PRIVACY POLICY
Procedure for Retention, Destruction, and Anonymization of Personal Information
1. Overview
It is essential to establish a procedure for the retention, destruction, and anonymization of personal information to ensure the protection of individuals' privacy, comply with personal information protection laws, prevent confidentiality incidents involving personal information and security breaches, maintain customer trust, and safeguard the organization's reputation.
2. Objective
The purpose of this procedure is to ensure the protection of individuals' privacy and compliance with legal obligations regarding the protection of personal information.
3. Scope & Definitions
The scope of this procedure should cover the entire lifecycle of personal information, from its collection to its destruction. It applies to all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal information, in accordance with legal requirements and best practices in privacy protection.
Personal Information: Any information that can directly or indirectly identify a natural person.
Retention: Secure storage of personal information for the required duration.
Destruction: Permanent deletion, removal, or erasure of personal information.
Anonymization: The process of modifying personal information so that it can no longer identify, directly or indirectly, the individuals concerned, in a permanent and irreversible manner.
4. Procedure
4.1 Retention Period
4.1.1 Personal information is categorized as follows:
-
Information regarding company employees,
-
Information regarding organization members,
-
Information regarding clients.
4.1.2 The retention period for each category is as follows:
-
Company Employees: 7 years after the end of employment.
-
Members: Variable depending on the type of personal information.
-
Clients: Variable depending on the type of personal information.
For more details, refer to the complete inventory of personal information held. Specific retention periods may apply.
4.2 Secure Storage Methods
4.2.1 Personal information is stored in the following locations: One Drive, Wix.
4.2.2 The sensitivity level of each storage location has been determined.
4.2.3 These storage locations, whether physical or digital, are appropriately secured.
4.2.4 Access to these storage locations is restricted to authorized personnel only.
4.3 Destruction of Personal Information
4.3.1 For personal information on paper, it must be completely shredded.
4.3.2 For digital personal information, it must be permanently deleted from devices (computers, phones, tablets, external drives), servers, and cloud tools.
4.3.3 A destruction schedule based on the established retention periods for each category of personal information must be created. It is imperative to document the planned destruction dates.
4.3.4 Ensure destruction is carried out in a manner that prevents recovery or reconstruction of personal information.
4.4 Anonymization of Personal Information
4.4.1 Anonymization of personal information should only occur if the organization intends to retain and use it for serious and legitimate purposes.
4.4.2 The chosen method for anonymizing personal information is as follows: it will be deleted after the retention period.
4.4.3 Ensure that the remaining information can no longer allow, in any way, the direct or indirect identification of the individuals concerned and regularly evaluate the risk of re-identification of anonymized data by conducting tests and analyses to ensure their effectiveness.
Note: As of the drafting date of this template, the anonymization of personal information for serious and legitimate purposes is not yet possible. A government regulation must be adopted to determine the criteria and modalities.
4.5 Staff Training and Awareness
4.5.1 Regular training must be provided to employees on the procedure for retaining, destroying, and anonymizing personal information, as well as on the risks associated with privacy violations.
4.5.2 This also includes raising awareness among staff about best data security practices and the importance of complying with established procedures.
Last updated: December 16, 2024
Procedure for Access Requests to Personal Information and Complaint Handling
1. Overview
Since individuals may request access to their personal information held by an organization or may file complaints, it is essential to have predefined guidelines to address such requests effectively.
2. Objective
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.
3. Scope
This procedure applies to internal actors responsible for processing access requests and complaints, as well as individuals seeking access to their personal information.
4. Procedure for Access Requests
4.1 Submission of the Request
4.1.1 Individuals seeking access to their personal information must submit a written request to the organization’s Data Protection Officer. Requests may be sent via email or postal mail.
4.1.2 The request must clearly state that it is an access request for personal information and include sufficient details to identify the individual and the information sought.
4.1.3 These details may include the individual's name, address, and any other relevant information to reliably identify the requester.
4.2 Receipt of the Request
4.2.1 Upon receipt of the request, an acknowledgment is sent to the individual to confirm that their request has been received.
4.2.2 The request must be processed within thirty (30) days of receipt.
4.3 Verification of Identity
4.3.1 Before processing the request, the individual’s identity must be reasonably verified. This may involve requesting additional information or verifying the identity in person.
4.3.2 If the identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Incomplete or Excessive Requests
4.4.1 If an access request is incomplete or excessive, the Data Protection Officer will contact the individual for additional information or clarification.
4.4.2 The organization reserves the right to deny requests that are manifestly abusive, excessive, or unjustified.
4.5 Processing the Request
4.5.1 Once the identity is verified, the Data Protection Officer gathers the requested personal information.
4.5.2 The officer reviews relevant records to collect the requested personal information, ensuring compliance with any legal restrictions.
4.6 Reviewing Information
4.6.1 Before disclosing personal information, the officer carefully reviews the data to ensure it does not include third-party confidential information or infringe on other rights.
4.6.2 If third-party information is present, the officer assesses whether it can be redacted or excluded from disclosure.
4.7 Disclosure of Information
4.7.1 After verification, personal information is disclosed to the individual within a reasonable timeframe, in compliance with applicable legal requirements.
4.7.2 Personal information may be shared electronically, by secure postal mail, or in person, based on the individual’s preference and appropriate security measures.
4.8 Monitoring and Documentation
4.8.1 All steps in processing access requests must be precisely and comprehensively documented.
4.8.2 Documentation includes:
-
Date of request receipt;
-
Date of acknowledgment of receipt;
-
Date of identity verification;
-
Method of identity verification;
-
Decision (request approved or denied);
-
Date of information disclosure (if applicable).
4.9 Confidentiality Protection
4.9.1 All staff involved in processing access requests must respect confidentiality and data protection principles.
4.10 Complaint Management and Recourse
4.10.1 If an individual is dissatisfied with the response to their access request, they must be informed of the complaint and recourse procedures available through the Commission for Access to Information.
4.10.2 Complaints are processed in accordance with internal complaint management policies and procedures (see the following section).
5. Complaint Handling Procedure
5.1 Receipt of Complaints
5.1.1 Complaints may be submitted in writing, by phone, by email, or through any official communication channel. They must be recorded in a centralized register accessible only to designated personnel.
5.1.2 Employees must immediately notify the Complaint Officer upon receipt of a complaint.
5.2 Preliminary Assessment
5.2.1 The designated officer reviews each complaint to assess its relevance and severity.
5.2.2 Frivolous, defamatory, or clearly baseless complaints may be rejected, with a justification provided to the complainant.
5.3 Investigation and Analysis
5.3.1 The Complaint Officer conducts an investigation by collecting evidence, interviewing involved parties, and gathering all relevant documents.
5.3.2 The officer must act impartially and have the authority to resolve the complaint.
5.3.3 Confidentiality must be maintained throughout the process, and all parties must be treated fairly.
5.4 Resolving the Complaint
5.4.1 The Complaint Officer proposes appropriate solutions to resolve the complaint as quickly as possible.
5.4.2 Solutions may include corrective actions, financial compensation, or other necessary measures to satisfactorily address the complaint.
5.5 Communication with the Complainant
5.5.1 The Complaint Officer regularly communicates with the complainant to update them on the investigation and resolution progress.
5.5.2 All communications must be professional, empathetic, and respectful.
5.6 Closing the Complaint
5.6.1 Once resolved, the Complaint Officer provides a written response to the complainant summarizing the actions taken and solutions offered.
5.6.2 All information and documents related to the complaint must be retained in a confidential file.
Last updated: December 16, 2024
Procedure for De-indexing and Deletion of Personal Information
1. Overview
This procedure is designed to address the privacy and data protection concerns of our clients.
2. Objective
The objective of this procedure is to provide a structured mechanism to handle requests for de-indexing and deletion of personal information from our clients.
3. Scope
This procedure applies to our internal team responsible for managing de-indexing and deletion requests for personal information. It covers all information published on our online platforms, including our website, mobile applications, databases, or any other digital media used by our clients.
4. Definitions
Deletion of personal information: The action of permanently erasing data, making it unavailable and unrecoverable.
De-indexing of personal information: The removal of information from search engines, making it less visible but still directly accessible.
Deletion permanently eliminates the data, while de-indexing limits its online visibility.
5. Procedure
5.1 Receipt of Requests
5.1.1 Requests for de-indexing and deletion of personal information must be directed to the designated responsible team.
5.1.2 Clients may submit requests through specific channels, such as an online form, dedicated email address, or telephone number.
5.2 Verification of Identity
5.2.1 Before processing the request, the individual's identity must be reasonably verified.
5.2.2 This may involve requesting additional information or verifying the individual's identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse to proceed with the request.
5.3 Evaluation of Requests
5.3.1 The responsible team must carefully review the requests and the personal information concerned to determine their eligibility for de-indexing or deletion.
5.3.2 Requests must be handled confidentially and within the stipulated timeframe.
5.4 Reasons for Refusal
5.4.1 Valid reasons for refusing de-indexing or deletion requests include:
-
To continue providing goods and services to the client;
-
For labor law requirements;
-
For legal reasons in case of ongoing litigation.
5.5 De-indexing or Deletion of Personal Information
5.5.1 The responsible team must take the necessary steps to de-index or delete personal information according to eligible requests.
5.6 Follow-up Communication
5.6.1 The responsible team is responsible for maintaining communication with the requestors throughout the process, providing acknowledgment of receipt and regular updates on the status of their request.
5.6.2 Any delays or issues encountered during the processing of requests must be communicated to the requestors with clear explanations.
5.7 Monitoring and Documentation
5.7.1 All requests for de-indexing and deletion of personal information, along with actions taken to address them, must be recorded in a dedicated tracking system.
5.7.2 Records must include the details of the requests, actions taken, dates, and outcomes.
Last updated: December 16, 2024
Procedure for Managing Security Incidents and Personal Information Breaches
1. Overview
An incident response plan is crucial to managing cyber incidents effectively. In moments of crisis, knowing how to act and prioritize actions reduces the risk of overlooking important aspects.
2. Objective
The purpose of this procedure is to ensure the organization is prepared to respond to cyber incidents in a way that enables a swift return to normal operations.
3. Scope
This procedure covers all networks and systems, as well as stakeholders (clients, partners, employees, subcontractors, suppliers) who access these systems.
4. Recognizing a Cyber Incident
Cybersecurity incidents may not always be immediately recognized or detected. However, certain indicators may signal a security breach, compromised system, unauthorized activity, etc. Be vigilant for signs of potential or ongoing security incidents, including:
-
Excessive or unusual login and system activity, particularly from inactive user accounts.
-
Excessive or unusual remote access activity within the organization, including third-party providers.
-
Detection of new, unauthorized wireless networks (Wi-Fi).
-
Unusual activity related to malware presence, suspicious files, or unapproved executable programs.
-
Lost, stolen, or misplaced devices containing sensitive data, such as payment card information or personal data.
5. Contact Information
Company: PCamiot Consulting
Responsible Person: Caroline Guilbault
Address: 2801 Ruisseau St-Georges Sud, St-Jacques, QC, J0K 2R0
Email: caroline.guilbault@pcamiotconsulting.com
Phone: 514-971-9067
Website: rtfak.com
6. Personal Information Breach = Specific Interventions for Incidents
When a confirmed personal information breach occurs, follow these steps:
-
Complete the confidentiality incident registry to document the breach.
-
Assess the breach to determine if personal information was lost due to unauthorized access, use, disclosure, or any protection failure with a risk of serious harm to the individuals concerned.
-
If necessary, report the breach to the Commission d’accès à l’information in Quebec.
-
Notify affected individuals about the incident.
-
-
7. Ransomware Attack = Specific Interventions for Incidents
In the event of a confirmed ransomware attack, take the following steps:
-
Immediately disconnect affected devices from the network.
-
Do NOT delete any files from the affected devices.
-
Analyze how the ransomware infected the device to determine its removal method.
-
Report the incident to local authorities and cooperate with their investigation.
-
Perform a full system scan using updated antivirus and antimalware software to confirm the removal of ransomware.
-
If the ransomware cannot be removed, reset the device using original installation media.
-
Ensure backup media/images are malware-free before restoration.
-
If critical data must be restored, explore decryption tools on resources like nomoreransom.org.
-
Avoid paying the ransom and consult a cyberattack expert (breach coach) if needed.
-
Implement patches or fixes to prevent future attacks.
8. Account Compromise = Specific Interventions for Incidents
When an account compromise is confirmed, take the following steps:
-
Inform clients and suppliers about potential fraudulent emails from the compromised account, advising them not to respond or click links.
-
Verify if access to the compromised account is still possible.
-
If access is lost, contact the platform's support team to recover access.
-
Change the account password and any reused passwords elsewhere.
-
Enable two-factor authentication.
-
Remove illegitimate connections and devices from the account's login history.
9. Lost or Stolen Device = Specific Interventions for Incidents
For confirmed lost or stolen devices, take the following steps:
-
Report the loss or theft immediately to local authorities, including incidents outside normal business hours.
-
If the device contains sensitive data and is not encrypted, assess the sensitivity, type, and volume of stolen data, including payment card numbers.
-
Lock or disable lost/stolen devices and remotely wipe their data, if possible.
Last updated: December 16, 2024
Privacy Legislation
We are committed to complying with the legislative provisions outlined in:
Quebec
Updated to reflect changes under LAW 25.
This privacy policy may be updated occasionally to maintain compliance with legislation and account for changes in our data collection processes. Users are encouraged to review the policy periodically for updates. If necessary, users may be informed of changes via email.
Last updated: December 16, 2024