Novo legal solutions

Privacy Incident Management Policy and Procedure

(section 3.2 of the Act Respecting the Protection of Personal Information in the Private Sector, chapter P-39.1, and the Confidentiality Incident Regulation; Law Society Act, chapter B-1, and its regulations)

PREAMBLE
The firm is responsible for the protection of the personal information it holds. Personal information is confidential except as required by law.

Anyone who, in the course of their duties, has access to personal information held by the firm must take the necessary measures to ensure its protection and confidentiality.

This procedure sets out the measures to be taken when a confidentiality incident occurs, in order to reduce the risk of harm being caused and to prevent new incidents of the same nature from occurring.

1. OBJECTIVE AND NORMATIVE FRAMEWORK
This procedure specifies the steps to be taken when the firm has reasonable grounds to believe that a confidentiality incident involving personal information in its possession has occurred, or when such an incident is confirmed, in accordance with the Act Respecting the Protection of Personal Information in the Private Sector, chapter P-39.1, and the Confidentiality Incident Regulation.

2. DEFINITIONS
The definitions to be considered for the application of this procedure, which may be supplemented by any other regulation, policy, directive or procedure referring to them, are as follows:

Confidentiality incident: access to, use or disclosure of personal information that is not authorized by law, as well as its loss or any other breach of its protection.

Here are a few examples:

• A staff member consults personal information that is not necessary for the performance of their duties;
• A hacker breaks into a system;
• An individual uses personal information from a database to which they have access in the course of their duties in order to impersonate a person;
• A communication is made by mistake to the wrong person;
• An individual loses or is robbed of documents containing personal information;
• An individual enters a database containing personal information in order to alter it.

Personal information: any information that concerns a natural person and that allows that person to be identified. An individual's name, taken in isolation, is not personal information. However, when that name is combined with other information about the same individual, the combination becomes personal information.

Examples of personal information include:

• A person's name and date of birth;
• Social insurance number;
• Credit card number;
• Health insurance number;
• Medical or financial information;
• A person's name and personal telephone number;
• A person's name and home address.

Sensitive personal information: personal information is considered sensitive when, because of its nature (including medical, biometric or otherwise intimate information) or because of the context in which it is used or disclosed, it entails a high level of reasonable expectation of privacy.

This may include, for example, medical, biometric, genetic, or financial information, or information about ethnicity, political beliefs, sexual life or orientation, or religious beliefs.

3. PROTECTION OF PERSONAL INFORMATION
The firm puts in place appropriate and reasonable security measures to protect personal information against loss or theft, and against access, disclosure, copying, use, or modification that is not authorized by law.

Only staff members who absolutely need access to personal information in order to perform their duties are authorized to access it.

Persons who are members of the firm's staff or who work on behalf of the firm must, in particular:

— Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;

— Take special precautions to ensure that personal information is not observed, overheard, accessed or lost while working on premises other than the firm's offices; and

— Take reasonable steps to protect personal information while it is being moved from one location to another.

4. REPORTING A PRIVACY INCIDENT
Anyone to whom the firm discloses personal information (colleagues, suppliers, partners, experts, including subcontractors) must report when they have reasonable cause to believe that a confidentiality incident involving personal information held by the firm has occurred.

This report must be made without delay to the person responsible for the protection of personal information.

A member of the firm or a staff member who has reasonable cause to believe that a confidentiality incident has occurred involving personal information held by the firm must also notify their line manager or the person responsible for the protection of personal information without delay.

5. PERSONS RESPONSIBLE FOR PERSONAL INFORMATION (PRP): ROLES AND RESPONSIBILITIES
The persons responsible for the protection of personal information (hereinafter “PRP”) for the firm are Me Natale Screnci and Me Ghislain Hamon. They can be reached at the following contact details:

• Email: ns@novolegal.ca and gh@novolegal.ca
• Telephone: (514) 252-0550 extension 2 or 3 or (450) 759-1074 extension 2 or 3.

Their role is in particular to:

• Contribute to the implementation of the information security incident management process;

• Maintain the register of information security incidents that may have endangered information security, to document these incidents and to inform the Director of Information Security as well as the Secretary General;

• Contribute to information security risk analyses in order to identify threats and situations of vulnerability and to implement appropriate solutions.

In the event of a privacy incident, the PRP take charge of the incident and work with any other useful person depending on the nature of the incident.

As such, the PRP:

• Assesses the risk of harm being caused and determines the degree of severity of harm. During this assessment, consideration is given in particular to the sensitivity of the information concerned, the expected consequences of its use and the probability that it will be used for harmful purposes.

• Expeditiously notifies the individual whose personal information is involved in the incident when there is a risk of serious harm being caused, except where this would be likely to interfere with an investigation by a person or organization that, by law, is responsible for the prevention, detection or suppression of crime or legal violations.

This notice must include the following information:

a. A description of the personal information that was the subject of the incident or, if that information is not known, the reason why it was not possible to provide such a description;

b. A brief description of the circumstances of the incident;

c. The date or period when the incident took place or, if the date or period is not known, an approximation of that period;

d. A brief description of the actions that the firm has taken or intends to take following the occurrence of the incident in order to reduce the risk of harm being caused;

e. The measures that the firm suggests that the person concerned take in order to reduce the risk of harm being caused to them or in order to mitigate such harm;

f. Contact information that allows the person concerned to find out more about the incident.

• Advises, where appropriate, any person or organization likely to reduce the risk, providing them with only the personal information necessary for this purpose, without the consent of the person concerned.

• Diligently and in writing, notifies the Commission d'accès à l'information of the confidentiality incident when there is a risk of serious harm being caused.

The notice must include the following information:

a. The name of the firm and the Quebec business number assigned to it under the Act Respecting the Legal Publicity of Businesses;

b. The name and contact details of the person to contact within the firm in relation to the incident;

c. A description of the personal information that was the subject of the incident or, if that information is not known, the reason why it was not possible to provide such a description;

d. A brief description of the circumstances of the incident and, if known, its cause;

e. The date or period when the incident took place or, if unknown, an approximation of this period;

f. The date or period during which the firm became aware of the incident;

g. The number of people involved in the incident and, among these, the number of people residing in Quebec or, if these numbers are not known, an approximation of them;

h. A description of the factors that lead the firm to conclude that there is a risk of serious harm to the individuals concerned, such as the sensitivity of the personal information concerned, the possible malicious uses of that information, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes;

i. The steps that the firm has taken or intends to take to notify individuals whose personal information is affected by the incident, as well as the date on which the individuals were notified or the anticipated timeframe for completion;

j. The measures that the firm has taken or intends to take as a result of the occurrence of the incident, including those aimed at reducing the risk of harm being caused or mitigating such harm and those aimed at preventing new incidents of the same nature from occurring, as well as the time frame in which the measures were taken or the envisaged time frame for their implementation;

k. If applicable, a statement indicating that a person or organization located outside Quebec and exercising responsibilities similar to those of the Commission d'accès à l'information with respect to the monitoring of the protection of personal information was notified of the incident.

• Diligently notifies the firm's insurers, if necessary.

• Enters the confidentiality incident in the register provided for this purpose.

• At the request of the Commission d'accès à l'information, sends a copy of this register.

6. PRIVACY INCIDENT LOG
The firm keeps a register of confidentiality incidents.

6.1 Retention period of information contained in the register

The information contained in the register must be kept up to date and retained for the longer of the following two periods: a minimum of five years after the date on which the firm became aware of the incident, or the period required by the Barreau du Québec for the retention of records.

7. ENTRY INTO FORCE
This procedure takes effect on September 22, 2023.