Privacy at CIBC Mellon

This privacy disclosure applies to the collection, use, sharing, protection, accuracy of and access to personal information at CIBC Mellon.

This privacy disclosure applies for as long as CIBC Mellon holds your information, including after the end of the business relationship under which we collect, use or share the information. By giving us your information, you consent to the collection, use and sharing of your information as described in this privacy disclosure.

Our policies and procedures are in place across CIBC Mellon.  Applicable legislation provides for certain exceptions to the steps discussed within this privacy disclosure, some of which will modify our privacy practices in certain circumstances. We may change this privacy disclosure from time to time as new privacy legislation comes into force or as the understanding of good privacy practices evolve.

Throughout this document, the words “we”, “our” and “us” refer to CIBC Mellon. The words “you” and “your” refer to CIBC Mellon clients, former clients, potential clients, clients’ employees, pensioners, unit holders, as well as visitors to the CIBC Mellon website or persons who otherwise provide personal information to CIBC Mellon.

Our privacy commitment is described in the following sections.

CIBC Mellon will make all reasonable efforts to limit its collection, use and sharing of personal information to that which is required for valid business purposes, to comply with applicable law and which a reasonable person would consider appropriate in the circumstances.  The type of personal information depends on several factors, such as the type of services you use, any applicable legal and regulatory obligations, and the channel you use to communicate with us.

Trustee Services Information. The collection, use and sharing of personal information may occur when an individual purchases a retirement savings or similar plan through some one such as a broker, financial intermediary who has engaged CIBC Mellon to act as trustee. 

Agent Services Information. The collection, use and disclosure of personal information may also occur when someone such as a corporate, business or governmental client has hired us to handle information for them. A client might hire us to perform recordkeeping for a plan, fund or trust, or to perform other administration related to a plan, fund, trust or custodial assets. Such activities may include the processing of plan holder or unit holder transactions or payments, the administration of pension benefit payments and processes, mailings and recordkeeping associated with these activities.

Information on Individuals is provided to us by our clients or their agents, or by you or your representatives, in order that we might provide these trustee or agent services.  Information provided may include without limitation:

• Name
• Address
• Date of Birth / Date of Death
• Social Insurance Number (SIN)
• Member ID / Internal reference number
• Transaction information and balances  
• Banking information
• Beneficiary information
• Previous employer's name / pension plan

Contact information is used to communicate with you and verify your identity when you contact us, or a third party acting on our behalf, regarding your account or services.  This may include the use of general contact information, such as name, address and email, and/or security question answers.  In addition, biometric information, such as voice patterns, may be used to validate your identity.

Voice Recording Information may be collected, used and shared in conjunction with  CIBC Mellon telephone assistance lines, which support various trustee and agent services. Your call is recorded when you call into one of our recorded lines.  You will be notified that you are speaking on a recorded line and by staying on the line, you are providing your consent to be recorded. This helps protect both you and us by providing a record of the conversation. It also helps us monitor the quality of service we offer.

We may record your comments and opinions in the course of events like fireside chats, client forums or hosted industry events.  In such instances, we will notify you that such recording will occur.  Once we notify you of the recording, your attendance will be considered consent to our making of the recordings and the use and distribution.  If you have any concerns regarding a recording you can reach our Chief Privacy Officer by contacting CIBC Mellon's Privacy Office at the address found in section "Addressing Any Privacy Concerns" below.

Web browser Information (CIBC Mellon website) is collected and used to help CIBC Mellon measure website usage and to help improve website functionality.

CIBC Mellon may use your IP address to diagnose problems with our servers, to understand the geographical location of our visitors and to enhance our websites (an IP address is a unique identifier for a device on the internet). In addition, personal information can be requested via the website if a visitor chooses to respond to online surveys, send CIBC Mellon an email message or use one of our online tools.

In some cases, we may collect information about you that is not associated with an identifiable individual. Examples of this type of information include the Internet browser you are using, the type of operating system, the domain name of the website that linked you to our site, and the pages you visited while you were using the website or our online tools. In this context, we use non-personally identifiable information in a non-identifying, anonymized and aggregated form to determine the overall reaction to various sections of the website, measure the effectiveness and usefulness of various pages and to improve the flow and interconnectivity of the site.

When you view our website, essential information is stored on your computer that helps support security and the basic functionality of the site. This information is in the form of "cookies" or "web beacons." A "cookie" is a small file placed on your device when you visit certain websites. "Cookies" help us tailor the website or advertisement to better match your interests and preferences. "Web beacons" are tiny graphic images placed on our website pages or in our emails. They may be used to measure response rates to our communications and to help us improve our web pages. Internet browsers allow you to block, receive a warning or erase all "cookies" from your hard drive. Please refer to your browser instructions or help screen to learn more about these functions.

You can manage your cookie consent with us via our website Privacy Tool by clicking on the "Manage Cookie Consent" button in the bottom right of the browser window. An overlay will appear, and you can either select specific cookie categories or accept or reject all cookie categories. You have the right to withdraw your cookie consent at anytime.

CIBC Mellon websites may contain links to non-CIBC Mellon websites. CIBC Mellon is not responsible for these websites in any way, including, without limitation, for their information and privacy practices. We recommend that you read the privacy policy of each of these websites to learn about its information and privacy practices before you provide any personal information in any non-CIBC Mellon website.

In general, CIBC Mellon’s clients, and/or their agents, provide us with the personal information required to provide services, and CIBC Mellon does not collect personal information directly from individuals. We may however collect personal information on behalf of clients, client employees and/or pensioners or unitholders when we are providing trustee or agent services, such as when an individual contacts us directly about their account or plan to provide an address change for pensioner communications or tax forms.

Information is provided to us in a variety of ways including, but not limited to:

• Trade instructions
• Verbal interaction
• Online activities
• Other documentation that is provided by clients or their representatives

We may also receive personal information from third party partners to assist us in administering your account and processing transactions on your behalf.

We may collect your comments and opinions in surveys or questionnaires, however, we will obtain your consent within the survey or questionnaire before doing so. 

CIBC Mellon may use your personal information:

• For the purposes documented in agreement(s) with us entered into by you, or a party working on your behalf, and as described in this privacy disclosure
• To verify your identity to authenticate you when you contact us
• So that we can act on your instructions (e.g., by recording phone conversations, maintaining records of email communications and in-person conversations)
• To communicate to you any benefit, feature or other information about services you have with us or with a broker, financial intermediary or other person who has engaged CIBC Mellon to provide services, including responding to your inquiries
• To perform tax reporting functions
• To meet legal and regulatory requirements and industry practices applicable to services provided
• To measure website usage and improve functionality
• In a de-identified format to facilitate general service improvement

CIBC Mellon will not share any personal information that we have collected to anyone except as described in this privacy disclosure. Examples of specific ways we may share your personal information include:

When we must share information for legal reasons or regulated industry practices

We may be required to share information by law (including tax reporting, anti-money laundering, terrorist financing and securities legislation in Canada and other countries, including the United States), by court order, or to a regulatory authority or to a successor trustee or agent or a successor to our business. We may also share certain personal information to corporate, business or government bodies to enable them to comply with similar legal and regulatory requirements applicable to them. Our policy is to release information only to the extent required to fulfill these requirements and meet industry practices and we will contact you if sharing is not within the scope of agreed services and we are permitted to do so.

When CIBC Mellon is processing information for another

When someone hires us to process information for them, or to act as trustee for a relationship they may have with you, we will share that information with them. Examples include pension plan sponsors and investment fund managers.

When entering into certain business transactions

Personal information may be used by CIBC Mellon and shared to parties connected with the contemplated or actual financing, securitization, insuring, reorganization, sale, assignment or other disposal of all or part of CIBC Mellon or our business or assets.

Third parties

In providing any of the trustee services or agent services set out above, personal information may be shared with related or affiliated companies (including parent companies) or third parties who have been retained by CIBC Mellon to assist us in conducting administrative or technological functions. In such cases, they are provided the information only for the purposes of performing those services, which includes, without limitation, the following:

• Document management, such as printing cheques, statements and letters, shredding, and physical storage
• Marketing and communications, such as inquiries made on our website, and client surveys and questionnaires and mailings
• Operational activities, such as quality assurance, document delivery and courier services, corporate security, and fraud protection
• Professional services, such as tax processing, legal support, external audits, employee recruitment, and general consulting
• Pensioner, beneficiary or unitholder payments to domestic or foreign jurisdictions
• Technology support, such as providing information technology infrastructure and support, systems and applications that process transactions and host information, and scanning documents and cheques

We may share information with other third parties as permitted or required by law:

• To comply with laws, regulations, subpoenas, or court orders
• To respond to valid and authorized information requests from domestic and international authorities
• To prevent and detect fraud and suppress financial abuse
• To protect the personal safety of employees, clients or other third parties on CIBC Mellon property

We require third parties to protect the information in accordance with applicable law and in a manner that is consistent with our privacy policies and security practices.

When we transfer your information to another jurisdiction

In accordance with Program standards, it is our policy to retain personal information within Canada except where consent has been provided to make payments, or where it is required in order to carry out the service we have been engaged to provide, such as to provide tax information to a foreign jurisdiction on an individual’s behalf. Personal information in a foreign jurisdiction, such as, but not limited to, the United States, may become subject to the laws of that jurisdiction, including laws governing disclosure. When CIBC Mellon uses the services of a company in another jurisdiction, we select the company carefully and require that it uses standards comparable to ours, subject to requirements in foreign jurisdictions applicable to those organizations.

Personal information originating within and communicated outside of Québec will be subject to measures to protect your personal information, including appropriate contract clauses or other applicable safeguards. CIBC Mellon conducts privacy risk assessments with third parties that collect, use, or have access to personal information to ensure that they have measures in place to adequately protect the personal information. CIBC Mellon completes privacy impact assessments prior to the acquisition, development or redesign of an information system or electronic service delivery project involving the collection, use, sharing or destruction of personal information.

By appointing CIBC Mellon to perform trustee or agent services, or by subscribing for a product or service from a CIBC Mellon client which has engaged CIBC Mellon to provide trustee or agent services, you consent to CIBC Mellon’s collection, use and sharing of personal information as described in this privacy disclosure. 

Consent can be express or implied. Express consent can be verbal or written. For example, an application for registration of a retirement savings plan may contain a written consent for our use of your information to conduct the role of a retirement savings plan trustee. Or you might consent to release the information over the phone. Consent is implied when we can reasonably conclude that you have given consent by an action you have taken or not taken, or where the context reasonably requires that we have and use information to carry out what you have asked us to do.

You can withdraw your consent any time after you have given it to us by contacting our Privacy Officer, provided there are no legal or contractual requirements to prevent this and on reasonable notice. If you do not consent to certain uses of information or if you withdraw your consent, we may not be able to provide a particular service. If so, we will explain the situation to you to help you with your decision.

CIBC Mellon may be required or permitted under statute or regulation to collect, use or share personal information without your consent, for example, to comply with a court order, to comply with local, federal or foreign regulations or a legally permitted inquiry by a Canadian or foreign government agency, or to collect a debt owed to us. When someone hires CIBC Mellon to process your information for them, you may have provided them with express or implied consent to share that information with CIBC Mellon so that CIBC Mellon can conduct the information processing. This is in accordance with requirements they may have to obtain consent. Once shared with us, we will safeguard it and handle it in accordance with this privacy disclosure.

CIBC Mellon takes the protection of your personal information seriously. We will keep your information in confidence and make reasonable efforts to prevent unauthorized use, sharing, loss or theft of information. We regularly audit our security procedures and assess their effectiveness and appropriateness.

Chief Privacy Officer ("CPO")

The CPO directs and oversees the Program, including, but not limited to, the development, implementation and maintenance of corporate policies and procedures, monitoring activities, issue investigation, tracking and resolution, corporate training, and recurring and ad-hoc reporting. The CPO is supported by a network of designated governance officers who are responsible for the administration of the Program within their respective business units and subject matter experts across various fields enterprise wide.

Policies and procedures

CIBC Mellon has principles and procedures in place to assist our employees in complying with our policies. Internal Audit monitors the adherence to these policies and reports any findings to a committee of the Board of Directors of CIBC Mellon. Principles and procedures governing information are outlined in CIBC Mellon's corporate Confidentiality and Privacy, Records Management, Code of Conduct, Information Security, and Acceptable Use policies. These policies establish corporate standards, roles and responsibilities and outline procedures for the administration of information. Business units are required to maintain detailed procedures that align with corporate policy requirements.

Monitoring program

Each business unit is required to design, implement and maintain its own business-unit-specific confidentiality and privacy compliance program. Business unit programs include risk assessment and the detailed documentation of controls. An independent monitor periodically reviews controls and results are sent to Corporate Compliance for review. In addition, Corporate Compliance reviews the design of each business unit program, performs company-wide privacy reviews and control effectiveness is assessed by Internal Audit.

Issue management

Employees who become aware of a potential information issue are responsible for reporting the issue to CIBC Mellon's Privacy Office. The Privacy Office has an Incident Response Guideline that establishes containment, preliminary assessment, evaluation, notification and prevention procedures. A record of every issue is maintained that documents the details and actions undertaken for each issue. A "Real Risk of Significant Harm" framework is in place to determine if notification is necessary and who specifically to notify.

If you become aware of a potential information issue, please contact our Privacy Office at the address found in section "Addressing Any Privacy Concerns" below.

Training

Our employees and agents who have access to your personal information are aware of the importance of keeping it confidential. All CIBC Mellon full- and part-time employees, including contract and temporary employees, must complete corporate policy training, including with respect to Confidentiality and Privacy. Training includes a test of employees' knowledge and where applicable, an annual attestation confirming each employee's adherence to policy requirements. Employees must attest annually that they have maintained the confidentiality of Personal Information entrusted to them.

Record retention

Except as otherwise permitted or required by applicable law, we keep your information only as long as needed to provide services in accordance with CIBC Mellon's Records Management Policy and Records Retention Schedule, and personal information is destroyed and erased when no longer required to fulfil the identified purposes.

Complaint handling procedures

CIBC Mellon has a Complaints Management Program in place, which is a system of controls to manage the receipt, processing, and resolution of complaints for the protection of consumers and to safeguard the name and reputation of CIBC Mellon and our clients.

Safeguarding

CIBC Mellon's detailed and coordinated Information Security Program protects the confidentiality, integrity and availability of our information, systems and technology. Our strategic approach to information security is shaped by our business priorities, the evolving threat landscape, regulatory trends, technological developments and internal security posture assessments. Our strategies are strengthened, validated and updated by risk assessments, audit and compliance reviews, and the identification of regulatory requirements and benchmarking exercises across our industry. CIBC Mellon's Information Security Program includes, without limitation:

• Governance over Information Security
• Corporate Information Security Policy
• Acceptable Use Policy
• Code of Conduct
• Clean Workspace Requirements
• Record Retention
• Data Classification and Handling Standards
• System Access Control
• Cryptography
• Physical and Environmental Security
• Data Governance
• Data Loss Prevention Program
• Vulnerability Management
• Malware and Virus Protection
• Risk Assessments and Assessments of New Technology
• Cyber Security Threat Intelligence
• Vendor Governance and Information Security in Supplier Relationships
• Change Control Management
• Compliance
• Fraud Management
• Cyber Resiliency Exercises
• Handling of Security Incidents
• Staff Training, Testing, and Awareness
• Screening

CIBC Mellon possesses the International Organization for Standardization's (ISO) 27001:2022 Certification, issued by the British Standards Institution, recognizing our commitment, policies and programs related to information security. Supporting our information security strategies are our well-established business continuity protocols that conform to the ISO 22301:2019 Societal Security and Business Continuity Management Systems Standard.

CIBC Mellon will support your control over, and access to, your information.

Upon written request, you can check your information to verify, update and correct it, and have obsolete information removed. There is no charge for verifying or correcting information. There may be a charge if you want a copy of records or if special expense is involved in retrieving your information. We will advise you of any charges in advance.

CIBC Mellon will deal with your request to see your information within 30 days. If we need to extend the time, we will notify you of the reasons for the extension and your rights under applicable legislation. If we must refuse the request, we will tell you why (subject to any legal restrictions).

Whenever reasonably possible and appropriate, we will correct any information we have shared with any other organization. If we have received the information from another party, if possible, we will let you know the name and address of the party so that you can ask them to correct it (subject to any legal restrictions).

There may be files that comingle information about you and other people which is confidential, the property of CIBC Mellon or other clients, protected by legal privilege or otherwise not subject to access. Because we value everyone’s confidentiality and legal rights, we cannot make these files available outside of CIBC Mellon or our related companies (including parent companies). However, where we can, through reasonable efforts, separate your information from the information of others without affecting another’s confidentiality or legal rights, we will make available to you your information contained in the files.