The Canadian Investment Regulatory Organization Privacy Code

The Canadian Investment Regulatory Organization (CIRO) is committed to maintaining the values of integrity, diligence and accountability with respect to the privacy of personal information within its control. CIRO respects and is committed to protecting all personal information. To fulfill this commitment, CIRO complies with all applicable privacy laws.

This Privacy Code outlines certain of the principles and practices CIRO follows in protecting the personal information in its custody or control by virtue of its performing its regulatory functions. This includes, but is not limited to, personal information of current and former clients, agents, directors, officers, partners and others collected from parties under CIRO’s jurisdiction (“Regulated Persons”). This Privacy Code does not apply to the personal information of CIRO Employees, whose information is covered separately by the CIRO Employee Code of Conduct. 

Personal Information

“Personal Information” means information about an identifiable individual including information such as age, home address and telephone number, social insurance number, marital status, religion, income, medical information, educational and employment history. It does not include business contact information, such as position name or title, business address, telephone or fax number. Under certain privacy legislation, “personal information” does not include “work product” information, such as information prepared or collected by a person as part of their employment or business responsibilities or information about how a person goes about fulfilling those responsibilities.


CIRO’s General Counsel is its Privacy Officer, responsible for ensuring CIRO’s compliance with this Code and all applicable privacy laws. The Privacy Officer may be contacted at [email protected] or at 1 877 442-4322.

Regulatory Purposes

CIRO collects, uses, retains and discloses personal information in order to perform its regulatory functions, including registration services, monitoring, investigating and enforcing compliance with CIRO Rules, Universal Market Integrity Rules (“UMIR”) and related policies (“UMIR Policies”), and certain market specific requirements, securities laws and regulations. CIRO engages in a number of activities involving the collection, use, retention or disclosure of personal information, such as (without limitation): surveilling trading and trading-related activity; conducting sales compliance, financial compliance and other regulatory audits; investigating potential regulatory and statutory violations; compiling and maintaining regulatory databases; conducting enforcement or disciplinary proceedings; and reporting to securities regulators.


In some situations, CIRO may disclose personal information, whether obtained from Regulated Persons or from other persons, to other organizations, including securities regulatory authorities, regulated marketplaces, other self-regulatory organizations, law enforcement agencies and foreign securities regulators. Personal information may be transmitted through, stored, or processed in a province or country other than where you are based, in which case the information is bound by the laws of those jurisdictions. CIRO takes measures to protect your personal information with appropriate contract clauses or other applicable safeguards.


Applicable privacy laws may permit the collection, use, retention, or disclosure of personal information without consent and/or its collection from a source other than the individual. Where applicable privacy laws require consent, CIRO obtains such consent.

Some of the personal information CIRO collects, uses, retains and discloses is provided to CIRO by Regulated Persons and others subject to applicable privacy laws. Under such laws, Regulated Persons and others must obtain appropriate consents when required. For more information, please see the Joint Regulatory Notice on Federal and Provincial Privacy Legislation (MR-0256), issued on December 3, 2003 and posted on

Limiting collection

CIRO makes reasonable efforts to ensure the personal information it collects is limited to what is necessary for its intended use.

Limiting use, disclosure, and retention

CIRO does not use or disclose personal information for purposes inconsistent with CIRO’s regulatory purposes unless required by law. CIRO does not sell personal information to other parties. CIRO retains personal information for as long as necessary for regulatory purposes or as required by law.


CIRO has put in place procedures and practices reasonably appropriate to the sensitivity of the personal information CIRO collects, uses, retains and discloses. These procedures and practices seek to protect personal information against loss, theft, unauthorized access and similar risks. CIRO reviews and updates its policies and controls on a reasonable basis to ensure ongoing personal information security.


For more specific information about CIRO’s policies and procedures with respect to privacy, to make a complaint regarding CIRO’s compliance with its Privacy Code and any applicable privacy laws, or to initiate the procedure by which you may access your personal information, please contact the CIRO Privacy Officer using the contact information above.