Privacy Policy
Procedure for Retention, Destruction, and Anonymization of Personal Information
-
Overview
It is important to implement a procedure for the retention, destruction, and anonymization of personal information to ensure the protection of individuals' privacy, comply with personal information protection laws, prevent privacy incidents involving personal information and security breaches, maintain customer trust, and protect the organization's reputation.
-
Objective
The purpose of this procedure is to ensure the protection of individuals' privacy and comply with legal obligations regarding the protection of personal information.
-
Scope
The scope of this procedure should cover the entire life cycle of personal information, from its collection to its destruction. It applies to all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal information in accordance with legal requirements and best practices in privacy protection.
-
Definitions
-
Personal Information: Any information that allows for the direct or indirect identification of a natural person.
-
Retention: Secure storage of personal information for the required duration.
-
Destruction: Permanent deletion, elimination, or erasure of personal information.
-
Anonymization: The process of modifying personal information so that it no longer allows the identification, directly or indirectly, of the individuals concerned, in a way that is irreversible at all times.
-
Procedure
4.1 Retention Period
4.1.1 Personal information has been categorized as follows:
-
Information regarding company employees,
-
Information regarding organization members,
-
Information regarding clients.
4.1.2 The retention period for each of these categories has been established as follows:
-
Company employees: 7 years after the end of employment.
-
Members: Variable depending on the type of personal information.
-
Clients: Variable depending on the type of personal information.
For more details, refer to the complete inventory of personal information held.
Note that specific retention periods may apply.
4.2 Secure Storage Methods
4.2.1 Personal information is stored in the following locations: One Drive, Wix.
4.2.2 The sensitivity level of each storage location has been determined.
4.2.3 These storage locations, whether physical or digital, are adequately secured.
4.2.4 Access to these storage locations is restricted to authorized personnel only.
4.3 Destruction of Personal Information
4.3.1 For personal information on paper, it must be completely shredded.
4.3.2 For digital personal information, it must be permanently deleted from devices (computers, phones, tablets, external hard drives), servers, and cloud tools.
4.3.3 A destruction schedule based on the established retention period for each category of personal information must be created. It is imperative to document the scheduled destruction dates.
4.3.4 Ensure that the destruction is carried out in a way that personal information cannot be recovered or reconstructed.
4.4 Anonymization of Personal Information
4.4.1 Anonymization of personal information should only be performed if the organization wishes to retain and use it for serious and legitimate purposes.
4.4.2 The chosen method for anonymizing personal information is as follows: personal information will be deleted after the retention period.
4.4.3 Ensure that the remaining information no longer allows, in an irreversible manner, the direct or indirect identification of the individuals concerned, and regularly assess the risk of re-identification of anonymized data by conducting tests and analyses to ensure their effectiveness.
Note that, at the time of writing this template, anonymization of personal information for serious and legitimate purposes is not possible. A government regulation must be adopted to determine the criteria and modalities.
4.5 Staff Training and Awareness
4.5.1 Regular training must be provided to employees on the procedure for retention, destruction, and anonymization of personal information, as well as on the risks related to privacy breaches.
4.5.2 This also includes raising staff awareness of good data security practices and the importance of adhering to established procedures.
Last updated: August 1, 2024
Procedure for Personal Information Access Requests and Complaint Handling
-
Overview
Since individuals may request access to the personal information an organization holds about them, or may file complaints, it is important to have predefined guidelines to respond to such requests.
-
Objective
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.
-
Scope
The scope of this procedure applies to the internal actors responsible for processing access requests and complaints, as well as individuals seeking access to their personal information.
-
Access Request Procedure
4.1 Submission of the Request
4.1.1 Individuals wishing to access their personal information must submit a written request to the organization's personal information protection officer. The request can be sent by email or postal mail.
4.1.2 The request must clearly indicate that it is an access request for personal information and provide sufficient information to identify the individual and the information sought.
4.1.3 This information may include the name, address, and any other relevant information to reliably identify the individual making the request.
4.2 Receipt of the Request
4.2.1 Once the request is received, an acknowledgment of receipt is sent to the individual to confirm that their request has been taken into account.
4.2.2 The request must be processed within thirty (30) days of its receipt.
4.3 Identity Verification
4.3.1 Before processing the request, the individual's identity must be reasonably verified. This can be done by requesting additional information or verifying the individual's identity in person.
4.3.2 If the identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Response to Incomplete or Excessive Requests
4.4.1 If a request for access to personal information is incomplete or excessive, the personal information protection officer will contact the individual to request additional information or clarification.
4.4.2 The organization reserves the right to refuse a request if it is manifestly abusive, excessive, or unjustified.
4.5 Processing the Request
4.5.1 Once the identity is verified, the personal information protection officer responsible for handling access requests will collect the requested information.
4.5.2 The officer will consult relevant records to gather the requested personal information, ensuring compliance with any applicable legal restrictions.
4.6 Review of Information
4.6.1 Before disclosing the personal information to the individual, the officer carefully reviews the information to ensure it does not contain confidential third-party information or infringe on other rights.
4.6.2 If third-party information is present, the officer assesses whether it can be separated or must be excluded from disclosure.
4.7 Communication of Information
4.7.1 Once the reviews are completed, the personal information is communicated to the individual within a reasonable timeframe, in accordance with applicable legal requirements.
4.7.2 The personal information may be communicated to the individual electronically, by secure postal mail, or in person, depending on the individual's preferences and appropriate security measures.
4.8 Follow-Up and Documentation
4.8.1 All steps of the personal information access request process must be recorded accurately and comprehensively.
4.8.2 The details of the request, actions taken, decisions made, and corresponding dates must be logged in a request tracking register.
-
Date of receipt of the request;
-
Date of acknowledgment of receipt;
-
Date of identity verification;
-
Method of identity verification;
-
Decision – access request accepted or denied;
-
Date of communication of the information (if applicable).
4.9 Confidentiality Protection
4.9.1 All personnel involved in processing personal information access requests must respect confidentiality and data protection.
4.10 Complaint and Recourse Management
4.10.1 If an individual is dissatisfied with the response to their personal information access request, they must be informed of the complaint procedures and available recourse before the Commission d’accès à l’information.
4.10.2 Complaints must be handled in accordance with internal policies and procedures for complaint management (next section).
-
Complaint Handling Procedure
5.1 Receipt of Complaints
5.1.1 Complaints may be submitted in writing, by phone, by email, or through any other official communication channel. They must be recorded in a centralized register, accessible only to designated personnel.
5.1.2 The employee must immediately inform the responsible party of the receipt of complaints.
5.2 Preliminary Evaluation
5.2.1 The designated responsible party reviews each complaint to assess its relevance and severity.
5.2.2 Frivolous, defamatory, or clearly unfounded complaints may be dismissed. However, a justification must be provided to the complainant.
5.3 Investigation and Analysis
5.3.1 The person in charge of the complaint conducts an investigation by collecting evidence, interviewing the parties involved, and gathering all relevant documents.
5.3.2 The person in charge must be impartial and have the necessary authority to resolve the complaint.
5.3.3 The person in charge must maintain the confidentiality of the information related to the complaint and ensure that all parties involved are treated fairly.
5.4 Complaint Resolution
5.4.1 The person in charge of the complaint proposes appropriate solutions to resolve the complaint as quickly as possible.
5.4.2 Solutions may include corrective actions, financial compensation, or any other necessary action to satisfactorily resolve the complaint.
5.5 Communication with the Complainant
5.5.1 The person in charge of the complaint communicates regularly with the complainant to keep them informed of the progress of the investigation and the resolution of the complaint.
5.5.2 All communications must be professional, empathetic, and respectful.
5.6 Closing the Complaint
5.6.1 Once the complaint is resolved, the person in charge must provide a written response to the complainant, summarizing the actions taken and the solutions proposed.
5.6.2 All information and documents related to the complaint must be kept in a confidential file.
Last updated: August 1, 2024
Procedure for Personal Information De-Indexing and Deletion Requests
-
Overview
This procedure aims to address the privacy and personal information protection concerns of our clients.
-
Objective
The purpose of this procedure is to provide a structured mechanism to handle de-indexing and deletion requests of personal information from our clients.
-
Scope
This procedure applies to our internal team responsible for managing de-indexing and deletion requests of personal information. It covers all information published on our online platforms, including our website, mobile applications, databases, or any other digital medium used by our clients.
-
Definitions
-
Personal Information Deletion: The act of completely erasing data, making it unavailable and unrecoverable.
-
Personal Information De-Indexing: The removal of information from search engines, making it less visible but still directly accessible.
Deletion permanently eliminates the data, while de-indexing limits its online visibility.
-
Procedure
5.1 Receipt of Requests
5.1.1 De-indexing and deletion requests for personal information must be received by the designated responsible team.
5.1.2 Clients can submit their requests through specific channels such as the online form, dedicated email address, or phone number.
5.2 Identity Verification
5.2.1 Before processing the request, the individual's identity must be reasonably verified.
5.2.2 This can be done by requesting additional information or verifying the individual's identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse to process the request.
5.3 Request Evaluation
5.3.1 The responsible team must carefully review the requests and the personal information concerned to determine their eligibility for de-indexing or deletion.
5.3.2 Requests must be handled confidentially and within the specified timeframe.
5.4 Reasons for Refusal
5.4.1 There are also valid reasons why we may refuse to delete or de-index personal information:
-
To continue providing goods and services to the client;
-
For labor law requirements;
-
For legal reasons in case of litigation.
5.5 De-Indexing or Deletion of Personal Information
5.5.1 The responsible team must take the necessary steps to de-index or delete personal information in accordance with eligible requests.
5.6 Follow-Up Communication
5.6.1 The responsible team is responsible for communicating with the requesters throughout the process, providing acknowledgment confirmations and regular updates on the status of their request.
5.6.2 Any delays or issues encountered during the processing of requests must be communicated to the requesters with clear explanations.
5.7 Follow-Up and Documentation
5.7.1 All de-indexing and deletion requests of personal information, as well as the actions taken to respond to them, must be recorded in a dedicated tracking system.
5.7.2 Records must include details of the requests, actions taken, dates, and the results of the actions performed.
Last updated: August 1, 2024
Procedure for Security Incidents and Personal Information Breaches Management
-
Overview
An incident response plan is essential for effectively managing cyber incidents. In these crisis moments, it is not always clear how to act and prioritize actions. An incident response plan reduces the stress of forgetting important aspects.
-
Objective
The purpose of this procedure is to ensure that the organization is prepared to respond in the event of a cyber incident in a way that allows for the quick resumption of its activities.
-
Scope
The scope of this procedure includes all networks and systems, as well as stakeholders (clients, partners, employees, subcontractors, suppliers) who access these systems.
-
Recognizing a Cyber Incident
A cybersecurity incident may not be recognized or detected immediately. However, certain indicators can signal a security breach, that a system has been compromised, unauthorized activity, etc. It is important to always be vigilant for any signs indicating that a security incident has occurred or is ongoing.
Some of these indicators are described below:
-
Excessive or unusual connection and system activity, particularly from any inactive user ID (user account).
-
Excessive or unusual remote access within your organization. This may involve staff or third-party suppliers.
-
The appearance of any new wireless (Wi-Fi) networks visible or accessible.
-
Unusual activity related to the presence of malware, suspicious files, or new or unapproved executable files and programs.
-
Lost, stolen, or misplaced computers or devices containing payment card data, personal information, or other sensitive data.
-
Contact Information
Company: Serge Duchesne
Responsible: Serge Duchesne
Address: 798 boul. Du Fort St-Louis, Apt 1, Boucherville, J4B 1T4
Email: acccordeon@sergeduchesne.ca
Phone: 450 641-4825
Website: https://www.accordeonduchesne.com/
-
Personal Information Protection Breach – Specific Intervention
If a security incident involving a personal information breach has been confirmed, the following steps must be taken:
-
Complete the confidentiality incident register to document the incident.
-
Review the personal information protection breach to determine if personal information has been lost due to unauthorized access or use, unauthorized disclosure, or any breach of the protection of such personal information, and assess if there is a risk of serious harm to the individuals concerned.
-
If so, report it to the Commission d’accès à l’information in Quebec.
-
Also, notify the individuals whose personal information is affected by the incident.
-
Ransomware – Specific Intervention
If a ransomware security incident has been confirmed, the following steps must be taken:
-
Immediately disconnect the devices affected by ransomware from the network.
-
Do NOT DELETE anything from your devices (computers, servers, etc.).
-
Examine the ransomware and determine how it infected the device. This will help understand how to remove it.
-
Contact local authorities to report the incident and cooperate with the investigation.
-
Once the ransomware is removed, perform a complete system analysis using the latest available antivirus, anti-malware, and any other security software to confirm it has been removed from the device.
-
If the ransomware cannot be removed from the device (often the case with stealth malware), the device must be reset using the original installation media or images.
-
Before proceeding with the reset from backup media/images, check that they are not infected with malware.
-
If the data is critical and must be restored but cannot be recovered from unaffected backups, look for decryption tools available on nomoreransom.org.
-
The policy is not to pay the ransom, subject to the issues at stake. It is also highly recommended to hire the services of a breach coach expert in cyberattacks.
-
Protect systems to prevent reinfection by implementing patches or fixes to prevent further attacks.
-
Account Hacking – Specific Intervention
If an account hacking has been confirmed, the following steps must be taken:
-
Notify our clients and suppliers that they may receive fraudulent emails from us and specify not to respond or click on the links in those emails.
-
Check if access to the online account is still available.
-
If not, contact platform support to try to regain access.
-
Change the password used to log into the platform.
-
If the password is reused elsewhere, also change all those passwords.
-
Enable two-factor authentication for the platform.
-
Delete illegitimate connections and devices from the connection history.
-
Loss or Theft of a Device – Specific Intervention
If a device loss has been confirmed, the following steps must be taken:
-
The theft or loss of a device, such as a computer, laptop, or mobile device, must be immediately reported to the local police authorities. This includes losses/thefts outside of normal business hours and on weekends.
-
If the lost or stolen device contained sensitive data and is not encrypted, conduct a sensitivity analysis of the type and volume of stolen data, including potentially affected payment card numbers.
-
If possible, lock/disable the lost or stolen mobile devices (e.g., smartphones, tablets, laptops, etc.) and perform a remote data wipe.
Last updated: August 1, 2024
Legislation
We are committed to complying with the legislative provisions set out in:
Québec