also our duty to be diligent in our acquiring leads and prospects that [sic] we follow process that respects privacy laws – i.e. from 3^rd party leads”.

Global’s Enrollment Application for new clients

50. Global’s Enrollment Application for new clients includes the following statements:

    representatives and administrative personnel, as well as to third parties with whom Global has a business relationships [sic] to administer your account or to offer new products and services.
    …
    Global and its personnel are responsible for protecting your personal information in our possession, custody or control, whether in electronic or paper form.
    …
    At Global, you have control over how your personal information is obtained and used. Your prior consent is required before your personal information is used for providing financial-related services.
    …
    Your personal information is used only for the purposes it was collected, that is, to provide you with appropriate investment products and services. Personal information will be securely kept and disclosed only when required to meet our legal and regulatory obligations.

Global’s online Privacy Policy

51. This policy, which is available online, includes the following statement:

    [Global] is responsible for your personal information in its possession or custody, including personal information that has been transferred to, or received from, a third party in the course of commercial activities for processing or other purposes for which you have consented. [Global] is accountable in the collection, use and disclosure of your personal information.

Changes to Global’s Privacy Compliance Program

52. During our site visit, Global advised that it had added a new form to its Enrollment Application called Global’s Education Trust Foundation (GETF) (Promoter) Education Savings Plan Enrollment Application – Amendment - Additional Client Information. This form, which was made mandatory as of March 2015 and must accompany the Enrollment Application, is a new single-page document that describes how the ISR obtained a client’s information with the requirement that it be signed by both parties.

Application

53. In making our determinations, our Office applied Principles 4.1, 4.1.4 and 4.3 of Schedule 1 of the Act.
54. Section 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with principles under the Act.
55. Principle 4.1.4 states that organizations shall implement policies and practices to give effect to the principles, including:
    1. Implementing procedures to protect personal information;
    2. Establishing procedures to receive and respond to complaints and inquiries;
    3. Training staff and communicating to staff information about the organization’s policies and practices; and
    4. Developing information to explain the organization’s policies and procedures.
56. Section 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.

Findings

Collection and Use without Consent

57. During our investigation, Global confirmed that it was informed by the Representative that she had purchased the information of maternity patients from an employee at Rouge Valley. The apparent purpose was so that the Representative could attempt to sell Global’s RESP products to mothers who had recently given birth.
58. The contact information of maternity patients – including the fact that they were maternity patients - clearly constitutes “personal information” within the meaning of the Act. Furthermore, Global clearly did not have consent for the collection and use of such information. Patients whose information was affected by the Breach had not consented to the disclosure of their information by Rouge Valley to Global or other RESP dealers for marketing purposes.
59. Our Office was not able to determine independently from records whether the complainant’s personal information was collected and used by the Representative specifically because Global did not retain a copy of the lists purchased by the Representative. However, Rouge Valley confirmed that the complainant was among the individuals potentially affected by the Breach. Further, the complainant stated she received a call from the Representative approximately two months after she had given birth and was informed by the Representative that her information had been obtained from Rouge Valley. According to Global, the Representative denied this allegation but the Representative also initially denied obtaining any information from Rouge Valley. According to Global, the Representative could also not confirm where she had obtained the complainant’s contact information. In the circumstances, it seems highly probable that the complainant’s personal information was part of the information that the Representative obtained from Rouge Valley and that this information was used by the Representative to contact the complainant in order to market Global’s RESP products to her.
60. In any event, we are satisfied, based on the evidence, that the Representative did collect and use the personal information of maternity patients of Rouge Valley without consent.
61. During the course of our investigation, Global expressly declined to take a position in terms of whether it, as an organization, was responsible under the Act for the Representative’s actions in collecting and using personal information from Rouge Valley.
62. For the reasons outlined below, it is our Office’s position that Global is responsible and accountable under the Act for the actions of its ISRs in the collection and use of personal information to sell Global RESP products, including the actions of the Representative in this case.
63. Global exercises a significant degree of control over ISRs, their activities and the information they collect. During our investigation, Global advised that it hires and terminates ISRs, provides them with workspaces and provides training on a continuous basis by BMs and other Global employees. Global also stated that ISRs have access to its internal portal and must provide weekly reports, participate in branch meetings, and generally communicate with BMs weekly, if not daily. Global requires its ISRs to sign a Dealing Representative Agreement, which, among other things, requires ISRs to abide by privacy laws and Global’s internal privacy policy. The Dealing Representative Agreement also provides that Global maintains control and ownership over all books and records of ISRs.
64. Global’s ISRs act on its behalf when engaged in the selling of RESP products. In this regard, Global’s Dealing Representative Agreement clearly provides that ISRs are in a principal-agent relationship with Global and are therefore entitled to act on Global’s behalf. Global advised that ISRs introduce themselves to potential clients as “Global Sales Representatives”.
65. While the Representative’s actions in this case may have been contrary to Global’s policies and agreements, the Representative was engaged in soliciting business on behalf of Global by collecting and using the personal information at issue in order to sell Global RESP products
66. Lastly, a number of Global’s own documents indicate that Global is responsible for the actions of its ISRs under the Act. In particular, Global’s Code and its Enrollment Application form for new clients both expressly provide that Global is responsible for the actions of its ISRs.
67. In the circumstances, it is therefore our Office’s finding that Global contravened Principle 4.3 of the Act by virtue of the fact that the Representative collected and used personal information of maternity patients of Rouge Valley without consent for the purpose of marketing Global RESP products.

Accountability

68. Our Office also examined whether Global has sufficient policies and procedures in place to ensure that its ISRs are obtaining contact information appropriately and to avoid a recurrence of the events raised in this complaint. During our investigation, our Office noted several statements from Global that indicated issues of concern with respect to its accountability for personal information in its possession, including Global’s inability to identify the source for the collection of personal information by ISRs.
69. During our investigation, we learned that Global is often unaware of which specific method an ISR has employed to collect personal information of a potential or an actual client, despite being advised of the various methods available to an ISR.
70. Further, we noted that despite the Representative’s inability to recall how she obtained the complainant’s information and the admission of her BM that this was suspicious, no further internal investigation ensued. As well, after it was revealed on January 14, 2015 that the Representative was indeed connected to the Breach, Global admitted that no further internal investigation occurred and no steps were taken to determine the names of the individuals that had been obtained by the Representative as a result of the Breach and whether they had been contacted by the Representative to market Global RESP products.
71. As well, during our interviews with the ISR and BM, our Office noted concerns that privacy related elements such as consent and collection for a specific purpose were not properly understood, which suggested that training on privacy, the applicable legal requirements, and the protection of personal information was required.
72. As a commercial organization to which the Act applies, Global is accountable for the personal information under its control, possession or custody, and must be able to demonstrate that it has a robust system in place to give effect to the principles in the Act on a day to day basis.
73. While we are pleased to see that Global has added a mandatory document to its Enrollment Application form that describes how the ISR obtained the client’s information (as indicated above), this only applies where a prospective client has agreed to do business with Global.
74. Global does not appear to have any policies, procedures or training in place that clearly explain to ISRs their obligations under the Act with respect to obtaining consent for the collection and use of contact information of prospective clients or “leads”. The existing policies merely refer to the need for compliance with the Act without explaining specifically what that means in the context of obtaining consent for the collection and use of the personal information of prospective clients for marketing purposes.
75. Furthermore, Global does not have any procedures in place for auditing ISRs to ensure that any prospecting lists they are using have been obtained with consent or pursuant to a valid exception in the Act. Spot audits or routine verifications could help ensure that ISRs are acting in accordance with the Act and are not using lists that have been obtained inappropriately and without proper consent. Global should also have procedures in place to conduct thorough investigations in cases where compliance issues are raised, as they clearly were in this case.
76. Given the actions of the Representative and the information gathered during our investigation, our Office finds Global to have fallen below proper standards of accountability pursuant to Principles 4.1 and 4.1.4. This is particularly troubling given that it operates in a sector dealing with a significant amount of sensitive personal information, including financial information.

Preliminary Report of Investigation and Recommendations

77. On July 9, 2015, our Office issued a Preliminary Report of Investigation to Global, setting out our preliminary findings and the following recommendations:
    1. Implement policies and procedures to protect personal information, including:
       1. Develop and implement policies and procedures to ensure Global is able to identify the source of each individual’s personal information collected and used by its employees and ISRs, for prospective and actual clients.
       2. Develop and implement policies, procedures and measures, including audits and, where warranted, investigations, to ensure that employees and ISRs are collecting and using the contact information of prospective and actual clients in accordance with the Act.
    2. Train and communicate to staff information about the organization’s policies and practices, including:
       1. Ensure all employees and ISRs receive training with respect to their obligations under the Act and each signs a document confirming that it has received this training.
       2. Ensure all employees and ISRs receive training with respect to any and all new and amended policies and procedures developed and implemented as per (a) above.
    3. Agree to obtain an accountability audit and report from an independent third party within 120 days from the issuance of our Office’s final Report of Findings that certifies Global’s accountability measures are operating with sufficient effectiveness to provide reasonable assurance that the personal information Global processes is being collected and used in accordance with the Act and submit the report to our Office for review and acceptance.
78. To assist with the implementation of the above recommendations, our Office also suggested that Global refer to our Office’s publication entitled Getting Accountability Right with a Privacy Management Program^{Footnote 5} and make changes to its accountability measures, as required.
79. Our Office requested that Global respond in writing, advising how it intended to implement the above recommendations.

Response to Preliminary Report of Investigation

80. In response to our Office’s PRI, Global advised that it had implemented recommendation a. above. Specifically, it confirmed that it had created a document entitled "Privacy - Global's Ten Steps" and added it to Global’s Compliance Policies and Procedures Manual. This document references the ten principles in Schedule 1 of the Act and outlines the role of Global and each ISR, as well as what needs to be done going forward to respect these principles, when dealing with the personal information of actual and prospective clients. Global also confirmed that its regular spot audits (completed by its CCO) will going forward also audit whether the obligations outlined in this new document are being followed by its BMs and ISRs.
81. In response to recommendation b., Global advised that it had incorporated privacy training as part of its training modules for the entire Global family from the executives to the customer service team. The privacy training module includes a test to ensure that everyone understands the importance of protecting the privacy of prospective and actual clients.
82. Global further confirmed that it had appointed a new Privacy Officer who has taken a proactive role to ensure that its privacy policies and procedures are strictly adhered to.
83. Global has also agreed to obtain an accountability audit and report from an independent third party, as outlined in recommendation c., within a year from the issuance this Report of Findings.
84. Moreover, Global confirmed that it has reviewed our Office’s publication entitled Getting Accountability Right with a Privacy Management Program.

Conclusion

85. We are satisfied, that, once implemented, the above changes will meet our Office’s recommendations. Accordingly, our Office concludes that this matter is well-founded and conditionally resolved.