Personalizing Your Compliance Manual – Sample

All details included in this sample document is for REFERENCE ONLY. Please review the entirety of the

document and alter any detailed information that fits your business.

This is a compilation of the key elements you will need to complete the personalization portion of your

compliance manual. Your compliance manual should be an ever-evolving manual. Information should be

edited, added or removed to cater to the current evolving need of for your business. There are five

mandatory parts to be included; there are additional documents that you could include to build a stronger

compliance manual. A yearly review of the information in your compliance manual must be conducted to

ensure the program remains up to date; robust and effective.

Compliance Regime

The following five elements must be included in a compliance regime:

I. The appointment of a compliance officer

II. The development and application of written compliance policies and procedures

III. The assessment and documentation of risks of money laundering and terrorist financing,

and measures to mitigate high risks

IV. Implementation and documentation of an ongoing compliance training program

V. A documented review of the effectiveness of policies and procedures, training program and

risk assessment

Additional Documents

Appointment of a privacy officer

Development of written internal privacy policy

I. Appointment of a Compliance Officer

II. Compliance Policies and Procedures

Anti-Money Laundering

Policy and Procedures

Appointed Compliance Officer is Bruce Wayne

Until further notice

Copy to be retained in the Policy and Procedures Binder to be kept in the following address of our office:

Address: 1188 – 1095 W. Pender Street, Vancouver, BC, V6E 2M6

The following outline is policy and procedures (P&P) that every employee/employer of Advisor’s office

must adhere to involving the 3 sections pertaining to our type of entity and the services we provide, as a

life insurance broker, and the most recent amendments on June 23, 2008, to the Proceeds of Crime

(Money Laundering) and Terrorist Financing Act 2001. These policies and procedures are not intended as

a substitute for FINTRAC Guidelines, which can be accessed by visiting www.FINTRAC.gc.ca, nor for the

companies we may represent. Be aware that the policy and procedures guideline will be under ongoing

review, development and documentation as required under the legislation.

Our employees will meet on an annual basis, or more often if required, to review and update as necessary

and each member will be obligated to attend the “in-house” training sessions. A record of these updates,

training sessions or meetings will be kept in the front of the binder and every person will be required to

sign and record the date of these meetings or training sessions.

Record Keeping and Client Identification for Life Insurance Companies, Brokers and Agents as per

Guideline 6A

When processing any Segregated Fund business there is a section on the application that pertains to

“Political Exposed Individuals”, “Third Party” involvement, Insider Information, knowing that if the client

answers “yes” to any of these questions, then a Politically Exposed Foreign Person (PEFP) and Third Party

Disclosure form must be completed and immediately sent to the appropriate compliance department.

We ensure that we shall use our in-house Client and Third-Party Identity Verification form (Attachment

“A”) if another entities form is not available.

All client’s files must include a copy of the current cheque, money order, or bank draft that accompanies

each transaction. We will check if the financial institution is a major Canadian institution by referencing

the federal (OSFI) or applicable provincial list.

** At no time, will any persons affiliated with our office accept cash for any transaction or product. There

is to be no exception to this rule, regardless of the company that we are doing business with or

representing.

Because we never accept cash, we do not have to keep a separate “Large Cash Transaction Record”.

Each Client’s file will include a legible photocopy of a government issued identification that was taken

when the client opened their account and was also verified by the advisor. Watch for flaws or any obvious

alterations to the identification and it must be valid and current, for example, we cannot accept expired

drivers’ licenses or passports.

On accounts that were opened before this legislation, A photocopy of client Identification should be taken

at the time of file updates or the next meeting with that client. Please review the file for a current

photocopy of government issued identification. Place the photocopy to the front of the file along with

other documentations.

In the case of corporate accounts (non-individual accounts), any officers with signing authority for the

corporation must provide their Personal Client Identification for their file, along with the corporate

resolution, business number (BN or BIN), and copies supporting the identification of the corporate entity.

Suspicious Transactions or Attempted Suspicious Transactions

Per FINTRAC’s Guideline 2: Suspicious Transactions (please refer to the binder containing all forms and

material on Anti-Money Laundering or by visiting www.FINTRAC.gc.ca, there is no minimum dollar amount

threshold for reporting suspicious transactions or attempted transactions. Although the business

conducted under our office would be a very minimum risk, being we are situated in a small city

(population approx. 80,000,15 minutes from the nearest larger city Gotham, we cannot stress enough

the importance of always knowing the identity of the person we are conducting business with. Even if

we know our client well and would never deem him/her to be suspicious, we always look at the overall

picture and consider if the transaction itself is unusual or otherwise, not a normal type of transaction for

that client. It is our practice to be on the lookout for suspected 3rd party involvement.

If anyone should ever find himself or herself with suspicion towards a suspicious transaction or attempted

transaction, we shall within 30 days, from the date your suspicion occurred, to file a STATR (Suspicious

Transaction or Attempted Transaction Report). We use the FINTRAC electronic method of reporting

(http://www.FINTRAC-canafe.gc.ca). However, we do have a paper version of this report retained in the

binder.

Bruce Wayne, as appointed Compliance Officer will be notified immediately and the Compliance Officer

will in turn, notify FINTRAC and our branch compliance manager of the transaction in question, along with

the details.

Alfred Pennyworth will assume the role of Compliance Officer at any time Bruce Wayne is absent from

the office.

Terrorist Property Reports

The OSFI terrorist list, (both individual and non-individual) will be reviewed annually to determine if any

of our clientele appears on these lists. If we identify, or have reason to believe, any of our clients are on

these lists, we will immediately contact FINTRAC providing them with the names and identifying any

property (accounts) associated with these clients and completing a Terrorist Property report.

At no time, would we alert the client to our suspicions, or disclose the fact that we have made a report,

nor can the contents of the report be disclosed.

We shall record the FINTRAC’s acknowledgment message per receipt of our report and the identification

number assigned by FINTRAC. All copies of correspondence and the report itself must be kept in our

office.

To further assist in helping to prevent or recognize anti-money laundering or anti-terrorist activity the

following attachments are found in this binder.

Attachment #1 – What is required by the client

Attachment #2 – What is required by the advisor

Attachment #3 - New & Existing Clients

These attachments are very specific to indicate types of client identification and banking information

that is acceptable. Confirmation of beneficiary information, what to accept and what not to accept, and

what additional documentation may be required based on whether the client is a charitable

organization or is politically exposed. Attachment #3 summarizes the Do’s and Don’ts for new and

existing clients.

Appendix 1: Product Services, Delivery Channels and Geographic Locations found in

Guideline 4 – Implementation of a Compliance Regime article produced by FINTRAC. This

assessment tool was also used and the results were LOW with regards to money laundering and

terrorist financing exposure.

The following reference documents have been included in our AML/ATL policies and procedures.

- Employee Acknowledgement that they have read and understood the various guidance manuals and policies and procedures contained in our binder

- Training sessions and meetings log. - Policies and Procedures and Risk Assessment Table - Tabbed section for FINTRAC updates and correspondence - Tabbed section for the Guidance Manual to Combat Money Laundering and Terrorist Activity

Financing by the CLHIA (Canadian Life & Health Insurance Association) - Tabbed section for FINTRAC’s Guideline #2, Suspicious Transactions - Tabbed section for FINTRAC’s Guideline #4, Implementation of a Compliance Regime - Tabbed section for FINTRAC’s Guideline #6A, Record Keeping and Client Identification for Life

Insurance Companies, Brokers, and Agents - Tabbed section for Unusual Activity Reports and samples of FINTRAC’s Suspicious Reports - FINTRAC Examinations (for reference only)

For any updates to these documents visit www.FINTRAC.gc.ca. These documents will be kept

up-to-date.

For Charitable Organizations

Keep a record that sets out whether the organization is:

i) a charity registered with the CRA under the Income Tax Act

ii) an entity that solicits charitable financial donations from the public without being registered.

We will not deal with this type of Charitable Organization

For Politically Exposed Foreign Persons (PEFP)

The in-house “Client and Third-Party Identity Verification” (see Attachment “A”) must be

completed, signed by the client, and witnessed by the advisor. A copy of this form will be kept

in the client file.

Determine if a person who makes a lump-sum payment of $100,000 or

more in respect of an immediate or deferred annuity or life insurance policy on their own

behalf or on behalf of a third party is a PEFP.

Establish the source of the funds that have been used for the transaction.

- The transaction must be reviewed by an administrative employee and the review must be

completed within 14 days after the day on which the transaction occurred.

- Keep a record that sets out

- a) The office or position in respect of which the person initiating the transaction is determined

to be a PEFP

- b) The source, if known, of the funds that are used for the transaction,

- c) The date of the determination that the person is a PEFP,

- d) The name of the administrative employee who reviewed the transaction, and

- e) The date the transaction was reviewed.

Attachment #1

What is required by the client?

1. All clients must show face to face government issued photo identification. 2. All clients must reside in Canada. 3. A copy of a cheque from a Canadian Chartered Financial Institution marked VOID. In the case of

a non-chequing account confirmation of banking information on bank letterhead, bank stamped and signed by a bank officer is kept in the client’s file.

4. When a client meets with the advisor, the advisor will confirm beneficiary information such as name, address, and occupation if the beneficiary information applies to the account.

5. Cash is not accepted. Cheques must be made payable to the Insurance Carrier from a Canadian Financial Institution.

6. Client information; occupation, income,employer etc. for all new clients should be collected . Client information sheets should be in client files . This information should also be maintained in the contact management system.

7. 8. If a client is acting on behalf of a third party and/or has been politically exposed additional

documentation will be required. (Attachment “A”), this form must be signed by the client and witnessed by the advisor.

9. If a client is a charitable organization, please refer to the Charitable Organization area of the policies and procedures. Additional documentation will be required.

Attachment #2

What is required by the advisor?

1. An account cannot be opened without a valid government issued photo identification, banking information or beneficiary information.

2. The advisor must obtain a copy of valid government issued photo identification such as driver’s license. This identification must be obtained in person and must be kept up to date in the client file and on the contact management information system.

3. The advisor must confirm that the client resides in Canada. 4. The advisor must request a copy of a cheque from a Canadian Chartered Financial Institution

marked VOID. In the case of a non-chequing account confirmation of banking information on bank letterhead, bank stamped and signed by a bank officer will be accepted and a copy will be kept in the client’s file and kept up-to-date.

5. The advisor must confirm beneficiary information such as name, address, and occupation if the beneficiary information applies to the account.

6. The advisor must not accept cash. Cheques must be made payable to the Insurance Carrier of the business written.

7. The advisor along with the client must complete the Client and Third-Party Identity Verification form (see Attachment “A”). The client is required to sign the form and the advisor is required to witness the form.

8. At any time when a client requests an appointment, the client’s file is reviewed for any identification that may be out of date, as well any bank information or beneficiary information and this is recorded as an agenda item for the client to provide up-to-date information.

Attachment #3

New & Existing Clients

1. Identify the client and verify the client’s identity using reliable, independent source documents,

data, or information. View original, valid acceptable identification such as government-issued

photo identification (i.e. Driver’s license).

2. Determine whether the client is acting on behalf of another person and take reasonable steps to

obtain sufficient identification data to ascertain the identity of that other person.

3. Identify the beneficial owner of an account and take reasonable measures to ascertain the

identity of the beneficial owner such that the insurer is satisfied that it knows who the beneficial

owner is.

4. For corporate entities and arrangements such as partnerships, clubs, or associations the

ownership and control structure of the client must be known.

5. Obtain any other information for the purpose and intended nature of the business relationship

and any other relevant factors.

6. Refuse insurance to beneficial owners that use fictitious names or whose identity is kept

anonymous.

7. Rely on identification and verification such as government issued photo ID unless doubts arise

about the veracity of the information held by the insurer.

8. Collect information regarding occupation and business.

9. Ensure that an individual acting on behalf of an entity is authorized to do so.

10. Ask for certification of appropriate authorities and professionals of documents that may be

presented such as Powers of Attorney.

11. Request additional documents that may be needed to complement those which have been

required such as copies of Social Insurance Cards for RESP accounts.

12. Require that the first premium payment for insurance is withdrawn from an account in the

client’s name with a Canadian Financial Institution.

13. Do not deal with the viatical company operating in a jurisdiction where trafficking in insurance is

not prohibited including the beneficial owner.

14. Do not deal with a business originating from a high-risk country.

15. Do not accept foreign cheques.

16. Do not establish business with a “risky client”.

17. If applicable, monitor ongoing patterns or unusual or suspicious activity to ensure that risk

activity can be scrutinized.

18. Pay special attention to customer entry and exit of insurance products, early surrenders and any

abnormal business patterns or a change in payor or beneficiary.

19. Identify materiality between insurers considering for example average premium income size per

customer and the average duration of contract in force to avoid setting monetary thresholds.

20. Pay special attention to all complex unusually large transactions and all unusual patterns of

transactions.

21. Pay special attention to insurance policies that change beneficiaries.

Attachment “A”

Client and Third-Party Identity Verification

Full legal name of owner: ________________________________________________

Is the owner acting on behalf of a third party? О Yes О

No

Is a third party contributing the funds being used to purchase this contract? О Yes О

No

Does a third party have control of this contract? О Yes О

No

(If the answer to any question is ‘YES’, please complete information below about the third party)

Name

Address

City

Province Postal Code

Incorporation Number (if applicable) Jurisdiction of registration (i.e. Federal, Provincial

if applicable)

Principal business or occupation of the third party

What is the nature of the owner’s relationship

with the third party identified above?

.

Politically exposed person information

Has the owner or person contributed the funds or any close relative of either person ever held a senior

position in government, political party, military, tribunal, or government-owned corporation of a foreign

country? (i.e. Is politically exposed) О Yes О No

(if the answer to the question is “YES”, please complete information below)

Who is politically exposed? □Owner □Contributor (current of future)

What is the name of the person who holds or

held a foreign political office? (first, middle initial,

last)

In what country is/was the position held? During what period was the position held?

Starting Year Ending Year

What position is or was held by the person who is

or was politically exposed in a foreign country?

□ Head of state or head of government

□ Member of the executive council or

government or member of a legislature

□ Deputy Minister (or equivalent)

□ Military general

□ President of a state-owned company or bank

□ Head of government agency

□ Judge

□ Leader or President of a political party in a

legislature

□ Ambassador or ambassador’s attaché or

counselor

Time of position held

What is the relationship of the person named

above to the owner or contributor? □ Self

□ Child □ Mother or father □ Spouse or

common-law partner

□ Brother, sister, half-brother, or half-sister

□ Spouse’s or common-law partner’s parent

Client Signature _________________________________

Client Name (Print) _________________________________

Date _________________________________

Witness Signature _________________________________

Witness Name (Print) _________________________________

Date _________________________________

III. Risk Assessment of your Business

Anti-Money Laundering and Anti-Terrorist Financial Activity Internal Policies and Procedures

Self-Review Risk Assessments SAMPLE DOCUMENT

**This example has been colour coded for ease of understanding. Your final version does not have to

be colour coded. Your entry will be black with brackets indicating risk level (Low, Medium, High) **

Green is Low-Risk Blue is Medium-Risk Red is High-Risk

The risk of money laundering and terrorist financing for the business I conduct in my firm is medium. A current number of clients managed by my firm is approximately 600 individuals.

I mainly deal with local, white collar households who lives in residential areas that have low crime rates.

(Low Risk)

I have roughly 50 clients that are small businesses and no dealings with a charitable organization.

(Medium Risk)

To the best of my knowledge, I do not have any politically exposed person in part of my clientele. (Low

Risk)

I have a small number of the client who has small business overseas in Sweden. (High Risk)

I have not completed any non-face-to-face transactions. (Low Risk)

My clients are mainly local and I make an effort to meet with all my clients in person. I do a routine

review of my client’s accounts and I would pay more attention to clients that request for more than a

normal number of ownership change requests. (Low Risk)

I do not conduct referral programs with and portfolio managers or exempt market products. (Low Risk)

Approximately, 15% of my clients are Blue Collar, 80% of my clients are White Collar, 5% are clients with

a net worth between 1 to 5 million. (Low Risk)

My target market does not include any clients with a net worth over 5 million dollars. (Low Risk)

Approximately, 80% of my business are Whole Life, Term, and Critical Illness policies. Of this 80%, Whole

Life policies take up about 60%, Term Insurance is about 10%, and 30% of Critical Illness policies.

(Low Risk)

The remaining 15% of my business comes from registered segregated funds for RRSP, SRRSP, and TFSA.

(Low Risk)

5% of my total business comes from non-registered segregated funds. (Medium Risk)

The average transaction amount for my life insurance businesses is less than ten thousand dollars in

annual premium per case. (Low Risk)

Most of the registered investments fall under ten thousand dollars per transactions. (Low Risk) I have

come across a small number of high dollar amount RRSP investment transactions over $10,000.

(Medium Risk)

Non-registered investment account will range between ten thousand to one hundred thousand dollars.

(Medium Risk)

IV. Training Schedule and Attendance Record

Compliance Training Program

Our compliance training follows the compliance training program created by CF Canada Financial. The

following pages contains the training schedule set out by CF Canada Financial. Our attendance to these

training sessions is recorded in our records.

CF Compliance Training Program 12 Sessions, approx. 1.5 hrs each

FINTRAC April 6, 2017 Session 1: Introduction – What is FINTRAC?

- Responsibility of Entities in the Life Insurance Industry - Our Responsibilities as Insurance Agents:

- Appointment of Compliance Officer - Written Compliance Policies and Procedures - Risk Assessment & Mitigation - Review - Reporting - Compliance Training

May 4, 2017 Session 2: Risk Assessment - Risk Survey & Review - Attempted Transactions - Suspicious Transactions - Large Cash Transactions & Terrorist Funding - Suspicious Factors – General - Suspicious Factors – Industry Specific

June 1, 2017 Session 3: Reporting Requirements

- How to Report - What to Report - Required Record Keeping - Large Cash Transactions - Client Identification

July 6, 2017 Session 4: Implementation

- Mandatory Compliance Regime - Penalties for Non-Compliance - Penalties for Failure to Report - Review of Previous Sessions - Individual Written Policies Required - Initial Paperwork - Risk Assessment - Reviews - Attend Training Sessions

Privacy August 3, 2017 Session 5: Introduction

- Ten Privacy Principles: - Accountability - Identifying Purpose - Consent - Limiting Collection - Limiting use, Disclosure, and Retention - Accuracy - Safeguards - Openness - Individual Access - Challenging Compliance

- Individual Written Policies Required - Initial Paperwork - Risk Assessment - Reviews - Attend Training Sessions

September 7, 2017 Session 6: Privacy Breaches

- Breach Containment and Preliminary Assessment - Evaluate the Risks - Notification - Prevention of Future Breaches

Insurance Council of British Columbia (ICBC) October 5, 2017 Session 7: Code of Conduct/Suitability

- Trustworthiness - Good Faith - Competence - Usual Practices - Financial Solvency

November 2, 2017 Session 8: Usual Practices 1

- Disclosure & Point of Sales - Continuing Education

December 7, 2017 Session 9: Usual Practices 2

- Financial Needs Analysis (FNA) - Risk Tolerance - Know Your Client (KYC) - Needs Based Selling

January 4, 2018 Session 10: Contracting

- CHLIA Requirements - Representation & Fronting - Duty to Notify

February 1, 2018 Session 11: Complaint Handling

- Defining a Complaint - Handling a Complaint

- Errors & Omissions Insurance

March 1, 2018 Session 12: Rebates & Referrals - National Do Not Call List - Rebate & Referral Fees - Referring Third Party Entities

Anti-Money Laundering and Terrorist Activity Financing Training Attendance Sheet

Training Topic:

DATE NAME SIGNATURE

Compliance Policies and Procedures for Anti-Money Laundering and Terrorist

Activity Financing

Date and sign below to acknowledge you have read the guidance manuals and understand our

obligations and the mandatory compliance policies and procedures.

EMPLOYEES SIGNATURE DATE

V. Yearly Review of Compliance Manual

Additional Documents

Dark Knight Financial Services Inc.

INTERNAL PRIVACY POLICY

Objective To ensure that:

(a) Dark Knight Financial Services Inc. is in compliance with regulatory and self-regulatory requirements regarding Privacy (“Regulations”);

(b) Dark Knight Financial Services Inc.’s client Privacy is handled professionally, in a secure

environment and appropriately monitored;

Our Privacy Officer: Bruce Wayne

Person(s) Responsible:

(1) Bruce Wayne is the Privacy Officer and all inquiries/complaints shall be directed to her/him (2) Bruce Wayne is at this moment designated as responsible for the application of this policy;

Our Commitment

At Dark Knight Financial Services Inc. our clients are our business. As a financial services Company, we

are trusted with some of our clients’ most sensitive personal information. We must respect that trust and

need our clients to be aware of our commitment to protect the information they provide while doing

business with us.

We collect personal information in compliance with applicable laws and ethical business practices, to

provide services and to conduct business. We limit the information we collect to that which is necessary

for, or related to, these purposes

We abide by the Ten Privacy Principles. The Principles are based on the federal government’s privacy

legislation, the Personal Information Protection and Electronic Documents Act

1. Accountability: An organization is responsible for personal information under its control and shall

designate an individual or individuals who are accountable for the organization's compliance with the

following principles.

2. Identifying Purposes: The purposes for which personal information is collected shall be identified by

the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure

of personal information, except when inappropriate.

4. Limiting Collection: The collection of personal information shall be limited to that which is necessary

for the purposes identified by the organization. The information shall be collected by fair and lawful

means.

5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for

purposes other than those for which it was collected, except with the consent of the individual or as

required by the law. Personal information shall be retained only for as long as necessary for the fulfillment

of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the

purposes for which it is to be used.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the

sensitivity of the information.

8. Openness: An organization shall make readily available to an individual with specific information about

its policies and practices relating to the management of personal information.

9. Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of

his or her personal information and shall be given access to that information. An individual shall be able

to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance

with the above principles to the designated individual or individuals for the organization's compliance.

Information Collection and Use

We collect the information required for us to complete the task for which we are engaged, whether that

is insurance, money products or financial plans.

Personal information is information that refers to you specifically. We will use fair and lawful means to

collect their personal information. We will only collect information that is pertinent and consistent with

the purposes of the collection. Whenever practical, we will collect the required information directly from

the client, or from their authorized representative(s), in completed applications and forms, through other

means of correspondence, such as the telephone, mail or the internet, and through their business dealings

with us.

What we need to know and why

We collect information from our clients and about them, only with their consent, or as required or

permitted by law. In general, we will collect personal information such as their name, address, telephone

number(s) or other identifying information, such as their Social Insurance Number (SIN) or date of birth.

The type of additional information we gather will depend on the type of product or service involved. The

information gathered may be financial, which would include such information as place of employment,

annual income, assets and liabilities. It may be investment or advice related, requiring information on

such things as your financial goals and retirement plans. If the client is applying for insurance or group

insurance benefits, it may also include health information or lifestyle-related information, such as their

occupation, travel history and plans, driving record or criminal record.

Consent

The consent for us to establish a file and collect and maintain personal, medical & financial information is

to be signed by the client and placed in their file.

Protection of Personal Information

As the principals, management and employees of Dark Knight Financial Services Inc. we are granted

access to client information and must understand the need to keep the information protected and

confidential. Our training procedures clearly communicate that we are to use the information only for the

intended purpose(s).

Staff will be required to sign a confidentiality agreement upon commencement of employment.

Retention of Personal Information

We will only keep client’s personal information in our records for as long as it is needed to fulfill the

identified purposes, or as required or permitted by law.

Privacy Choices

Clients may request copies of our privacy policies and procedures at any time.

Clients may request access to their information. We must respond to this request as quickly as possible,

but no later than 30 days after the receipt of the request.

Clients may withdraw their consent at any time by contacting our Privacy Officer. However, they will be

made aware that failure to provide adequate information may prevent us from completing the task.

Clients may file complaints about our privacy procedures as well as a breach of our privacy policy. Complaints should be in writing and forwarded to the Privacy Officer. The Privacy Officer will contact the client and obtain all details. The Privacy Officer will then review the circumstances of the complaint and determine if there is a reason to alter the existing privacy policy. Insurance carriers should be notified of any complaint involving their clients/products.

Exception to client access

Organizations must refuse an individual access to personal information:

If it would reveal personal information about another individual unless there is consent or a life-threatening situation

If the organization has disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct the organization to refuse access or not to reveal that the information has been released. The organization must refuse the request and notify the Privacy Commissioner. The organization cannot inform the individual of the disclosure to the government institution, or that the institution was notified of the request, or that the Privacy Commissioner was notified of the refusal.

Organizations may refuse access to personal information if the information falls under one of the

following:

Solicitor-client privilege

Confidential commercial information

Disclosure could harm an individual’s life or security

It was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner must be notified)

It was generated during a formal dispute resolution process.