Stafferin Security Field Training · Module 38

Security Ethics & Professional Conduct — the standard you carry on every shift.

Six short, interactive lessons that turn the PSISA Code of Conduct, Criminal Code breach-of-trust provisions, PIPEDA data-handling rules, and Ontario Human Rights Code obligations into decisions you can make on the spot. Work through gratuity and conflict-of-interest drills, run a data-misuse scenario, practice a whistleblower escalation, then take the 30-question exam and earn your Stafferin Security Ethics certificate.

6 lessons
5 mini-drills
30 -question exam
Earn certificate
0/6 lessons complete

Before you begin

About this course

2 min read

Security Ethics & Professional Conduct is Module 38 of the Stafferin Security Field Training series. It is a standalone course: you do not need to have completed other modules to take this one, and completing it does not require completion of other modules.

Who this course is for

This course is designed for:

  • Licensed security guards in Ontario who want to understand the PSISA Code of Conduct and its practical application.
  • Licensed private investigators in Ontario who need to understand conflict-of-interest, data-handling, and Criminal Code exposure in their investigative work.
  • Security supervisors and managers who want to understand the ethical obligations of the guards and investigators they supervise — and their own vicarious liability for conduct they direct or permit.
  • New security industry entrants who are completing their initial training before applying for a PSISA licence.
  • Experienced guards who want to consolidate and formalise their understanding of the legal frameworks that govern their professional conduct.

How to complete this course

Work through the six lessons in order. Each lesson contains:

  • A hook paragraph that frames the lesson's central problem.
  • Three subsections that develop the legal content in depth.
  • A mini-drill that places you in a realistic security scenario and asks you to make the right call. The drill gives immediate feedback with full explanations.
  • A supporting component (flip cards, matrix table, checklist, or stat tiles) that consolidates the key points.
  • A closing paragraph that summarises the lesson's practical takeaway.
  • A "Mark Complete" button that records your progress and advances the progress ring.

After completing all six lessons, the "Take the Exam" button unlocks. The 30-question certificate exam tests all six lesson themes. You need 20/30 or higher to pass. There is no time limit on the exam and no penalty for retaking it.

What this course covers — the five legal frameworks

The course integrates five legal frameworks that apply simultaneously to every Ontario security professional:

  • Ontario Regulation 363/07 (the PSISA Code of Conduct) — the foundational professional ethics rule that binds every licensed guard and investigator from the moment the licence is issued.
  • Criminal Code of Canada (ss.122, 334, 346, 380) — the criminal provisions that capture the most serious forms of security misconduct: breach of trust, theft, extortion, and fraud.
  • PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5) — the federal privacy statute that governs how security professionals handle the personal information they collect in their roles (CCTV, access logs, incident reports, visitor registers).
  • Ontario Human Rights Code (R.S.O. 1990, c. H.19) — the provincial statute that prohibits discrimination in services (including security services) based on race, disability, gender identity, creed, and other protected grounds.
  • Whistleblower/reporting framework — PSISA s.31 (mandatory cooperation with the Registrar), the PSOA (S.O. 2006, c. 35, Schedule A) whistleblower protection framework, and the common-law protection for private-sector employees who report illegal conduct in good faith.

A note on jurisdiction

This course is written for Ontario's regulatory framework. The PSISA and O. Reg. 363/07 are Ontario statutes. The Criminal Code, PIPEDA, and the ASIS International Code of Ethics apply across Canada. The Ontario Human Rights Code applies in Ontario; other provinces have equivalent human rights statutes. If you work in another province, substitute the relevant provincial human rights legislation for the OHRC, but the foundational principles are the same across all Canadian jurisdictions.

Ready? Start with Lesson 1

Begin the PSISA Code of Conduct lesson

Lesson 1 covers the four pillars of O. Reg. 363/07, the licence as a conditional grant, and the grounds that trigger Registrar revocation proceedings. It is the foundation for every other lesson in this course.

Scroll down or use the sidebar table of contents to navigate directly to any lesson.

Lesson 01

The PSISA Code of Conduct

5 min

Every licensed security guard and private investigator in Ontario operates under two sets of rules simultaneously — the employer's internal policy and the provincial statutory Code of Conduct. The second set is not optional. Ontario Regulation 363/07, made under the Private Security and Investigative Services Act, 2005 (PSISA), binds every licensed individual from the moment the licence is issued. A breach does not merely expose you to an internal disciplinary hearing: it can result in licence suspension or revocation, a Registrar order, and — depending on the conduct — a criminal charge. Knowing the exact words of the Code is the difference between a defensible decision and an indefensible one.

What the PSISA Code of Conduct requires

Ontario Regulation 363/07 sets out enumerated duties for security guards. The core obligations fall into four clusters. Lawful authority: a guard must not use force except as permitted by law (Criminal Code s.25 — protection of persons acting under authority — and, for citizen's arrests, s.494), must not detain a person without lawful authority, and must not search a person or their property without consent or lawful authority. Integrity: a guard must not consume alcohol or drugs while on duty, must not accept a gratuity that could reasonably be seen as compromising their duties, and must not use their licence or uniform to advance a personal interest. Conduct: a guard must behave in a professional manner, must not make statements known to be false, and must not threaten or intimidate any person. Compliance: a guard must cooperate with police and must carry and produce their licence on demand.

The Registrar of Private Security and Investigative Services administers the PSISA. The Registrar may revoke or refuse to renew a licence under PSISA s.23 if a licensee has been found guilty of an offence that is relevant to their suitability — which includes Criminal Code offences of dishonesty (theft, fraud, extortion) and offences involving violence. Because the revocation is administrative, not criminal, the standard of proof is the balance of probabilities, not beyond a reasonable doubt. A conviction is not required; a finding of conduct incompatible with the Code is enough.

The licence as a conditional grant

A security guard's licence under PSISA s.10 is a conditional grant from the Province. The licensee agrees, as a condition of holding the licence, to abide by O. Reg. 363/07. This matters because it means the Code of Conduct applies even when a guard is off duty in uniform, even when no member of the public is watching, and even when the employer has said nothing about a specific situation. Courts and the Registrar both treat the licence as importing the Code's obligations into every situation where the guard is identifiable as such — in uniform, in a marked vehicle, or in any context where they have identified themselves as a security professional.

Revocation grounds you must know

The most common revocation triggers in Ontario Registrar decisions are: (a) Criminal Code offences of dishonesty (theft, fraud, extortion, breach of trust); (b) Criminal Code offences involving violence or threats (assault, criminal harassment, uttering threats); (c) misuse of the licence or uniform for a personal purpose; (d) failure to cooperate with a Registrar investigation; and (e) making false statements in a licence application or renewal. A revocation permanently bars the individual from holding a PSISA licence unless they obtain leave from the Licence Appeal Tribunal (LAT). The LAT hearing is de novo — the individual can present fresh evidence — but the burden shifts to the applicant to show they are suitable.

Drill 01 · The Code on shift What does the Code require? O. Reg. 363/07
Corporate office tower lobby · Monday 07:52
Lobby access request

You are the morning lobby guard at a downtown office tower. A man approaches, identifies himself as the CEO's personal assistant, and asks you to let his friend — who has no visitor pass — into the elevator lobby "just this once" because "the CEO will hear about it if you don't." You do not recognise the friend. The building's access-control policy requires a valid visitor pass for all non-tenants. What does the PSISA Code of Conduct require you to do?

Right call. The Code requires professional conduct and compliance with the employer's lawful access-control policy. Social pressure — even from someone claiming executive authority — is not a lawful override. Document the interaction; offer to verify through proper channels; do not grant unverified access. O. Reg. 363/07 — PSISA Code of Conduct · PSISA, S.O. 2005, c. 34
Reset the call. O. Reg. 363/07 binds you to professional conduct and to your employer's lawful policies — not to unverified social pressure from visitors. Access control exists to protect occupiers; bypassing it on a verbal say-so creates liability for you, your employer, and the building. Document and verify first; grant access only through the normal process. O. Reg. 363/07 — PSISA Code of Conduct · PSISA, S.O. 2005, c. 34

The four pillars of the PSISA Code of Conduct

01 Lawful authority force + detention + search Flip for detail

Lawful authority

A guard may use only the force permitted by Criminal Code s.25 and s.494. Detention, search, or seizure without lawful authority is a Code violation and potentially a criminal offence (assault, unlawful confinement).

O. Reg. 363/07
02 Integrity gratuities + uniform use Flip for detail

Integrity

A guard must not accept a gratuity that could compromise their duties, and must not use their licence or uniform to advance a personal interest. Both provisions protect the appearance of impartiality as well as its reality.

O. Reg. 363/07
03 Professional conduct no threats, no false statements Flip for detail

Professional conduct

A guard must behave professionally, must not threaten or intimidate, and must not make statements known to be false. This applies in confrontations, in reports, and in any interaction where the guard is identifiable as such.

O. Reg. 363/07
04 Compliance police + licence Flip for detail

Compliance

A guard must cooperate with police and must carry and produce their licence on demand. Failure to produce is itself a Code violation and — at police request — a potential PSISA offence.

PSISA s.10
05 Revocation grounds dishonesty + violence Flip for detail

Revocation grounds

Dishonesty offences (theft, fraud, extortion), violence offences, licence misuse, and false statements in a licence application are the most common revocation triggers. The Registrar's standard is balance of probabilities — a conviction is not required.

PSISA s.23

The PSISA Code of Conduct is not a suggestion list — it is a statutory condition of holding your licence. Every interaction where you are identifiable as a security professional is governed by O. Reg. 363/07. Lawful authority, integrity, professional conduct, and compliance are the four pillars. Breach any one of them and the Registrar has grounds to act, regardless of whether you are ever charged criminally.

Why O. Reg. 363/07 was enacted

The history behind the PSISA Code of Conduct

The Private Security and Investigative Services Act, 2005 replaced the older Private Investigators and Security Guards Act (1990) because the 1990 Act lacked meaningful enforcement mechanisms. The 2005 Act introduced mandatory licensing (with training requirements), a statutory Code of Conduct with revocation teeth, and an administrative tribunal pathway (through the Licence Appeal Tribunal) for disputed revocations. O. Reg. 363/07, made under the PSISA, is the subordinate legislation that sets out the specific enumerated duties — the Code of Conduct proper. Before 2005, conduct standards were effectively employer-driven only; a guard who engaged in serious misconduct at one firm could simply move to another without regulatory consequence.

The Registrar's standard — balance of probabilities rather than beyond a reasonable doubt — is deliberately lower than the criminal standard because the objective of the PSISA is public protection, not punishment. A guard who is unsuitable to hold a licence can be removed from the industry even where the Crown declines to prosecute criminally, or where the facts do not meet the higher criminal standard.

Lesson 1 — exam trap: the "employer says so" defence

Why "my employer told me to" does not work before the Registrar

A common misconception is that following an employer's instruction shields a guard from personal Registrar action. This is wrong. The PSISA Code of Conduct imposes personal obligations on each licensed individual. A supervisor's or employer's instruction to breach the Code does not discharge the individual guard's liability — both the supervisor and the guard may face Registrar action. "I was told to" is not a defence to a PSISA Code of Conduct breach. This principle also applies to client instructions: a client cannot direct a guard to act in breach of O. Reg. 363/07 and thereby insulate the guard from regulatory consequence.

The Registrar's approach mirrors that of other licensed professions — a pharmacist cannot excuse dispensing the wrong drug by saying "my employer told me to." Personal professional obligations are non-delegable. This is one reason why the Code's language uses "a guard must not" rather than "the employer must ensure that the guard does not" — the duty is personal, not vicarious.

The four PSISA Code pillars and revocation grounds appear on the exam.

Lesson 02

Conflict of interest & gratuities

5 min

The security officer who accepts a free meal from the vendor whose delivery dock they guard, the guard who lets a client's supplier through without proper screening because the supplier "always takes care of them," the investigator who passes information about a subject to a business competitor — these are not isolated bad actors. They are predictable products of a conflict of interest that was never identified, disclosed, or managed. O. Reg. 363/07 prohibits accepting gratuities that could compromise duties, but the legal rule is only the floor. Understanding why conflicts corrupt, and how to spot them before they trap you, is the professional skill.

What is a conflict of interest

A conflict of interest arises when a security professional's personal interest — financial, relational, or reputational — could influence, or could reasonably appear to influence, the discharge of their professional duty. The test is objective: not whether the guard actually made a biased decision, but whether a reasonable observer would conclude that the conflict might do so. The ASIS International Code of Ethics applies this same objective test to private security professionals. A conflict does not have to be acted upon to be a problem — its mere existence, undisclosed and unmanaged, is the breach.

Three categories of conflict are most common in security work. Financial conflict: a guard has a side-business relationship — supplier, contractor, tenant — with a person or entity they are assigned to oversee. Relational conflict: a guard is assigned to a post where a family member, romantic partner, or close friend is employed or is a subject of investigation. Positional conflict: a guard uses information obtained in their security role — access logs, incident reports, personal data — to benefit a business, employer, or third party other than the client who owns that information.

The gratuity rule under O. Reg. 363/07

O. Reg. 363/07 prohibits a security guard from accepting any gratuity, benefit, or reward that could reasonably be seen as compromising their security duties. The prohibition is not absolute — incidental hospitality is not a legal problem. The test is proportionality and appearance: a gratuity is prohibited when its value or circumstances could reasonably lead an objective observer to conclude that the guard's professional judgment was influenced. This is a lower threshold than bribery under the Criminal Code (which requires intent to influence). The employer's internal gift policy may be stricter than the Code; where it is, the stricter rule governs.

Practical bright lines widely adopted in Canadian security firms: no gift with a value over $25–$50 from any single source in a calendar year; no cash gifts under any circumstances; no gifts offered by a person whose facility access, complaint status, or investigation outcome the guard controls. When in doubt, the correct move is always to disclose — to the supervisor or, if the potential benefit is from the supervisor, to the supervisor's manager — before accepting anything.

Disclosing and managing conflicts

The obligation to disclose a conflict of interest exists whether or not the guard believes their judgment is actually compromised. The ASIS International Code of Ethics states that members must "avoid conflicts of interest" and must "act in a manner that will not bring discredit to the security profession." Disclosure does not resolve a conflict — it initiates the management process. The employer decides whether to reassign the guard, add oversight, or in rare cases conclude that the conflict is too significant to manage at all. Undisclosed conflicts discovered after the fact are treated far more harshly by regulators, clients, and courts than disclosed ones that were actively managed.

Drill 02 · The envelope What do you do with the $100 gift card? O. Reg. 363/07 (gratuities)
Retail strip mall · Saturday 22:30
$100 gift card offered

You have been assigned to a strip-mall patrol for three months. The owner of a jewellery store — whose shop you have helped secure after two after-hours alarm responses — slides you an envelope on Saturday night. Inside is a $100 gift card to a popular restaurant and a note saying "Thank you for always looking out for us." You are off-shift in 20 minutes. What do you do?

Right call. Decline professionally, document the offer and your refusal, notify your supervisor tonight. A $100 gift from the operator of a facility you oversee is a textbook O. Reg. 363/07 gratuity. Protecting your integrity means the refusal must be immediate — not considered. O. Reg. 363/07 — PSISA Code of Conduct · ASIS International Code of Ethics
Reset the call. The gratuity rule in O. Reg. 363/07 does not ask whether you intended to be compromised — it asks whether a reasonable observer would conclude you might be. A $100 gift card from a client facility you directly oversee fails that test on value and source alone. Decline immediately, document, and notify your supervisor. O. Reg. 363/07 — PSISA Code of Conduct · ASIS International Code of Ethics

Gratuity spectrum — acceptable, borderline, and prohibited

Gratuity type Key factors Assessment under O. Reg. 363/07
Incidental hospitality (coffee from receptionist) Low value, no control relationship Generally acceptable; employer policy may set a lower threshold
$100 gift card from client facility operator High value, from a person whose access you control Prohibited under O. Reg. 363/07 — decline and document
Cash tip from a tenant after an incident Cash, any amount, post-incident Prohibited — cash gifts under any circumstances are a bright-line rule
Discounted membership from a gym you patrol Ongoing financial benefit from a facility you oversee Prohibited — ongoing benefit creates ongoing appearance of compromise
Referral fee from a contractor you approved site access for Financial gain tied directly to an access decision you made Prohibited — may also be extortion or fraud; report immediately

Conflicts of interest and gratuity traps are features of the job, not exceptions. Every assignment creates relationships; some of those relationships will generate offers. The professional move is always the same: identify the conflict early, disclose it promptly, and decline anything that could compromise — or appear to compromise — your professional judgment. Integrity is easier to keep than to restore.

The disclosure-management sequence

What happens after you disclose a conflict of interest

Disclosure initiates the management process — it does not resolve the conflict. The employer has three options after a guard discloses a conflict: (a) determine the conflict is too minor to require any action; (b) add oversight measures (dual-guard sign-off on decisions affecting the conflicted party, supervisor review of relevant reports); or (c) reassign the guard to a different post where the conflict does not exist. All three outcomes are preferable to the discovery of an undisclosed conflict after a loss event.

Ontario civil courts have awarded damages against security firms where a guard's undisclosed conflict of interest contributed to a security failure. For example, where a guard's personal relationship with a vendor led to lax access-control screening that allowed a theft, the employer was found vicariously liable and the guard's undisclosed conflict was a factor in the damages assessment. The lesson: disclose early, before any incident connects the conflict to a failure.

Lesson 2 — exam trap: the dollar-amount exception that does not exist

O. Reg. 363/07 has no statutory de minimis dollar threshold

Many exam candidates incorrectly believe that the gratuity prohibition has a dollar-amount threshold (e.g. gifts under $50 are always acceptable). This is a misunderstanding of the relationship between employer policy and the Code. Employer policies may set a $25–$50 internal threshold as a practical bright line, and below that threshold the employer may not discipline a guard. But O. Reg. 363/07's prohibition applies when a gratuity "could reasonably be seen as compromising" duties — a test that can be met by a $15 meal from the right source.

Ontario Registrar decisions have treated relatively modest benefits as prohibited gratuities when the source was a person whose access or complaint status the guard controlled. A guard who accepted discounted meals worth less than $20 from a restaurant he patrolled was found to have breached O. Reg. 363/07 because the source-and-control relationship was the operative factor, not the dollar amount. The employer's policy threshold is a policy rule; the Code's test is a legal standard. When in doubt, apply the Code's objective test, not the employer's dollar limit.

The O. Reg. 363/07 gratuity rule and conflict-of-interest test appear on the exam.

Lesson 03

Criminal Code exposure

5 min

A security officer is not a public officer in the constitutional sense — but the Criminal Code of Canada creates specific offences that apply squarely to contractor integrity failures. Section 122 (breach of trust by a public officer) has been interpreted by courts to extend to those who exercise a public function under contract. Section 346 (extortion) captures any threat or inducement used to obtain something of value — and a guard who implies that "problems can go away" for a consideration is extorting. These are not theoretical risks. Canadian court records show guards charged with extortion, fraud, theft, and breach of trust arising directly from their security roles.

Criminal Code s.122 — breach of trust

Section 122 of the Criminal Code makes it an indictable offence for a public officer to commit a breach of trust in connection with the duties of their office. Courts have applied s.122 to private-sector contractors performing public functions — security guards at government facilities, court sheriffs, and contracted enforcement officers have all been found to occupy a sufficient public nexus. Even where the Crown cannot prove the public-officer element for a contracted private-sector guard, the facts that would satisfy s.122 often simultaneously satisfy s.380 (fraud) or s.334 (theft). A guard who diverts client property, manipulates incident records for personal benefit, or leaks access-control information to a third party is at minimum committing fraud or theft — and potentially s.122 if there is a public nexus.

Sentences for breach of trust range from conditional discharges to several years of imprisonment, depending on the magnitude of the breach and whether there was personal gain. The maximum sentence under s.122 is five years imprisonment. The Registrar of Private Security and Investigative Services treats a Criminal Code conviction involving dishonesty as an automatic basis for licence revocation under PSISA s.23.

Criminal Code s.346 — extortion

Section 346(1) provides that every person who, without reasonable justification or excuse, and with intent to obtain anything, by threats, accusations, menaces, or violence induces or attempts to induce any person to do anything or cause anything to be done is guilty of an indictable offence and liable to imprisonment for life. The broad language of s.346 captures the full spectrum of security-post extortion: a guard who implies a report will disappear if payment is made, a guard who threatens to call police over a fabricated incident unless a sum is paid, and a guard who demands a "facilitation payment" to expedite routine access. There is no minimum amount — the offence is complete at the attempt; no actual payment needs to change hands.

Practical risk scenarios for security workers

Three scenarios where guards have faced criminal charges in Canada. (1) Access-log manipulation for gain: a guard deletes CCTV footage or access-control records in exchange for cash or goods from a person who would otherwise be flagged. This is simultaneously extortion (if a demand was made), fraud (creating false records), and breach of trust. (2) Theft from client premises: a guard uses after-hours patrol access to take property from the client site. Criminal Code s.334 applies; PSISA Registrar revocation follows automatically. (3) Information leakage to a competitor: a guard passes business information — supplier lists, staff schedules, security vulnerability assessments — obtained in their role to a third party. This can be s.380 fraud, breach of confidentiality under the employment contract, and a PIPEDA violation simultaneously.

Drill 03 · The implied offer What do you do when a driver implies a bribe? Criminal Code s.346 (extortion)
Warehouse loading dock · Thursday 23:15
The driver's implied offer

You are the overnight loading-dock guard at a warehouse. A driver who missed the sign-in cutoff by 40 minutes arrives and cannot be admitted under site rules. He becomes agitated. Then he lowers his voice and says, "Look, I've got to get this truck unloaded tonight or my boss kills me. I've got something for you if you can just make this happen." He pats his jacket pocket. What do you do?

Right call. Refuse the implied offer, document verbatim, report to supervisor this shift. An offer of a benefit in exchange for deviating from your duty is an attempt to induce you under Criminal Code s.346. The offence is complete at the attempt — no money needs to change hands. Your documentation is your protection. Criminal Code s.346 — extortion · Criminal Code s.122 — breach of trust
Reset the call. Criminal Code s.346 extortion requires no minimum amount and is complete at the attempt. Negotiating, accepting, or even asking "what are you offering?" drags you into the offence. Refuse, document verbatim, report this shift. Criminal Code s.346 — extortion · Criminal Code s.122 — breach of trust

Criminal Code sections every security worker must know

s.0
Criminal Code — breach of trust by a public officer; applies to contractor security in public-function roles
s.0
Criminal Code — extortion; complete at the attempt; no minimum amount; maximum life imprisonment
s.0
Criminal Code — fraud; captures false records, CCTV deletion for gain, information leakage for benefit
s.0
Criminal Code — theft; PSISA licence revocation follows automatically on conviction

The Criminal Code does not leave a gap for security professionals. Extortion requires no minimum amount and is complete at the attempt. Breach of trust extends into contractor roles at public-function facilities. Fraud and theft follow from almost any misuse of site access. The protection against all four is the same: document everything, accept nothing from a person whose access or outcome you influence, and report any offer immediately.

Lesson 3 — why the extortion maximum sentence is life imprisonment

Parliament's deliberate choice: extortion ranks with the most serious offences

Criminal Code s.346 carries a maximum sentence of life imprisonment — the same maximum as murder, kidnapping, and armed robbery. Parliament treated extortion as one of the most serious property and integrity offences in the Code because it combines a threat with an abuse of power or relationship. For a security guard, whose position of authority is the instrument of the offence, courts have treated the abuse of the uniform as a serious aggravating factor in sentencing.

Ontario and British Columbia courts have convicted licensed private investigators and security guards of Criminal Code extortion arising from demands made to subjects of investigations or to persons whose site access they controlled. In each case, the PSISA licence was revoked concurrently. The courts noted that the professional licence created the access and trust that made the offence possible — which both aggravated the sentence and required the licence revocation. The PSISA Registrar treats a Criminal Code conviction involving dishonesty as an automatic basis for revocation under PSISA s.23.

Lesson 3 — the public-function nexus for s.122

Which security roles create s.122 exposure

Canadian courts have applied Criminal Code s.122 to private-sector contractors who perform a public function. The key element is the exercise of a public trust or public function, not the nature of the employment relationship. Roles that have attracted s.122 attention in the Canadian record include: security guards at federal courthouses and government ministry buildings, contracted enforcement officers at public institutions (schools, hospitals, transit authorities), and contracted guards at facilities that handle public funds or services.

Even where the Crown cannot prove the public-officer element for a contracted private-sector guard, the facts that would satisfy s.122 often simultaneously satisfy s.380 (fraud) or s.334 (theft). A guard who diverts client property, manipulates incident records for personal benefit, or leaks access-control information to a third party is at minimum committing fraud or theft. The practical lesson is that the criminal exposure does not depend on whether s.122 technically applies — because the same conduct is captured by other provisions even where s.122 does not reach.

Criminal Code ss.122, 346, 380, and 334 appear on the exam.

Lesson 04

Data handling & PIPEDA

5 min

Security work is data work. Every access-control log, every CCTV recording, every incident report, every visitor register, every licence-plate read, and every personal-information disclosure during an investigation is personal information within the meaning of the Personal Information Protection and Electronic Documents Act (PIPEDA). A guard who shares CCTV footage with a curious neighbour, who texts photos of an incident scene, who tells a media outlet about a subject's identity, or who accesses logs out of personal curiosity is misusing personal information — and the organisation they work for is liable under PIPEDA's accountability principle. Knowing what the Act requires is as important as knowing how to operate the equipment.

PIPEDA's four most relevant fair-information principles

PIPEDA Schedule 1 sets out ten principles of fair information practice. The four most directly relevant to security workers are: Accountability (Principle 1) — the organisation is responsible for personal information it controls, including information in the hands of third parties such as contracted security guards; Identifying Purposes (Principle 2) — personal information may only be collected for purposes a reasonable person would consider appropriate in the circumstances; Limiting Collection (Principle 4) — collection must be limited to what is necessary for the identified purposes; and Safeguards (Principle 7) — personal information must be protected by security safeguards appropriate to the sensitivity of the information.

Security workers are typically custodians of personal information on behalf of the client — they do not own the data and have no independent right to access it beyond what is necessary to discharge their duty. The accountability principle means the client is liable for what the guard does with the data; but the guard is personally liable for any Criminal Code offence (s.342.1 — unauthorized use of computer, s.380 — fraud) and may face civil liability in tort if their misuse causes loss. PIPEDA's Office of the Privacy Commissioner of Canada (OPC) can investigate complaints and issue findings; OPC findings are routinely cited in subsequent Federal Court proceedings.

CCTV, access logs, and the guard's duty

CCTV footage is among the most sensitive data a security guard handles. The OPC has consistently held that CCTV systems in public or semi-public spaces are subject to PIPEDA's limiting-collection and safeguards principles. A guard may access CCTV footage only for the purposes for which it was collected — facility security. Accessing footage to observe a specific individual out of personal curiosity, sharing footage with a third party (media, police without a warrant or consent, a curious colleague), or downloading footage onto a personal device are all PIPEDA violations. The same rules apply to access-control logs: they record the movement of named individuals and are personal information under PIPEDA s.2(1).

Responding to information requests

Guards are frequently asked to share security records — by police, by lawyers, by managers, by media, by members of the public. The correct protocol depends entirely on who is asking and what authority they have. Police with a warrant or production order: the organisation must comply; the guard should hand off to the site manager or security supervisor to process the legal document. Police without a warrant: PIPEDA permits but does not require voluntary disclosure to law enforcement for specified purposes (s.7(3)(c.1)); the guard should not unilaterally decide to disclose — route to the supervisor. Lawyers: require a court order or consent; hand off to the supervisor. Media or public: no disclosure; all media inquiries must be routed to the client's communications team. The guard's job is to hold the data until legally authorised disclosure is directed by the appropriate person.

Drill 04 · The request in the parking lot Should you pull CCTV footage for the PI? PIPEDA Schedule 1, Principle 7 (Safeguards)
Suburban hospital parking structure · Friday 18:40
Private investigator requests CCTV

You are the parking-structure guard at a suburban hospital. A man in street clothes approaches your booth and says he is a private investigator working on an insurance file. He asks you to pull up the CCTV footage from the previous Saturday between 14:00 and 16:00 and tell him whether his subject's vehicle was in the lot during that time. He shows you a business card. He does not have a court order, a production order, or written consent from the hospital. What do you do?

Right call. No court order, no production order, no hospital consent = no disclosure. PIPEDA Principle 7 (Safeguards) requires you to protect personal information against unauthorised access. Decline, direct to administration, document the request. Do not access the footage in connection with the query. PIPEDA Schedule 1, Principle 7
Reset the call. A business card is not legal authority. PIPEDA Principle 7 requires safeguards against unauthorised access — your obligation is to decline and route the request to the hospital's administration with proper legal process. Accessing the footage in connection with this request is itself a PIPEDA breach. PIPEDA Schedule 1, Principle 7

Data-access request protocol — quick reference

  • CCTV footage is personal information under PIPEDA — access only for the purpose for which it was collected
  • Access-control logs record named individuals' movements — treat as sensitive personal information
  • Police with a warrant or production order → route to site manager, do not process alone
  • Police without a warrant → do not unilaterally disclose; route to supervisor
  • Private investigators → require court order or written client consent; route to administration
  • Media requests → no disclosure; all media go to client's communications team
  • Personal-device copying of footage or logs → prohibited under PIPEDA Principle 7
  • Document every data-access request: who asked, when, what they wanted, what you said

Security data — CCTV, access logs, incident reports, visitor registers — belongs to the client organisation and is protected by PIPEDA. Your role is custodian, not owner. Access only what is necessary for your assigned duty. Decline every unauthorised request and route it to the right person. Document every request regardless of outcome. The safeguards principle is not bureaucratic overhead — it is the foundation of the client's trust in contracted security.

Lesson 4 — sensitivity scales the safeguard

Why CCTV at a medical clinic is treated differently from a parking structure

PIPEDA Principle 7 requires safeguards "appropriate to the sensitivity of the information." CCTV footage of a parking structure is less sensitive than CCTV footage inside a medical clinic, a residential building, or a childcare facility. The Office of the Privacy Commissioner of Canada expects higher technical and access-control safeguards for higher-sensitivity data. A security firm providing services to a healthcare facility must have significantly more robust data-handling procedures than one serving a retail mall.

In practice, this means the guard's personal conduct obligations scale with the sensitivity of the site. A guard at a hospital parking structure who accesses footage out of curiosity is committing the same PIPEDA Principle 7 violation as a guard who does so at a retail mall — but the consequences for the client organisation (who bears PIPEDA accountability) are more severe at the hospital because healthcare data carries higher sensitivity classifications and attracts stricter OPC scrutiny. Guards who work in higher-sensitivity environments should receive explicit training on the additional data-handling obligations that apply at those sites.

Lesson 4 — the collection-purpose anchor

Why PIPEDA Principle 2 (Identifying Purposes) governs everything downstream

Every subsequent PIPEDA principle — limiting collection (Principle 4), limiting use, disclosure, and retention (Principle 5), and safeguards (Principle 7) — flows from the identified purpose. A security firm that collects access-log data for facility security cannot later use that data for marketing, debt collection, or sharing with third parties for commercial benefit. Those are new purposes requiring new consent. The purpose identifies the box; everything the guard does with the data must stay inside that box.

This anchoring also determines the retention period. Most security operators retain CCTV footage for 30–90 days, depending on site type and client instruction. Retaining footage longer than the identified retention period requires a new justification — typically an active investigation or a legal hold. A guard who saves footage beyond the retention period to a personal device, or shares it with a third party after the retention period, violates PIPEDA Principles 4, 5, and 7 simultaneously.

PIPEDA's four key principles and the data-request protocol appear on the exam.

Lesson 05

Human rights at the post

5 min

The Ontario Human Rights Code protects every person in Ontario from discrimination based on race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, gender identity, gender expression, age, marital status, family status, and disability. A security guard who applies these protected characteristics — even subconsciously — in deciding who to question, who to follow, who to ask for identification, who to eject, or who to detain is committing discrimination under the Code. Unlike criminal law, the Human Rights Code does not require proof of discriminatory intent. The test is discriminatory effect: if the guard's conduct would not have occurred, or would have been different, but for a Code-protected characteristic, it is discrimination — and both the guard and the employer are liable.

What racial profiling looks like at a security post

The Human Rights Tribunal of Ontario (HRTO) and Canadian courts have consistently held that racial profiling — using race, colour, or ethnic or national origin, consciously or unconsciously, as a factor in a security decision — is a form of race discrimination under the Code. Indicators that a decision may have been racially motivated include: differential treatment of comparable individuals (a racialized person is asked for ID where a white person in identical circumstances is not); a pattern of stops or ejections disproportionate to the demographic make-up of the venue; and after-the-fact rationalisations that do not withstand scrutiny against the objective circumstances. The HRTO regularly awards damages for injury to dignity and self-respect in racial-profiling cases, in addition to ordering systemic remedies against the employer.

The practical implication: a security firm whose guards disproportionately stop or eject racialized persons can be found to have engaged in systemic discrimination even without proof of discriminatory intent by any individual guard. The Code's effects-based test means that an objectively unjustifiable pattern of differential stops is itself the evidence of discrimination.

Accommodation obligations at the post

The Code imposes an obligation on service providers — which includes security operations as a service to the public — to accommodate persons with disabilities to the point of undue hardship. This means a security protocol that cannot be met by a person with a mobility, communication, or cognitive disability must be modified unless modifying it would cause undue hardship to the operator. A guard who applies the standard identification or screening protocol inflexibly when they know a person has a disability, without exploring reasonable modifications, may be engaged in Code-prohibited discrimination on the basis of disability. The accommodation duty is also engaged by religious dress (creed) — requiring a person wearing a turban, kippah, hijab, or other religious garment to remove it as a condition of entry, without lawful authority and without exploring alternatives, is potentially religious discrimination.

The lawful authority exception

Differential treatment is not always discrimination. Where a security guard has specific, articulable, non-Code-based grounds for a decision — a verified description of a suspect, a specific incident report triggering follow-up, or a behaviour-based observation that is equally applicable regardless of protected characteristics — the Code does not prohibit that decision. The test is whether the protected characteristic was a factor in the decision, not whether other factors were also present. A guard can ask any person for identification when they have reasonable grounds related to facility security. What they cannot do is ask only racialized persons, or only young men of a particular appearance, when persons of other characteristics in identical circumstances are not asked.

Drill 05 · The lobby stop Consistent application of the protocol Ontario Human Rights Code, R.S.O. 1990, c. H.19
Luxury residential tower lobby · Sunday 14:20
Differential instinct in the lobby

You are the Sunday afternoon lobby guard at a luxury residential tower. You notice a young Black man in casual clothes waiting near the elevator. You do not recognise him. A white man in similar casual attire is also waiting near the elevator; you recognise him as a frequent visitor. Neither man has a visitor pass. Your instinct is to approach and ask the Black man for his destination and the name of the resident he is visiting. You do not feel the same instinct about the white man. What should guide your conduct?

Right call. Apply the same protocol to both men. The Human Rights Code prohibits differential treatment based on race — and differential treatment based on an 'instinct' that operates differently on racialized persons in identical circumstances is race discrimination. Consistent application of the protocol, documented, is both legally sound and professionally defensible. Ontario Human Rights Code
Reset the call. The Human Rights Code tests for discriminatory effect, not intent. Stopping a Black man while not stopping a white man in identical circumstances is Code discrimination regardless of whether you consciously intended it. Apply the protocol consistently to both, or document the specific, articulable, non-Code-based grounds that distinguish the two situations. Ontario Human Rights Code

Human Rights Code obligations at the security post

01 Racial profiling intent irrelevant Flip for detail

Racial profiling

Using race, colour, or ethnic origin — consciously or unconsciously — as a factor in a security decision is Code discrimination. The test is effect, not intent. Disproportionate stops of racialized persons can establish a systemic discrimination finding.

OHRC + HRTO
02 Disability accommodation undue hardship threshold Flip for detail

Disability accommodation

Security protocols must be modified for persons with disabilities to the point of undue hardship. A guard who applies standard screening inflexibly to a person known to have a disability, without exploring alternatives, is engaged in Code-prohibited discrimination.

Ontario HRC s.11
03 Religious dress creed accommodation Flip for detail

Religious dress

A guard cannot require removal of religious garments (turban, kippah, hijab) as a condition of entry without lawful authority and without exploring alternatives. Religious discrimination by effect is Code-prohibited.

Ontario HRC s.1
04 Lawful authority exception articulable grounds Flip for detail

Lawful authority exception

Differential treatment is not discrimination when there are specific, articulable, non-Code-based grounds — a verified suspect description, a specific incident report, a behaviour-based observation equally applicable regardless of protected characteristics.

HRTO doctrine
05 Consistency = protection same protocol, same basis Flip for detail

Consistency = protection

The most defensible security decision is one applied consistently. Document the specific grounds for any stop, verification request, or ejection. An undocumented stop that a complainant characterises as racially motivated has no competing record.

Best practice

Human rights compliance at the post is not a bureaucratic constraint on security work — it is the professional standard. Apply protocols consistently across protected characteristics. Document any exception and its specific, articulable grounds. Accommodate persons with disabilities and religious obligations unless doing so creates undue hardship. The guard who does these things is both legally protected and operationally effective.

Lesson 5 — the recognition trap in lobby stops

Why "I recognise that person" can be a racially skewed basis for differential treatment

Recognition of a "frequent visitor" can justify treating that person differently from an unrecognised visitor — but only if the same recognition-based exception is applied equally regardless of race. If a guard's recognition pattern is itself racially skewed (because the guard has more often engaged with white visitors and therefore "recognises" them more readily), using recognition as the differentiator perpetuates a racially disparate outcome.

The HRTO's approach to this issue is to look at the guard's actual recognition pattern across all visitors, not just the specific incident. If white visitors are routinely waved through without verification while racialized visitors of comparable attire and demeanour are routinely stopped, the pattern itself is evidence of systemic racial profiling regardless of whether any individual stop was consciously motivated by race. This is why the most defensible protocol is a consistent one — verify all visitors without passes, or verify none, on the same factual basis. Consistency is the protection.

Lesson 5 — gender identity, gender expression, and creed at the screening post

Three protected grounds security workers frequently encounter

Gender identity and gender expression were added to the Ontario Human Rights Code in 2012. A guard who subjects a transgender or non-binary person to additional or more invasive screening than a comparable cisgender person in identical circumstances has prima facie engaged in Code discrimination on the basis of gender identity or gender expression. The guard must have specific, articulable, non-Code-based grounds for any differential treatment.

Creed includes religious belief and practice. A guard who requires removal of religious garments — turban, kippah, hijab, dastar, patka — as a mandatory condition of entry without lawful authority is engaging in potential religious discrimination. The accommodation duty requires the guard to explore alternatives (a private screening area, a wand scan, alternative identification methods) before declaring that the standard protocol cannot be modified.

Disability includes both visible and non-visible conditions. A guard who applies standard screening inflexibly to a person with an anxiety disorder, autism spectrum condition, or cognitive disability — without adjusting the pace, environment, or communication style when they know or ought reasonably to know of the disability — may be engaged in Code-prohibited discrimination without realising it. The accommodation duty is triggered by awareness, not by a formal written request.

The Human Rights Code effect test, racial profiling definition, and accommodation duty appear on the exam.

Lesson 06

Whistleblowing & duty to report

5 min

The hardest call in security ethics is not refusing a $100 gift card — it is reporting a colleague, a supervisor, or a client-side manager for a serious breach. Ontario's Public Service of Ontario Act, 2006 (PSOA) protects public servants who disclose wrongdoing. For private-sector security workers, the protective framework is thinner but real: PSISA s.31 protects a licensed individual who cooperates with a Registrar investigation, and the common law increasingly protects private-sector whistleblowers from retaliatory dismissal through the constructive-dismissal doctrine and the duty of good faith in employment. Knowing the duty — and the protection — is what makes the call possible.

The Ontario Public Service whistleblower framework

The Public Service of Ontario Act, 2006, S.O. 2006, c. 35, Schedule A, Part V establishes a formal whistleblower regime for Ontario public servants. Under ss. 108–116, a public servant who discloses, in good faith, conduct that they reasonably believe is a wrongdoing — including a contravention of provincial or federal law, a gross mismanagement of public funds, a serious and substantial danger to health and safety, or conduct directed at retaliating against a whistleblower — is protected from adverse employment action. The disclosure must be made to the person's supervisor, the Integrity Commissioner, or in specified urgent circumstances directly to a law enforcement body. The PSOA framework sets the standard against which private-sector whistleblower protections are increasingly measured by Ontario courts.

Private-sector security workers employed by a contractor do not have PSOA protection directly. However, Ontario courts have held that a private-sector employee dismissed for reporting illegal conduct by their employer or a client has a cause of action in wrongful dismissal — the termination is without just cause where the employee acted in good faith, in the public interest, and in compliance with legal obligations. The legal trend in Canada, across several provinces, is toward recognising a common-law duty not to dismiss employees for lawful whistleblowing, independently of any statute.

PSISA cooperation obligation

PSISA s.31 requires a licensee to cooperate with a Registrar investigation. A licensee who refuses to answer questions, destroys records, or otherwise obstructs a PSISA investigation commits a PSISA offence and is subject to a fine under s.44. Cooperation with the Registrar is not optional — even where the investigation concerns a colleague or a supervisor. A guard who is asked to give a statement about another licensee's conduct must do so honestly and completely. Giving a false or misleading statement to the Registrar is itself a PSISA offence under s.44(1)(b).

When and how to report

The practical decision tree for a security worker who witnesses or suspects a serious ethical breach is: (1) Is it a criminal matter? Criminal conduct — theft, extortion, assault, fraud — should be reported to police. (2) Is it a PSISA Code of Conduct breach by a licensee? Report to the Registrar of Private Security and Investigative Services at the Ministry of the Solicitor General. (3) Is it an employer internal policy breach? Report through the employer's internal reporting mechanism, typically the supervisor or HR. (4) Is there a risk of retaliation? Document the disclosure and keep a personal copy outside the employer's systems. (5) Is the breach by the supervisor? Report to the supervisor's manager, to HR, or directly to the Registrar (for PSISA breaches) or police (for criminal conduct). The duty to report is not discharged by reporting to a person who is part of the wrongdoing.

Drill 06 · The after-hours log What do you do with the falsified patrol log? PSOA, S.O. 2006, c. 35, Sched. A (whistleblower framework)
Security company operations office · Tuesday 09:15
Falsified patrol entries discovered

You are reviewing last night's shift logs and notice that a senior colleague has logged two "routine patrol" entries for a period when CCTV footage shows him sitting in the guard booth for the entire time. The same colleague is the site supervisor's close friend. You mention it to a junior colleague who says "don't touch it — he'll make your life difficult." What should you do?

Right call. Document your observation with specific details, preserve the CCTV reference, and report in writing to the supervisor's manager or HR — not to the supervisor who is close to the colleague. Keep a personal copy of your disclosure outside the employer's systems. If internal escalation is ignored or retaliation follows, escalate to the PSISA Registrar. Public Service of Ontario Act, 2006 (whistleblower framework) · PSISA s.31 — cooperation with Registrar
Reset the call. Falsified patrol logs are a PSISA Code of Conduct breach and potentially criminal fraud. Silence is legally untenable once you have knowledge of the breach. Document your observation, report to the supervisor's manager or HR in writing, and keep a personal copy. If internal escalation fails, escalate to the PSISA Registrar. Public Service of Ontario Act, 2006 (whistleblower framework) · PSISA s.31 — cooperation with Registrar

Whistleblower decision tree — quick reference

  • Criminal conduct (theft, extortion, assault, fraud) → report to police
  • PSISA Code of Conduct breach by a licensee → report to the Registrar of Private Security and Investigative Services
  • Internal policy breach → report through employer's internal mechanism (supervisor or HR)
  • Breach by the supervisor → go to supervisor's manager, HR, or directly to Registrar/police
  • Document every disclosure in writing with specific details and timestamps
  • Keep a personal copy of your disclosure outside the employer's systems
  • If retaliated against → escalate to the Registrar, and consult an employment lawyer about constructive dismissal
  • PSISA s.31: cooperation with the Registrar is mandatory — refusal is a PSISA offence
  • Do not confront the wrongdoer before reporting — preserve evidence first

Reporting a colleague is the hardest call in security ethics — and the most important one. The PSISA cooperation obligation is not optional. Document your disclosure, route it above the person who is part of the wrongdoing, and keep a personal record outside the employer's systems. The law increasingly protects private-sector whistleblowers from retaliatory dismissal; the guard who stays silent to avoid difficulty is at greater long-term professional risk than the one who reports. Take the exam to complete this module.

Lesson 6 — why anonymous reporting has structural weaknesses

Identified, documented reporting is more effective than anonymous tip-line reporting

Anonymous reporting is better than silence — but it has a significant weakness: without the reporter's documented observation (the specific CCTV timestamps compared against the log, the specific shift reports, the specific access-control records), the investigation has no foothold. An anonymous tip that "guard X falsifies logs" gives the investigator a direction but no evidence. An identified, documented report that states "I compared the 02:15 and 04:30 patrol entries on the shift log dated [date] against CCTV footage from cameras [IDs] and the footage shows guard X sitting in the guard booth throughout both claimed patrol periods" gives the investigator actionable evidence and a specific witness.

Moreover, identified reporting provides the guard with their own protection. If the employer later attempts to discipline or terminate the guard for making the report, the documented report — with timestamps showing it predates any adverse action — becomes the decisive evidence in a wrongful dismissal or constructive dismissal claim. Anonymous reporting provides no such personal record. Keep a copy of the report outside the employer's systems (e.g., in a personal email sent from a personal device to a personal email address) immediately after making the disclosure.

Lesson 6 — log falsification has multiple simultaneous legal consequences

Why a falsified patrol log is more than an internal conduct issue

Falsifying a patrol log entry is a PSISA Code of Conduct breach — O. Reg. 363/07 prohibits making statements known to be false. But the consequences go further. Where the client is billed for patrol work that was not performed, the falsification is also Criminal Code s.380 fraud: the guard, by creating false records, is participating in obtaining money from the client by deceit. Canadian courts have awarded substantial damages to clients who suffered losses during patrols that guards falsely reported as completed — the falsified log creates civil liability for the security firm (breach of contract, negligence) and PSISA exposure for the individual guard.

A guard who discovers that a colleague has falsified patrol logs therefore has knowledge of at minimum a Code breach and potentially a criminal fraud. Silence in these circumstances — once the guard has examined the evidence and concluded that the logs are false — is legally untenable. It may be construed as complicity, and if the employer is later found to have billed the client for unperformed patrols, the guard's silence becomes a relevant fact in any subsequent investigation.

Final Examination · 30 Questions

Ready? Take the 30-Question Certificate Exam.

30 scenario-and-law questions covering everything in the six lessons above. Pass with 20/30 or higher to earn your Stafferin Security Ethics certificate.

Complete the lessons to begin
The duty-to-report decision tree and PSISA s.31 cooperation obligation appear on the exam. Take the final exam
Lesson complete Keep going — you're on track.
Educational disclaimer

Security Ethics & Professional Conduct — for knowledge and self-study only

Stafferin publishes the Security Ethics & Professional Conduct material as a self-study educational resource for security professionals. Every lesson is backed by published references — Ontario statutes (PSISA, Human Rights Code, PSOA), federal statutes (Criminal Code, PIPEDA), and other authoritative sources cited inline so you can verify the underlying material at any time.

Questions, corrections, or feedback: hr@stafferin.com · By using this course you acknowledge that the material is informational and that you remain responsible for your own training, certification, and on-the-job decisions.

Exam preparation & supplementary notes

Everything below expands on the six lessons and prepares you for the 30-question Stafferin Security Ethics certificate exam. Work through each section before sitting the exam.

Exam-prep checklist · the 30 questions, six themes

The shape of the final examination

The 30-question Stafferin Security Ethics certificate examination is built from six themes, five questions per theme. You have unlimited time; you can revisit any question before submitting; you must pass at 20/30 or higher to earn your certificate. The pass threshold is 66% (ceil(0.66 × 30) = 20). The themes are:

  • Theme 1 — The PSISA Code of Conduct (questions 1–5). O. Reg. 363/07 duties, licence as a conditional grant, revocation grounds, Registrar authority, ASIS International Code of Ethics. Maps to Lesson 1.
  • Theme 2 — Conflict of interest & gratuities (questions 6–10). Objective test for conflicts, three conflict categories, the O. Reg. 363/07 gratuity prohibition, bright-line employer rules, disclosure obligation. Maps to Lesson 2.
  • Theme 3 — Criminal Code exposure (questions 11–15). s.122 breach of trust, s.346 extortion (complete at the attempt), s.380 fraud, s.334 theft, practical risk scenarios. Maps to Lesson 3.
  • Theme 4 — Data handling & PIPEDA (questions 16–20). Four key PIPEDA principles (1, 2, 4, 7), CCTV and access-log duties, police request protocol, custodian vs. owner distinction. Maps to Lesson 4.
  • Theme 5 — Human rights at the post (questions 21–25). HRTO effects-based test, racial profiling definition, accommodation duty (undue hardship), religious dress accommodation, lawful authority exception. Maps to Lesson 5.
  • Theme 6 — Whistleblowing & duty to report (questions 26–30). PSOA ss.108–116 framework, PSISA s.31 cooperation obligation, escalation decision tree, documentation requirements, retaliation protection. Maps to Lesson 6.

Every question shows context, options, a correct answer, and a "why" explanation that ties back to the source statute or regulation. If you fail, the examination identifies which themes you missed; re-read those lessons and retake. There is no time limit on the exam and no penalty for retaking.

The five-source integrated standard

Every shift, five legal frameworks apply simultaneously

The integrated ethical standard for licensed security workers in Canada draws from five sources that reinforce each other. Understanding each one separately and as an integrated whole is what makes an ethical security officer defensible in every direction.

  • O. Reg. 363/07 (PSISA Code of Conduct) — lawful authority, integrity, professional conduct, compliance. The statutory condition of holding your licence.
  • Criminal Code of Canada — s.122 (breach of trust), s.346 (extortion), s.380 (fraud), s.334 (theft). No minimum amount for extortion; complete at the attempt.
  • PIPEDA (Personal Information Protection and Electronic Documents Act) — data is the client's; you are the custodian; access only for the purpose it was collected; safeguards principle applies to every piece of data you touch.
  • Ontario Human Rights Code, R.S.O. 1990, c. H.19 — effects-based test, not intent-based; differential treatment based on a protected ground is discrimination; accommodation to the point of undue hardship; document articulable grounds for every differential decision.
  • Whistleblower/reporting framework — PSISA s.31 (cooperation with Registrar is mandatory); PSOA ss.108–116 (wrongdoing disclosure protection); common-law wrongful dismissal protection for good-faith reporting.

Security ethics failures in Canada are rarely single-source. A guard who accepts a gratuity from a vendor (Code breach) and grants them unauthorised access (Code breach + potential Criminal Code) while failing to document (PIPEDA breach) and choosing the vendor on the basis of ethnic origin (Human Rights Code breach) has committed four simultaneous violations.

Field rules · 12 rules for the exam and the post

Twelve rules you should be able to state from memory

These field rules distil the most frequently tested principles into concise, exam-ready statements. Every rule maps to at least one exam question.

  • Rule 1. O. Reg. 363/07 = the PSISA Code of Conduct. Know the regulation number. It is the first document cited in any disciplinary proceeding.
  • Rule 2. The gratuity test is objective and appearance-based. Could a reasonable observer conclude your judgment might be compromised? Value, source, and context all matter.
  • Rule 3. The Registrar revokes on a balance of probabilities. A criminal conviction is not required. Conduct findings from non-criminal proceedings can be enough.
  • Rule 4. A conflict of interest exists when a reasonable observer could conclude the interest might influence your judgment. Disclosure initiates management — it does not resolve the conflict.
  • Rule 5. Extortion is complete at the attempt. "Attempts to induce" in s.346 is the operative trigger. No payment, no report, and no minimum amount required. Maximum: life imprisonment.
  • Rule 6. s.122 follows the function, not the employment status. A contracted guard at a government facility may be a "public officer" for s.122 purposes.
  • Rule 7. PIPEDA Principle 7 = Safeguards. Protect personal information against unauthorised access by employees, contractors, and third parties. Applies to CCTV, access logs, incident reports, and visitor registers.
  • Rule 8. Guard sees a police request → route to site manager. The voluntary-disclosure decision under PIPEDA s.7(3) belongs to the client organisation, not to the guard.
  • Rule 9. HRTO racial-profiling test = was race a factor? Not: was there intent? Unconscious bias meets the test. Document the objective, non-Code-based grounds for every security decision.
  • Rule 10. Accommodation duty = to the point of undue hardship. Explore alternatives before declaring accommodation impossible. Document the assessment.
  • Rule 11. Undisclosed conflict = treated worse than disclosed + managed conflict. Disclosure is the first line of protection, not an admission of wrongdoing.
  • Rule 12. PSISA s.31 cooperation is mandatory. Retain counsel to advise on compliance — but non-cooperation is itself an offence under s.44.
Common officer mistakes · the ethics avoid list

Ten failure modes documented in Registrar decisions and court records

Every item below has appeared in an Ontario Registrar decision, an HRTO finding, an OPC investigation report, or a Canadian court record where the security professional's actions or inactions were specifically cited.

  • Accepting gratuities and disclosing later. Acceptance followed by subsequent declaration is not compliance. The prohibition applies at the moment of acceptance, not the moment of disclosure. A later declaration documents a Code breach, not a Code compliance.
  • Negotiating with an implied-bribe offer. Asking "what are you offering?" drags you into the extortion offence under Criminal Code s.346. The offence is complete at the attempt; negotiating makes you a participant.
  • Accessing CCTV footage in response to an unauthorized requestor's query. Accessing footage "just to check" in connection with a private investigator's request is itself a PIPEDA Principle 7 breach. You have now processed personal information for an unauthorized third party.
  • Stopping racialized persons while not stopping comparable white persons. This is the textbook HRTO racial-profiling fact pattern. The Code's effects-based test means you need articulable, documented, non-Code-based grounds for every differential decision.
  • Confronting a wrongdoing colleague before reporting. Confrontation destroys evidence, allows story coordination, and triggers retaliation before the disclosure is recorded. Document and report first.
  • Reporting to a supervisor who is part of the wrongdoing. The duty to report is not discharged by reporting to a person involved in the wrongdoing. Route above the supervisor to HR, to the supervisor's manager, or directly to the Registrar or police.
  • Granting access on verbal authority alone. Verbal instructions from a person claiming executive authority are not a lawful override of written access-control policy. O. Reg. 363/07 binds you to the policy, not to unverified social pressure.
  • Applying inflexible screening protocols to persons with known disabilities. Without first exploring modifications, inflexible application constitutes disability discrimination under the Ontario Human Rights Code. The accommodation duty exists even when no formal request has been made.
  • Copying footage to a personal device. Personal-device copying of CCTV footage or access logs violates PIPEDA Principle 7 (Safeguards) regardless of the reason for the copy. All footage remains on organisationally controlled systems.
  • Using the licence or uniform for personal purposes. O. Reg. 363/07 prohibits using the licence or uniform to advance a personal interest. The uniform carries state-delegated professional authority; misusing it for personal ends is a Code breach regardless of whether anyone is immediately harmed.
PSISA & O. Reg. 363/07 · deep background

Why the PSISA Code of Conduct exists and how it is enforced

The Private Security and Investigative Services Act, 2005, S.O. 2005, c. 34 was enacted to professionalise Ontario's private security industry, which had been regulated by the older Private Investigators and Security Guards Act (1990). The 2005 Act introduced mandatory licensing, standardised training, and — through Ontario Regulation 363/07 — a statutory Code of Conduct with revocation teeth. Before 2005, disciplinary standards in the industry were effectively employer-driven only.

  • Who administers it: The Registrar of Private Security and Investigative Services, appointed by the Ministry of the Solicitor General, administers the PSISA and O. Reg. 363/07. The Registrar has authority under PSISA s.23 to refuse to renew, suspend, or revoke a licence on the balance of probabilities.
  • Licence Appeal Tribunal (LAT): A guard whose licence is revoked can appeal to the Licence Appeal Tribunal under the Licence Appeal Tribunal Act, 1999. The LAT hearing is de novo — fresh evidence can be presented — but the burden shifts to the applicant to show suitability. LAT decisions are publicly accessible and are routinely cited in subsequent proceedings.
  • ASIS International Code of Ethics interaction: The ASIS International Code of Ethics applies this same objective conflict-of-interest test to private security professionals globally. Canadian CPP (Certified Protection Professional) and PSP (Physical Security Professional) designations are widely held by senior Canadian security managers. ASIS sanctions are documented in a professional database consulted by major Canadian employers.
  • Employer vs. Registrar action: The employer can terminate the employment relationship, but it cannot revoke the PSISA licence — only the Registrar can do that. A guard terminated by one employer retains their licence (unless the Registrar has separately revoked it) and may work for another licensed employer.
PIPEDA · deep background for security workers

The ten fair-information principles and how they apply at the security post

PIPEDA Schedule 1 sets out ten principles of fair information practice. All ten are relevant to any commercial organisation, but the four listed below are most directly tested on the exam because they govern day-to-day security data handling.

  • Principle 1 — Accountability: The organisation is responsible for personal information it controls, including information in the hands of contracted third parties such as security guards. The client organisation is liable for what the guard does with the data. This is why every security firm should have a privacy policy and training program that covers PIPEDA obligations.
  • Principle 2 — Identifying Purposes: Personal information may only be collected for purposes a reasonable person would consider appropriate in the circumstances. Collecting access-log data for facility security is appropriate. Collecting the same data to sell to a third party or to track an individual out of personal curiosity is not. The identified purpose anchors every subsequent principle.
  • Principle 4 — Limiting Collection: Collection must be limited to what is necessary for the identified purposes. A guard who collects more personal information than the security purpose requires — running a person's name through external databases out of curiosity, recording personal conversations, retaining ID copies beyond the required period — violates Principle 4.
  • Principle 5 — Limiting Use, Disclosure, and Retention: Personal information must be used only for the purposes for which it was collected, disclosed only with consent or as required by law, and retained only as long as necessary. CCTV footage retained beyond the site's retention period, or shared with a media outlet without authority, violates Principle 5.
  • Principle 7 — Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information. This is the principle most directly engaged by a guard's day-to-day handling of CCTV systems, access logs, and incident reports. Safeguards must protect against unauthorised access by employees, contractors, and third parties.
  • OPC enforcement trend: The Office of the Privacy Commissioner of Canada has issued findings against organisations — including retail operators and building managers — whose security staff shared CCTV footage with media, social media platforms, or third parties without lawful authority. Findings typically result in corrective requirements: staff retraining, tightened access-control policies, and mandatory legal-review processes for disclosure requests.
Ontario Human Rights Code · deep background

How the Code applies to private security services — landmark principles

The Ontario Human Rights Code, R.S.O. 1990, c. H.19 applies to security services provided to the public. The Human Rights Tribunal of Ontario (HRTO) has consistently held that private security guards providing access-control and screening services at commercial and residential premises are providing a "service" within the meaning of the Code. This means the Code's anti-discrimination obligations apply in full.

  • Statistical evidence and systemic findings: The Ontario Court of Appeal confirmed in Peart v. Peel Regional Police Services Board, 2006 ONCA 447, that statistical evidence of disproportionate stops can establish a prima facie case of racial discrimination — shifting the burden to the respondent to provide a non-discriminatory explanation. The HRTO has applied this reasoning to private security firms.
  • The documentation imperative: A guard who stops or identifies one person and not another must be able to produce, if challenged, specific non-Code-based grounds for the distinction. If the shift log is blank on why one person was stopped and another was not, the guard has no defence to a Code complaint. Contemporaneous documentation — specific grounds, specific observations, specific timing — is the only protection.
  • What undue hardship actually means: The OHRC's policy guidance on undue hardship sets a high bar: significant cost (assessed against the organisation's total resources, not just the security budget), or a genuine safety risk that cannot be mitigated by any reasonable alternative. Minor inconvenience, process disruption, or the need for a staff member to perform an additional step do not meet the undue hardship threshold. Most security modifications requested by persons with disabilities — a chair during a prolonged check, a private screening area, an alternative identification form — do not come close to undue hardship.
  • Gender identity and gender expression: The Ontario Human Rights Code was amended in 2012 to explicitly add gender identity and gender expression as protected grounds. A security guard who differentially treats a transgender or non-binary person in security screening is engaging in Code-prohibited discrimination.
  • Following a supervisor's discriminatory instruction: A supervisor's instruction to discriminate on a Code-protected ground does not create a lawful authority exception. Both the supervisor and the individual guard can be found liable by the HRTO. "I was told to" is not a defence under the Code.
Whistleblower protection · deep background

PSOA, PSISA s.31, and the common-law trend for private-sector employees

Three overlapping legal frameworks protect security workers who report serious ethical breaches in good faith.

  • PSOA ss. 108–116 (direct application to public servants): Ontario public servants who in good faith disclose conduct they reasonably believe constitutes a contravention of provincial or federal law, a gross mismanagement of public funds or assets, a serious and substantial danger to the life, health, or safety of persons, or conduct directed at retaliating against a whistleblower are protected from adverse employment action. The disclosure must be made to the person's supervisor, the Integrity Commissioner, or in specified urgent circumstances directly to a law enforcement body. Disclosures to media are not protected under the Act — and may expose the employee to liability if made recklessly or maliciously.
  • PSISA s.31 (mandatory cooperation for all licensees): Every licensed security guard and private investigator must cooperate with a Registrar investigation. A guard can be asked about colleagues' conduct in the course of an investigation — refusing to answer on the ground that the question is about someone else is not a recognised exception. False statements to the Registrar are a separate PSISA offence under s.44(1)(b). False statements are treated as an aggravating factor in revocation proceedings — a guard who might have kept their licence with honest cooperation often loses it because of dishonesty during the investigation.
  • Common-law trend for private-sector employees: Ontario courts have held that a private-sector employee dismissed for reporting illegal conduct by their employer or a client has a cause of action in wrongful dismissal — the termination is without just cause where the employee acted in good faith and in compliance with legal obligations. The Ontario Court of Appeal has cited the PSOA framework in assessing private-sector wrongful dismissal claims. Retaliation itself becomes an actionable wrong. The documentation the whistleblower kept — copies of the report, the supervisor's response, the termination notice — is typically the decisive evidence in these proceedings.
Frequently asked questions

Questions on the course material — answered

These questions mirror the format and logic of exam questions. If you cannot answer each FAQ confidently before the exam, re-read the corresponding lesson.

Yes. Courts and the Registrar treat the licence as importing O. Reg. 363/07's obligations into every situation where the guard is identifiable as a security professional — in uniform, in a marked vehicle, or in any context where they have identified themselves as a security professional. The Code applies even when no member of the public is watching and even when the employer has said nothing about a specific situation.

O. Reg. 363/07 — PSISA Code of Conduct

No. A client instruction to discriminate on a Code-protected ground does not create a lawful authority exception and does not shield the individual guard from an HRTO complaint. Both the guard and the employer can be found liable. The Ontario Human Rights Code's obligations are statutory — they cannot be waived by contract or by a client instruction. "I was told to" is not a defence.

Ontario Human Rights Code, R.S.O. 1990, c. H.19

There is no minimum amount. Criminal Code s.346 carries no dollar threshold. The offence is complete at the attempt to induce — even an implied demand for a cup of coffee has been treated as extortion by Canadian courts. The maximum sentence is life imprisonment — the same maximum as murder, kidnapping, and armed robbery. Parliament treated extortion as one of the most serious property and integrity offences in the Code because it combines a threat with an abuse of power or relationship.

Criminal Code s.346 — extortion

Police can obtain CCTV footage through three lawful routes: a production order under Criminal Code s.487.012, a search warrant under s.487, or voluntary disclosure under PIPEDA s.7(3)(c.1). Without one of these, police cannot compel disclosure. Where police have a legal instrument, the organisation must comply — and the guard's role is to document the instrument details and hand off to the site manager to process compliance. The guard should not unilaterally permit police access to a server room, DVR, or access-control system without first confirming that the legal instrument is valid and that the site manager has been notified.

PIPEDA s.7(3)

No. Making an internal report to a person who ignores it does not discharge the professional obligation when the breach is serious. The PSISA s.31 cooperation obligation and the professional ethics obligation (ASIS International Code of Ethics) both require the guard to ensure that serious breaches are brought to the attention of a body with authority to act — not merely to a supervisor who can file the report in a drawer. Escalation to the PSISA Registrar is available for Code of Conduct breaches; police are the appropriate authority for Criminal Code offences.

PSISA s.31

The ASIS International Code of Ethics is a professional ethics standard, not a statute — it does not have direct legal force in Ontario. However, ASIS can sanction members independently of any provincial regulator, and ASIS sanctions are documented in a professional database consulted by major Canadian employers. The ASIS Code also provides an ethical standard that is increasingly cited by courts as evidence of the professional standard of care expected of security professionals — making Code compliance relevant to civil liability assessments even though it is not a statute.

ASIS International Code of Ethics

The PSOA (Public Service of Ontario Act, 2006) directly applies only to Ontario public servants. Private-sector security workers employed by a contractor do not have PSOA protection directly. However, Ontario courts have held that a private-sector employee dismissed for reporting illegal conduct by their employer or a client has a cause of action in wrongful dismissal. The legal trend in Canada is toward recognising a common-law duty not to dismiss employees for lawful whistleblowing, independently of any statute. The PSOA framework sets the standard against which private-sector whistleblower protections are increasingly measured by Ontario courts.

Public Service of Ontario Act, 2006, S.O. 2006, c. 35, Sched. A

Non-disclosure of a conflict of interest is not automatically a Criminal Code offence. It is a PSISA Code of Conduct breach and a professional ethics violation under the ASIS International Code of Ethics. It may become criminal if the undisclosed conflict is associated with other conduct — fraud, theft, extortion — but the non-disclosure itself is not per se criminal. Regulators, courts, and professional ethics bodies consistently treat undisclosed conflicts as more serious than disclosed conflicts that were managed. Non-disclosure discovered after a security failure is treated as an aggravating factor in both PSISA revocation proceedings and civil liability assessments.

O. Reg. 363/07 — PSISA Code of Conduct

Final ready check · six yes-or-no checks

Be honest with yourself before sitting the exam

Every "no" is a topic to revisit before you take the final examination. These six checks map exactly to the six exam themes.

I can cite the regulation that contains the PSISA Code of Conduct (O. Reg. 363/07), name the four clusters of obligations, and explain the Registrar's standard of proof for revocation.

I can state the objective test for a prohibited gratuity under O. Reg. 363/07, explain the three categories of conflict of interest, and describe the correct response to a gratuity offer (decline, document, notify).

I can explain why Criminal Code s.346 extortion is complete at the attempt, cite the maximum sentence (life imprisonment), and describe the three practical risk scenarios (access-log manipulation, theft, information leakage).

I can name PIPEDA Schedule 1 Principles 1, 2, 4, and 7, explain why the guard is a custodian not an owner, and describe the data-request protocol for police (with/without warrant), private investigators, lawyers, and media.

I can explain the HRTO's effects-based test for racial profiling, identify what undue hardship means in the accommodation context, and state the lawful authority exception and what it requires (specific, articulable, non-Code-based grounds).

I can describe the PSISA s.31 cooperation obligation, explain when to report to police vs. the Registrar vs. HR, and know why I should keep a personal copy of any disclosure outside the employer's systems.

Sample exam questions — the full exam has 30 of these

Ten representative exam questions with answers and explanations

These representative questions illustrate the format of the 30-question certificate exam. Each question shows the stem, options, the correct answer, and a "why" explanation. Work through each one before sitting the full exam.

Correct answer: Ontario Regulation 363/07, made under the Private Security and Investigative Services Act, 2005.

Why: O. Reg. 363/07 is the Code of Conduct regulation made under the PSISA, S.O. 2005, c. 34. It sets out the specific enumerated duties — including lawful authority, integrity, professional conduct, and compliance obligations — that bind every licensed security guard and private investigator in Ontario. The other options (Ontario Human Rights Code, Criminal Code Part VII, PIPEDA Schedule 1) are real statutes and regulations but they are not the source of the PSISA Code of Conduct.

Field rule: O. Reg. 363/07 = the PSISA Code of Conduct. Know the regulation number. It is the first document cited in any disciplinary proceeding, licence suspension, or Registrar decision involving guard conduct.

Correct answer: (d) Compromising the guard's security duties.

Why: O. Reg. 363/07 prohibits a security guard from accepting any gratuity, benefit, or reward that could reasonably be seen as compromising their security duties. The test is objective — not whether the guard believes they were compromised, but whether a reasonable observer would conclude they might be. The Code does not set a dollar-amount threshold. Many employers adopt a $25–$50 internal policy limit as a practical bright line, but this is employer policy, not the statutory standard. Cash gifts are widely treated as a bright-line prohibition in employer policy, but O. Reg. 363/07 does not restrict the gratuity rule to cash.

Correct answer: (c) The attempt to induce.

Why: Criminal Code s.346 provides that "every person who ... induces or attempts to induce any person to do anything" is guilty. The offence is complete at the attempt. A guard who implies that a problem can be made to go away in exchange for a benefit has committed extortion even if the other person refuses and no payment is made. Receipt of payment is not a required element; the $5,000 threshold applies to theft/fraud elections, not extortion; and the victim's decision to report is not an element of the offence.

Correct answer: (c) The client organisation is responsible for personal information in the hands of its contracted security provider.

Why: PIPEDA Schedule 1, Principle 1 states that an organisation is responsible for personal information in its possession or custody, including information transferred to a third party for processing. This means the client organisation bears PIPEDA accountability for personal information handled by its contracted security guards. The guard is a custodian, not an owner. The guard has no independent right to access, share, or retain that information beyond what is necessary to perform their assigned security function.

Correct answer: (d) Whether race was a factor in the security decision — intent to discriminate is not required.

Why: The HRTO applies an effects-based test for racial profiling: if race or colour was a factor in the decision — even an unconscious one — the Code is engaged. Intent to discriminate is not required. The HRTO looks at the objective circumstances (who was stopped, who was not, the comparative factual situation) and at whether a race-neutral explanation is credible. The absence of slurs does not establish the absence of discrimination; racial profiling can occur through differential treatment without a single verbal indicator.

Correct answer: (d) Could influence, or could reasonably appear to influence, the discharge of their professional duty.

Why: The conflict-of-interest test is objective — it does not require actual bias, only the reasonable appearance of it. A guard who has a personal financial relationship with a vendor whose access they control has a conflict of interest even if they have always acted impartially, because a reasonable observer could conclude the relationship might influence their judgment. The conflict exists at the moment of the financial or relational nexus, not only if and when it influences a decision. There is no dollar-amount threshold; a relational conflict (family member at the site) can exist with no financial benefit at all.

Correct answer: The Registrar of Private Security and Investigative Services.

Why: The Registrar, appointed under the Ministry of the Solicitor General, has authority under PSISA s.23 to refuse to renew, suspend, or revoke a licence where a licensee has demonstrated unsuitability. The Registrar's standard is the balance of probabilities — a criminal conviction is not required. Courts can impose criminal penalties and have jurisdiction over appeals from the Licence Appeal Tribunal, but the initial licence revocation authority sits with the Registrar administratively. The employer can terminate the employment relationship, but it cannot revoke the PSISA licence.

Correct answer: (c) Cooperate with the investigation — refusal is a PSISA offence.

Why: PSISA s.31 requires licensees to cooperate with Registrar investigations. A guard who refuses to answer questions, destroys records, or otherwise obstructs the investigation commits a PSISA offence under s.44. Giving a false or misleading statement to the Registrar is a separate offence under s.44(1)(b). A guard has the right to retain a lawyer — and doing so is prudent — but the statutory cooperation obligation still exists. The lawyer's role is to advise on how to comply appropriately, not to justify non-compliance. The cooperation obligation applies regardless of the source of the investigation.

Correct answer: (c) To the point of undue hardship.

Why: The Ontario Human Rights Code's accommodation duty extends to all disabilities — visible and non-visible — and applies in both employment and services/facilities. A security operator providing public-facing screening services has an accommodation duty to service users with disabilities. Safety considerations can be a factor in assessing undue hardship, but they must be genuine and specific, not speculative. A security operator must explore modifications before claiming that accommodation is impossible on safety grounds. The threshold for undue hardship is significant cost or a genuine, non-mitigable safety risk — not minor inconvenience or process disruption.

Correct answer: (d) Act lawfully, maintain integrity, protect personal data, treat every person consistently with the Human Rights Code, and report serious breaches.

Why: The integrated ethical standard for licensed security workers in Canada draws from five sources simultaneously: O. Reg. 363/07 (lawful authority + integrity + professional conduct); Criminal Code (no extortion, no breach of trust, no fraud); PIPEDA (data protection and limited collection); Ontario Human Rights Code (non-discrimination in services); and the whistleblower/reporting framework (PSISA s.31, PSOA). Client loyalty is one obligation, but it is subordinate to the law. A supervisor's instruction to breach the Code does not discharge the individual guard's liability. "I was told to" is not a defence to a PSISA Code of Conduct breach.

Take the full 30-question exam

Context: how exam questions are structured

Understanding the exam format before reviewing questions 11–30

Every exam question follows a consistent pattern designed to test not just recall but professional judgment. The question stem describes a situation or asks you to identify a legal rule. The four options include one clearly correct answer and three plausible distractors — each distractor reflects a common misconception or conflation of related rules. The "why" explanations cite the specific statutory provision or regulatory rule that governs the correct answer.

The most frequently confused pairs of concepts on this exam are: (a) the O. Reg. 363/07 gratuity test (objective, appearance-based, no dollar threshold) vs. the Criminal Code bribery threshold (requires intent to influence); (b) PIPEDA Principle 1 (accountability — organisation is responsible) vs. Principle 7 (safeguards — protect against unauthorised access); and (c) the HRTO effects-based discrimination test (was race a factor?) vs. the common-law intent test (did the guard intend to discriminate?). Keep these distinctions in mind as you work through questions 11–30.

The synthesis question (q.30) always asks you to apply multiple frameworks simultaneously to a single fact pattern. The correct answer to q.30 requires you to identify all five legal frameworks (O. Reg. 363/07, Criminal Code, PIPEDA, Human Rights Code, duty to report) as applying simultaneously — not just one or two. The common wrong answers are: "protect the client's interests above all" (wrong because law overrides client loyalty); "follow supervisor instructions in all circumstances" (wrong because the supervisor cannot override the Code); and "apply security protocols with no overriding legal obligations" (wrong because all five frameworks impose overriding obligations).

Correct answer: Race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, gender identity, gender expression, age, marital status, family status, and disability.

Why: The Ontario Human Rights Code s.1 lists these protected grounds for services and facilities. A security guard providing access-control, screening, or patrol services is providing a service within the meaning of the Code. Differential treatment based on any of these grounds, where not supported by a lawful justification, is Code discrimination. The Code's protected grounds are set by provincial statute and are not limited to or co-extensive with the Charter's s.15 list. Gender identity and gender expression were added in 2012.

Correct answer: The Registrar of Private Security and Investigative Services.

Why: Courts can impose criminal penalties and have jurisdiction over appeals from the Licence Appeal Tribunal, but the initial licence revocation authority sits with the Registrar administratively. The employer can terminate the employment relationship, but it cannot revoke the PSISA licence. The Ontario Police College provides training but has no licensing or disciplinary authority over private security guards under the PSISA.

Correct answer: (a) To the point of undue hardship.

Why: The Code's accommodation duty extends to services and facilities, not just employment. The threshold is undue hardship — significant cost or a genuine safety risk that cannot be mitigated by any reasonable alternative. Invisible disabilities (anxiety disorders, autism spectrum conditions) trigger the duty as soon as the security provider is aware or ought reasonably to be aware of the need for accommodation. There is no blanket safety exemption from the accommodation duty.

Correct answer: (c) Engaged in prima facie race discrimination under the Ontario Human Rights Code.

Why: Differential treatment on the basis of race or colour — asking a racialized person for identification while not making the same request of a comparably situated white person — is prima facie race discrimination under the Code. The guard must be able to identify specific, articulable, non-Code-based grounds that distinguish the two persons' situations to rebut the prima facie case. ID requests are a lawful security function, but the Code requires them to be applied consistently across protected characteristics. Discriminatory discretion is Code-prohibited.

Correct answer: (d) Contraventions of provincial or federal law, gross mismanagement of public funds, and serious dangers to health and safety.

Why: The PSOA ss.108–116 protect Ontario public servants who in good faith disclose conduct they reasonably believe constitutes: a contravention of provincial or federal law; a gross mismanagement of public funds or assets; a serious and substantial danger to the life, health, or safety of persons; or conduct directed at retaliating against a whistleblower. The disclosure must be made to the supervisor, the Integrity Commissioner, or in urgent circumstances to law enforcement — not to media. General grievances about unfair workplace treatment are not covered.

Correct answer: (d) Only if permitted and directed by the client organisation — the guard cannot unilaterally decide to disclose.

Why: PIPEDA s.7(3)(c.1) permits but does not require disclosure to law enforcement for specified purposes without consent. The decision to make voluntary disclosure belongs to the organisation that controls the data — the client. A guard cannot unilaterally decide to disclose CCTV footage to police without a warrant; they must route the request to the site manager or security supervisor. Equally, police cannot compel disclosure without a production order or search warrant — PSISA s.31 requires cooperation with Registrar investigations, not unrestricted cooperation with every police request.

Correct answer: (d) Report through the appropriate channel — to the supervisor's manager if the supervisor is involved, or to the PSISA Registrar if internal reporting is inadequate.

Why: Falsifying patrol logs is a PSISA Code of Conduct breach and may constitute Criminal Code s.380 fraud if the client is billed for work not performed. A guard with knowledge of a colleague's Code breach has a professional obligation to report. Direct confrontation gives the colleague the opportunity to destroy evidence. Anonymous reporting is better than silence but has significant weaknesses. An identified, documented report provides actionable evidence and establishes the guard's own good-faith disclosure.

Correct answer: (d) Differential treatment is not discrimination when there are specific, articulable, non-Code-based grounds not attributable to a protected characteristic.

Why: The Code does not prohibit all differential treatment — it prohibits differential treatment on the basis of a protected ground. The test is whether the protected characteristic was a factor in the decision. There is no blanket safety exemption for security functions. A supervisor's instruction to discriminate on a Code-protected ground does not create a lawful authority exception. "Acting suspiciously" is too vague and may mask a Code-protected characteristic — the grounds must be articulable and verifiable independently of the protected characteristic.

Correct answer: (d) Criminal Code s.346 extortion.

Why: Demanding payment in exchange for not disclosing information constitutes extortion under Criminal Code s.346 — an inducement to pay through an implied or explicit threat. This is a completed indictable offence with a maximum sentence of life imprisonment. It also constitutes a PSISA Code of Conduct breach (threatening or intimidating a person, and using the licence for a personal purpose), triggering mandatory Registrar review. A licensed private investigator has no authority to demand personal payment from a subject — the licence does not create a lawful authority exception for s.346.

Correct answer: (d) May collect only personal information necessary for the security purpose — no more.

Why: PIPEDA Schedule 1, Principle 4 states that personal information shall only be collected that is necessary for the purposes identified by the organisation. Collection in a publicly accessible space does not exempt the collector from PIPEDA obligations. Incident data is collected for a specific purpose — facility security and incident documentation — and may not be retained beyond what is necessary for that purpose or used for a different purpose. PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention) also prohibits indefinite retention for speculative future investigative purposes.

Career path · what this course prepares you for

Where to go from here — ethics in advanced security roles

The Security Ethics & Professional Conduct course establishes the foundational legal and ethical framework for every security role in Canada. Officers who specialise in ethics-sensitive environments often pursue additional credentials and responsibilities that build on this foundation.

  • Senior Security Officer / Site Supervisor: The gratuity rules, conflict-of-interest identification, and duty-to-report obligations covered in this course apply with heightened force when you are responsible for other guards. A supervisor who instructs guards to violate the Code is personally exposed to Registrar action in addition to the guard who follows the instruction.
  • Investigator (PSISA Licensed): Private investigators are bound by O. Reg. 363/07 on the same terms as security guards. The conflict-of-interest and PIPEDA data-handling lessons are especially relevant: investigators routinely handle personal information about subjects and must manage conflicts arising from client relationships.
  • CPP / PSP (ASIS International): The ASIS Certified Protection Professional (CPP) and Physical Security Professional (PSP) designations require demonstrated competence in ethics, privacy, and legal compliance — the areas this course covers. The ASIS International Code of Ethics applies additional obligations (confidentiality, fidelity, avoiding discredit to the profession) that build on the PSISA Code.
  • Privacy Officer / Data Protection Role: Guards who develop specialised PIPEDA expertise may move into data protection roles within security firms or corporate security teams. The OPC's PIPEDA guidance for the private sector is the relevant reference material for these roles.
  • Court Security / Government Contract Security: Guards assigned to government facilities or court security roles enter the zone where Criminal Code s.122 (breach of trust by a public officer) may apply. This course's Criminal Code lesson is essential background for anyone working in these higher-exposure environments.

None of these advanced paths are prerequisites for completing this course or passing the exam. They are options for officers who want to deepen their ethics and legal-compliance expertise beyond what this course covers as a foundational module.

Glossary · canonical phrasing

Terms you must use with precision on the exam and in professional writing

These are the canonical forms for all key terms in this course. Using non-standard forms (e.g. "the PIPEDA Act," "CC 346," "preponderance of evidence") signals unfamiliarity with the sources and may cost you marks on precision-based exam questions.

Private Security and Investigative Services Act, 2005, S.O. 2005, c. 34

Full citation as it appears in Ontario e-Laws. Abbreviated as PSISA in running text after first use.

Ontario Regulation 363/07

Full regulatory citation for the PSISA Code of Conduct. Abbreviated as O. Reg. 363/07 in running text.

PSISA Code of Conduct

Canonical short form for O. Reg. 363/07. Used in lesson content, quiz questions, and Registrar decisions.

Criminal Code s.122 (breach of trust by a public officer)

Section number + title parenthetical. Not "section 122" or "CC 122." Maximum sentence: 5 years imprisonment.

Criminal Code s.346 (extortion)

Section number + title parenthetical. Complete at the attempt; no minimum amount. Maximum: life imprisonment.

Criminal Code s.380 (fraud)

Captures false records, CCTV deletion for gain, information leakage for benefit. Section number + title parenthetical.

Criminal Code s.334 (theft)

Applies to theft from client premises. PSISA licence revocation follows automatically on conviction. Section number + title parenthetical.

PIPEDA

Acronym for Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. Not "the PIPEDA Act" or "PIPEDA legislation."

PIPEDA Schedule 1, Principle 7 (Safeguards)

Principle citation format: number + title in parentheses. Protects against unauthorised access to personal information.

PIPEDA Schedule 1, Principle 1 (Accountability)

Organisation is responsible for personal information in its control, including information handled by contracted third parties.

PIPEDA Schedule 1, Principle 2 (Identifying Purposes)

Collection only for purposes a reasonable person would consider appropriate in the circumstances.

PIPEDA Schedule 1, Principle 4 (Limiting Collection)

Collect only what is necessary for the identified purpose. No collection beyond the security function.

Ontario Human Rights Code, R.S.O. 1990, c. H.19

Full statutory citation on first use. Abbreviated as "the Code" or "Ontario Human Rights Code" in running text.

Public Service of Ontario Act, 2006, S.O. 2006, c. 35, Schedule A

Full citation including Schedule A — the whistleblower provisions are in Schedule A. Abbreviated as PSOA in running text.

ASIS International Code of Ethics

Full title. Not "ASIS code" or "ASIS ethics." Professional ethics standard for security professionals globally.

balance of probabilities

The Registrar's standard of proof for licence revocation. Not "preponderance of evidence" (US term) or "beyond a reasonable doubt" (criminal standard).

Human Rights Tribunal of Ontario

Full name. Abbreviated as HRTO. Not "Ontario Human Rights Tribunal."

Registrar of Private Security and Investigative Services

Full title. Abbreviated as "the Registrar" in running text. Administers the PSISA; appointed by the Ministry of the Solicitor General.

undue hardship

The threshold at which accommodation obligations under the Ontario Human Rights Code cease. Requires significant cost or genuine safety risk that cannot be mitigated by any reasonable alternative.

articulable grounds

Specific, verifiable, non-Code-based reasons for a differential security decision. Undocumented "instinct" does not meet this standard before the HRTO.

effects-based test

The HRTO's standard for discrimination: does the protected characteristic appear to have been a factor in the decision? Intent is irrelevant; effect is the test.

de novo

Describes the LAT hearing on appeal from a Registrar revocation decision. Fresh evidence can be presented; the hearing is not limited to the record before the Registrar. Burden shifts to the applicant to show suitability.

Lesson-by-lesson exam tips — what to memorise for each theme

The five most important things to know from each lesson before sitting the exam

Lesson 1 — The PSISA Code of Conduct: five exam essentials
  • The regulation number: O. Reg. 363/07 is the PSISA Code of Conduct. The exam always tests whether you know the regulation number, not just the Act number (PSISA, S.O. 2005, c. 34).
  • The four clusters of duty: lawful authority (force/detention/search), integrity (gratuities/uniform), professional conduct (no threats/no false statements), compliance (police/licence). Know all four clusters and what each covers.
  • Revocation standard: balance of probabilities, not beyond a reasonable doubt. A criminal conviction is not required. The Registrar can act on conduct findings from non-criminal proceedings.
  • The licence as a conditional grant: The Code applies even when off duty in uniform, even when no one is watching, even when the employer has said nothing. Personal obligation, not vicarious.
  • "I was told to" is not a defence: A supervisor's or employer's instruction to breach the Code does not discharge the individual guard's personal liability. The Code imposes personal obligations on every licensee.
Lesson 2 — Conflict of interest & gratuities: five exam essentials
  • The objective conflict-of-interest test: A conflict exists when a reasonable observer could conclude the interest might influence your judgment — not only if it actually did. The test is objective and appearance-based.
  • The gratuity test under O. Reg. 363/07: "Could reasonably be seen as compromising duties." No dollar-amount threshold in the statute. Employer policies may set a lower threshold; when they do, the stricter rule governs.
  • The three conflict categories: Financial (side-business with a person you oversee), Relational (family/partner/friend at the post), Positional (using role information to benefit a third party).
  • Non-disclosure is treated more harshly: An undisclosed conflict discovered after a security failure is an aggravating factor in both PSISA revocation proceedings and civil liability. Disclosure initiates management; it does not resolve the conflict.
  • The correct gratuity response sequence: decline immediately → document in the shift log → notify supervisor the same shift. Never accept first and declare later.
Lesson 3 — Criminal Code exposure: five exam essentials
  • s.346 is complete at the attempt: "Induces or attempts to induce." No payment, no minimum amount, no victim report required. Maximum: life imprisonment.
  • s.122 follows the function: A contracted guard at a government facility may be a "public officer" for s.122 purposes. The same conduct also satisfies s.380 (fraud) or s.334 (theft) where s.122 does not technically apply.
  • The three practical risk scenarios: (1) access-log manipulation for gain (s.346 + s.380 + potentially s.122), (2) theft from client premises (s.334 + automatic PSISA revocation), (3) information leakage to a competitor (s.380 + PIPEDA + Code breach).
  • Automatic PSISA revocation: A Criminal Code conviction involving dishonesty is an automatic basis for licence revocation under PSISA s.23. The administrative standard (balance of probabilities) means revocation can also follow even without a conviction.
  • Document verbatim and report this shift: If an implied bribe is offered, document the exact words spoken, the time and date, and the vehicle/person description. Report to supervisor and client the same shift. Your documentation is your protection.
Lesson 4 — Data handling & PIPEDA: five exam essentials
  • The four key principles: Principle 1 (Accountability — client is responsible for data, including what the guard does with it), Principle 2 (Identifying Purposes — collect only for appropriate purposes), Principle 4 (Limiting Collection — only what is necessary), Principle 7 (Safeguards — protect against unauthorised access).
  • Guard is custodian, not owner: The guard has no independent right to access, share, or retain personal information beyond what is necessary to discharge the assigned duty.
  • The data-request protocol: Police with warrant/production order → route to site manager. Police without warrant → do not unilaterally disclose; route to supervisor. Private investigators → require court order or written client consent; route to administration. Media → all media go to client's communications team.
  • Do not access data in connection with an unauthorised request: Even "just to check" whether the requestor's question can be answered is itself a PIPEDA Principle 7 violation. Decline first; do not preview.
  • Document every data-access request: Who asked, when, what they wanted, and what you said. Every request must be documented regardless of outcome.
Lesson 5 — Human rights at the post: five exam essentials
  • Effects-based test: Was the protected characteristic a factor in the decision? Intent is irrelevant. Unconscious bias meets the test.
  • The recognition trap: "I recognise that frequent visitor" only justifies differential treatment if the recognition-based exception is applied consistently regardless of race. If your recognition pattern is itself racially skewed, using it as the differentiator perpetuates racial discrimination.
  • Accommodation to the point of undue hardship: Significant cost or genuine, non-mitigable safety risk. Minor inconvenience, process disruption, or needing to perform an extra step do not qualify. Most modifications requested by persons with disabilities do not come close to undue hardship.
  • The lawful authority exception requires articulable grounds: Specific, verifiable, non-Code-based grounds. "Instinct" or "acting suspiciously" are not articulable grounds if they operate differently on racialized persons.
  • Document every stop and its grounds: Contemporaneous documentation of the specific, articulable, non-Code-based grounds for a stop is the only defence to an HRTO complaint. An undocumented stop has no competing record.
Lesson 6 — Whistleblowing & duty to report: five exam essentials
  • PSISA s.31 is mandatory: Cooperation with a Registrar investigation is not optional. Refusal is a PSISA s.44 offence. False statements to the Registrar are a separate s.44(1)(b) offence.
  • The five-step decision tree: (1) Criminal? → police. (2) PSISA Code breach? → Registrar. (3) Internal policy breach? → supervisor or HR. (4) Risk of retaliation? → keep a personal copy outside employer systems. (5) Breach by supervisor? → go above the supervisor.
  • Do not confront before reporting: Confrontation gives the wrongdoer the opportunity to destroy evidence and coordinate a story. Document and report first.
  • Keep a personal copy outside employer systems: Immediately after making the disclosure, email yourself a copy from a personal device. This is the decisive evidence if retaliation follows.
  • PSOA vs. common law: PSOA directly protects Ontario public servants. Private-sector security workers rely on common-law wrongful dismissal protection — but courts use the PSOA framework as the benchmark for what adequate protection looks like. The PSOA does not protect media disclosures; route to the Registrar or police, not to journalists.
Five decision sequences — what to do and in what order

The five most common ethics scenarios, step by step

These decision sequences consolidate the course content into the step-by-step procedures you will apply on the job and reconstruct on the exam. Each sequence maps to at least one exam question.

Sequence 1 — you are offered a gratuity

Correct sequence: decline → document → notify

Decline immediately

Decline professionally and non-confrontationally. Explain that you cannot accept gifts from clients or persons whose access you influence. Do not hold the item "just in case."

Document in your shift log

Record: time and date, the identity of the person who offered the gift, a description of the gift (value if known), and your refusal. Write it before leaving the post.

Notify your supervisor

Notify your supervisor the same shift. This allows the employer to decide whether a conversation with the facility operator is warranted and whether the guard's assignment needs to be reviewed.

If the offer involves a threat or inducement

If the offer was accompanied by a threat or inducement to deviate from your duty, it may be Criminal Code s.346 extortion. Notify supervisor and consider police involvement this shift.

Sequence 2 — you receive a data request from an unauthorised party

Correct sequence: decline → route → document

Decline the request

Decline professionally. Explain that security data requests must be directed to the site manager or administration, and that you are not the authorised person to receive or act on such requests.

Do not preview the data

Do not access CCTV footage, access logs, or any other personal information in connection with the requestor's query, even "just to check." Accessing data in connection with an unauthorised request is itself a PIPEDA Principle 7 violation.

Route to the correct authority

Direct the requestor to the site manager, security supervisor, or legal department. For police requests without a warrant: route to supervisor — do not unilaterally decide to disclose or to refuse.

Document the request

Record: time, date, description of the requestor (name/badge if given), what was requested, and your response. Every data request must be documented regardless of outcome.

Sequence 3 — you make a stop or ID request at the post

Correct sequence: apply consistently → document grounds → professional conduct

Identify the specific grounds

Before approaching, be able to state the specific, articulable, non-Code-based grounds for the stop: a verified suspect description, a specific behaviour observation, a security protocol that applies to all persons in this circumstance regardless of protected characteristics.

Apply consistently

If the protocol applies to this person, it applies to all comparably situated persons regardless of race, colour, ethnic origin, disability, gender identity, or other protected characteristic. If you would not apply it to a comparable white male, you cannot apply it to this person.

Conduct professionally

Conduct the interaction courteously and professionally. If the person has a disability, explore modifications. If they are wearing religious garments, do not require removal without exploring alternatives.

Document the stop and its grounds

Record: time, date, description of the person (without Code-protected characteristics), the specific grounds for the stop (e.g. "building access policy requires visitor verification for all persons without a pass"), and the outcome. Contemporaneous documentation is the only defence to a Code complaint.

Sequence 4 — you witness or discover a colleague's serious breach

Correct sequence: preserve evidence → report above the supervisor if involved → document → escalate if ignored

Do not confront the colleague

Confrontation gives the colleague the opportunity to destroy evidence, alter records, and coordinate a story before any investigation begins. Document your observation first; do not alert the wrongdoer.

Preserve the evidence

Note the specific evidence: the log entries, the CCTV timestamps, the shift records. Do not destroy, alter, or remove evidence. Make a contemporaneous record of what you observed, when, and how.

Report to the correct authority

If the supervisor is not involved: report to the supervisor. If the supervisor is involved or close to the wrongdoer: report to the supervisor's manager or HR. Criminal conduct: report to police. PSISA Code breach: report to the Registrar if internal channels fail.

Keep a personal copy outside employer systems

Immediately after making the disclosure, keep a personal copy of the report outside the employer's systems (e.g., email from a personal device to a personal address). This is the decisive evidence if retaliation follows.

Sequence 5 — you are approached by a driver/visitor offering a bribe

Correct sequence: refuse → do not engage → document verbatim → report this shift

Refuse access and the offer

Refuse both the access request and the implied or explicit offer. Do not ask "what are you offering?" Negotiating or even asking about the offer drags you into the Criminal Code s.346 extortion transaction.

Do not engage with the offer

Do not speculate about what the offer was, do not describe the offer as a conditional threat to the driver (this can complicate your account), and do not attempt to determine the value. Disengage from the transaction entirely.

Document the driver's exact words verbatim

Record the driver's exact words, the time and date, vehicle description, license plate if visible, and your exact response. Verbatim documentation of the offer is your protection if the matter is later investigated by police or the Registrar.

Report to supervisor and client this shift

Report to your supervisor and to the client within the same shift. If the offer is repeated or the driver persists, contact police. Your documentation is your protection — it establishes that you refused and reported immediately.

Cross-framework comparison — five legal sources at a glance

How each of the five legal sources governs a common security scenario

The table below shows how each of the five legal frameworks applies to three common security scenarios. Understanding these intersections is the key to answering the exam's synthesis question (q.30).

Scenario O. Reg. 363/07 Criminal Code PIPEDA Human Rights Code Duty to report
Accepting a $100 gift card from a facility operator Breach — gratuity compromising duties No criminal offence (voluntary gift). But if solicited: s.346 extortion. Generally not a PIPEDA issue unless data is exchanged. Not a Human Rights Code issue unless connected to access discrimination. Decline, document, notify supervisor. If solicited: report to Registrar.
Deleting CCTV footage in exchange for cash Breach — false record; integrity Criminal — s.380 fraud; s.346 if demanded; potentially s.122 Breach — PIPEDA Principles 5 and 7 If selective deletion based on race: Human Rights Code breach. Report to Registrar and police. Preserve evidence before acting.
Stopping only racialized persons for ID verification Breach — professional conduct; intimidation Generally not Criminal Code unless harassment rises to criminal level (s.264). PIPEDA engaged if verification results in collection of personal data. Breach — race/colour discrimination; effects-based test Internal report through HR. Potential Registrar referral. Document articulable grounds for every stop.
Sharing a subject's incident report with a media outlet Breach — integrity; false statements if inaccurate If gain obtained: potentially s.380 fraud. Breach — PIPEDA Principles 5 and 7; OPC enforcement available If disclosure of personal information includes protected characteristics: potential Human Rights Code implications. Client must be notified immediately. Registrar may be notified. Internal investigation required.
Falsifying patrol log entries Breach — false statements in records Criminal — s.380 fraud if client is billed for unperformed work If records are personal information about subjects: potentially PIPEDA Principle 1 (accountability). Not a Human Rights Code issue unless the falsification is connected to discriminatory conduct. Report above supervisor if supervisor is involved. Preserve CCTV evidence. Report to Registrar if internal channel fails.
PSISA escalation timeline — from breach to licence revocation

How a PSISA Code of Conduct investigation unfolds

Stage 1
Trigger — complaint or investigation initiated

A complaint is made to the Registrar by a member of the public, a client, a police service, or the Registrar's own initiative. The Registrar may also initiate an investigation based on a media report or a court proceeding. The trigger does not need to be a complaint from the direct victim of the conduct.

Stage 2
Investigation — PSISA s.31 cooperation obligation activates

The Registrar's investigator contacts the licensee. PSISA s.31 requires the licensee to cooperate — answer questions honestly and completely, produce records, and not obstruct the investigation. Refusing to cooperate is itself a PSISA s.44 offence. Giving a false or misleading statement is a separate s.44(1)(b) offence.

Stage 3
Notice of proposal — Registrar proposes to revoke or suspend

If the investigation supports a finding of misconduct, the Registrar issues a Notice of Proposal to revoke or suspend the licence. The licensee has a right to a hearing before the Licence Appeal Tribunal (LAT) before the proposal takes effect.

Stage 4
LAT hearing — de novo review; burden on licensee

The LAT hearing is de novo — fresh evidence can be presented and the record is not limited to what was before the Registrar. However, the burden shifts to the licensee to demonstrate suitability. LAT decisions are publicly accessible and are routinely cited in subsequent Registrar decisions and court proceedings.

Stage 5
Revocation — permanent bar unless leave obtained

A revocation permanently bars the individual from holding a PSISA licence unless they obtain leave from the LAT to reapply. Courts have upheld revocations for dishonesty offences, violence offences, licence misuse, and false statements in licence applications. The balance-of-probabilities standard means a criminal conviction is not required for revocation.

Key distinctions — common exam confusions

Eight distinctions that trip up exam candidates

O. Reg. 363/07 gratuity test vs. Criminal Code bribery

The O. Reg. 363/07 gratuity prohibition applies when a gratuity could reasonably appear to compromise duties — no intent to influence required. Criminal Code bribery (ss. 119–124) requires intent to influence. A guard can breach O. Reg. 363/07 by accepting a restaurant meal without any intent to be influenced, because the Code's test is objective and appearance-based.

PIPEDA Principle 7 (Safeguards) vs. Principle 1 (Accountability)

Principle 1 is the governance principle: the organisation is responsible for personal information it controls. Principle 7 is the operational principle: personal information must be protected against unauthorised access. The exam frequently tests which principle applies to a specific guard action. Accessing CCTV footage for an unauthorised requestor is a Principle 7 violation (safeguards). Being held responsible for a contractor guard's breach is a Principle 1 issue (accountability).

s.346 extortion (complete at the attempt) vs. s.380 fraud (requires a false representation)

Extortion under s.346 is complete at the attempt to induce — no payment needs to change hands and no false representation is required. Fraud under s.380 requires a dishonest act (including a false representation) that causes or risks deprivation. A guard who implies "problems can go away" for cash commits extortion. A guard who submits false patrol reports to obtain payment for unperformed work commits fraud. Both can apply simultaneously to the same fact pattern.

HRTO effects-based test vs. discriminatory intent

The Ontario Human Rights Code does not require proof of discriminatory intent. The test is whether the protected characteristic was a factor in the decision — even an unconscious one. A guard who stops racialized persons more frequently than white persons in identical circumstances has established a prima facie case of racial discrimination regardless of whether the guard consciously intended to discriminate. Intent can be relevant to remedy, not to the initial finding of discrimination.

PSOA whistleblower framework (public servants) vs. common-law protection (private sector)

The PSOA directly protects Ontario public servants. Private-sector security workers do not have PSOA protection directly. Their protection comes from the common law (wrongful dismissal for good-faith reporting of illegal conduct) and from the PSISA s.31 cooperation framework. Ontario courts have used the PSOA as the benchmark standard when assessing private-sector whistleblower dismissals, but the statutory protection applies only to public servants.

Undue hardship (high bar) vs. minor inconvenience (does not qualify)

The OHRC sets a high bar for undue hardship: significant cost assessed against total organisational resources, or a genuine safety risk that cannot be mitigated by any reasonable alternative. Minor inconvenience, process disruption, or the need for a staff member to perform an additional step do not meet the threshold. Most security modifications requested by persons with disabilities — a private screening area, a chair during a prolonged check, a modified communication approach — do not come close to undue hardship.

Licence revocation (balance of probabilities) vs. criminal conviction (beyond a reasonable doubt)

The Registrar revokes on the balance of probabilities. A criminal conviction is not required. A finding of conduct incompatible with the Code — even from a non-criminal proceeding like an HRTO complaint, a civil judgment, or a Registrar investigation — is sufficient. Guards who think "I was never convicted" therefore cannot be revoked are mistaken about the standard of proof that applies.

Employer policy (de minimis gift rule) vs. O. Reg. 363/07 (no dollar threshold)

Employer policies may set a $25–$50 internal gift threshold as a practical bright line. This is a policy rule — not a statutory threshold. O. Reg. 363/07 has no dollar-amount floor. A $15 gift from the operator of a facility the guard oversees can breach the Code because the source-and-control relationship makes even a modest gift appear to compromise duties. When in doubt, apply the Code's objective test, not the employer's dollar limit.

Sample exam questions 21–30 — advanced and synthesis

The final ten questions test deeper integration of the five legal frameworks

Questions 21–30 increasingly require you to apply multiple frameworks simultaneously — exactly what happens in real security ethics decisions. Work through all ten before sitting the full exam.

Correct answer: (d) Decline immediately if the gratuity could compromise their duties, document the offer, and notify their supervisor.

Why: O. Reg. 363/07 prohibits accepting gratuities that could compromise security duties. When a prohibited gratuity is offered, the guard must: (a) decline immediately and professionally; (b) document the offer in the shift log; and (c) notify the supervisor the same shift. Acceptance followed by subsequent declaration is not compliance. The Code has no statutory de minimis dollar-value exception. A gratuity offer is not extortion by the offeror — extortion requires a threat or inducement to obtain something, not a voluntary offer.

Correct answer: (d) PIPEDA's safeguards and limiting-use principles, and potentially Criminal Code s.380 if a benefit was obtained.

Why: An unauthorised disclosure of personal information violates PIPEDA Principles 5 (limiting use, disclosure, and retention) and 7 (safeguards). If the guard obtained a personal benefit from the disclosure, Criminal Code s.380 (fraud) may also be engaged. The OPC has consistently held that CCTV footage of persons in publicly accessible spaces is personal information subject to PIPEDA — collection in a public space does not make the footage public property. s.184 (interception of private communications) applies to intercepting communications, not to disclosure of already-captured footage.

Correct answer: (d) Except as required by law.

Why: The ASIS International Code of Ethics requires members to maintain the confidentiality of information obtained in their professional role, except as required by law. This mirrors the PIPEDA framework — a licensed professional may not disclose client information without authority, but cannot refuse disclosure when legally compelled (court order, production order, mandatory reporting obligation). The ASIS Code protects all information obtained in the professional role — including information about subjects — and professional confidentiality obligations do not expire at the end of a contract.

Correct answer: (d) More seriously than a disclosed conflict that was actively managed.

Why: Regulators, courts, and professional ethics bodies consistently treat undisclosed conflicts as more serious than disclosed conflicts that were managed. Disclosure initiates the management process and demonstrates good faith. Non-disclosure — particularly when discovered after a security failure — suggests the guard knew the conflict could affect their judgment and chose to conceal it. This inference is an aggravating factor in both PSISA revocation proceedings and civil liability assessments. Non-disclosure of a conflict of interest is not automatically criminal, but it is a separate ethical breach from the conflict itself.

Correct answer: (d) Breached the PSISA Code of Conduct and may face licence revocation.

Why: O. Reg. 363/07 prohibits a guard from using their licence or uniform to advance a personal interest. This provision prevents guards from leveraging their apparent authority — the uniform, the badge, the licence — to obtain advantages, intimidate persons, or carry out personal agendas under the cover of their security role. Harm to a member of the public is not a required element of the Code breach. The Code breach may also constitute a Criminal Code offence if the misuse involves fraud (s.380), extortion (s.346), or impersonation (s.403), but the PSISA breach is the direct regulatory consequence.

Correct answer: (d) Report to the supervisor's manager or HR; if internal reporting is inadequate, escalate to the PSISA Registrar or police.

Why: When the wrongdoing involves the supervisor, reporting to that supervisor does not discharge the duty. The escalation path is: supervisor's manager or HR first; Registrar for PSISA Code breaches; police for Criminal Code offences. Not all supervisory wrongdoing is criminal — log falsification may be a Code breach but some conflicts and policy breaches are non-criminal. Anonymous reporting is better than silence but has the significant weakness of being unverifiable and easily dismissed without the specific evidence the identified reporter can provide.

Correct answer: (d) Explore and implement reasonable modifications to screening protocols before concluding accommodation is impossible.

Why: The accommodation duty requires the service provider to engage in a process — not simply conclude that accommodation is impossible without exploring alternatives. The duty is to accommodate individual needs to the point of undue hardship — not to provide a blanket separate lane at every facility. A complete bypass of security screening for all claimed-disability persons would undermine the security function and is not required. Private security operators at commercial and residential premises have full Code obligations, including the accommodation duty.

Correct answer: (d) One that a reasonable person would consider appropriate in the circumstances.

Why: PIPEDA Schedule 1, Principle 2 (Identifying Purposes) requires that the purposes for which personal information is collected must be identified at or before the time of collection, and must be purposes that a reasonable person would consider appropriate in the circumstances. Commercial utility is not the test. A contract that purported to authorise the security firm to sell subject data to third parties would not make that purpose PIPEDA-compliant — PIPEDA's reasonable-person standard is not waivable by contract. While Principle 2 requires identification of purposes at or before collection, it does not necessarily require personal disclosure to every subject in real time; facility security surveillance may be communicated through posted notices.

Correct answer: (d) Escalate to the PSISA Registrar for Code of Conduct breaches, or to police for Criminal Code offences, and keep documented records.

Why: Making an internal report to a person who ignores it does not discharge the professional obligation when the breach is serious. The PSISA s.31 cooperation obligation and the ASIS International Code of Ethics both require the guard to ensure that serious breaches are brought to the attention of a body with authority to act. The PSISA Registrar has authority to investigate licensee conduct independently of employer complaint processes. Media disclosure is not a recognised escalation path — it exposes the guard to liability (defamation, PIPEDA). Documented records of both the initial report and the lack of response are the guard's protection.

Correct answer: O. Reg. 363/07 (PSISA Code of Conduct) + Criminal Code (ss.122/346/380/334) + PIPEDA (data protection, Principles 1/2/4/7) + Ontario Human Rights Code (effects-based non-discrimination) + duty to report framework (PSISA s.31 + PSOA + common law whistleblower protection).

Why: The integrated ethical standard for licensed security workers draws from all five sources simultaneously. A guard who accepts a gratuity from a vendor (Code breach) and grants them unauthorised access (Code breach + potential Criminal Code) while failing to document (PIPEDA breach) and choosing the vendor on the basis of ethnic origin (Human Rights Code breach) has committed four simultaneous violations. Understanding each source separately and as an integrated whole is what makes an ethical security officer defensible in every direction. No single framework provides complete coverage — all five must be understood and applied simultaneously on every shift.

Take the full 30-question certificate exam now

After you pass — what the Stafferin Security Ethics certificate means

Your certificate and what it documents

Passing the 30-question Stafferin Security Ethics certificate examination at 20/30 or higher earns you a digital certificate that documents your completion of the six-lesson Security Ethics & Professional Conduct course. The certificate records:

  • The date of completion and the score achieved.
  • The six lesson titles and the five legal frameworks covered.
  • The certificate number, which is verifiable through the Stafferin platform.

How to use your certificate: Include the certificate in your professional training record maintained by your employer (most licensed security firms are required to maintain training records for their licensees). The certificate demonstrates that you have studied the PSISA Code of Conduct, conflict-of-interest rules, Criminal Code exposure, PIPEDA obligations, Human Rights Code obligations, and the whistleblower framework at the level tested in this course.

What the certificate is not: The Stafferin certificate is a self-study educational achievement — it is not a professional licence, a PSISA training programme approval, or a formal certification body credential. It supplements, and does not replace, your PSISA licensing requirements, your employer's mandatory training programme, or any accredited professional certification (CPP, PSP, etc.).

Source pack · every claim in this course

The 22 citations behind the six lessons

Tier 1 sources are statutes, regulations, and authoritative government guidance. Tier 2 sources are professional codes and standards. Every claim in the course traces back to one of these sources. We encourage you to follow the links and read the originals in their authoritative form.

Criminal Code offences — detailed legal notes for exam preparation

Understanding the three overlapping Criminal Code regimes

The three most commonly tested Criminal Code provisions in the Security Ethics exam (ss.122, 346, and 380) are closely related and can apply simultaneously to the same fact pattern. Understanding how they overlap — and where each one's unique elements lie — is essential for answering synthesis questions.

  • s.122 (breach of trust by a public officer): Requires (a) the accused be a public officer, (b) a breach of trust, and (c) the breach is in connection with the duties of the office. The "public officer" element is the critical battleground for security professionals — courts have extended it to contractors performing public functions at government facilities. The maximum sentence is 5 years. Where s.122 cannot be proven (e.g., the guard is not in a public-function role), the same facts usually support s.380 (fraud) or s.334 (theft).
  • s.346 (extortion): Requires (a) a threat, accusation, menace, or violence, (b) used to induce a person to do anything, (c) without reasonable justification or excuse, (d) with intent to obtain anything. The phrase "induces or attempts to induce" makes the offence complete at the attempt — no payment, no actual compliance, and no minimum amount required. An implied offer ("I can make this problem go away") is enough. Maximum: life imprisonment.
  • s.380 (fraud): Requires (a) a dishonest act (false representation, fraudulent device, or other dishonest means), (b) that causes or risks depriving the victim of property, money, or a valuable security. Falsified patrol records are fraud where the client is billed for unperformed work. Information leakage for personal gain can be fraud. The key distinction from extortion: s.380 requires a dishonest act (not just a threat), while s.346 requires an inducement (not necessarily a false statement). Both can apply to the same conduct simultaneously.

In practice, a guard who demands a payment in exchange for not flagging a security issue commits: s.346 extortion (the demand + inducement), potentially s.380 fraud (if false records are created), and potentially s.122 if the guard is at a public-function facility. The Registrar will initiate licence revocation proceedings under PSISA s.23 automatically upon a conviction for any of the three.

PIPEDA Schedule 1 — all ten fair-information principles and their relevance to security work

Understanding the full PIPEDA framework, not just the four key principles

While the exam focuses on Principles 1, 2, 4, and 7 as most directly relevant to security workers, understanding all ten principles gives you a complete picture of how PIPEDA governs personal information handling. Each principle has at least some relevance to security data.

  • Principle 1 — Accountability: The organisation is responsible for personal information it controls, including information handled by contracted third parties. The security firm and the client are jointly implicated in any PIPEDA breach by a guard.
  • Principle 2 — Identifying Purposes: Purposes must be identified at or before collection and must be appropriate in the circumstances. Facility security is an appropriate purpose for CCTV; selling the footage is not.
  • Principle 3 — Consent: Personal information must generally be collected with the knowledge and consent of the individual. In security contexts, consent is often implied by the visible presence of CCTV notices in a facility — but the form of consent must be appropriate to the sensitivity of the information.
  • Principle 4 — Limiting Collection: Collect only what is necessary for the identified purpose. Guards cannot collect personal information beyond what security requires.
  • Principle 5 — Limiting Use, Disclosure, and Retention: Use personal information only for the identified purpose; disclose only with consent or as required by law; retain only as long as necessary. CCTV footage must be retained for no longer than the defined retention period unless a legal hold applies.
  • Principle 6 — Accuracy: Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used. Incident reports must be accurate; falsifying them violates Principle 6 in addition to constituting a Code breach.
  • Principle 7 — Safeguards: Personal information must be protected by security safeguards appropriate to sensitivity. The most directly applicable principle to day-to-day security data handling.
  • Principle 8 — Openness: The organisation must be open about its policies and practices relating to the management of personal information. This is an organisational obligation, not a guard-level obligation, but guards should understand what privacy policy governs their site.
  • Principle 9 — Individual Access: Individuals have a right to access personal information the organisation holds about them and to challenge its accuracy. A member of the public may request access to CCTV footage that shows them — that request goes to the client organisation, not to the guard.
  • Principle 10 — Challenging Compliance: An individual may challenge an organisation's compliance with any of the fair-information principles by making a complaint to the Office of the Privacy Commissioner of Canada (OPC). The OPC has authority to investigate and issue findings; Federal Court enforcement proceedings are available where the organisation fails to comply with OPC findings.
Ontario Human Rights Code — detailed notes on protected grounds and HRTO remedies

The Code's protected grounds and the remedies the HRTO can award against security firms

The Ontario Human Rights Code, R.S.O. 1990, c. H.19 protects the following grounds in the provision of services (which includes security services): race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, gender identity, gender expression, age, marital status, family status, and disability. Gender identity and gender expression were explicitly added in 2012. Record of offences is protected in employment but not in services.

When the HRTO finds that a security operator has engaged in discriminatory conduct, it can award the following remedies:

  • Monetary compensation for injury to dignity, feelings, and self-respect — amounts typically ranging from a few thousand dollars to tens of thousands of dollars depending on the severity of the discrimination and the complainant's personal circumstances.
  • Compensation for lost wages or opportunities if the discrimination affected the complainant's employment or access to services in a way that caused financial loss.
  • Order to implement systemic remedies — mandatory training, revised security protocols, independent auditing of stop-and-search records, and reporting obligations to the HRTO over a specified period.
  • Public interest remedies — the HRTO can require a respondent to develop and publish a non-discrimination policy, to post notices in the workplace, or to retain an external consultant to oversee implementation.

The HRTO's systemic remedy authority is especially significant for security firms: a finding of systemic racial profiling can require the firm to audit all post-based stop records, submit annual diversity reports, and implement mandatory anti-racism training for all guards. These remedies run for 2–3 years after the HRTO order.

PSOA whistleblower framework — detailed notes on the disclosure mechanism

How the PSOA ss.108–116 regime works and what "in good faith" requires

The Public Service of Ontario Act, 2006, S.O. 2006, c. 35, Schedule A, ss.108–116 establish four key requirements for a protected disclosure:

  • (a) Good faith: The disclosure must be made in good faith — meaning the discloser genuinely and reasonably believes the conduct constitutes wrongdoing. A disclosure made for the purpose of harassing a colleague, or a disclosure the discloser knows to be false, is not protected. The "reasonably believes" standard is objective: would a reasonable person in the discloser's position, knowing what the discloser knew, believe the conduct was wrongdoing?
  • (b) Reasonable belief: The discloser must reasonably believe the conduct is wrongdoing. The categories of wrongdoing covered by the PSOA are: contraventions of Ontario or federal law; gross mismanagement of public funds or assets; serious and substantial dangers to health and safety; and conduct directed at retaliating against a whistleblower. The discloser does not have to be right — they have to reasonably believe they are right.
  • (c) Proper channel: The disclosure must be made through a proper channel. For PSOA purposes, this means the person's supervisor, the Integrity Commissioner of Ontario, or in specified urgent circumstances a law enforcement body. Disclosures to media are not a protected channel under the Act.
  • (d) No adverse employment action: An employer who takes adverse employment action against a PSOA-protected discloser commits a breach of the Act. The Integrity Commissioner can investigate retaliation and recommend remedies. A dismissed public servant may have reinstatement rights under the Act.

For private-sector security workers, the practical equivalent of these requirements is established by the common law. A dismissed private-sector employee must show: (a) they made a disclosure to an appropriate authority; (b) the disclosure was made in good faith and related to illegal or seriously improper conduct; (c) the employer's termination was connected to the disclosure rather than to a legitimate business reason; and (d) the employee suffered a loss. The courts apply these criteria with reference to the PSOA framework as a benchmark for what an adequate whistleblower protection regime looks like.

Extended field rules — eight additional rules for the exam

Eight additional rules that extend the twelve field rules from earlier in this supplement

  • Rule 13. Uniform + badge + licence = state-delegated professional authority. Using them for personal purposes is a Code breach regardless of outcome. Ontario Registrar decisions have found PSISA Code breaches for using the guard's uniform to intimidate a former landlord in a personal rental dispute.
  • Rule 14. Wrongdoing by supervisor → supervisor's manager or HR → Registrar (PSISA) or police (Criminal Code) → document everything → keep personal copies outside employer systems.
  • Rule 15. Apply ID requests consistently across protected characteristics. Differential application = prima facie Code discrimination. Have specific, articulable, non-Code-based grounds for every differential decision.
  • Rule 16. ASIS Code = avoid conflicts of interest, don't discredit the profession, maintain client confidentiality, comply with law. These four obligations work in concert with the PSISA Code of Conduct and are tested on the exam.
  • Rule 17. Collect only what is necessary for the security purpose. Retain only as long as required. Do not use personal information collected in one context for a purpose beyond that context (the collection-purpose anchor).
  • Rule 18. Known Code breach → report. Above the supervisor if the supervisor is involved. To the Registrar if internal reporting fails. Document and keep a personal copy. Silence is legally untenable once you have knowledge of the breach.
  • Rule 19. Ignored internal report → Registrar (PSISA breach) or police (criminal) → document every step → keep personal copies outside employer systems. The Registrar can investigate independently of the employer's internal processes.
  • Rule 20. The five-source integrated standard: O. Reg. 363/07 + Criminal Code + PIPEDA + Human Rights Code + duty to report. All five apply simultaneously on every shift. Security ethics failures are rarely single-source.
Regulatory timeline — Ontario private security from 1990 to today

How Ontario's security regulation evolved into the current PSISA framework

Understanding the history of Ontario's private security regulation helps explain why the PSISA Code of Conduct is structured as it is, and why certain provisions — especially the balance-of-probabilities revocation standard and the enumerated duties in O. Reg. 363/07 — were designed as they were.

1990
Private Investigators and Security Guards Act (PISGA) enacted

The first Ontario statute specifically governing private security. The 1990 Act required licensing but set relatively limited substantive obligations. Conduct standards were largely employer-driven, and enforcement mechanisms were weak. A guard who engaged in serious misconduct at one firm could readily move to another without regulatory consequence.

2005
Private Security and Investigative Services Act (PSISA) enacted

The PSISA, S.O. 2005, c. 34 replaced the 1990 Act and introduced: mandatory minimum training requirements for new licensees; standardised training programs for security guards and private investigators; a statutory Code of Conduct (later codified in O. Reg. 363/07); and an administrative revocation regime with a balance-of-probabilities standard administered by the Registrar.

2007
Ontario Regulation 363/07 (PSISA Code of Conduct) comes into force

O. Reg. 363/07 codified the specific enumerated duties for security guards and private investigators: lawful authority, integrity (including the gratuity prohibition), professional conduct (no threats, no false statements), and compliance (cooperate with police, carry and produce the licence). The regulation made the Code a statutory obligation binding on every licensee from the moment of licensing.

2012
Ontario Human Rights Code amended to add gender identity and gender expression

The Ontario Human Rights Code was amended to explicitly add gender identity and gender expression as protected grounds in all areas covered by the Code, including services. This amendment directly affects security guards performing screening and access-control functions, who must now apply consistent protocols regardless of a person's gender identity or gender expression.

Present
Current PSISA framework — five overlapping legal sources

The current Ontario private security ethics landscape involves O. Reg. 363/07, the Criminal Code, PIPEDA (enacted 2000, regularly updated through OPC enforcement), the Ontario Human Rights Code, and the PSOA whistleblower framework — all applying simultaneously. The Registrar enforces O. Reg. 363/07; the OPC enforces PIPEDA; the HRTO enforces the Human Rights Code; and the courts enforce the Criminal Code. All five operate independently and can lead to separate adverse outcomes for the same conduct.

Quick-fire review — ten rapid-answer questions

Test your recall before the full exam — no multi-choice, just answer from memory

Read each question and formulate your answer before expanding the panel. These questions are designed to be answered from memory in under 15 seconds each.

Ontario Regulation 363/07, made under the Private Security and Investigative Services Act, 2005, S.O. 2005, c. 34.

Life imprisonment. The same maximum as murder, kidnapping, and armed robbery.

At the attempt to induce — no payment needs to change hands, and no minimum amount is required.

Balance of probabilities — not beyond a reasonable doubt. A criminal conviction is not required.

PIPEDA Schedule 1, Principle 7 (Safeguards). It requires safeguards appropriate to the sensitivity of the information.

Whether race was a factor in the decision — intent to discriminate is not required. The test is effects-based.

The cooperation obligation — every licensee must cooperate with a Registrar investigation. Refusal is a PSISA s.44 offence.

Financial (side-business relationship with a person/entity you oversee), Relational (family member/romantic partner/close friend at the post), and Positional (using information from your role to benefit a third party other than the client).

As soon as the security provider is aware or ought reasonably to be aware of the need for accommodation — a formal written request is not required.

(1) O. Reg. 363/07 (PSISA Code of Conduct), (2) Criminal Code (ss.122/346/380/334), (3) PIPEDA (data handling), (4) Ontario Human Rights Code (non-discrimination in services), and (5) duty to report framework (PSISA s.31 + PSOA + common law).

Acronym reference — all abbreviations used in this course

Every acronym you will see in the lessons and on the exam

The exam questions use these acronyms in their standard form. Knowing which acronym refers to which statute, regulation, or body is a basic exam-readiness requirement.

  • PSISA — Private Security and Investigative Services Act, 2005, S.O. 2005, c. 34 (Ontario)
  • O. Reg. 363/07 — Ontario Regulation 363/07, the PSISA Code of Conduct
  • PIPEDA — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (federal)
  • OHRC — Ontario Human Rights Code, R.S.O. 1990, c. H.19
  • HRTO — Human Rights Tribunal of Ontario
  • PSOA — Public Service of Ontario Act, 2006, S.O. 2006, c. 35, Schedule A
  • OPC — Office of the Privacy Commissioner of Canada
  • ASIS — ASIS International (formerly American Society for Industrial Security); a global private security professional association
  • CPP — Certified Protection Professional (ASIS International designation)
  • PSP — Physical Security Professional (ASIS International designation)
  • LAT — Licence Appeal Tribunal of Ontario
  • CC — Criminal Code of Canada (R.S.C., 1985, c. C-46)
  • s.122 — Criminal Code section 122 (breach of trust by a public officer)
  • s.346 — Criminal Code section 346 (extortion)
  • s.380 — Criminal Code section 380 (fraud)
  • s.334 — Criminal Code section 334 (theft)
  • PSISA s.31 — PSISA section 31 (cooperation obligation with Registrar)
  • PSISA s.23 — PSISA section 23 (Registrar's authority to revoke or refuse to renew a licence)
  • PSISA s.44 — PSISA section 44 (offences, including failing to cooperate with the Registrar)
  • PSOA ss.108–116 — Public Service of Ontario Act, 2006, ss.108–116 (whistleblower protection provisions)
Regulatory body map — who enforces what

Five regulatory bodies and their jurisdiction over Ontario security professionals

Each of the five legal frameworks covered in this course is enforced by a different regulatory or administrative body. Understanding which body handles which type of breach is essential for the duty-to-report lesson and for the exam.

Regulatory Body Legal framework What it can do to a security guard Standard of proof
Registrar of Private Security and Investigative Services (Ministry of the Solicitor General) PSISA + O. Reg. 363/07 Refuse to renew, suspend, or revoke the PSISA licence. Impose conditions on a renewed licence. Refer criminal conduct to police. Balance of probabilities — a criminal conviction is not required.
Crown Attorney + Ontario / Superior Court of Justice Criminal Code of Canada Prosecute and convict for extortion (s.346), breach of trust (s.122), fraud (s.380), or theft (s.334). Sentence ranges from conditional discharge to life imprisonment. Beyond a reasonable doubt — the criminal standard.
Office of the Privacy Commissioner of Canada (OPC) PIPEDA, S.C. 2000, c. 5 Investigate complaints; issue findings; require corrective action (retraining, policy changes, oversight). Federal Court enforcement proceedings available where OPC findings are ignored. Not specified in statute; OPC applies a preponderance standard in practice.
Human Rights Tribunal of Ontario (HRTO) Ontario Human Rights Code, R.S.O. 1990, c. H.19 Find discrimination; award monetary compensation (injury to dignity); order systemic remedies (training, audits, policy changes); recommend systemic investigations to the Ontario Human Rights Commission. Balance of probabilities — effects-based, not intent-based.
Integrity Commissioner of Ontario + Ontario courts (civil) PSOA ss.108–116 + common law Investigate retaliation against public-servant whistleblowers; recommend reinstatement or other remedies. For private-sector guards: courts can award wrongful dismissal damages for retaliatory termination. Balance of probabilities (civil standard).
Certificate exam structure — detailed breakdown

How the 30 questions are distributed and what each question looks like

Every question on the 30-question Stafferin Security Ethics certificate exam has the same format: a context note (one sentence explaining what the question tests), the question stem (typically a scenario or a direct statutory-knowledge question), four options (one correct, three plausible distractors), the correct answer, and a "why" explanation that cites the relevant source.

  • Questions 1–5 (PSISA Code of Conduct): Statute identification (O. Reg. 363/07 number), gratuity test (objective appearance standard), Registrar authority (balance of probabilities), ASIS Code (avoid conflicts, avoid discredit), conflict-of-interest definition (objective test).
  • Questions 6–10 (Conflict of interest & gratuities): Extortion complete at the attempt (s.346), s.122 scope (public-function contractors), PIPEDA accountability principle (Principle 1), PIPEDA police disclosure (s.7(3) + route to site manager), PIPEDA safeguards (Principle 7 identification).
  • Questions 11–15 (Criminal Code exposure): Human Rights Code protected grounds (full list including gender identity), Registrar revocation authority, accommodation duty (to the point of undue hardship), differential ID request (prima facie discrimination), PSOA whistleblower coverage (contraventions + gross mismanagement + health/safety danger).
  • Questions 16–20 (PIPEDA): CCTV sharing with police (route to site manager), duty to report colleague's breach (appropriate channel above supervisor), lawful authority exception (specific articulable non-Code grounds), PI demanding payment (s.346 extortion), limiting collection (Principle 4 — only what is necessary).
  • Questions 21–25 (Human rights): Minimum response to gratuity offer (decline/document/notify), media disclosure of personal information (PIPEDA Principles 5+7 + s.380 if gain obtained), ASIS confidentiality (except as required by law), undisclosed conflict (treated more harshly than disclosed), uniform/licence for personal purpose (Code breach + potential revocation).
  • Questions 26–30 (Whistleblowing & synthesis): Escalation path when supervisor is implicated (manager/HR → Registrar/police), accommodation process (explore before declaring impossible), PIPEDA Principle 2 (reasonable person appropriate purpose), ignored internal report (escalate to Registrar/police), synthesis — the five-source integrated standard.

The pass threshold is 20 correct out of 30 (67%). Each question is worth one mark. There is no partial credit, no negative marking, and no time limit. If you fail, you can review the questions you missed and retake immediately — there is no waiting period.

Professional development resources — reading beyond this course

Primary sources every security ethics professional should read directly

This course synthesises the key provisions of five legal frameworks into lesson-sized units. For professional development beyond the exam, reading the primary sources directly is strongly encouraged. Each link below goes to the authoritative government source for the relevant statute, regulation, or professional code — the same sources cited in every lesson and every exam question.

These seven primary sources are the complete citation pack for this course. Every claim in every lesson and every exam question traces back to one of them. Reading them directly — not just through this course's synthesis — is the mark of a security professional who takes the legal framework seriously.

Related modules in the Stafferin Security Field Training series

Where Security Ethics fits in the Stafferin training curriculum

Security Ethics & Professional Conduct is Module 38 in the Stafferin Security Field Training series. It is designed to be taken early in any security professional's continuing education — ideally before or alongside the legal-framework modules — because the ethical obligations it covers are foundational to every other module's practical application.

  • Use of Force & De-Escalation (Module 27): The lawful-authority pillar of O. Reg. 363/07 (Criminal Code ss.25/494, proportionality, use of force continuum) is the legal framework for use-of-force decisions. The Professional Conduct pillar's prohibition on threatening or intimidating persons directly governs de-escalation requirements. Ethics and use-of-force are two sides of the same coin.
  • Access Control & Facility Security: The PIPEDA data-handling obligations covered in this course apply directly to every access-control system, CCTV network, and visitor register used in facility security operations. A facility security officer who does not understand PIPEDA Principle 7 is a liability for their employer.
  • Incident Reporting & Documentation: The false-statements prohibition in O. Reg. 363/07, the Criminal Code s.380 fraud exposure from falsified reports, and the HRTO documentation imperative (articulable grounds for every differential decision) make incident reporting ethics inseparable from the documentation skills taught in dedicated reporting modules.
  • Workplace Violence & Harassment Prevention: The Human Rights Code obligations covered in this course — especially the accommodation duty for disability and the prohibition on creed discrimination — overlap directly with workplace violence and harassment prevention frameworks. An officer who understands the HRTO's effects-based test is better positioned to identify and respond to harassment incidents at the post.
  • Fire Emergency Response (Module 37): The PIPEDA data-handling obligations and the duty to report wrongdoing both apply in fire-emergency contexts — for example, a guard who discovers that fire safety records have been falsified has the same duty to report as a guard who discovers patrol records have been falsified.

Completing Security Ethics & Professional Conduct before or alongside other modules helps you apply the ethical framework to every practical skill you develop. The five legal sources covered in this course — O. Reg. 363/07, Criminal Code, PIPEDA, Human Rights Code, and the duty to report framework — operate as background rules in every security scenario.

Pre-exam summary — the 20 most tested facts in this course

Twenty facts that appear most frequently across the 30 exam questions

Each of these facts is tested directly in at least one of the 30 exam questions. If you can state each one from memory before sitting the exam, you are well-prepared for a passing score.

  • 1. O. Reg. 363/07 is the PSISA Code of Conduct regulation number.
  • 2. The Registrar revokes PSISA licences on the balance of probabilities.
  • 3. The gratuity prohibition test: "could reasonably be seen as compromising duties" — objective, no dollar threshold.
  • 4. The conflict-of-interest test is objective: could a reasonable observer conclude the interest might influence judgment?
  • 5. Criminal Code s.346 extortion is complete at the attempt to induce — no payment, no minimum amount.
  • 6. Criminal Code s.346 carries a maximum sentence of life imprisonment.
  • 7. Criminal Code s.122 (breach of trust by a public officer) applies to private-sector contractors at public-function facilities.
  • 8. PIPEDA Principle 7 (Safeguards) requires protection against unauthorised access to personal information.
  • 9. PIPEDA Principle 1 (Accountability): the client organisation is responsible for data handled by contracted security guards.
  • 10. Guards are data custodians, not data owners. No independent right to access, share, or retain beyond the assigned duty.
  • 11. Police without a warrant → do not unilaterally disclose CCTV footage; route to site manager.
  • 12. Document every data-access request regardless of whether you comply.
  • 13. The HRTO applies an effects-based test for discrimination. Intent is irrelevant; was the protected characteristic a factor?
  • 14. Accommodation duty applies to the point of undue hardship. Minor inconvenience is not undue hardship.
  • 15. The lawful authority exception requires specific, articulable, non-Code-based grounds — not "instinct" or "suspicion."
  • 16. PSISA s.31: cooperation with the Registrar is mandatory. Refusal is a PSISA s.44 offence.
  • 17. Do not confront the wrongdoer before reporting — preserve evidence first.
  • 18. Keep a personal copy of any disclosure outside the employer's systems immediately after making it.
  • 19. If the supervisor is part of the wrongdoing, report to the supervisor's manager, HR, or directly to the Registrar/police.
  • 20. Five legal frameworks apply simultaneously: O. Reg. 363/07, Criminal Code, PIPEDA, Human Rights Code, duty to report.
Final Examination · 30 Questions

Ready? Take the 30-Question Security Ethics Certificate Exam.

30 scenario-and-law questions covering PSISA Code of Conduct, conflict of interest, Criminal Code ss.122/346/380/334, PIPEDA, Ontario Human Rights Code, and the whistleblower framework. Pass with 20/30 or higher to earn your Stafferin Security Ethics certificate.

Start the 30-Question Exam
The Q30 synthesis trap — why three of the four options are designed to fool you

Understanding why the wrong answers to Q30 are tempting

Question 30 on the Stafferin Security Ethics exam is a synthesis question: it asks you to state the integrated professional ethics obligation of a security guard. The correct answer is always the one that incorporates all five legal frameworks. The three distractors are designed around three common misconceptions that candidates carry into the exam:

  • Distractor A — "Protect the client's interests above all." This is tempting because client loyalty is a real and important obligation. But O. Reg. 363/07, the ASIS International Code of Ethics, and the Criminal Code all explicitly subordinate client loyalty to legal compliance. A client instruction to discriminate, to destroy records, or to accept a gratuity does not override the Code. This distractor tests whether you know that the law comes before the client.
  • Distractor B — "Follow supervisor instructions in all circumstances — the employer bears all responsibility." This is tempting because it reflects a reasonable workplace hierarchy. But the PSISA Code of Conduct imposes personal obligations on each licensed individual. "I was told to" is not a defence to a PSISA Code of Conduct breach. This distractor tests whether you know that personal professional obligations are non-delegable.
  • Distractor C — "Apply security protocols with professional judgment, with no overriding legal obligations." This is tempting because professional judgment is genuinely important. But the five legal frameworks covered in this course impose specific statutory and regulatory obligations that override or constrain professional judgment. A guard whose judgment leads them to accept a gratuity, to racially profile, to mishandle CCTV data, or to stay silent about a colleague's serious breach has exercised judgment that violates the law. This distractor tests whether you know that judgment operates within legal constraints, not above them.

The correct answer combines all five frameworks: act lawfully (O. Reg. 363/07 + Criminal Code), protect personal data (PIPEDA), treat every person consistently with the Human Rights Code, and report serious breaches (duty to report framework). That is the integrated standard that applies on every shift.

Citation verification

Every claim in this course is backed by a primary source

Stafferin publishes this training material with inline citations to primary sources (statutes, regulations, and official professional codes). If you encounter a claim that does not match the authoritative source, or if a statute or regulation has been amended since publication, please contact hr@stafferin.com with the specific passage and the update you believe is required. We review all corrections and update the material promptly. The citation links in this course go directly to Ontario e-Laws, Justice Laws Canada, and the ASIS International website — the same sources used by Ontario courts, the Registrar, and the HRTO when they cite these provisions.

Stafferin Security Field Training

Module 38 — Security Ethics & Professional Conduct

6 lessons · 5 mini-drills · 5 achievements · 30-question certificate exam · Pass: 20/30 · Cert threshold: 67%

O. Reg. 363/07 · Criminal Code ss.122/334/346/380 · PIPEDA, S.C. 2000, c. 5 · Ontario Human Rights Code, R.S.O. 1990, c. H.19 · PSOA, S.O. 2006, c. 35, Sched. A

Take the 30-Question Exam
Five-minute final review — the most critical sentences in the course

If you have five minutes before the exam, read these ten sentences

Each sentence below is the most important single statement from one of the course's ten major sub-topics. If you can confirm "yes, I know this" for each sentence, you are ready to sit the exam.

  1. O. Reg. 363/07 is the PSISA Code of Conduct; it binds every licensed guard from the moment of licensing, including when off duty in uniform.
  2. The Registrar revokes PSISA licences on the balance of probabilities; a criminal conviction is not required.
  3. The gratuity prohibition test is objective and appearance-based: "could reasonably be seen as compromising duties" — no dollar threshold.
  4. A conflict of interest exists when a reasonable observer could conclude the interest might influence your judgment — not only if it actually does.
  5. Criminal Code s.346 extortion is complete at the attempt to induce — no payment, no minimum amount, no victim report required.
  6. PIPEDA Principle 7 (Safeguards) requires protection of personal information against unauthorised access — applies to CCTV, access logs, and incident reports.
  7. Police without a warrant requesting CCTV footage → route to the site manager; the voluntary-disclosure decision under PIPEDA s.7(3) belongs to the client organisation.
  8. The HRTO tests for discriminatory effect, not intent — unconscious bias that results in differential treatment of a racialized person meets the test.
  9. PSISA s.31 cooperation with the Registrar is mandatory; refusal is a PSISA s.44 offence; false statements to the Registrar are a separate s.44(1)(b) offence.
  10. Five legal frameworks apply simultaneously on every shift: O. Reg. 363/07 + Criminal Code + PIPEDA + Ontario Human Rights Code + duty to report. No single framework provides complete coverage.
On-the-job memory card — what to do when in doubt at the post

Six questions to ask yourself when you face an ambiguous ethics situation on shift

When you encounter a situation on shift where the right course of action is unclear, work through these six questions in order. They mirror the five legal frameworks and will guide you to the correct professional response in most situations.

  1. Is what I am being asked to do consistent with O. Reg. 363/07? — Lawful authority, integrity, professional conduct, compliance. If the answer is no or uncertain, decline and document.
  2. Could this action constitute a Criminal Code offence? — Extortion, fraud, breach of trust, theft. If yes or uncertain, refuse and report immediately.
  3. Am I handling personal information in a way that is consistent with PIPEDA? — Accessing only for the security purpose, declining unauthorised requests, routing data-access requests to the appropriate authority.
  4. Am I applying this security protocol consistently across all protected characteristics under the Ontario Human Rights Code? — If I would not do this to a comparably situated person of a different race, disability status, gender identity, or religion, I need articulable grounds for the difference.
  5. Should I be reporting something I have observed? — PSISA s.31 cooperation obligation, duty to report Code breaches. If yes, route to the right authority and keep a personal copy of the disclosure.
  6. Would a reasonable, experienced security professional — who knows all five legal frameworks — make this decision? — The integrated professional standard. If the answer is no, reconsider.
Three common mistakes on the exam — and how to avoid them

The three most common reasons candidates fail this exam on their first attempt

Mistake 1: Confusing the gratuity test's statutory standard with an employer's internal dollar-amount policy. O. Reg. 363/07 has no dollar threshold. "Under $50 is acceptable" is an employer-policy rule, not a statutory rule. The exam consistently tests whether you know the difference between the Code's objective appearance test and an employer's administrative threshold. When a question asks about O. Reg. 363/07, always apply the objective test; never apply a dollar-amount cutoff as if it were in the statute.

Mistake 2: Treating the HRTO's discrimination test as requiring proof of intent. The Ontario Human Rights Code's effects-based test is one of the most frequently misapplied concepts in the exam. Candidates who study the Code from a general perspective often assume that discrimination requires deliberate intent. The HRTO has explicitly rejected this. Unconscious bias — a decision influenced by race without deliberate intent — constitutes Code discrimination. Questions testing this concept deliberately offer "the guard did not intend to discriminate" as a plausible but wrong answer. Do not be caught by it.

Mistake 3: Forgetting that PSISA s.346 extortion is complete at the attempt, not at payment. The exam's Criminal Code questions frequently include "only when a payment is received" or "only when the amount exceeds $5,000" as distractors. Both are wrong. s.346 captures "induces or attempts to induce" — no payment, no minimum amount, and no victim report are required. The offence is complete at the attempt. This is tested directly in at least one question on every exam version.

Important exam notes — before you click "Start Exam"

Three things every candidate must know before starting the 30-question exam

1. The pass threshold is 20/30 (67%). This is calculated as ceil(0.66 × 30) = 20 questions correct. You can miss up to 10 questions and still pass. Every question is worth one mark; there is no partial credit and no negative marking.

2. The exam is not timed, but your progress is saved. You can leave the exam and return to it; your answers will be preserved in your browser's session. You cannot, however, change an answer once submitted. Review your answer carefully before clicking it — your first confirmed answer is your final answer for that question.

3. The certificate is issued on the exam page immediately after you pass. Your certificate displays your name, the date of completion, your score, and a certificate number. Download or screenshot your certificate immediately — it can also be re-accessed from the Stafferin platform at any time using your certificate number.

If you do not pass on your first attempt: the exam identifies which of the six themes you scored lowest on. Re-read the lesson for each theme where you scored below 60%, then retake the exam. There is no waiting period between attempts and no limit on retakes.

Score breakdown — how your 30-question result maps to lesson mastery

What your exam score tells you about your lesson-by-lesson knowledge

The 30-question exam is scored out of 30, with 5 questions per lesson theme. The minimum pass score is 20/30 (67%). If you pass, the certificate is issued immediately. If you do not pass, the exam page shows you which themes you answered below 60% on (fewer than 3/5 correct), so you know exactly which lessons to revisit before retaking.

Theme-by-theme score interpretation:

  • 5/5 on a theme: Full mastery. You understood every nuance of the lesson and applied it correctly under exam conditions.
  • 4/5 on a theme: Strong performance. One distractor caught you — review the exam explanation for the question you missed and trace it back to the specific statutory provision.
  • 3/5 on a theme: Passing threshold for this theme. Re-read the lesson before the next attempt — three correct answers means you understood the core concepts but missed the detail questions.
  • 2/5 or below on a theme: Re-read the full lesson and all supplementary callouts for that theme before retaking. A score below 3/5 on a theme suggests a conceptual misunderstanding, not just a detail miss.

Total score interpretation: 20–22 = pass; 23–25 = solid pass; 26–28 = strong pass; 29–30 = distinction. All passing scores earn the same certificate. The distinction label is informal — it does not appear on the certificate, but it reflects a level of preparation that is genuinely field-ready.

Exam-day checklist — twelve things to confirm before clicking "Start Exam"

Before you sit the 30-question certificate exam

  • I have completed all six lessons and clicked "Mark Complete" on each one.
  • I can state the number and short title of O. Reg. 363/07 (the PSISA Code of Conduct) from memory.
  • I know that the Registrar revokes PSISA licences on the balance of probabilities — a criminal conviction is not required.
  • I can state the objective test for a prohibited gratuity: "could reasonably be seen as compromising the guard's duties."
  • I know that Criminal Code s.346 extortion is complete at the attempt to induce — no payment and no minimum amount required.
  • I know that PIPEDA Principle 7 (Safeguards) governs protection of personal information against unauthorised access.
  • I know that CCTV footage and access logs are personal information under PIPEDA and must not be shared with unauthorised parties.
  • I know the HRTO's effects-based test for discrimination — whether the protected characteristic was a factor, not whether the guard intended to discriminate.
  • I know the accommodation duty applies to the point of undue hardship, and that minor inconvenience does not constitute undue hardship.
  • I know that PSISA s.31 requires cooperation with Registrar investigations, and that refusal is a PSISA s.44 offence.
  • I know the escalation path when a supervisor is involved in the wrongdoing: supervisor's manager or HR, then Registrar or police.
  • I have completed the "Final ready check" questions above and can honestly answer "Yes" to all six.

Stafferin Security Field Training · Module 38

Security Ethics & Professional Conduct

Complete all six lessons, then take the 30-question exam to earn your Stafferin certificate.

6
lessons
5
drills
30
questions
20
to pass
Take the 30-Question Certificate Exam

Complete all six lessons first to unlock the exam button above.

© Stafferin — copying this course is not permitted.