(section 3.2 of the Act respecting the protection of personal informationin the private sector, chapter P-39.1 and Regulation respecting confidentiality incidents; Act respecting the Barreau du Québec, chapter B-1 and its regulations)
PREAMBLE
The firm is responsible for the protection of the personal information it holds. Personal information is confidential, except as required by law. Any person who, in the course of his or her duties, has access to personal information held by the firm must take the necessary measures to ensure its protection and confidentiality.
This procedure sets out the measures to be taken to reduce the risk of harm being caused in such cases and to prevent similar incidents from occurring.
1. OBJECTIVE AND NORMATIVE FRAMEWORK
This procedure specifies the steps to be taken when the firm has reasonable grounds to believe that a confidentiality incident involving personal information under its control has occurred, or
if such an incident is proven, in accordance with the Act respecting the protection of personal informationin the private sector, chapter P-39.1 and the Regulation respecting confidentiality incidents).
2. DEFINITIONS
The definitions to be considered for the purposes of this procedure, which may be supplemented by any other regulation, policy, directive or procedure referring to it, are as
follows:
Confidentiality incident : access, use, disclosure of personal information not authorized by law, as well as its loss or any other form of breach of its protection.
Here are a few examples:
• A staff member accesses personal information that is not necessary for the
performance of his or her duties;
• A hacker infiltrates a system;
• An individual uses personal information from a database to which he or she has
access in the course of his or her duties for the purpose of impersonating an individual;
• A communication is made by mistake to the wrong person;
• A person loses or has documents containing personal information stolen;
• An individual interferes with a database containing personal information in order to alter it.
Personal information: any information that relates to a natural person and that allows him or her to be identified. An individual’s name, taken in isolation, is not personal information. However, when that name is combined or combined with other information about that same person, it becomes personal information.
Examples of personal information include:
• A person’s name and date of birth;
• Social Insurance Number;
• Credit card number;
• Health insurance number;
• Medical or financial information;
• A person’s name and personal telephone number;
• A person’s name and home address.
Sensitive personal information: Personal information is considered sensitive when, by its nature, including medical, biometric or otherwise intimate, or because of the context in which it was used or disclosed, it gives rise to a reasonable expectation of privacy.
This may include, for example, medical, biometric, genetic or financial information, or information about ethnic origin, political belief, sexual life or orientation, religious beliefs.
3. PROTECTION OF PERSONAL INFORMATION
The Firm implements appropriate and reasonable security measures to protect personal information against loss or theft, and against unauthorized access, disclosure, copying, use or modification. Only those staff members who are required to access personal information in the course of their duties are authorized to access it.
Individuals who are members of the firm’s staff or who work on behalf of the firm must, among other things:
– Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;
– Take special precautions to ensure that personal information is not monitored, heard, accessed or lost when working in premises other than the firm’s offices;
and
– Take reasonable steps to protect personal information as it moves from one location to another.
4. REPORTING A PRIVACY INCIDENT
Any person to whom the firm discloses personal information (colleagues, suppliers, partners, experts including subcontractors) must make a report when he or she has reasonable grounds to believe that a confidentiality incident involving personal information held by the firm has occurred. To do this, this report must be made without delay to the person responsible for the protection of personal information.
A member of the firm or a member of staff who has reasonable grounds to believe that a confidentiality incident involving personal information held by the firm has occurred must
also notify his or her supervisor or the person responsible for the protection of personal information without delay.
5. RESPONSIBLE FOR PERSONAL INFORMATION (PIP): ROLES AND RESPONSIBILITIES
The persons responsible for the protection of personal information (hereinafter “PRP”) for the firm are Me Natale Screnci and Me Ghislain Hamon. They can be reached at the following
coordinates:
• Email: ns@hamonscrenci.com and gh@hamonscrenci.com
• Telephone: (514) 252-0550 ext. 2 or 3 or (450) 759-1074 ext. 2 or 3.
Their role includes:
• Contribute to the implementation of the information security incident management
process;
• Maintain the record of information security incidents that may have jeopardized information security, document such incidents and keep the Director of Information Security and the Secretary General informed;
• Contribute to information security risk analyses to identify threats and situations of vulnerability and implement appropriate solutions. In the event of a confidentiality incident, the persons responsible for the protection of personal information take charge of the handling of the incident and associate with any other useful person depending on the nature of the incident.
As such, the PRP :
• Assesses the risk of harm and determines its severity. In making this assessment, consideration shall be given in particular to the sensitivity of the intelligence concerned, the anticipated consequences of its use and the likelihood that it will be used for harmful purposes.
• Promptly notify the individual whose personal information is affected by the incident where the personal information poses a risk of serious harm, except where doing so would be likely to interfere with an investigation by a person or body responsible under the law for preventing, detecting or suppressing crime or statutory offences.
The notice must contain the following information:
a. A description of the personal information involved in the breach or, if the information is not known, the reason why such a description cannot be provided;
b. A brief description of the circumstances of the incident;
c. The date or period when the incident occurred or, if unknown is not known, an approximation of that period;
d. A brief description of the actions the organization has taken or intends to take following the occurrence of the incident, in order to reduce the risk of harm being
caused;
e. The measures that the organization suggests the individual take to reduce the risk of harm or to mitigate harm;
f. Contact information that allows the person concerned to learn more about the incident.
• Notify any person or organization likely to reduce the risk, by disclosing only the personal information necessary for that purpose, without the consent of the individual concerned.
• Promptly notify the Commission d’accès à l’information in writing of the confidentiality incident when it presents a risk of serious harm being caused. The notice must contain the following information:
a. The name of the firm and the Québec enterprise number assigned to it under the Act respecting the legal publicity of enterprises;
b. The name and contact information of the person to be contacted within the firm in relation to the incident;
c. A description of the personal information involved in the breach or, if the information is not known, the reason why such a description cannot be provided;
d. A brief description of the circumstances of the incident and, if known, its cause;
e. The date or period when the incident occurred or, if unknown is not known, an approximation of that period;
f. The date or period during which the firm became aware of the incident;
g. The number of persons affected by the incident and, among them, the number of persons residing in Québec or, if they are not known, an approximation of these
numbers;
h. A description of the factors that lead the firm to conclude that there is a risk of serious harm to the individuals concerned, such as the sensitivity of the personal information concerned, the possible misuse of the information, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes ;
i. The measures that the firm has taken or intends to take to notify the individuals whose personal information is affected by the incident, as well as the date on which the individuals were notified or the proposed turnaround time;
j. The measures that the firm has taken or intends to take following the occurrence of the incident, including those aimed at reducing the risk of harm being caused or mitigating such harm and those aimed at preventing future incidents of the same nature from occurring, as well as the time frame within which the measures were taken or the envisaged time frame for execution;
k. If applicable, a statement that a person or organization located outside Québec and exercising responsibilities similar to those of the Commission d’accès à l’information with respect to monitoring the protection of personal information has been notified of the incident.
• Notifies, with diligence, the firm’s insurers, if applicable.
• Enter the confidentiality incident in the register provided for this purpose.
• At the request of the Commission d’accès à l’information, send a copy of the register.
6. PRIVACY INCIDENT LOG
The firm must keep a record of confidentiality incidents.
6.1 Retention period of the information contained in the register
The information contained in the register must be kept up to date and kept for the longer of the following two periods: for a minimum period of five years after the date
on which the firm became aware of the incident or the period required by the Barreau du Québec for the preservation of the records.
7. ENTRY INTO FORCE
This procedure comes into force on September 22nd 2023.
