Privacy Policy
Procedure for Retention, Destruction, and Anonymization of Personal Information
1. Overview
It is important to implement a procedure for the retention, destruction, and anonymization of personal information to ensure the protection of individuals' privacy, comply with personal information protection laws, prevent confidentiality incidents involving personal information and security breaches, maintain customer trust, and protect the organization's reputation.
2. Objective
The purpose of this procedure is to ensure the protection of individuals' privacy and to comply with legal obligations regarding the protection of personal information.
3. Scope
The scope of this procedure should cover the entire life cycle of personal information, from its collection to its destruction. It applies to all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal information in accordance with legal requirements and best practices in privacy protection.
4. Definitions
- Personal Information: Any information that can identify, directly or indirectly, a physical person.
- Retention: Secure storage of personal information for the required period.
- Destruction: Complete deletion, elimination, or erasure of personal information.
- Anonymization: The process of modifying personal information so that it no longer allows the identification, directly or indirectly, of the individuals concerned, in an irreversible manner.
5. Procedure
5.1 Retention Period
5.1.1 Personal information is categorized as follows:
- Information regarding company employees,
- Information regarding organization members,
- Information regarding clients.
5.1.2 The retention period for each category is as follows:
- Company employees: 7 years after the end of employment.
- Members: Variable depending on the type of personal information.
- Clients: Variable depending on the type of personal information. For more details, refer to the complete inventory of retained personal information. Specific retention periods may apply.
5.2 Secure Storage Methods
5.2.1 Personal information is stored in locations such as OneDrive and Leadfox.
5.2.2 The sensitivity level of each storage location has been assessed.
5.2.3 These storage locations, whether paper or digital, are adequately secured.
5.2.4 Access to these storage locations is restricted to authorized persons only.
5.3 Destruction of Personal Information
5.3.1 For personal information on paper, it must be completely shredded.
5.3.2 For digital personal information, it must be completely deleted from devices (computers, phones, tablets, external hard drives), servers, and cloud tools.
5.3.3 A destruction schedule based on the established retention period for each category of personal information must be created. It is imperative to document the scheduled destruction dates.
5.3.4 Ensure that the destruction is carried out so that personal information cannot be recovered or reconstructed.
5.4 Anonymization of Personal Information
5.4.1 Anonymization of personal information should only be done if the organization wishes to retain and use it for serious and legitimate purposes.
5.4.2 The chosen method of anonymization is as follows: will be deleted after the retention period.
5.4.3 Ensure that the remaining information no longer allows, in an irreversible manner, the direct or indirect identification of the individuals concerned and regularly assess the risk of re-identification of anonymized data by performing tests and analyses to ensure their effectiveness.
Note that as of the drafting date of this template, the anonymization of personal information for serious and legitimate purposes is not possible. A government regulation must be adopted to determine the criteria and modalities.
5.5 Employee Training and Awareness
5.5.1 Ensure regular training for employees on the procedure for the retention, destruction, and anonymization of personal information, as well as on the risks associated with privacy breaches.
5.5.2 This includes raising awareness among staff about good data security practices and the importance of complying with established procedures.
Last updated: April 2024
Procedure for Access Requests and Complaint Handling
1. Overview
Since an individual may request access to personal information that an organization holds about them, or may also file complaints, it is important to have predefined guidelines to respond to such requests.
2. Objective
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.
3. Scope
The scope of this procedure involves the internal actors responsible for handling access requests and complaints, as well as individuals wishing to access their own personal information.
4. Access Request Procedure
4.1 Submission of the Request
4.1.1 The individual wishing to access their personal information must submit a written request to the organization's personal information protection officer. The request can be sent by email or postal mail.
4.1.2 The request must clearly indicate that it is an access request for personal information, and provide sufficient information to identify the individual and the information sought.
4.1.3 This information may include the name, address, and any other pertinent information to reliably identify the individual making the request.
4.2 Reception of the Request
4.2.1 Once the request is received, an acknowledgment of receipt is sent to the individual to confirm that their request has been taken into account.
4.2.2 The request must be processed within thirty (30) days of its receipt.
4.3 Verification of Identity
4.3.1 Before processing the request, the individual's identity must be reasonably verified. This can be done by requesting additional information or by verifying the individual's identity in person.
4.3.2 If the identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Response to Incomplete or Excessive Requests
4.4.1 If an access request for personal information is incomplete or excessive, the personal information protection officer communicates with the individual to request additional information or clarifications.
4.4.2 The organization reserves the right to refuse a request if it is manifestly abusive, excessive, or unjustified.
4.5 Processing the Request
4.5.1 Once the identity is verified, the personal information protection officer processes the access requests for personal information by collecting the requested information.
4.5.2 The officer consults the relevant files to collect the requested personal information, ensuring compliance with any legal restrictions.
4.6 Examination of Information
4.6.1 Before disclosing personal information to the individual, the officer carefully reviews the information to ensure it does not contain confidential third-party information or information that could infringe on other rights.
4.6.2 If third-party information is present, the officer assesses whether it can be separated or must be excluded from the disclosure.
4.7 Communication of Information
4.7.1 Once the verifications are complete, the personal information is communicated to the individual within a reasonable timeframe, in accordance with legal requirements.
4.7.2 Personal information may be communicated to the individual electronically, by secure postal mail, or in person, depending on the individual's preferences and appropriate security measures.
4.8 Follow-Up and Documentation
4.8.1 All steps of the process for handling access requests for personal information must be accurately and completely recorded.
4.8.2 The details of the request, the actions taken, the decisions made, and the corresponding dates must be recorded in an access request tracking log.
- Date of receipt of the request;
- Date of acknowledgment of receipt;
- Date of identity verification;
- Method of identity verification;
- Decision – access request accepted or refused;
- Date of communication of the information (if applicable).
4.9 Protection of Confidentiality
4.9.1 All personnel involved in handling access requests for personal information must respect confidentiality and data protection.
4.10 Complaint Handling and Remedies
4.10.1 If an individual is dissatisfied with the response to their access request for personal information, they must be informed of the complaint procedures and the remedies available before the Commission d'accès à l'information.
4.10.2 Complaints must be handled in accordance with internal policies and procedures for complaint management (next section).
Last updated: April 2024
Procedure for Deindexing and Deleting Personal Information
1. Overview
This procedure aims to address clients' concerns and privacy protection needs.
2. Objective
The purpose of this procedure is to provide a structured mechanism for handling deindexing and deletion requests for personal information from our clients.
3. Scope
This procedure applies to our internal team responsible for managing deindexing and deletion requests for personal information. It covers all information published on our online platforms, including our website, mobile applications, databases, or any other digital medium used by our clients.
4. Definitions
- Deletion of Personal Information: The action of completely erasing data, making it unavailable and unrecoverable.
- Deindexing of Personal Information: Removing information from search engines, making it less visible but still directly accessible. Deletion permanently eliminates data, while deindexing limits its online visibility.
5. Procedure
5.1 Reception of Requests
5.1.1 Deindexing and deletion requests for personal information must be received by the designated responsible team.
5.1.2 Clients can submit their requests through specific channels such as an online form, dedicated email address, or phone number.
5.2 Verification of Identity
5.2.1 Before processing the request, the individual's identity must be reasonably verified.
5.2.2 This can be done by requesting additional information or by verifying the individual's identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse to proceed with the request.
5.3 Evaluation of Requests
5.3.1 The responsible team must carefully review the requests and the personal information concerned to determine their eligibility for deindexing or deletion.
5.3.2 Requests must be handled confidentially and within the specified timeframes.
5.4 Reasons for Refusal
5.4.1 There are also valid reasons for refusing to delete or deindex personal information:
- To continue providing goods and services to the client;
- For labor law compliance reasons;
- For legal reasons in case of litigation.
5.5 Deindexing or Deletion of Personal Information
5.5.1 The responsible team must take the necessary steps to deindex or delete personal information according to eligible requests.
5.6 Communication of Follow-Up
5.6.1 The responsible team is tasked with communicating with requesters throughout the process, providing acknowledgment of receipt and regular updates on the status of their request.
5.6.2 Any delays or issues encountered during the processing of requests must be communicated to the requesters with clear explanations.
5.7 Follow-Up and Documentation
5.7.1 All deindexing and deletion requests for personal information, as well as the actions taken to respond to them, must be recorded in a dedicated tracking system.
5.7.2 Records must include details of the requests, actions taken, dates, and results of the actions performed.
Last updated: April 2024
Procedure for Managing Security Incidents and Personal Information Breaches
1. Overview
An intervention plan is essential for effectively managing cybersecurity incidents. In times of crisis, knowing how to act and prioritize actions can be challenging. An intervention plan helps reduce the stress of forgetting important aspects.
2. Objective
The purpose of this procedure is to ensure the organization is ready to intervene in the event of a cybersecurity incident, enabling a quick resumption of activities.
3. Scope
The scope of this procedure includes all networks and systems, as well as stakeholders (clients, partners, employees, subcontractors, suppliers) who access these systems.
4. Recognizing a Cyber Incident
A cybersecurity incident may not be immediately recognized or detected. However, certain indicators can signal a security breach, a compromised system, or unauthorized activity. It is crucial to stay alert for any signs indicating that a security incident has occurred or is in progress. Some of these indicators include:
- Excessive or unusual connection and system activity, particularly from inactive user accounts.
- Excessive or unusual remote access within the organization, which may involve personnel or third-party vendors.
- The appearance of new visible or accessible wireless networks (Wi-Fi).
- Unusual activity related to the presence of malware, suspicious files, or new or unauthorized executable files and programs.
- Lost, stolen, or misplaced computers or devices containing payment card data, personal information, or other sensitive data.
5. Contact Information for Key Personnel
- Role Owner: Hélène Lachapelle
- Address: 175 rue Bellerive St-Eustache, QC, J7R 2T1
- Phone: 438 410 7473
- Email: info@helenelachapelle.com
6. Specific Response for Personal Information Breach
If it is confirmed that a security incident involving a personal information breach has occurred, the following steps must be taken:
- Complete the confidentiality incident log to document the incident.
- Review the personal information breach to determine if personal information has been lost due to unauthorized access, use, or disclosure, and assess if there is a serious risk of harm to the individuals concerned.
- Report the breach to the Commission d'accès à l'information in Quebec.
- Inform the individuals whose personal information is affected by the incident.
7. Specific Response for Ransomware
If it is confirmed that a ransomware security incident has occurred, the following steps must be taken:
- Immediately disconnect the affected devices from the network.
- Do NOT delete anything from the devices (computers, servers, etc.).
- Examine the ransomware to determine how it infected the device, which helps understand how to eliminate it.
- Report the incident to local authorities and cooperate with their investigation.
- Once the ransomware is removed, conduct a thorough system analysis using the latest available antivirus, antimalware, and security software to confirm its removal.
- If the ransomware cannot be removed from the device (often the case with stealthy malware), the device must be reset using the original installation media or images.
- Before proceeding with the reset from backup media/images, ensure they are not infected with malware.
- If the data is critical and must be restored but cannot be recovered from unaffected backups, look for decryption tools available on nomoreransom.org.
- The policy is not to pay the ransom, subject to the issues involved. It is also highly recommended to enlist the services of a breach coach expert in cyberattacks.
- Protect systems from further infections by implementing patches or fixes to prevent further attacks.
8. Specific Response for Account Hacking
If it is confirmed that an account hacking has occurred, the following steps must be taken:
- Notify our clients and suppliers that they may receive fraudulent emails from us and advise them not to respond or click on links in these emails.
- Check if we still have access to the online account.
- If not, contact the platform's support to try to regain access.
- Change the password used to log in to the platform.
- If the password is reused elsewhere, change all those passwords as well.
- Enable two-factor authentication for the platform.
- Remove illegitimate connections and devices from the connection history.
9. Specific Response for Device Loss or Theft
If it is confirmed that a device loss has occurred, the following steps must be taken:
- Report the loss or theft of an asset, such as a computer, laptop, or mobile device, immediately to local police authorities. This includes losses/thefts outside normal business hours and over weekends.
- If the lost or stolen device contained sensitive data and is not encrypted, conduct a sensitivity analysis covering the type and volume of stolen data, including potentially affected payment card numbers.
- If possible, lock/disable lost or stolen mobile devices (e.g., smartphones, tablets, laptops) and perform remote data wiping.
Last updated: April 2024