
Personalizing your Own Compliance Manual – Template

This is a compilation of the key elements you will need to complete the personalization portion of your
compliance manual. Your compliance manual should be an ever-evolving document. Information should be
edited, added or removed to meet the current needs of your business. There are five
mandatory parts to be included; there are additional documents that you could include to build a stronger
compliance manual. A yearly review of the information in your compliance manual must be conducted to
ensure the program remains up to date, robust and effective.

Compliance Regime

The following five elements must be included in a compliance regime:

I. The appointment of a compliance officer
II. The development and application of written compliance policies and procedures
III. The assessment and documentation of risks of money laundering and terrorist financing,
and measures to mitigate high risks
IV. Implementation and documentation of an ongoing compliance training program
V. A documented review of the effectiveness of policies and procedures, training program and
risk assessment

Additional Documents

- Appointment of a privacy officer
- Development of written internal privacy policy

I. Appointment of a Compliance Officer
II. Compliance Policies and Procedures
Anti-Money Laundering

Policy and Procedures

Appointed Compliance Officer is XXXXXXXX

Until further notice

Copy to be retained in the Policy and Procedures Binder to be kept in the following address of our office:

Address: __________________________________

__________________________________

__________________________________.

The following outline sets out the policy and procedures (P&P) that every employee/employer of Advisor’s office
must adhere to, covering the 3 sections pertaining to our type of entity and the services we provide as a
life insurance broker, and the most recent amendments on June 23, 2008, to the Proceeds of Crime
(Money Laundering) and Terrorist Financing Act 2001. These policies and procedures are not intended as
a substitute for FINTRAC Guidelines, which can be accessed by visiting www.FINTRAC.gc.ca, nor for those of the
companies we may represent. Be aware that the policy and procedures guideline will be under ongoing
review, development and documentation as required under the legislation.

Our employees will meet on an annual basis, or more often if required, to review and update as necessary
and each member will be obligated to attend the “in-house” training sessions. A record of these updates,
training sessions or meetings will be kept in the front of the binder and every person will be required to
sign and record the date of these meetings or training sessions.
Record Keeping and Client Identification for Life Insurance Companies, Brokers and Agents as per
Guideline 6A

When processing any Segregated Fund business, there is a section on the application that pertains to
“Political Exposed Individuals”, “Third Party” involvement, and Insider Information. If the client
answers “yes” to any of these questions, then a Politically Exposed Foreign Person (PEFP) and Third Party
Disclosure form must be completed and immediately sent to the appropriate compliance department.

We shall use our in-house Client and Third-Party Identity Verification form (Attachment
“A”) if another entity’s form is not available.

All clients’ files must include a copy of the current cheque, money order, or bank draft that accompanies
each transaction. We will check if the financial institution is a major Canadian institution by referencing
the federal (OSFI) or applicable provincial list.

** At no time will any person affiliated with our office accept cash for any transaction or product. There
is to be no exception to this rule, regardless of the company that we are doing business with or
representing.

Because we never accept cash, we do not have to keep a separate “Large Cash Transaction Record”.

Each client’s file will include a legible photocopy of a government-issued identification that was taken
when the client opened their account and was also verified by the advisor. Watch for flaws or any obvious
alterations to the identification. It must be valid and current; for example, we cannot accept expired
drivers’ licenses or passports.

On accounts that were opened before this legislation, a photocopy of client identification should be obtained at
the time of file updates or the next meeting with that client. Please review the file for an updated photocopy
of government-issued identification.

In the case of corporate accounts (non-individual accounts), officers with signing authority for the
corporation must provide their personal client identification for their file, along with the corporate
resolution, business number (BN or BIN), and copies supporting the identification of the corporate entity.
Suspicious Transactions or Attempted Suspicious Transactions

Per FINTRAC’s Guideline 2: Suspicious Transactions (please refer to the binder containing all forms and
material on Anti-Money Laundering or visit www.FINTRAC.gc.ca), there is no minimum dollar amount
threshold for reporting suspicious transactions or attempted transactions. Although the business
conducted under our office would be of very minimal risk, as we are situated in a small city (population
approx. XXXXXXXXXX, XX minutes from the nearest larger city, XXXXXXX), we cannot stress enough the
importance of always knowing the identity of the person we are conducting business with. Even if we
know our client well and would never deem him/her to be suspicious, we always look at the overall picture
and consider if the transaction itself is unusual or otherwise not a normal type of transaction for that
client. It is our practice to be on the lookout for suspected 3rd party involvement.

If we should ever have a suspicion regarding a transaction or an attempted
transaction, we shall, within 30 days from the date the suspicion occurred, file a STATR (Suspicious
Transaction or Attempted Transaction Report). We use the FINTRAC electronic method of reporting
(http://www.FINTRAC-canafe.gc.ca). However, we do have a paper version of this report retained in the
binder.

XXXXXXXXXX, as appointed Compliance Officer will be notified immediately and the Compliance Officer
will in turn, notify FINTRAC and our branch compliance manager of the transaction in question, along with
the details.

XXXXXXXX will assume the role of Compliance Officer at any time XXXXXXXX is absent from the office.
Terrorist Property Reports

The OSFI terrorist lists (both individual and non-individual) will be reviewed annually to determine if any
of our clientele appears on these lists. If we identify, or have reason to believe, that any of our clients are on
these lists, we will immediately contact FINTRAC, providing them with the names and identifying any
property (accounts) associated with these clients, and complete a Terrorist Property Report.

At no time would we alert the client to our suspicions or disclose the fact that we have made a report,
nor can the contents of the report be disclosed.

We shall record FINTRAC’s message acknowledging receipt of our report and the identification
number assigned by FINTRAC. All copies of correspondence and the report itself must be kept in our
office.

To further assist in preventing or recognizing money laundering or terrorist financing activity, the
following attachments are found in this binder.

Attachment #1 – What is required by the client

Attachment #2 – What is required by the advisor

Attachment #3 - New & Existing Clients

These attachments specifically indicate the types of client identification and banking information that
are acceptable, the confirmation of beneficiary information, what to accept and what not to accept, and what
additional documentation may be required based on whether the client is a charitable organization or is
politically exposed. Attachment #3 summarizes the Do’s and Don’ts for new and existing clients.

Appendix 1: Product Services, Delivery Channels and Geographic Locations found in Guideline
4 – Implementation of a Compliance Regime article produced by FINTRAC. This assessment tool was
also used and the results were LOW with regards to money laundering and terrorist financing
exposure.

The following reference documents are included in our AML/ATL policies and procedures.
- Employee Acknowledgement that they have read and understood the various guidance manuals
and policies and procedures contained in our binder
- Training sessions and meetings log.
- Policies and Procedures and Risk Assessment Table
- Tabbed section for FINTRAC updates and correspondence
- Tabbed section for the Guidance Manual to Combat Money Laundering and Terrorist Activity
Financing by the CLHIA (Canadian Life & Health Insurance Association)
- Tabbed section for FINTRAC’s Guideline #2, Suspicious Transactions
- Tabbed section for FINTRAC’s Guideline #4, Implementation of a Compliance Regime
- Tabbed section for FINTRAC’s Guideline #6A, Record Keeping and Client Identification for Life
Insurance Companies, Brokers, and Agents
- Tabbed section for Unusual Activity Reports and samples of FINTRAC’s Suspicious Reports
- FINTRAC Examinations (for reference only)

For any updates to these documents visit www.FINTRAC.gc.ca. These documents will be kept
up-to-date.

For Charitable Organizations

Keep a record that sets out whether the organization is:

i) a charity registered with the CRA under the Income Tax Act

ii) an entity that solicits charitable financial donations from the public without being registered.
We will not deal with this type of Charitable Organization

For Politically Exposed Foreign Persons (PEFP)

The in-house “Client and Third-Party Identity Verification” (Attachment “A”) must be completed,
signed by the client, and witnessed by the advisor. A copy of this form will be kept in the client
file.

Determine if a person who makes a lump-sum payment of $100,000 or more in respect of an immediate
or deferred annuity or life insurance policy on their own behalf or on behalf of a third party is a PEFP.

Establish the source of the funds that have been used for the transaction.
- The transaction must be reviewed by an administrative employee and the review must be
completed within 14 days after the day on which the transaction occurred.
- Keep a record that sets out:
  a) the office or position in respect of which the person initiating the transaction is determined to
  be a PEFP,
  b) the source, if known, of the funds that are used for the transaction,
  c) the date of the determination that the person is a PEFP,
  d) the name of the administrative employee who reviewed the transaction, and
  e) the date the transaction was reviewed.
Attachment #1

What is required by the client?

1. All clients must show face to face government issued photo identification.
2. All clients must reside in Canada.
3. A copy of a cheque from a Canadian Chartered Financial Institution marked VOID. In the case of
a non-chequing account, confirmation of banking information on bank letterhead, bank stamped
and signed by a bank officer, is kept in the client’s file.
4. When a client meets with the advisor, the advisor will confirm beneficiary information such as
name, address, and occupation if the beneficiary information applies to the account.
5. Cash is not accepted. Cheques must be made payable to the Insurance Carrier from a Canadian
Financial Institution.
6. Client information (occupation, income, employer, etc.) should be collected for all new clients.
Client information sheets should be in client files. This information should also be maintained
in the contact management system.
7. If a client is acting on behalf of a third party and/or has been politically exposed, additional
documentation will be required (Attachment “A”). This form must be signed by the client and
witnessed by the advisor.
8. If a client is a charitable organization, please refer to the Charitable Organization area of the
policies and procedures. Additional documentation will be required.
Attachment #2

What is required by the advisor?

1. An account cannot be opened without a valid government issued photo identification, banking
information or beneficiary information.
2. The advisor must obtain a copy of valid government issued photo identification such as driver’s
license. This identification must be obtained in person and must be kept up to date in the client
file and on the contact management information system.
3. The advisor must confirm that the client resides in Canada.
4. The advisor must request a copy of a cheque from a Canadian Chartered Financial Institution
marked VOID. In the case of a non-chequing account, confirmation of banking information on
bank letterhead, bank stamped and signed by a bank officer, will be accepted and a copy will be
kept in the client’s file and kept up-to-date.
5. The advisor must confirm beneficiary information such as name, address, and occupation if the
beneficiary information applies to the account.
6. The advisor must not accept cash. Cheques must be made payable to the Insurance Carrier of the
business written.
7. The advisor along with the client must complete the Client and Third-Party Identity Verification
form (see Attachment “A”). The client is required to sign the form and the advisor is required to
witness the form.
8. At any time when a client requests an appointment, the client’s file is reviewed for any
identification that may be out of date, as well as any bank information or beneficiary information,
and this is recorded as an agenda item for the client to provide up-to-date information.
Attachment #3

New & Existing Clients

1. Identify the client and verify the client’s identity using reliable, independent source documents,
data, or information. View original, valid acceptable identification such as government-issued
photo identification (i.e. Driver’s license).
2. Determine whether the client is acting on behalf of another person and take reasonable steps to
obtain sufficient identification data to ascertain the identity of that other person.
3. Identify the beneficial owner of an account and take reasonable measures to ascertain the identity
of the beneficial owner such that the insurer is satisfied that it knows who the beneficial owner
is.
4. For corporate entities and arrangements such as partnerships, clubs, or associations the
ownership and control structure of the client must be known.
5. Obtain any other information for the purpose and intended nature of the business relationship
and any other relevant factors.
6. Refuse insurance to beneficial owners that use fictitious names or whose identity is kept
anonymous.
7. Rely on identification and verification such as government issued photo ID unless doubts arise
about the veracity of the information held by the insurer.
8. Collect information regarding occupation and business.
9. Ensure that an individual acting on behalf of an entity is authorized to do so.
10. Ask for certification of appropriate authorities and professionals of documents that may be
presented such as Powers of Attorney.
11. Request additional documents that may be needed to complement those which have been
required such as copies of Social Insurance Cards for RESP accounts.
12. Require that the first premium payment for insurance is withdrawn from an account in the client’s
name with a Canadian Financial Institution.
13. Do not deal with a viatical company operating in a jurisdiction where trafficking in insurance is not
prohibited, including the beneficial owner.
14. Do not deal with a business originating from a high-risk country.
15. Do not accept foreign cheques.
16. Do not establish business with a “risky client”.
17. If applicable, monitor ongoing patterns or unusual or suspicious activity to ensure that risk activity
can be scrutinized.
18. Pay special attention to customer entry and exit of insurance products, early surrenders and any
abnormal business patterns or a change in payor or beneficiary.
19. Identify materiality between insurers considering for example average premium income size per
customer and the average duration of contract in force to avoid setting monetary thresholds.
20. Pay special attention to all complex unusually large transactions and all unusual patterns of
transactions.
21. Pay special attention to insurance policies that change beneficiaries.
Attachment “A”

Client and Third-Party Identity Verification

Full legal name of owner: ________________________________________________

Is the owner acting on behalf of a third party? О Yes О No

Is a third party contributing the funds being used to purchase this contract? О Yes О No

Does a third party have control of this contract? О Yes О No

(If the answer to any question is ‘YES’, please complete information below about the third party)

Name

Address

City Province Postal Code

Incorporation Number (if applicable)

Jurisdiction of registration (i.e. Federal, Provincial, if applicable)

Principal business or occupation of the third party

What is the nature of the owner’s relationship with the third party identified above?

Politically exposed person information

Has the owner, the person contributing the funds, or any close relative of either person ever held a senior
position in government, political party, military, tribunal, or government-owned corporation of a foreign
country? (i.e. Is politically exposed) О Yes О No

(If the answer to the question is “YES”, please complete information below)

Who is politically exposed? □ Owner □ Contributor (current or future)

What is the name of the person who holds or held a foreign political office? (first, middle initial, last)

In what country is/was the position held?

During what period was the position held? Starting Year / Ending Year

What position is or was held by the person who is or was politically exposed in a foreign country?

□ Head of state or head of government
□ Member of the executive council or government or member of a legislature
□ Deputy Minister (or equivalent)
□ Military general
□ Ambassador or ambassador’s attaché or counselor
□ President of a state-owned company or bank
□ Head of government agency
□ Judge
□ Leader or President of a political party in a legislature

Time of position held

What is the relationship of the person named above to the owner or contributor?

□ Self
□ Child
□ Mother or father
□ Spouse or common-law partner
□ Brother, sister, half-brother, or half-sister
□ Spouse’s or common-law partner’s parent


Client Signature _________________________________

Client Name (Print) _________________________________

Date _________________________________

Witness Signature _________________________________

Witness Name (Print) _________________________________

Date _________________________________
III. Risk Assessment of your Business
Risk Assessment Questionnaire

This document will serve as a guide for you to create Anti-Money Laundering and Anti-Terrorist
Financial Activity (AML) Internal Policies and Procedures that are specific to your own business.

Your version of the internal policies and procedures should contain information that answers all the
questions below. Please answer the questions in essay format. The questions below are not meant to be
included in your policies and procedures; they are a guide only.

Green is Low Risk; Blue is Medium Risk; Red is High Risk

Overall Risk Picture

1) What level of risk exists in your firm for money laundering and terrorist financing?
(Low, Medium, High)
2) How many clients?
3) Where are most of your clients? (Local, Province-wide, Nationwide)
4) What are the crime rates in the areas where your clients reside? (Low, Medium, High)
5) How many of your clients are households?
6) How many of your clients are businesses?
7) How many of your clients are charitable organizations?
8) How many of your clients are politically exposed persons?
9) How much overseas funding exposure does your clientele have?
10) Approximately what percentage of your clientele is:
a. Blue Collar
b. White Collar
c. Affluent (Net worth 1-5 million)
d. High Net Worth (5 million +)
11) Approximately what percentage of your business is:
a. Term Insurance
b. Whole Life Insurance
c. Universal Life Insurance
d. Critical Illness Insurance
e. Disability Insurance
f. Non-Registered Segregated Funds
g. Registered Segregated Funds
h. Annuities
i. Group Benefits
j. Group Pensions
k. Guaranteed Investment Certificates
l. Mutual Funds
m. Travel Insurance
12) Do you have referral clients with the following: (If yes, what percentage of your business?)
a. Portfolio Managers
b. Exempt Market Products

13) Approximately what is the average dollar amount of your transactions for: (<10K, 10-100K, 100K+)
a. Whole Life Insurance
b. Universal Life Insurance
c. Term/Disability/Critical Illness
d. Registered Segregated Funds
e. Non-Registered Segregated Funds
f. Guaranteed Investment Certificates/ Annuities
g. Other Investments

14) Do you conduct non-face-to-face transactions? (Yes or No)


15) Do you closely monitor ownership transfers? (Yes or No)
IV. Training Schedule and Attendance Record
Compliance Training Program

Our compliance training follows the compliance training program created by CF Canada Financial. The
following pages contain the training schedule set out by CF Canada Financial. Our attendance at these
training sessions is recorded in our records.
CF Compliance Training Program
12 Sessions, approx. 1.5 hrs each

FINTRAC

April 6, 2017 Session 1: Introduction – What is FINTRAC?
- Responsibility of Entities in the Life Insurance Industry
- Our Responsibilities as Insurance Agents:
  - Appointment of Compliance Officer
  - Written Compliance Policies and Procedures
  - Risk Assessment & Mitigation
  - Review
  - Reporting
  - Compliance Training

May 4, 2017 Session 2: Risk Assessment
- Risk Survey & Review
- Attempted Transactions
- Suspicious Transactions
- Large Cash Transactions & Terrorist Funding
- Suspicious Factors – General
- Suspicious Factors – Industry Specific

June 1, 2017 Session 3: Reporting Requirements
- How to Report
- What to Report
- Required Record Keeping
- Large Cash Transactions
- Client Identification

July 6, 2017 Session 4: Implementation
- Mandatory Compliance Regime
- Penalties for Non-Compliance
- Penalties for Failure to Report
- Review of Previous Sessions
- Individual Written Policies Required
- Initial Paperwork
- Risk Assessment
- Reviews
- Attend Training Sessions

Privacy

August 3, 2017 Session 5: Introduction
- Ten Privacy Principles:
  - Accountability
  - Identifying Purpose
  - Consent
  - Limiting Collection
  - Limiting Use, Disclosure, and Retention
  - Accuracy
  - Safeguards
  - Openness
  - Individual Access
  - Challenging Compliance
- Individual Written Policies Required
- Initial Paperwork
- Risk Assessment
- Reviews
- Attend Training Sessions

September 7, 2017 Session 6: Privacy Breaches
- Breach Containment and Preliminary Assessment
- Evaluate the Risks
- Notification
- Prevention of Future Breaches

Insurance Council of British Columbia (ICBC)

October 5, 2017 Session 7: Code of Conduct/Suitability
- Trustworthiness
- Good Faith
- Competence
- Usual Practices
- Financial Solvency

November 2, 2017 Session 8: Usual Practices 1
- Disclosure & Point of Sales
- Continuing Education

December 7, 2017 Session 9: Usual Practices 2
- Financial Needs Analysis (FNA)
- Risk Tolerance
- Know Your Client (KYC)
- Needs Based Selling

January 4, 2018 Session 10: Contracting
- CLHIA Requirements
- Representation & Fronting
- Duty to Notify

February 1, 2018 Session 11: Complaint Handling
- Defining a Complaint
- Handling a Complaint
- Errors & Omissions Insurance

March 1, 2018 Session 12: Rebates & Referrals
- National Do Not Call List
- Rebate & Referral Fees
- Referring Third Party Entities

Anti-Money Laundering and Terrorist Activity Financing Training Attendance Sheet

Training Topic:

DATE NAME SIGNATURE


Compliance Policies and Procedures for Anti-Money Laundering and Terrorist
Activity Financing

Date and sign below to acknowledge you have read the guidance manuals and understand our
obligations and the mandatory compliance policies and procedures.

EMPLOYEES SIGNATURE DATE


V. Yearly Review of Compliance Manual
Additional Documents
<Company Name>

INTERNAL PRIVACY POLICY

Objective
To ensure that:

(a) <Company Name> is in compliance with regulatory and self-regulatory requirements
regarding Privacy (“Regulations”);
(b) <Company Name> clients’ privacy is handled professionally, in a secure environment and
appropriately monitored.

Our Privacy Officer: _________________________

Person(s) Responsible:

(1) <Designated Person> is the Privacy Officer and all inquiries/complaints shall be directed to
her/him
(2) <Designated person’s name> is hereby designated as responsible for the application of this
policy;

Our Commitment

At <Company Name> our clients are our business. As a financial services company, we are trusted with
our clients’ most sensitive personal information. We must respect that trust and need our clients to be
aware of our commitment to protect the information they provide while doing business with us.

We collect personal information in compliance with applicable laws and ethical business practices, to
provide services and to conduct business. We limit the information we collect to that which is necessary
for, or related to, these purposes.
We abide by the Ten Privacy Principles. The Principles are based on the federal government’s privacy
legislation, the Personal Information Protection and Electronic Documents Act.

1. Accountability: An organization is responsible for personal information under its control and shall
designate an individual or individuals who are accountable for the organization's compliance with the
following principles.

2. Identifying Purposes: The purposes for which personal information is collected shall be identified by
the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure
of personal information, except when inappropriate.

4. Limiting Collection: The collection of personal information shall be limited to that which is necessary
for the purposes identified by the organization. The information shall be collected by fair and lawful
means.

5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for
purposes other than those for which it was collected, except with the consent of the individual or as
required by the law. Personal information shall be retained only for as long as necessary for the fulfillment
of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the
purposes for which it is to be used.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the
sensitivity of the information.

8. Openness: An organization shall make readily available to individuals specific information about its
policies and practices relating to the management of personal information.

9. Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of
his or her personal information and shall be given access to that information. An individual shall be able
to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance
with the above principles to the designated individual or individuals accountable for the organization's compliance.

Information Collection and Use

We collect the information required for us to complete the task for which we are engaged, whether that
is insurance, money products or financial plans.

Personal information is information that refers to an individual specifically. We will use fair and lawful means to
collect our clients’ personal information. We will only collect information that is pertinent and consistent with
the purposes of the collection. Whenever practical, we will collect the required information directly
from the client, or from their authorized representative(s), in completed applications and forms,
through other means of correspondence, such as the telephone, mail or the internet, and through their
business dealings with us.

What we need to know and why

We collect information from our clients and about them, only with their consent, or as required or
permitted by law. In general, we will collect personal information such as their name, address,
telephone number(s) or other identifying information, such as their Social Insurance Number (SIN) or
date of birth.

The type of additional information we gather will depend on the type of product or service involved.
The information gathered may be financial, which would include such information as place of
employment, annual income, assets and liabilities. It may be investment or advice related, requiring
information on such things as their financial goals and retirement plans. If the client is applying for
insurance or group insurance benefits, it may also include health information or lifestyle-related
information, such as their occupation, travel history and plans, driving record or criminal record.

Consent

The consent for us to establish a file and collect and maintain personal, medical & financial information is
to be signed by the client and placed in their file.

Protection of Personal Information

As the principals, management and employees of <Company Name> we are granted access to client
information and must understand the need to keep the information protected and confidential. Our
training procedures clearly communicate that we are to use the information only for the intended
purpose(s).

Staff will be required to sign a confidentiality agreement upon commencement of employment.

Retention of Personal Information

We will only keep clients’ personal information in our records for as long as it is needed to fulfill the
identified purposes, or as required or permitted by law.

Privacy Choices

Clients may request copies of our privacy policies and procedures at any time.

Clients may request access to their information. We must respond to this request as quickly as possible,
but no later than 30 days after the receipt of the request.

Clients may withdraw their consent at any time by contacting our Privacy Officer. However, they will be
made aware that failure to provide adequate information may prevent us from completing the task for
which we were engaged.

Clients may file complaints about our privacy procedures as well as a breach in our privacy
policy. Complaints should be received in writing and forwarded to the Privacy Officer. The Privacy Officer
will contact the client and obtain all details. The Privacy Officer will then review the circumstances of the
complaint and determine if there is reason to alter the existing privacy policy. Insurance carriers should
be notified of any complaint involving their clients/products.

Exception to client access

Organizations must refuse an individual access to personal information:

- If it would reveal personal information about another individual unless there is consent or a
life-threatening situation
- If the organization has disclosed information to a government institution for law enforcement or
national security reasons. Upon request, the government institution may instruct the
organization to refuse access or not to reveal that the information has been released. The
organization must refuse the request and notify the Privacy Commissioner. The organization
cannot inform the individual of the disclosure to the government institution, or that the institution
was notified of the request, or that the Privacy Commissioner was notified of the refusal.

Organizations may refuse access to personal information if the information falls under one of the
following:

- Solicitor-client privilege
- Confidential commercial information
- Disclosure could harm an individual’s life or security
- It was collected without the individual’s knowledge or consent to ensure its availability and
accuracy, and the collection was required to investigate a breach of an agreement or
contravention of a federal or provincial law (the Privacy Commissioner must be notified)
- It was generated during a formal dispute resolution process.
