Information Security

At Canada Life, we treat information security very seriously. Our policies and procedures set out how we manage the security of any information which is sent to us.

How do we manage risk?

Our Risk and Control Self-Assessment (RCSA) programme ensures that all areas of Canada Life regularly review and assess their operating risks.  This includes the Information Services team assessing technology-related risks and threats; a full assessment is carried out every year and key risks are reviewed every quarter.

Information Security

Canada Life has an Information Security Policy setting out how we protect our assets (e.g. computers) as well as the information given to us by our customers, advisers, employees and business partners. This includes how we:

  • Classify information
  • Manage risk
  • Control access to information
  • Manage building security
  • Define who is involved in information security and what they are responsible for


Our employment policy complies with current employment legislation. We carry out checks on all of our employees to ensure they are competent and have the necessary skills, education and background to do their work. Anyone in a high-risk role, such as key management positions, Finance and Information Services, is checked in greater detail.

Canada Life limits the access employees have to data according to their job profiles which set out the level of security they require to do their job. A central security administration team controls requests from security coordinators and access is reviewed using daily and monthly reports. We have minimum password requirements and strict controls around sharing passwords.

Each year our employees are trained and take tests to make sure they understand and keep to the Information Security policies and procedures, and everyone signs up to the Canada Life Code of Conduct.

We have processes and procedures to protect information in our offices including:

  • Security staff who work 24 hours a day
  • CCTV
  • Identification cards that control access to Canada Life offices
  • All information received electronically is retained
  • Printed information is shredded on site when it is no longer needed
  • Use of USB / memory sticks is strictly controlled
  • Environmental controls are tested regularly, including power supply and generators, fire suppression systems, smoke detectors and manual extinguishers

The security of any information sent to Canada Life relies on secure management of assets (such as PCs) which our employees use. We have a register of all equipment and assets and all changes are recorded. Our technology assets are secured and monitored so only authorised, licensed and supported hardware is used. 

As well as only giving employees access to the information they need to do their job, we have well-managed firewalls which prevent any unauthorised or unintended exposure of data. Where anyone is given a laptop, we use two-factor authentication and an encrypted Virtual Private Network (VPN).

We provide laptops and mobile phones to staff based on the relevance to their job role. These are usually given to people who travel as part of their role, such as sales staff and home-based rehabilitation consultants, or to senior staff.

Our incident management process includes both communication and escalation procedures.  Depending on the severity of an incident, and the impact that it has on information we hold, we inform our customers, advisers and/or business partners of the event.

We have comprehensive plans that set out the recovery steps needed if our service is interrupted. We have a European Business Continuity Coordinator who is responsible for business resilience and is supported by a number of site coordinators. Plans are tested and approved annually. We have two data centres, one in the UK and the other in Ireland, which act as disaster recovery sites for each other.

We are regulated by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) in the UK. Our legal and compliance departments research and evaluate laws and regulations to ensure we remain compliant. All staff receive compulsory training on relevant legislation and regulation every year.

Our privacy controls reflect current laws and regulations governing the privacy of data. This includes:

  • Enforcing a clear desk policy
  • Limiting the use of personal portable media, e.g. mobile phones
  • Restricting access depending on an individual’s role
  • Use of appropriate encryption
  • Use of secure data communications (e.g. secure mail, Transport Layer Security and Secure File Transfer Protocol)

All software we use is licensed and the ability to install unauthorised software has been removed. Installing new or updated software must be authorised by our Information Security teams. Updates to security are done monthly or more frequently, if necessary, following a risk-based assessment.

While we recognise the growing use of cloud-based solutions within the Financial Services industry, the security of information is our primary concern. So we use secure data centres in the UK and Ireland.  And we only use technology which has been assessed as providing the level of security expected by our customers, advisers, employees, or business partners.

We recognise the ongoing risks of cyber-attacks on Financial Services institutions and have set up a Cyber Security programme covering the whole Canada Life UK business. This programme ensures we regularly review the governance, policies, staff, processes and technologies needed to safeguard information on a sustainable and ongoing basis.

This website is for UK professional advisers only and is not approved for use by private customers.

Canada Life Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

Canada Life International Limited and CLI Institutional Limited are Isle of Man registered companies authorised and regulated by the Isle of Man Financial Services Authority.

Canada Life International Assurance (Ireland) DAC is authorised and regulated by the Central Bank of Ireland.

Stonehaven UK Limited and MGM Advantage Life Limited, trading as Canada Life, are subsidiaries of The Canada Life Group (U.K.) Limited. Stonehaven UK Ltd is authorised and regulated by the Financial Conduct Authority. MGM Advantage Life Limited is authorised and regulated by the Financial Conduct Authority.