Policies and Procedures
1. Protection of Personal Information and Our Business
Clients provide personal information that is essential to the firm’s operations, and protecting that information is crucial to maintaining their trust. The relevant Quebec law, the Act Respecting the Protection of Personal Information in the Private Sector, governs the collection, use, and disclosure of personal information. Personal information is any data that, alone or combined with other data, can identify an individual. This includes a person’s name and address, as well as more sensitive information such as medical and financial details. It does not include public information, a person’s work contact information (their name, job title, business phone number, and business email address), or data used in the course of their employment, business, or profession.
The firm is responsible for managing personal information and must take all necessary measures to ensure the security of personal information in its possession. In some cases, this may mean adopting new business practices to protect the confidentiality of personal information.
Policy
The firm makes its policies and procedures available to the public. If it has a website, it will describe how personal information is collected, used, disclosed, and retained. In the absence of a website, this information will be accessible by other means (e.g., email, mail). The firm complies with the privacy guidelines of the companies (e.g., Canada Life Assurance Company) it represents through Horizons Group.
2. Concerns and General Inquiries or Requests
Procedure
The name and contact information of the person responsible for data protection, our compliance officer, must be posted on the firm’s website. In the absence of a website, this information should be accessible through other means (e.g., email, mail).
All concerns, general inquiries, or requests related to privacy and the firm are forwarded to the firm’s compliance officer. The officer will review the requests and acknowledge receipt within 24 hours; in their absence, the requests will be transferred to an appropriate person for handling. Clients will be kept informed of the progress of their issue, and full documentation of the reported concern and related activities will be kept in the client's file.
The firm’s compliance officer forwards all concerns, general inquiries, or requests related to privacy and the company’s products and services to the company's chief compliance officer.
2.1 Client Requests for Access to Personal Information
Under privacy protection laws, clients have the right to access their personal information held in records by the firm or the company and to challenge its accuracy, if necessary. The firm has procedures in place to collect and provide personal information in response to a client’s access request.
Procedure
Any request from a client to access their personal information stored in the firm’s client records is sent to the firm’s compliance officer, who will respond to the client’s request. The date and details of the request are recorded until it is fulfilled. The compliance officer will assist the client in preparing their access request if needed. Information is provided to the client as quickly as possible and no later than 30 days after receiving the request, in a commonly used technological format.
The compliance officer corrects or modifies any personal information whose accuracy or completeness is questioned, once it is confirmed to be incorrect or incomplete; records any unresolved disagreement about the information; and notifies third parties that received the information, where applicable.
If a client requests access to their personal information held by the company, follow the processes established by the company.
2.1.1 Automated Decisions
If the firm implements automated decision-making technology, it will inform the client, at the latest when the decision is communicated, which personal information was used to make the decision and will explain, in clear language, how the decision was made. The client retains the right to review and correct any inaccurate information.
2.2 Misuse of Personal Information
Procedure
The firm’s compliance officer must promptly report any misuse of personal information or any potential breach of security measures related to the company’s products and services to the company’s chief compliance officer.
2.3 Privacy Incidents and Breach Processes
A privacy breach occurs when personal information is disclosed or used without authorization, accessed without permission, or lost due to a security breach. A privacy breach also includes any other breach of personal information protection not in compliance with privacy legislation, such as retaining personal information that is no longer necessary for the purposes for which it was collected.
A privacy breach can be intentional, accidental, or due to criminal activities.
Examples of privacy breaches:
- Copies of client personal information statements are stolen from a vehicle.
- An advisor’s laptop containing client personal information is lost or stolen.
- An advisor’s computer hard drive containing client information is compromised or hacked.
- Client information is sent to the wrong email recipient, either internally or externally.
- Client information is mailed to the wrong address (another person opens the mail).
- Personal information is disclosed or used without proper authorization.
- Inactive client information is retained longer than necessary according to retention schedules.
All breaches must be assessed to determine the risk to the client.
Terminology of Assessment: Assessments use the federal standard of a real risk of significant harm (RRPG under PIPEDA) or the Quebec standard of a risk of serious injury (RPS under the Quebec Act, which is similar to RRPG); both are referred to simply as the "assessment" throughout this document. When the assessment determines that the risk is serious or significant, the breach must be reported to the Commission d’accès à l’information (CAI) in Quebec and/or the Office of the Privacy Commissioner of Canada (OPC) and the provincial privacy commissioners outside Quebec, as applicable, all referred to as "the commissioner."
2.3.1 Policy
Alleged or actual breaches, complaints, or any concerns related to a privacy issue, whether they affect an individual or a provider, must be immediately reported to the compliance officer of the firm and of the company. The firm’s compliance officer will contain the breach to stop any further disclosure of information, assess the situation, rectify the issue, and contribute to the improvement of control measures to avoid similar breaches in the future.
2.3.2 Breach Containment Process
In the event of a privacy breach affecting client information (e.g., cyberattack, unauthorized access to data), contact:
- the practice’s compliance officer
- Canada Life Advisors Compliance (Advisors Compliance – Quebec or Advisors Compliance, as applicable)
- Other affected companies
In addition to the steps described above, follow the steps outlined below.
2.3.2.1 Loss, Theft, or Hacking of Electronic Devices
- Mobilize the IT support team of the firm.
- Scan computers for any malware before regaining access to the systems.
- Immediately contact the technical support team of each affected company to request password changes.
- Contact the police to file a report.
- Change passwords for other systems (e.g., online banking).
2.3.2.2 Loss or Theft of Paper Documents (e.g., policies, proposals, client files)
- Contact the police to report the theft of documents.
2.3.2.3 Emails or Mail Sent to the Wrong Recipient
- Immediately recall the email, if the mail system permits it.
- If recall is not possible, contact the unintended recipient and request written confirmation that they have deleted the email (including from their Deleted Items folder), did not save it, and did not forward it to anyone else.
- For physical mail, ask the unintended recipient to return the item or to confirm in writing that it has been securely destroyed (e.g., shredded).
2.3.2.4 Cyberattacks
A cyberattack is any attempt against computers or computer networks to expose, modify, disable, destroy, steal, or obtain information through unauthorized access to an asset or through use of that asset without permission.
- Mobilize the IT support team of the practice.
- Contact the police.
Contact Information of Key Personnel
| Role | Name | Phone | Email Address |
|---|---|---|---|
| Incident response lead | Priscilla Godinho | 450-492-5688 | priscilla@landrymusi.com |
| Management | Mike Musi | 450-492-5688 | mike@landrymusi.com |
| IT lead | | | |
| Communications Lead | Daniel Landry | 450-492-5688 | daniel@landrymusi.com |
| Legal counsel | | | |
| Cybersecurity insurer | | | |
2.3.2.5 Ransomware
Ransomware is a type of malicious software (malware) that prevents users from using their systems or limits their access, typically by locking the system screen or by locking or encrypting user files, until a ransom is paid.
- Mobilize the practice’s IT support team.
- Report the incident to the police and cooperate with the investigation.
- Immediately disconnect devices affected by the ransomware from the network.
- Do not delete anything from your devices (computers, servers, etc.).
- Identify the ransomware variant and determine how the device was infected; this informs both its removal and the measures needed to prevent reinfection.
- After removal, run a full system scan using up-to-date antivirus, antimalware, and other available security software to confirm that no trace of the ransomware remains.
- If the ransomware cannot be removed from the device (often the case with stealth malware), rebuild the device from the original installation media or known-good images. Before restoring, verify that the backup media or images are themselves free of malware.
- If the data is critical and needs to be restored but cannot be recovered from unaffected backups, seek available decryption tools on nomoreransom.org.
- The firm’s policy is not to pay the ransom, subject to the circumstances of the incident. It is also highly recommended to engage the services of a breach coach (a cyberattack-response project manager).
- Protect the systems from future infection by implementing patches or routines to prevent further attacks.
2.4 Documentation Process
Begin the documentation process for any privacy breach as soon as it has been contained. All privacy breach records must be securely stored.
In Quebec, the firm must keep a record of all privacy breaches for five years from the time it became aware of the breach and be ready to provide this record to the Commission d’accès à l’information (CAI) upon request.
Outside of Quebec, retain records of all privacy breaches for 24 months. The practice should be able to provide records to the commissioner or other organizations upon request.
The records must be stored securely and include the following:
- Date of the breach.
- Description of the breach circumstances.
- Number of individuals affected.
- Types of personal information involved.
- Sensitivity of the information affected by the breach.
- Likelihood of misuse.
- Potential harm that could result from the breach.
- An indicator confirming:
  - whether the breach posed a serious or significant risk to the individuals, with an explanation of that conclusion;
  - that the affected individuals were notified; and
  - the date of notification and, for affected individuals living outside Quebec, confirmation that the commissioner was notified.
Measures taken to prevent similar breaches from occurring – consider the following:
- What was the root cause of the privacy breach?
- What control measures failed to prevent the privacy breach?
- Should new processes or control measures be implemented?
- Do existing processes or control measures need to be improved or modified?
- Are there any gaps or vulnerabilities in the security controls that need to be addressed?
- Does training need to be enhanced, or should new training be created and provided?
Quebec firms must also document the following:
- The date the firm became aware of the incident.
- If the description of personal information is not provided, explain why.
- If a serious or significant risk is determined – the date and confirmation of notification to the CAI and the affected individuals, and whether public notices were issued and the reasons for doing so.
A follow-up register listing all privacy breaches by region recorded in one place may also be kept. Quebec firms can use this as a register for CAI purposes.
2.5 Conducting an Assessment
All privacy breach incidents must be assessed to determine whether they posed a serious or significant risk.
To determine if there is a serious or significant risk, ask the following questions:
- Is the personal information affected by the incident sensitive in nature?
  - Examples of levels of sensitivity: High – Social Insurance Number, banking information, and medical records; Low – name, email address, gender, marital status.
- Was the personal information obtained maliciously?
  - Personal information obtained through theft, fraud, or system hacking is more likely to be misused and represents a higher risk.
- Were five or more individuals affected?
  - The higher the number of people affected, the greater the likelihood of misuse.
- Has the information not yet been recovered?
  - If personal information cannot be recovered quickly, it may indicate that it has been, is, or will be misused.
- Are you still awaiting confirmation that the personal information has been destroyed?
  - If personal information is not destroyed by the wrong recipient, it may indicate that it has been, is, or will be misused.
- Does the incident stem from a systemic issue?
  - Systemic issues may lead to further incidents and increase the likelihood of personal information being misused.
- Have more than 10 business days passed between the date of the incident and the date of its discovery?
  - A long delay before the discovery of the incident may indicate that the wrong recipient had time to misuse the personal information.
If you answered "no" to all of the above questions, the incident does not pose a serious or significant risk, and both the sensitivity level and the likelihood of misuse are recorded as "low." Proceed to the Control Measure Improvement section.
If you answered "yes" to any of the above questions, you must determine the level (low or high) of sensitivity of the personal information and the likelihood of its misuse, considering:
- the sensitivity of the personal information involved;
- the expected consequences for the affected individuals in case of misuse of their personal information; and
- the likelihood that the personal information will be misused.
If you consider the personal information involved to be "highly sensitive" and the likelihood of misuse is also "high," there is a serious or significant risk to the affected individuals; proceed to the next section. For Canada Life information, contact Advisors Compliance – Quebec or Advisors Compliance, if necessary, for assistance in determining whether the information is sensitive and whether the likelihood of misuse is high.
2.6 Mandatory Privacy Breach Reporting under Provincial Privacy Laws or the Personal Information Protection and Electronic Documents Act (PIPEDA)
- If the firm determines that the incident poses a serious or significant risk, affected individuals must be notified, provided it does not interfere with an official investigation. Depending on the location of the affected individuals, a report must be filed with the CAI (in Quebec) and the commissioner as soon as possible, even if only one person is affected.
- The firm must also notify any other organization or business that could mitigate the harm to the affected individuals (e.g., adding a flag to client accounts). For Canada Life clients, contact the Advisors Compliance team in Quebec or Advisors Compliance.
2.6.1 Notification to Affected Individuals
If applicable, a privacy breach notice will be provided by the firm to affected individuals and must include:
- A description of the circumstances of the breach.
- The date the breach occurred or the period over which it occurred, or, if specific dates are unknown, an approximation of the dates.
- A description of the personal information affected, as far as it can be determined.
- A description of the measures the practice has implemented to reduce the risks of harm resulting from the breach.
- A description of the measures affected individuals could take to reduce or mitigate harm resulting from the breach.
- Contact information for individuals to inquire further about the breach.
2.6.2 Notification to Regulatory Bodies for RRPG/RPS Breaches
- Submit a notice to the Commission d’accès à l’information (CAI) by downloading the Security Incident Report Form for personal information breaches from the CAI website.
- Submit a notice to the Office of the Privacy Commissioner of Canada (federal) using the PIPEDA Breach Report form.
- British Columbia – The law recommends reporting to the Office of the Privacy Commissioner if there is a real risk of serious harm. To determine if a notice is required, refer to the Privacy Breach Checklist from British Columbia.
- Submit a notice to the Office of the Information and Privacy Commissioner of Alberta using its Privacy Breach Report form.
2.7 Control Measure Improvement
Review all processes, system updates, and employee training, then make improvements as needed to prevent further incidents. As outlined in section 2.4 "Documentation Process," evaluate control measures that can be improved to minimize future risks and implement new control measures needed to address those risks.