Regulators drop some personal info previously required for registration

By Michelle Schriver | April 30, 2026 | Last updated on May 1, 2026

The Canadian Securities Administrators (CSA) are dropping some of the mandated personal information collected on registrants, including eye and hair colour, height and weight.

On Thursday, the CSA published a blanket order with temporary exemptions under the national instrument for registration information, NI 33-109. The order, effective on May 1, “removes certain requirements to provide personal information that the CSA has determined is not required” for registration purposes, a release said.

Beyond the information noted above, citizenship and passport information “when needed can be collected outside of the requirements in the instrument,” the order says. Citizenship information had been collected when registrants were citizens of other countries.

The order will act as an interim measure until NI 33-109 is formally amended, the release said.

The change to collected personal information follows the Canadian Investment Regulatory Organization’s (CIRO) 2025 data breach, which was detected last August and resulted from a phishing attack.

Last fall, CIRO confirmed that stolen personal information included registrants’ eye and hair colour, height and weight, among other sensitive data. In January, CIRO said about 750,000 Canadian investors were also affected by the regulator’s breach.

For registrants, the personal information was collected on Form 33-109F4 and submitted to the national registration database (NRD) by current or former dealers. The breach occurred about four months after most of the provincial securities regulators delegated broader authority for registration to CIRO, and a few weeks after the Autorité des marchés financiers did so. As previously reported, the NRD wasn’t affected by the breach, the CSA said.

In addition to the types of data that were stolen, the regulator’s retention of data was called into question. CIRO previously said it intended to conduct a “renewed review” of its data retention policies. In public remarks to dealers last week, CEO Andrew Kriegler said the industry’s “data ecosystem,” including data retention, would undergo a review. The regulator would say more “in the months to come,” he said, and the review would extend to dealer businesses.

Two potential class actions against CIRO — one in Quebec and one in B.C. — related to the breach have been filed in court, neither of which has been certified.

Thursday’s release said that in Manitoba and Ontario, relief relating to the collection of certain personal information will also be granted concurrently under commodity futures legislation in the provinces’ respective jurisdictions. In Quebec, similar relief will also be granted “contemporaneously” under derivatives legislation, it said.


Michelle Schriver


Michelle is a senior reporter for Advisor.ca and sister publication Investment Executive. She has worked with the team since 2015 and been recognized by the National Magazine Awards and SABEW for her reporting. Email her at michelle@newcom.ca.