Data Privacy and Security
We are committed to maintaining the confidentiality and security of all personal information we may collect, use and disclose in compliance with applicable laws and regulations. Data privacy and security are of utmost importance to the Corporation and we have strict policies in place to ensure the personal information entrusted to us is protected.
We have formalized our commitment to protecting the information we collect and generate in the policies that govern the way in which we conduct our business. In these policies, we have established specific guidelines relating to the collection, use and disclosure of personal information. We also have policies and procedures relating to the protection of confidential information from theft, loss, unauthorized disclosure, access or destruction or other misuse.
Our Code of Business Conduct and Ethics and Third Party Code of Conduct outline our broad expectations regarding the treatment of personal information for both our personnel and third parties we work with. These expectations are further detailed in our formal policies that cover personal information collected from the public, employee personal information, cybersecurity and record retention.
Our Security of Technology and Intellectual Property Policy (the “Cybersecurity Policy”) sets forth the Corporation’s expectations for all employees, consultants and contractors with respect to the proper use of the Corporation’s technology and intellectual property and the protection of cybersecurity.
Furthermore, our Record Retention Policy ensures that our records, including personal information, are retained, processed, and destroyed appropriately and in accordance with applicable laws.
In accordance with applicable privacy laws, we collect personal information that is necessary to our business where we have consent to do so or as permitted or required by law. Each officer and employee is provided with a copy of our various policies and procedures.
Through our annual corporate policies training sessions, we educate our employees on the application of our policies and procedures, including those related to data privacy and security. The training process is facilitated by a web-based platform, through which the mandatory training module covering Power’s Code of Business Conduct and Ethics and key corporate policies is being conducted. At the end of the module, as part of our annual certification requirement, employees are required to certify their compliance with our Code of Business Conduct and key corporate policies.
In addition, from time to time, our personnel also receives training on more specific issues such as cybersecurity from industry experts, as new risks are identified, or new systems are implemented.
We have established a comprehensive information and cybersecurity program, benchmarked our capabilities to sound industry practices, and we have implemented threat and vulnerability assessments and response capabilities. We continue to invest in security technologies to protect against, detect and respond to cybersecurity threats. This includes our IT Security Incident Response Protocol, which is administered and implemented by both the Vice-President and Controller and the IT Director, and provides our employees and third-party service providers guidelines with respect to responding to security breaches that could threaten our data and technology.
It should be noted that as a holding company, we have no clients of our own. Our group companies are responsible for implementing their own policies and procedures to protect the privacy of their clients’ information. Our major subsidiaries, Great-West Lifeco and IGM Financial, and their operating companies, have established privacy policies which detail their requirements regarding the collection, use and disclosure of personal information, including:
Clearly identifying the purpose of the information they collect;
Providing a means for individuals to opt in or out of the data collection;
Providing a means for individuals to verify, correct and delete their data, where relevant; and,
Communicating whether third parties have access to the information, the purpose of their use, and the controls in place to ensure the protection of information.
IGM Financial also participates in industry-established forums, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Canada Center for Cyber Security, and collaborates with peers on threat intelligence and critical security threats facing the global financial services sector.
As part of our active ownership approach, we are committed to fostering compliance with data privacy and security legislation by our subsidiaries.
Proper use and protection of information is the responsibility of our entire organization and relies on the diligence of each member of our personnel. The Vice-President and General Counsel is responsible for providing oversight of data privacy programs, as well as training and compliance regarding our policies and procedures. The Vice-President and Controller is responsible for administering our Cybersecurity Policy. Both report to the Audit Committee of the Board of Directors as needed.
To report any concerns, inquiries or complaints regarding our privacy policies, our personnel and the public should contact the General Counsel’s office.
Monitoring and Review
We continuously monitor and enhance our information technology defenses and procedures to prevent, detect, respond to and manage cybersecurity threats, which we recognize are constantly evolving. We also participate in industry-established forums and collaborate with peers on threat intelligence and critical security threats facing the global financial services sector.
We conduct periodic audits of our information security systems to ensure proper implementation of our policies as well as compliance with evolving regulations, including the European General Data Protection Regulation (GDPR). We make necessary improvements to adapt to regulations.