Policies and Procedures
1. Protecting Personal Information and Our Business
Our clients provide personal information essential to our business operations. Protecting this information is crucial to maintaining their trust. The relevant Quebec law, the Act respecting the protection of personal information in the private sector, governs the collection, use, and disclosure of personal information. Personal information includes data that can identify an individual either alone or combined with other information, such as names and addresses, and sensitive information like medical and financial details. It excludes public information and work contact details.
The firm is responsible for managing the personal information it holds and must take all necessary measures to ensure the security of this information. In some cases, this involves adopting new business practices to protect the privacy of personal information.
Policy
The firm makes information about its policies and procedures available to the public. If the firm has a website, it will describe how personal information is collected, used, disclosed, and retained. If there is no website, this information will be available through other means (e.g., email, mail). The firm adheres to the privacy guidelines of Canada Life Insurance Company, Horizons Financial, and the life insurance companies it does business with.
2. Concerns and General Inquiries or Requests
Procedure
The name and contact details of the person responsible for protecting personal information, our compliance officer, should be displayed on the firm’s website. If there is no website, they must be accessible by other means (e.g., email, mail).
All concerns, general inquiries, or requests related to privacy and the firm are forwarded to the firm's compliance officer. This individual will review the requests and acknowledge them within 24 hours; if they are unavailable, the requests will be transferred to an appropriate person for processing. The client will be kept informed of the progress made by the compliance officer regarding the situation, and complete documentation of the concern reported and all related activities will be kept in the client's file.
2.1 Client Requests to Access Personal Information
Under privacy protection laws, clients have the right to access their personal information held in the firm's or the company's records and to challenge its accuracy if necessary. The firm has established procedures to collect and provide personal information in response to a client's access request.
Procedure
Any client request for access to their personal information held in the firm's client records is forwarded to the firm's compliance officer, who responds to it. The date and details of the request are recorded until it is fulfilled. The compliance officer will assist the client in preparing their access request if necessary. The information is provided to the client as quickly as possible, and no later than 30 days after receipt of the request, in a commonly used technological format.
Correct or amend any personal information if its accuracy or completeness is challenged and it is found to be indeed erroneous or incomplete. Record all disagreements related to the information and, where applicable, inform third parties.
If a client requests access to their personal information held by the company, follow the processes established by the company.
2.1.1 Automated Decisions
If the firm implements automated decision-making technology at the client's request, it will inform them, no later than when notifying them of the decision, which personal information was used to make the decision, and will explain in plain language how the decision was made. The client retains the right to review and correct any erroneous information.
2.2 Misuse of Personal Information
Procedure
The firm's compliance officer must immediately report any misuse of personal information or any potential breach of security measures regarding the company's products and services to the company's chief compliance officer.
2.3 Process for Privacy Incidents and Breaches
A privacy breach occurs through unauthorized disclosure or use of personal information, unauthorized access to such information, or loss of personal information due to a breach of security measures. A privacy breach also includes any other breach of personal information protection that does not comply with privacy protection legislation, such as retaining personal information beyond the necessary period for which it was collected.
Examples of privacy breaches:
- Copies of client personal information records are stolen from a vehicle.
- A consultant's laptop containing client personal information is lost or stolen.
- The hard drive of a consultant's computer containing client personal information is compromised or hacked.
- Client information is sent to the wrong email recipient, internally or externally.
- Client information is sent by mail to the wrong address (another person opened the mail).
- Personal information is disclosed or used without proper authorization.
- Information about inactive clients is retained longer than the retention schedules allow.
All breaches must be assessed to determine the risk to the client.
Terminology of assessment: an assessment can conclude that there is a real risk of serious harm (RRSH) or a risk of serious harm (RPS, similar to RRSH); both are referred to as "assessment" throughout this document. If the assessment determines that the risk is serious, the breach must be reported to the Access to Information Commission (AIC) in Quebec and/or the federal Office of the Privacy Commissioner of Canada (OPC) and to the provincial privacy commissioners outside Quebec, as applicable, all referred to as "the commissioner".
2.3.1 Policy
Presumed or actual breaches, complaints, or any concerns related to a privacy issue, whether they affect an individual or a supplier, are immediately reported to the firm's compliance officer and to the company. The firm's compliance officer will stop any further disclosure of the information, assess the situation, correct it, and contribute to the improvement of control measures to avoid similar breaches in the future.
2.3.2 Breach Containment Process
In the event of a privacy breach affecting client information (e.g., cyberattack, unauthorized access to data), contact:
- the compliance officer of the practice;
- for Canada Life business, Compliance of Advisors – Quebec or Compliance of Advisors; and
- the other companies involved.
In addition to the steps described above, follow the steps described below.
2.3.2.1 Loss, Theft, or Hacking of Electronic Devices
- Mobilize the firm's IT support team.
- Perform a scan of computers to detect any malware before accessing systems again.
- Immediately contact the technical support team of each company concerned to request password changes.
- Contact the police to file a complaint.
- Change passwords for other systems (e.g., online banking service).
2.3.2.2 Loss or Theft of Paper Documents (e.g., policies, proposals, client files)
- Contact the police to report the theft of the documents.
2.3.2.3 Emails or Mail Sent to the Wrong Recipient
- Immediately recall the email.
- If this is not possible, contact the unintended recipient and ask them to confirm in writing that they have deleted the email (including from their Deleted Items folder), that they have not saved it, and that they have not forwarded it to anyone else.
- For mail, ask the unintended recipient to return it or to confirm that it has been destroyed securely (e.g., shredded).
2.3.2.4 Cyberattacks
A cyberattack targets computers or computer networks in an attempt to expose, modify, disable, destroy, steal, or obtain information through unauthorized access to an asset or unauthorized use of that asset.
- Mobilize the practice's IT support team.
- Contact the police.
Contact Details of Key Persons
- Incident Management: Serge Brosseau, 514-375-7000, sbrosseau@fiscalite-financiere.com
- Management: Nicolas St-Vincent, 514-375-7000, nstvincent@fiscalite-financiere.com
- IT Managers: Gabriel Fréchette, Riopel Consultant informatique, (450) 436-4488 ext. 219, gfrechette@riopel-consultant.com
- Communications Manager: Julie Guénette, 514-375-7000, jguenette@fiscalite-financiere.com
2.3.2.5 Ransomware
Ransomware is a type of malware (malicious software) that prevents users from using their systems, or limits that use, by locking the system's screen or a user's folders until a ransom is paid.
- Mobilize the practice's IT support team.
- Contact the police to report the incident and cooperate in the investigation.
- Immediately disconnect any devices targeted by the ransomware from the network.
- Do not erase anything on your devices (computers, servers, etc.).
- Examine the ransomware and determine how it infected the device. This will help you understand and eliminate it.
- Once the ransomware is removed, perform a full system analysis using the latest available antivirus, anti-malware, and other security software to confirm that it has been removed from the device.
- If the ransomware cannot be removed from the device (often the case with stealthy malware), reset the device using the original installation media or images. Before restoring from backup media or images, verify that they are not themselves infected by malware.
- If the data is critical and must be restored but cannot be recovered from unaffected backups, look for decryption tools available on nomoreransom.org.
- The policy is not to pay the ransom, subject to the issues involved. It is also strongly recommended to hire the services of a project manager specialized in cyberattacks (breach coach).
- Protect systems against reinfection by applying patches or routines that prevent further attacks.
2.4 Documentation Process
Begin the documentation process of any privacy breach as soon as the breach has been contained. All privacy breach records must be securely retained.
In Quebec, the firm must maintain a register of all privacy breaches for five years from the moment it became aware of the breach and be ready to provide this register to the Access to Information Commission (AIC) upon request.
Outside Quebec, keep records on all privacy breaches for 24 months. The practice should be able to provide the records to the commissioner or other organizations upon request.
The records must be kept in a secure place and include the following:
- Date of the breach
- Description of the circumstances of the breach
- Number of people affected
- Types of personal information involved
- Sensitivity of the information affected by the breach
- Probability of misuse
- Potential harm that could result from the breach
- An indicator confirming:
  - whether the breach resulted in a real risk of serious harm or a risk of serious harm (RRSH/RPS) to the person, with an explanation of this conclusion;
  - that the affected person(s) have been notified; and
  - the date of confirmation and of the notice to the commissioner for affected individuals living outside Quebec.
- Measures taken to prevent similar breaches from occurring; consider the following:
  - What is the root cause of the privacy breach?
  - What control measures failed to prevent the privacy breach?
  - Do new processes or control measures need to be established?
  - Do existing processes or control measures need to be improved or modified?
  - Are there gaps or vulnerabilities in the security controls that need to be resolved?
  - Does training need to be reinforced, or new training created and given?
Firms in Quebec must also record the following information:
- Date the firm became aware of the incident
- If the description of the personal information is not provided, the reason why
- If an RRSH/RPS is determined, the date and confirmation of the notice to the AIC and to the affected individuals, and whether public notices were issued and the reasons for doing so
A tracking register listing all privacy breaches by region in one place can also be kept. Firms in Quebec can use this as the register required by the AIC.
2.5 Conduct an Assessment
All privacy incidents must be assessed to determine whether they posed a real risk of serious harm or a risk of serious harm (RRSH/RPS).
To determine whether there is an RRSH/RPS, ask the following questions:
- Is the personal information affected by the incident sensitive?
  - Examples of sensitivity levels: high – SIN, banking information, and medical information; low – name, address, email, gender, marital status.
- Was the personal information obtained maliciously?
  - Personal information obtained through theft, fraud, or hacking of a system is more likely to be used maliciously and represents a high risk.
- Are 5 or more people affected?
  - The higher the number of people affected, the greater the likelihood of misuse.
- Has the information not yet been recovered?
  - If the personal information cannot be quickly recovered, this may mean that it has been, is being, or will be misused.
- Are you still waiting for confirmation that the personal information has been destroyed?
  - If the personal information is not destroyed by the unintended recipient, this may mean that it has been, is being, or will be misused.
- Does the incident stem from a systemic problem?
  - Systemic problems can lead to further incidents and increase the likelihood that personal information will be misused.
- Did more than 10 business days pass between the date of the incident and the date it was discovered?
  - A long delay before discovering the incident may indicate that the unintended recipient has had time to misuse the personal information.
If you answered "no" to any of the questions above, the answer to whether an RRSH/RPS exists is "no," and the levels of sensitivity and probability are "low." Go to the section on Improving Control Measures.
If you answered "yes" to any of the questions above, you must determine the level (low or high) of sensitivity of the personal information and the likelihood that it will be misused, considering 1) the sensitivity of the personal information that was the subject of the breach; 2) the consequences envisaged for the affected individuals in case of misuse of that information; and 3) the likelihood that the personal information will be misused.
If you consider that the personal information that was the subject of the breach is "very sensitive" and that the likelihood of its misuse is also "high," there is an RRSH/RPS to the affected individuals; move on to the next section. In the case of Canada Life information, contact Compliance of Advisors – Quebec or Compliance of Advisors as needed to determine whether the information is sensitive and whether the probability of its misuse is high.
2.6 Mandatory Reporting of Privacy Breaches under Provincial Privacy Protection Laws or the Personal Information Protection and Electronic Documents Act (PIPEDA)
- If the firm determines that the incident presents an RRSH/RPS, the affected individuals must be notified, provided this does not interfere with an official investigation. Depending on where the affected individuals are located, a report must also be made as soon as possible to the AIC (in Quebec) and to the commissioner, even if only one person is affected.
- The firm must also inform any other organization or business that could mitigate the harm to the affected individuals (e.g., by adding an indicator to clients' accounts). For Canada Life clients, communicate with the Compliance of Advisors – Quebec team or with the Compliance of Advisors team.
2.6.1 Notice to Affected Individuals
If applicable, the firm will provide the affected individuals with a notice of the breach of the measures protecting their personal information; it must include the following elements:
- a description of the circumstances of the breach;
- the date on which the breach occurred or the period over which it took place or, if the precise dates are unknown, an approximation of the dates;
- a description of the personal information affected, to the extent that it can be determined;
- a description of the measures that the practice has put in place to reduce the risks of harm resulting from the breach;
- a description of the measures that affected individuals could take to reduce the risks of harm resulting from the breach or to mitigate these harms; and
- the contact details allowing the affected individuals to inquire further about the breach.
2.6.2 Notice to Regulatory Agencies in the Case of Breaches Considered RRSH/RPS
- Send a notice to the Access to Information Commission (AIC) by downloading the security incident reporting form for incidents affecting personal information from the AIC website.
- Send a notice to the Office of the Privacy Commissioner of Canada (federal) using the PIPEDA breach report form.
- British Columbia – the law recommends reporting to the Office of the Privacy Commissioner if there is a real risk of serious harm. To determine whether you need to produce a notice, refer to the British Columbia Privacy Breach Checklist form.
- Send a notice to the Office of the Information and Privacy Commissioner of Alberta using its privacy breach reporting form.
2.7 Improving Control Measures
Review all processes, all system updates, all employee training, then make improvements as needed to prevent incidents from recurring. As described in section 2.4 "Documentation Process," assess the control measures that can be improved to minimize future risks and establish the necessary new control measures to address the risks.