The correct answer is D because scanned client application forms contain personal information and must be stored using the brokerage’s approved secure systems , with proper encryption, naming standards, and access controls . This is the best option from a RIBO information-management and privacy-compliance perspective. The uploaded PIPEDA guidance says organizations must protect personal information against loss, theft, and unauthorized access, and should use safeguards such as passwords, encryption, limiting access, and secure computer systems . It also stresses that organizations should know where personal information is kept , how it is secured, and who has access to it.
A is not appropriate because an unencrypted USB drive presents a high risk of loss or unauthorized access, even if it is kept in a locked drawer. B uses a physical safeguard, but it is weaker than the brokerage’s approved secure digital process and is impractical for ongoing workflow and audit control. C is better than A or B, but a shared folder is still not the best answer unless it is specifically the brokerage’s approved secure repository; simply renaming files and adding password restrictions is not enough on its own.
From a RIBO perspective, brokers must follow approved retention, privacy, and documentation procedures—not ad hoc storage shortcuts—especially when handling sensitive client data.
