Data Privacy and Security

We are committed to maintaining the confidentiality and security of all personal information we may collect, use and disclose in compliance with applicable laws and regulations. Data privacy and security are of utmost importance to the Corporation and we have strict policies in place to ensure the personal information entrusted to us is protected.

Commitment

We have formalized our commitment to protecting the information we collect and generate in the policies that govern the way in which we conduct our business. In these policies, we have established specific guidelines relating to the collection, use and disclosure of personal information. We also have policies and procedures relating to the protection of confidential information from theft, loss, unauthorized disclosure, access or destruction or other misuse. 

Our Code of Business Conduct and Ethics and Third Party Code of Conduct outline our broad expectations regarding the treatment of personal information for both our personnel and third parties we work with. These expectations are further detailed in our formal policies that cover personal information collected from the public, employee personal information, cybersecurity and record retention. 

Our Privacy Policy establishes guidelines for the collection, use and disclosure of personal information from the public, including from those using our websites and third-party social media sites, or subscribing to our e-mail notification service. 

We also have a separate Employee Privacy Policy that establishes the guidelines for the collection, use and disclosure by Power Corporation of personal information regarding our employees for the purposes of establishing, maintaining and concluding the employment relationship. 

Our Security of Technology and Intellectual Property Policy (the “Cybersecurity Policy”) sets forth the Corporation’s expectations for all employees, consultants and contractors with respect to the proper use of the Corporation’s technology and intellectual property and the protection of cybersecurity.

Furthermore, our Record Retention Policy ensures that our records, including personal information, are retained, processed, and destroyed appropriately and in accordance with applicable laws.

Implementation

In accordance with applicable privacy laws, we collect personal information that is necessary to our business where we have consent to do so or as permitted or required by law. Each officer and employee is provided with a copy of our various policies and procedures. 

Through our annual corporate policies training sessions, we educate our employees on the application of our policies and procedures, including those related to data privacy and security. The training process is facilitated by a web-based platform, through which the mandatory training module covering Power’s Code of Business Conduct and Ethics and key corporate policies is being conducted. At the end of the module, as part of our annual certification requirement, employees are required to certify their compliance with our Code of Business Conduct and key corporate policies.

In addition, from time to time, our personnel also receives training on more specific issues such as cybersecurity from industry experts, as new risks are identified, or new systems are implemented.

We have established a comprehensive information and cybersecurity program, benchmarked our capabilities to sound industry practices, and we have implemented threat and vulnerability assessments and response capabilities. We continue to invest in security technologies to protect against, detect and respond to cybersecurity threats. This includes our IT Security Incident Response Protocol, which is administered and implemented by both the Vice-President and Controller and the IT Director, and provides our employees and third-party service providers guidelines with respect to responding to security breaches that could threaten our data and technology.

It should be noted that as a holding company, we have no clients of our own. Our group companies are responsible for implementing their own policies and procedures to protect the privacy of their clients’ information. Our major subsidiaries, Great-West Lifeco and IGM Financial, and their operating companies, have established privacy policies which detail their requirements regarding the collection, use and disclosure of personal information, including:

  • Clearly identifying the purpose of the information they collect; 

  • Providing a means for individuals to opt in or out of the data collection;

  • Providing a means for individuals to verify, correct and delete their data, where relevant; and,

  • Communicating whether third parties have access to the information, the purpose of their use, and the controls in place to ensure the protection of information.

While each of IGM Financial's operating companies has their own privacy-related procedures relevant to its business, IGM Financial itself has implemented an overarching Privacy Policy applicable across the company. Privacy is covered in the annual, mandatory compliance training for all employees and advisors. Topics include our privacy obligations, privacy tips and best practices, and how to handle privacy breaches, complaints and access to information requests. In 2021, the company also began preparations for complying with upcoming federal and provincial legislative changes, which will grant Canadians greater control and transparency over their personal data. 

As part of our active ownership approach, we are committed to fostering compliance with data privacy and security legislation by our subsidiaries.

Responsibility

Proper use and protection of information is the responsibility of our entire organization and relies on the diligence of each member of our personnel. The Vice-President and General Counsel is responsible for providing oversight of data privacy programs, as well as training and compliance regarding our policies and procedures. The Vice-President and Controller is responsible for administering our Cybersecurity Policy. Both report to the Audit Committee of the Board of Directors as needed.

Reporting Mechanisms 

To report any concerns, inquiries or complaints regarding our privacy policies, our personnel and the public should contact the General Counsel’s office. 

Monitoring and Review

We continuously monitor and enhance our information technology defenses and procedures to prevent, detect, respond to and manage cybersecurity threats, which we recognize are constantly evolving. We also participate in industry-established forums and collaborate with peers on threat intelligence and critical security threats facing the global financial services sector.

We conduct periodic audits of our information security systems to ensure proper implementation of our policies as well as compliance with evolving regulations, including the European General Data Protection Regulation (GDPR). We make necessary improvements to adapt to regulations. 

Scroll To Top
X