PRIVACY POLICY
Procedure for the preservation, destruction, and anonymization of personal information
1. Overview
It is important to establish a procedure for the preservation, destruction, and anonymization of personal information to ensure the protection of individuals' privacy, comply with personal information protection laws, prevent privacy incidents involving personal information and security breaches, maintain customer trust, and protect the organization's reputation.
2. Purpose
The purpose of this procedure is to ensure the protection of individuals' privacy and to comply with legal obligations regarding the protection of personal information.
3. Scope
The scope of this procedure should cover the entire life cycle of personal information, from its collection to its destruction. It involves all employees and stakeholders involved in the collection, processing, preservation, destruction, and anonymization of personal information in accordance with legal requirements and best practices for privacy protection.
4. Definitions
Personal information: any information that can directly or indirectly identify an individual. Preservation: secure storage of personal information for the required duration. Destruction: deletion, disposal, or permanent erasure of personal information. Anonymization: the process of changing personal information in a way that no longer allows at any time and irreversibly the identification, direct or indirect, of the individuals concerned.
5. Procedure
5.1. Preservation duration
5.1.1. Personal information has been categorized in the following way:
-
information concerning company employees,
-
information concerning members of the organization,
-
information concerning customers.
5.1.2 The retention period for each of these categories has been established as follows:
• Company employees: 7 years after the end of employment.
• Members: variable depending on the type of personal information.
• Customers: variable depending on the type of personal information. For more details, please refer to the complete inventory of personal information held. Please note that specific retention periods may apply.
5.2 Destruction of Personal Information
5.2.1 For personal information on paper, it must be completely shredded.
5.2.2 For digital personal information, it must be completely removed from devices (computers, telephone, tablet, external hard drive), servers and cloud-based tools.
5.2.3 A destruction schedule based on the retention period established for each category of personal information should be set up. It is imperative to document the planned destruction dates.
5.2.4 It is important to ensure that the destruction is carried out in a way that the personal information cannot be recovered or reconstituted.
5.3 Anonymization of Personal Information
5.3.1 The anonymization of personal information should only be done if the organization wishes to retain and use it for serious and legitimate purposes.
5.3.2 The chosen method of anonymizing personal information is as follows: it will be deleted after the retention period.
5.3.3 It is necessary to ensure that the remaining information no longer allows the direct or indirect identification of the individuals concerned in an irreversible manner and to regularly assess the risk of re-identification of anonymized data by conducting tests and analysis to ensure their effectiveness. Please note, as of the date of writing this template, the anonymization of personal information for serious and legitimate purposes is not possible. A government regulation must be adopted to determine the criteria and terms.
5.4 Training and Awareness of Staff
5.4.1 It is important to ensure that regular training is provided to employees on the procedure for retaining, destroying and anonymizing personal information, as well as on the risks associated with privacy breaches.
5.4.2 This also includes raising staff awareness of good data security practices and the importance of complying with established procedures.
Last updated: April 4, 2025
Procedure for requesting access to personal information and handling complaints
1. Overview
Since a person can request access to the personal information that an organization holds about them, or could also make complaints, it is important to have predefined guidelines to respond to this type of request.
2. Objective
The purpose of this procedure is to ensure that all access requests are handled confidentially, quickly and accurately, while respecting the rights of the individuals concerned.
3. Scope
The scope of this procedure concerns internal actors responsible for handling access requests and complaint processing, as well as individuals wishing to access their own personal information.
4. Access Request Procedure
4.1 Submission of the request
4.1.1 The individual who wishes to access their personal information must submit a written request to the organization's personal information protection officer. The request can be sent by email or by regular mail.
4.1.2 The request must clearly indicate that it is a request for access to personal information, and provide sufficient information to identify the individual and the information sought.
4.1.3 This information may include the name, address and any other relevant information to reliably identify the individual making the request
4.2 Receipt of the request
4.2.1 Once the request is received, an acknowledgment of receipt is sent to the individual to confirm that their request has been taken into account.
4.2.2 The request must be processed within thirty (30) days of its receipt.
4.3 Identity verification
4.3.1 Before processing the request, the individual's identity must be reasonably verified. This can be done by requesting additional information or by verifying the individual's identity in person.
4.3.2 If the identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Response to incomplete or excessive requests
4.4.1 If a request for access to personal information is incomplete or excessive, the personal information protection officer communicates with the individual to request additional information or clarifications.
4.4.2 The organization reserves the right to refuse a request if it is manifestly abusive, excessive or unjustified.
4.5 Request Processing
4.5.1 Once the identity has been verified, the responsible for personal information protection proceeds to collect the requested information for processing access requests to personal data.
4.5.2 The responsible consults relevant files to collect the requested personal data, ensuring to comply with any legal restrictions.
4.6 Review of Information
4.6.1 Before communicating personal information to the individual, the responsible carefully reviews the information to ensure that it does not contain confidential third-party information or information that could infringe upon other rights.
4.6.2 If third-party information is present, the responsible assesses whether it can be separated or if it must be excluded from disclosure.
4.7 Disclosure of Information
4.7.1 Once the checks are completed, personal data is communicated to the individual within a reasonable period, in accordance with the legal requirements in force.
4.7.2 Personal information can be communicated to the individual electronically, by secure postal mail, or in person, according to the individual's preferences and appropriate security measures.
4.8 Follow-up and Documentation
4.8.1 All stages of the process for processing the request for access to personal information must be accurately and completely recorded.
4.8.2 The details of the request, the actions taken, the decisions made, and the corresponding dates should be recorded in an access request tracking log.
• Receipt date of the request;
• Acknowledgement date;
• Identity verification date;
• Identity verification method;
• Decision - access request accepted or denied;
• Information disclosure date (if applicable).
4.9 Confidentiality Protection
4.9.1 All staff involved in processing access requests to personal information must respect confidentiality and data protection.
4.10 Complaints and Appeals Management
4.10.1 If an individual is dissatisfied with the response to their request for access to personal information, they should be informed about the complaint procedures and appeals available before the Access to information Commission. 4.10.2 Complaints should be processed in accordance with internal policies and procedures for complaint management (next section).
5. Complaint Handling Procedure
5.1 Complaint Reception
5.1.1 Complaints can be submitted in writing, by phone, by email or through any other official communication channel. They must be recorded in a centralized registry, accessible only to designated staff.
5.1.2 The employee must immediately inform the person in charge of receiving complaints.
5.2 Preliminary Assessment
5.2.1 The designated person reviews each complaint to assess its relevancy and severity.
5.2.2 Frivolous, defamatory or groundless complaints may be dismissed. However, a justification must be provided to the complainant.
5.3 Investigation and Analysis
5.3.1 The person in charge of the complaint conducts an investigation by collecting evidence, interviewing the relevant parties and gathering all pertinent documents.
5.3.2 The person in charge must be impartial and have the necessary authority to resolve the complaint.
5.3.3 The person in charge must maintain the confidentiality of information related to the complaint and ensure that all involved parties are treated fairly.
5.4 Complaint Resolution
5.4.1 The person in charge of the complaint proposes suitable solutions to resolve the complaint in the shortest possible time.
5.4.2 Solutions may include corrective measures, financial compensations or any other necessary action to satisfactorily resolve the complaint.
5.5 Communication with the Complainant
5.5.1 The person in charge of the complaint communicates regularly with the complainant to keep them informed of the progress of the investigation and resolution of the complaint.
5.5.2 All communications must be professional, empathetic and respectful.
5.6 Complaint Closure
5.6.1 Once the complaint is resolved, the person in charge of the complaint must provide a written response to the complainant, summarizing the actions taken and the solutions proposed.
5.6.2 All information and documents related to the complaint must be kept in a confidential file.
Last updated: April 4, 2025
Procedure for Requesting De-indexing and Removal of Personal Information
1. Overview
This procedure aims to address the concerns and apprehensions of our clients regarding privacy and protection of their personal information.
2. Objective
The purpose of this procedure is to provide a structured mechanism for handling requests for de-indexing and removal of personal information from our clients.
3. Scope
This procedure applies to our internal team responsible for handling requests for de-indexing and removal of personal information. It covers all information published on our online platforms, including our website, mobile apps, databases, or any other digital medium used by our clients.
4. Definitions
Removal of Personal Information: Act of completely erasing data, making it unavailable and irretrievable. De-indexing of Personal Information: Removal of information from search engines, making it less visible but still directly accessible. Removal permanently deletes data, while de-indexing limits its online visibility.
5. Procedure
5.1 Receiving Requests
5.1.1 Requests for de-indexing and removal of personal information must be received by the designated responsible team.
5.1.2 Clients can submit their requests through specific channels such as the online form, dedicated email address, or telephone number.
5.2 Identity Verification
5.2.1 Before processing the request, the individual's identity must be reasonably verified.
5.2.2 This can be done by requesting additional information or verifying the individual's identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse to proceed with the request.
5.3 Request Assessment
5.3.1 The responsible team must carefully review the requests and the personal information concerned to determine their eligibility for de-indexing or removal. 5.3.2 Requests must be processed confidentially and within the prescribed timelines.
5.4 Reasons for Refusal
5.4.1 There are also perfectly valid reasons why we might refuse to remove or de-index personal information:
• To continue providing goods and services to the client;
• For reasons of employment law requirement;
• For legal reasons in case of dispute.
5.5 De-indexing or removal of personal information
5.5.1 The responsible team must take the necessary steps to de-index or remove personal information in accordance with eligible requests.
5.6 Communication of follow-up
5.6.1 The responsible team is in charge of communicating with applicants throughout the process, providing receipt confirmations and regular updates on the status of their request.
5.6.2 Any delay or problem encountered during the processing of requests must be communicated to the applicants with clear explanations.
5.7 Follow-up and documentation
5.7.1 All requests for de-indexing and deletion of personal information, as well as the actions taken to respond to them, must be recorded in a dedicated tracking system.
5.7.2 The records must include the details of the requests, the action taken, the dates and the outcomes of the actions carried out.
Last update: April 4, 2025
Procedure for managing security incidents and breaches of personal information
1. Overview
A response plan is essential to manage cyber incidents effectively. During these times of crisis, it is not always clear how to act and prioritize actions. A response plan comes in to reduce the stress of forgetting important aspects.
2. Objective
The purpose of this procedure is to ensure that the organization is ready to respond to a cyber incident in a way that can quickly resume its activities.
3. Scope
The scope of this procedure includes all networks and systems, as well as stakeholders (clients, partners, employees, subcontractors, suppliers) who access these systems.
4. Recognize a cyber incident
A cybersecurity incident may not be recognized or detected immediately. However, some indicators may be signs of a security breach, a compromised system, unauthorized activity, etc. It is always necessary to be on the lookout for any sign that a security incident has occurred or is ongoing. Some of these indicators are described below:
Excessive or unusual connection and system activity, especially from any inactive user ID (user account).
Excessive or unusual remote access within your organization. This may concern staff or third-party providers.
The appearance of any new visible or accessible wireless network (Wi-Fi).
Unusual activity related to the presence of malicious software, suspicious files, or new or unapproved executable files and programs.
Lost, stolen, or misplaced computers or devices containing payment card data, personal information, or other sensitive data.
5. Contact Information
Role Owner:
Linda Rheault lindaroartiste@videotron.ca
6. Breach of Personal Information Protection - Specific Intervention
If it has been confirmed that a security incident related to a breach of personal information protection has occurred, the following steps will need to be taken:
• Complete the privacy incident register to document the incident.
• Review the breach of personal information protection to determine if personal information was lost due to unauthorized access or use, unauthorized disclosure, or any breach of the protection of these personal data and if there is a risk of serious harm to the individuals concerned. o In such a case, report it to the Quebec Access to Information Commission.
o Also, report it to the individuals whose personal information is targeted by the incident.
7. Ransomware - Specific Intervention
If it has been confirmed that a ransomware security incident has occurred, the following steps will need to be taken:
• Immediately disconnect from the network the devices targeted by ransomware.
• DELETE NOTHING from your devices (computers, servers, etc.).
• Examine the ransomware and determine how it infected the device. This will help you understand how to eliminate it.
• Communicate with local authorities to report the incident and cooperate in the investigation.
• Once the ransomware has been removed, a complete system analysis must be performed using the latest available antivirus, anti-malware, and any other security software to confirm that it has been removed from the device.
• If the ransomware cannot be removed from the device (often the case with stealthy malicious programs), the device should be reset using the original installation media or images. o Before proceeding with the reset from backup media/images, check that they are not infected with malware.
• If the data is critical and must be restored, but cannot be recovered from unaffected backups, seek decryption tools available on nomoreransom.org.
• The policy is not to pay the ransom, subject to the issues at stake. It is also strongly recommended to use the services of a cyber-attack project manager (breach coach).
• Protect systems to prevent any new infection by implementing patches or fixes to prevent any new attack.
8. Account Hacking - Specific Intervention
If it has been confirmed that an account hack has occurred, the following steps will need to be taken:
• Advise our customers and suppliers that they may receive fraudulent emails from us, and specify not to respond or click on links in these emails.
• Check if you still have access to the online account. o If not, contact the platform's support to try to recover access.
• Change the password used to connect to the platform. • If the password is reused elsewhere, also change all those passwords.
• Enable two-factor authentication for the platform.
• Remove non-legitimate connections and devices from the login history.
9. Loss or Theft of a Device - Specific Intervention
If it has been confirmed that a loss of equipment has occurred, the following steps will need to be taken:
• The theft or loss of a property, such as a computer, laptop, or mobile device, must be immediately reported to local police authorities. This includes losses/thefts outside normal business hours and during weekends.
• If the lost or stolen device contained sensitive data and is not encrypted, perform a sensitivity analysis of the type and volume of stolen data, including potentially affected payment card numbers.
• As far as possible, lock/disable lost or stolen mobile devices (e.g., smartphones, tablets, laptops, etc.) and perform a remote data wipe.
Last update: April 4, 2025