PRIVACY POLICIES
Procedure for Retention, Destruction, and Anonymization of Personal Information
1. Overview
It is important to establish a procedure for the retention, destruction, and anonymization of personal information to ensure the protection of individuals' privacy, comply with privacy laws, prevent confidentiality incidents involving personal information and security breaches, maintain customer trust, and protect the organization's reputation.
2. Objective
The purpose of this procedure is to ensure the protection of individuals' privacy and to comply with legal obligations related to the protection of personal information.
3. Scope
This procedure should cover the entire lifecycle of personal information, from its collection to its destruction. It applies to all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal information in accordance with legal requirements and best practices in privacy protection.
4. Definitions
- Personal Information: Any information that can identify, directly or indirectly, a natural person.
- Retention: Secure storage of personal information for the required duration.
- Destruction: Permanent deletion, elimination, or erasure of personal information.
- Anonymization: The process of modifying personal information so that it no longer allows, at any time and in an irreversible manner, the direct or indirect identification of the individuals concerned.
4. Procedure
4.1 Retention Period
4.1.1 Personal information is categorized as follows:
- Information about company employees,
- Information about organization members,
- Information about clients.
4.1.2 The retention period for each category is as follows:
- Company employees: 7 years after employment ends.
- Members: Varies depending on the type of personal information.
- Clients: Varies depending on the type of personal information.
For more details, refer to the complete inventory of personal information held.
Note that specific retention periods may apply.
4.2 Secure Storage Methods
4.2.1 Personal information is stored in the following locations: OneDrive, Wix.
4.2.2 The sensitivity level of each storage location has been established.
4.2.3 These storage locations, whether paper or digital, are adequately secured.
4.2.4 Access to these storage locations is restricted to authorized personnel only.
4.3 Destruction of Personal Information
4.3.1 For personal information on paper, it must be completely shredded.
4.3.2 For digital personal information, it must be completely deleted from devices (computers, phones, tablets, external hard drives), servers, and cloud tools.
4.3.3 A destruction schedule based on the established retention period for each category of personal information must be created. It is essential to document the scheduled destruction dates.
4.3.4 Ensure that destruction is carried out in a way that personal information cannot be recovered or reconstructed.
4.4 Anonymization of Personal Information
4.4.1 Anonymization of personal information should only occur if the organization wishes to retain and use it for serious and legitimate purposes.
4.4.2 The chosen method of anonymization for personal information is as follows: it will be deleted after the retention period.
4.4.3 Ensure that the remaining information no longer allows, in an irreversible manner, the direct or indirect identification of the individuals concerned, and regularly assess the risk of re-identification of anonymized data by conducting tests and analyses to ensure their effectiveness.
Note: As of the drafting date of this template, anonymization of personal information for serious and legitimate purposes is not yet possible. A government regulation must be adopted to determine the criteria and modalities.
4.5 Training and Awareness
4.5.1 Ensure that regular training is provided to employees on the procedure for the retention, destruction, and anonymization of personal information, as well as on the risks associated with privacy violations.
4.5.2 This also includes raising employee awareness of good data security practices and the importance of adhering to established procedures.
Last updated: August 1, 2024
Procedure for Requesting Access to Personal Information and Handling Complaints
1. Overview
Since an individual may request access to the personal information an organization holds about them, or may also file complaints, it is important to have predefined guidelines in place to respond to such requests.
2. Objective
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.
3. Scope
This procedure applies to internal stakeholders responsible for processing access requests and handling complaints, as well as individuals wishing to access their own personal information.
4. Access Request Procedure
4.1 Submission of the Request
4.1.1 An individual who wishes to access their personal information must submit a written request to the organization’s Personal Information Protection Officer. The request can be sent by email or postal mail.
4.1.2 The request must clearly indicate that it is an access request for personal information and provide sufficient details to identify the individual and the information sought.
4.1.3 This information may include the name, address, and any other relevant information to reliably identify the individual making the request.
4.2 Receipt of the Request
4.2.1 Once the request is received, an acknowledgment of receipt is sent to the individual to confirm that their request has been taken into account.
4.2.2 The request must be processed within thirty (30) days of its receipt.
4.3 Identity Verification
4.3.1 Before processing the request, the individual's identity must be reasonably verified. This may be done by requesting additional information or by verifying the individual's identity in person.
4.3.2 If the identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Response to Incomplete or Excessive Requests
4.4.1 If an access request for personal information is incomplete or excessive, the Personal Information Protection Officer will contact the individual to request additional information or clarification.
4.4.2 The organization reserves the right to refuse a request if it is manifestly abusive, excessive, or unjustified.
4.5 Processing the Request
4.5.1 Once the identity is verified, the Personal Information Protection Officer will proceed to gather the requested personal information.
4.5.2 The officer will consult the relevant records to collect the requested personal information, ensuring compliance with any applicable legal restrictions.
4.6 Review of Information
4.6.1 Before disclosing the personal information to the individual, the officer will carefully review the information to ensure it does not contain confidential third-party information or information that could infringe on other rights.
4.6.2 If third-party information is present, the officer will assess whether it can be separated or must be excluded from disclosure.
4.7 Communication of Information
4.7.1 Once the verifications are completed, the personal information will be communicated to the individual within a reasonable timeframe, in accordance with applicable legal requirements.
4.7.2 The personal information may be communicated to the individual electronically, by secure postal mail, or in person, depending on the individual's preferences and appropriate security measures.
4.8 Follow-up and Documentation
4.8.1 All steps of the process for handling the access request must be documented precisely and completely.
4.8.2 The details of the request, actions taken, decisions made, and corresponding dates must be recorded in an access request tracking log.
- Date of receipt of the request;
- Date of acknowledgment of receipt;
- Date of identity verification;
- Method of identity verification;
- Decision: access request accepted or denied;
- Date of information communication (if applicable).
4.9 Confidentiality Protection
4.9.1 All personnel involved in processing access requests for personal information must respect confidentiality and data protection.
4.10 Handling Complaints and Remedies
4.10.1 If an individual is dissatisfied with the response to their access request, they must be informed of the complaint procedures and remedies available before the Commission d’accès à l’information.
4.10.2 Complaints must be handled in accordance with the organization’s internal complaint management policies and procedures (see next section).
5. Complaint Handling Procedure
5.1 Receipt of Complaints
5.1.1 Complaints can be submitted in writing, by phone, by email, or through any other official communication channel. They must be recorded in a centralized register accessible only to designated personnel.
5.1.2 The employee must immediately inform the designated Complaint Officer upon receipt of the complaint.
5.2 Preliminary Assessment
5.2.1 The designated officer examines each complaint to assess its relevance and severity.
5.2.2 Frivolous, defamatory, or baseless complaints may be rejected; however, a justification must be provided to the complainant.
5.3 Investigation and Analysis
5.3.1 The officer responsible for the complaint conducts an investigation by collecting evidence, interviewing relevant parties, and gathering all pertinent documents.
5.3.2 The officer must be impartial and have the necessary authority to resolve the complaint.
5.3.3 The officer must maintain the confidentiality of the information related to the complaint and ensure that all parties involved are treated fairly.
5.4 Complaint Resolution
5.4.1 The officer proposes appropriate solutions to resolve the complaint as promptly as possible.
5.4.2 Solutions may include corrective measures, financial compensation, or any other necessary action to satisfactorily resolve the complaint.
5.5 Communication with the Complainant
5.5.1 The officer communicates regularly with the complainant to keep them informed of the progress of the investigation and the resolution of the complaint.
5.5.2 All communications must be professional, empathetic, and respectful.
5.6 Closing the Complaint
5.6.1 Once the complaint is resolved, the officer must provide the complainant with a written response summarizing the actions taken and the proposed solutions.
5.6.2 All information and documents related to the complaint must be kept in a confidential file.
Last updated: August 1, 2024
Procedure for De-indexing and Deleting Personal Information
1. Overview
This procedure aims to address the privacy concerns and personal information protection needs of our clients.
2. Objective
The purpose of this procedure is to provide a structured mechanism for handling de-indexing and deletion requests of personal information submitted by our clients.
3. Scope
This procedure applies to our internal team responsible for managing de-indexing and deletion requests of personal information. It covers all information published on our online platforms, including our website, mobile applications, databases, or any other digital media used by our clients.
4. Definitions
- Deletion of Personal Information: The act of permanently erasing data, making it unavailable and irretrievable.
- De-indexing of Personal Information: The removal of information from search engines, making it less visible but still directly accessible.
Deletion permanently removes data, while de-indexing limits its online visibility.
5. Procedure
5.1 Receipt of Requests
5.1.1 De-indexing and deletion requests must be received by the designated responsible team.
5.1.2 Clients can submit their requests through specific channels such as the online form, the dedicated email address, or the phone number.
5.2 Identity Verification
5.2.1 Before processing the request, the individual's identity must be reasonably verified.
5.2.2 This can be done by requesting additional information or by verifying the individual's identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse to proceed with the request.
5.3 Evaluation of Requests
5.3.1 The responsible team must carefully review the requests and the personal information in question to determine their eligibility for de-indexing or deletion.
5.3.2 Requests must be handled confidentially and within the prescribed timeframes.
5.4 Reasons for Refusal
5.4.1 There are also valid reasons why we may refuse to delete or de-index personal information:
- To continue providing goods and services to the client;
- For labor law compliance;
- For legal reasons in case of litigation.
5.5 De-indexing or Deletion of Personal Information
5.5.1 The responsible team must take the necessary steps to de-index or delete personal information in accordance with eligible requests.
5.6 Communication and Follow-up
5.6.1 The responsible team is tasked with communicating with the requesters throughout the process, providing acknowledgments of receipt and regular updates on the status of their request.
5.6.2 Any delays or issues encountered during the processing of requests must be communicated to the requesters with clear explanations.
5.7 Follow-up and Documentation
5.7.1 All de-indexing and deletion requests, as well as the actions taken to address them, must be recorded in a dedicated tracking system.
5.7.2 Records must include the details of the requests, the actions taken, the dates, and the outcomes of the actions performed.
Last updated: August 1, 2024
Procedure for Managing Security Incidents and Personal Information Breaches
1. Overview
An incident response plan is essential for effectively managing cyber incidents. During these crisis moments, it's not always clear how to act and prioritize actions. An incident response plan helps reduce the stress of forgetting important aspects.
2. Objective
The purpose of this procedure is to ensure that the organization is prepared to respond to cyber incidents in a way that allows for the quick resumption of activities.
3. Scope
This procedure covers all networks and systems, as well as stakeholders (clients, partners, employees, subcontractors, suppliers) who access these systems.
4. Recognizing a Cyber Incident
A cybersecurity incident may not be immediately recognized or detected. However, certain indicators may signal a security breach, a compromised system, unauthorized activity, etc. It is crucial to always be alert to any signs indicating that a security incident has occurred or is ongoing.
Some of these indicators are described below:
- Excessive or unusual connection and system activity, especially from any inactive user identifier (user account).
- Excessive or unusual remote access within your organization. This could involve staff or third-party vendors.
- The appearance of any new visible or accessible wireless networks (Wi-Fi).
- Unusual activity related to the presence of malware, suspicious files, or new or unapproved executable files and programs.
- Lost, stolen, or misplaced computers or devices containing payment card data, personal information, or other sensitive data.
5. Contact Information
- Company: Huma, Assistance Services
- Responsible Person: Manon Savoie
- Address: 103 Brigg's East, Longueuil J4J 1R5
- Email: info@serviceshuma.com
- Phone: 514 647 2753
- Website: www.serviceshuma.com
6. Personal Information Breach – Specific Response
If it has been confirmed that a security incident involving a personal information breach has occurred, the following steps must be taken:
- Complete the confidentiality incident register to document the incident.
- Review the personal information breach to determine if any personal information has been lost due to unauthorized access or use, unauthorized disclosure, or any breach of personal information protection and if there is a risk of serious harm to the individuals concerned.
- In such a case, report it to the Commission d'accès à l'information in Quebec.
- Additionally, notify the individuals whose personal information was affected by the incident.
7. Ransomware – Specific Response
If it has been confirmed that a ransomware security incident has occurred, the following steps must be taken:
- Immediately disconnect the devices affected by ransomware from the network.
- Do NOT DELETE anything from your devices (computers, servers, etc.).
- Examine the ransomware and determine how it infected the device. This will help understand how to remove it.
- Report the incident to local authorities and cooperate with the investigation.
- Once the ransomware is removed, perform a thorough system scan using the most up-to-date antivirus, anti-malware, and other security software available to confirm it has been removed from the device.
- If the ransomware cannot be removed from the device (often the case with stealthy malware programs), the device must be reset using original installation media or images.
- Before proceeding with a reset from backup media/images, ensure they are not infected with malware.
- If the data is critical and needs to be restored but cannot be recovered from unaffected backups, search for decryption tools available on nomoreransom.org.
- The policy is not to pay the ransom, subject to the stakes involved. It is also strongly recommended to hire the services of a breach coach, an expert in cyberattack response.
- Protect systems from future infections by implementing patches or updates to prevent further attacks.
8. Account Hacking – Specific Response
If it has been confirmed that an account has been hacked, the following steps must be taken:
- Notify our clients and suppliers that they may receive fraudulent emails from us, and specify that they should not respond or click on any links in those emails.
- Check if we still have access to the online account.
- If not, contact the platform’s support to attempt to regain access.
- Change the password used to log in to the platform.
- If the password is reused elsewhere, change all those passwords as well.
- Enable two-factor authentication for the platform.
- Remove any illegitimate connections and devices from the login history.
9. Loss or Theft of a Device – Specific Response
If it has been confirmed that a loss of equipment has occurred, the following steps must be taken:
- The theft or loss of property, such as a computer, laptop, or mobile device, must be immediately reported to local law enforcement authorities. This includes losses/thefts outside normal business hours and over weekends.
- If the lost or stolen device contained sensitive data and is not encrypted, conduct a sensitivity analysis of the type and volume of the stolen data, including any potentially affected payment card numbers.
- As much as possible, lock/disable lost or stolen mobile devices (e.g., smartphones, tablets, laptops, etc.) and proceed with remote data wiping.
Last updated: August 1, 2024
Legislation
We are committed to complying with the legislative provisions set out in: Quebec