Policy regarding the protection of personal information
DENISE DUQUETTE, NOTARY (hereinafter referred to as the “Organization”)
The right to privacy is a universally recognized principle. In many instances, individuals provide their personal information to obtain specific services or products from a variety of organizations, including public entities.
Therefore, it is important, indeed paramount, to adequately protect this personal information to prevent significant and unnecessary inconveniences for individuals.
In Quebec, the provisions of the Personal Information Protection Act in the Private Sector, R.S.Q., c. P-39.1, address the protection of personal information belonging to any individual. However, an amendment was made to this law by the new Act Modernizing Legislative Provisions for the Protection of Personal Information, commonly referred to as Law 25, which was adopted on September 21, 2021, and sanctioned on September 22, 2021 (these two aforementioned laws, as well as any laws that may replace them from time to time, are collectively referred to as the “Quebec Legislation”).
In the course of its activities, the Organization acknowledges that it collects and holds the personal information of others. Therefore, it is obligated to comply with Quebec Legislation.
Furthermore, the professional members of the Organization, as well as their collaborators, are always subject to the rules of confidentiality and the protection of professional secrecy specific to the notarial profession.
The Purpose of this Policy – The Measures
This Organization’s policy aims to inform its staff of the measures outlined herein that are related to Quebec Legislation and are suitable for safeguarding personal information:
- Measures required for compliance with Quebec Legislation.
- Measures for its computer system.
- Measures for the inventory of personal information.
- Measures for its staff.
- Measures for its website.
- Measures for the physical vault.
This Organization’s policy addresses the measures described below for the benefit of its staff members, to whom this policy is directed, including:
→ The measures already implemented by the Organization
→ The measures the Organization intends to implement in a timely manner
→ The measures the Organization does not intend to implement
Information Sessions for Organization’s Staff
The Organization plans to provide training and/or information sessions to its staff members who handle or work with personal information in the course of their duties. These sessions will cover topics related to personal information, its protection, and the necessary confidentiality associated with such information.
The Organization’s staff is expected to consistently adhere to this policy to best safeguard the personal information of its clients. Furthermore, all staff members are required to comply with the measures implemented by the Organization from time to time in connection with this policy.
The Organization will ensure that a copy of this policy is provided or made accessible to each of its staff members, both current and future, regardless of whether they are employees or freelancers.
The Organization reserves the right to modify this policy at its discretion and from time to time. In such a case, all staff members will be informed by providing or granting access to the revised policy.
Interpretation
For the purposes of this policy, the term ‘Organization’ is used to refer to a professional office.
Indeed, any natural person or legal entity that owns, operates, or constitutes a professional office subject to the Code of Professions and providing services to the public qualifies as a ‘business’ under Quebec legislation and is therefore required to comply with its provisions.
The term ‘clients’ shall refer to both clients and users of an Organization.
Part 1
QUEBEC LEGISLATION AND ITS IMPLICATIONS FOR THE ORGANIZATION
General Principle Regarding Privacy
Everyone has the right to respect for their privacy, including their personal information; their privacy may not be invaded except with their consent.
Purpose of Quebec Legislation
Quebec Legislation aims to ensure the protection and confidentiality of personal information and the privacy of individuals doing business with what is referred to as a “business” subject to Quebec Legislation.
Operating a “Business” under Quebec Legislation
Any business that collects, holds, communicates, and/or uses personal information as part of its activities, whether commercial or not, is subject to Quebec Legislation because it then operates as a “business” under Quebec Legislation, and as such, it must comply with its provisions.
Two Key Principles Established by Quebec Legislation
Quebec Legislation has put forth the following two principles: 1) a business can only collect personal information that is necessary for the purposes determined for its collection and can only use this information for the purposes for which it was collected, except with the consent of the concerned individual; and 2) no one can disclose personal information about another to a third party unless the concerned individual consents or unless Quebec Legislation provides for or requires it.
What Constitutes Personal Information – Examples
It is the definition of personal information, as established by Quebec Legislation, that determines whether the information collected and held by a business constitutes “personal information” under Quebec Legislation. Indeed, if a business collects no personal information from its clients, it is not required to comply with the provisions of Quebec Legislation.
According to Quebec Legislation, any information concerning an individual that allows for their identification is considered to be personal information, regardless of the nature of the medium or form in which this information is made accessible, whether written, graphic, auditory, visual, computerized, or other.
Personal information, therefore, encompasses any information related to or concerning a specific individual that allows for their identification or can be used to identify them in a specific manner, whether by using this information alone or in combination with other information held by a business, including information provided to the business by the clients themselves. This is why it is sometimes referred to as personally identifiable information.
Information or data that has become anonymous, depersonalized, or aggregated in a way that it can no longer identify a specific individual in any manner is not considered to constitute personal information.
For example, if a business offers individuals accessing its website the option to subscribe to its newsletters, then that business collects and holds personal information about the individuals requesting this subscription, such as their name, home address, phone number, email address, age, etc., even if it is not a transactional website.
On the other hand, when a person connects to a business’s website, the business has access to that person’s IP address. However, this access alone does not allow that particular person to be identified, so access to the IP address alone is not considered to constitute the collection of personal information.
What Constitutes “Sensitive” Personal Information?
Personal information is considered sensitive when it “by its nature or due to the context of its use or communication, gives rise to a high degree of reasonable privacy expectations.” However, this notion, as presented, appears highly subjective, as the sensitivity of personal information depends on the context of its use or communication.
Nevertheless, certain categories of personal information are generally considered sensitive due to the particular risks associated with the collection, use, or communication of these categories of information. Indeed, some categories of personal information are often regarded as sensitive and, as such, require enhanced protection with appropriate and increased security measures.
These categories include information related to health, finances or income, individuals’ reputation, ethnic and racial origins, political opinions, sexual life or sexual orientation, religious or philosophical beliefs, as well as genetic and biometric data.
Whether personal information is considered sensitive will vary depending on the facts of each case. In fact, any personal information can become sensitive depending on the context in which it is used.
For example, seemingly innocuous information when taken in isolation, such as a name and email address, can become sensitive when associated with services that can reveal users’ activities and personal preferences, meaning if this information is used in a different context. Thus, the names and addresses of subscribers to an information magazine are generally not considered sensitive information, but the names and addresses of subscribers to certain specialized periodicals could be.
Additionally, if personal information is combined, it could potentially be used by malicious individuals to impersonate the affected individuals, which then requires higher security measures.
For example, if the unauthorized collection, use, or communication of sensitive personal information, such as a person having a sexually transmitted infection, could lead to social stigmatization, emotional issues, and long-term damage to the reputation of the individuals concerned, the information must be protected by rigorous and heightened security measures.
Organizations and Personal Information
It is recognized that professional offices collect, hold, and sometimes disclose personal information belonging to their clients, primarily to provide the services requested by these clients.
Quebec Legislation applies to personal information held by any professional office where some or all of the members are part of a professional order or professional association, as provided for by the Professional Code (RLRQ c. 26).
It might be argued that professionals, who are already subject to their code of ethics or the Professional Code, would thus be exempt from the provisions of Quebec Legislation. However, the same cannot be said for other members of the staff of professional offices, as they are not subject to a code of ethics or the Professional Code.
This means that a professional office is subject to the provisions of Quebec Legislation, not only the professionals practicing in the office.
Different Obligations of the Organization According to Quebec Legislation – Exceptions
Responsibility for Protecting Information
The Organization is responsible for protecting the personal information of its clients that it collects and holds. The highest authority of the Organization must assume the function of the personal information protection officer (hereinafter referred to as the “Officer”) or delegate this role in writing to another person within the Organization. The title and contact information of this Officer must be accessible to the clients of the Organization.
In this case, the Officer designated by the Organization is:
Me Denise Duquette, notary
7160, boulevard Pie IX, bureau 201
Montréal (Québec) H2A 2G4
Policies and Practices for Regulating Personal Information Governance
The Organization must establish and implement policies and practices approved by the Officer, which are aimed at governing its handling of personal information of its clients, ensuring their protection and confidentiality. Furthermore, the Organization must make information regarding these implemented policies accessible. These policies should include provisions for the storage and destruction of personal information of its clients, defining the roles and responsibilities of its staff members throughout the life cycle of this information, and outlining a process for addressing complaints related to the protection of its clients’ information.
Obligations Related to the Collection of Personal Information
The Organization must determine the purposes for which it intends to collect personal information before proceeding with its collection. It should collect only the information necessary for the specified purposes.
The Organization is particularly required to collect personal information to verify the identity of the parties involved in a notarial act or necessary stakeholders or to register sensitive documents such as wills or protection mandates.
Obligation to Inform Concerned Individuals
The Organization must inform any individual affected by the collection of their information, both at the time of collection and subsequently upon request, about the following: 1) the purposes for which their information is being collected; 2) the means by which it is collected; 3) their rights regarding access and rectification of their information; and 4) their right to withdraw consent for the communication or use of their collected information.
Any concerned individual has the right to know the name of any third party for whom their information is collected, if applicable, and the names of the third parties or categories of third parties to whom their personal information may be disclosed, if applicable.
Obligation to Disclose Any Confidentiality Incidents – Keeping a Register
In the event of a confidentiality incident involving personal information held by the Organization, it must take reasonable steps to reduce the risks of harm and prevent further similar incidents. To assess whether such an incident presents a risk of harm, the Organization must consider the sensitivity of the information, the potential consequences of its use, and the likelihood of it being used for harmful or malicious purposes.
The Organization must maintain a register of confidentiality incidents and, upon request, provide a copy to the Commission d’accès à l’information du Québec (the “Commission”). This register must be retained for a minimum of five years following any incident of which the Organization becomes aware. The Organization is also obligated to report any incident through written notice sent to the Commission and any affected individuals. Regulations have specified the content of these notices and the required contents of the register of incidents.
Exceptions for Use for Another Purpose Without the Consent of the Concerned Individual
Quebec legislation stipulates that personal information can only be used for the purposes for which it was collected, except with the consent of the individual concerned. However, it also provides two exceptions to this principle for all organizations subject to Quebec legislation, enabling them to use information for another purpose without obtaining prior consent, in either of the following cases: 1) if the use of the information is necessary for providing a service requested by the individual concerned; and 2) if the use of the information is manifestly for the benefit of the individual concerned.
Exceptions for Disclosure Without the Consent of the Concerned Individual
Quebec legislation states that personal information cannot be disclosed to others, except with the consent of the individual concerned. However, it also provides two exceptions to this principle for organizations subject to Quebec legislation. These organizations may disclose personal information they have collected to any person or organization if the disclosure is necessary for the execution of a mandate or the performance of a service or business contract entrusted to that person or organization. However, two conditions must apply: 1) the mandate or contract must be in writing, and 2) it must include provisions that the agent or contractor must take measures to ensure the confidentiality of the information.
Organizations subject to Quebec legislation can also disclose personal information if it is necessary for the conclusion of a commercial transaction. The recipient of this information must agree to use it solely for the purpose of concluding that transaction and not to disclose it without prior consent, except if provided or required by Quebec legislation.
Impact of Quebec Legislation on Staff
According to Quebec legislation, personal information may be accessed by staff members of an organization subject to Quebec legislation who are authorized to have access to that information, provided that such information is necessary for the performance of their duties. Thus, Quebec legislation restricts the use of personal information.
Part 2
ELEMENTS OF QUEBEC LEGISLATION APPLICABLE TO THE ORGANIZATION
It is understood that the Organization collects, holds, and retains the personal information of its clients, information generally considered sensitive. It may also occasionally disclose this information to provide the requested products and/or services.
The Organization can only collect information necessary for the execution of its work or services for its clients. Additionally, it can only use this information for the purposes for which it was collected, subject to any applicable exceptions.
The Organization maintains digital records, which are stored on notarial practice management software managed by a provider authorized by the Chambre des notaires du Québec. The Organization also possesses a physical vault where its clients’ records are kept.
The Organization must designate a Responsible Officer who is responsible for safeguarding the information collected from its clients and make the title and contact details of the Responsible Officer accessible.
The Organization is required to establish and implement policies and practices approved by the Responsible Officer to govern its handling of the personal information of its clients. These policies should be accessible to its clients.
During the collection of information, the Organization must inform any individual concerned of the following:
- The purposes for which their information is being collected.
- The means by which this information is being collected.
- Their rights to access and correct their information.
- Their right to withdraw consent for the communication or use of their information.
Based on the various services offered by the Organization, it must collect, either verbally through video conferences or telephone exchanges, or in writing via email, secure email, or a secure electronic form, the following information:
Estate Matters
Personal information concerning the deceased, their spouse, heirs, or successors, and executors may be used by the Organization for the following purposes and shared with the third parties defined below in the situations described, without being limited to them:
- Research in the wills registry of the Chambre des notaires du Québec and the wills registry of the Barreau du Québec (deceased’s name, date of birth, date of death, social insurance number, address at the time of death, previous addresses, marital status, spouse and/or ex-spouse names, date of the union and/or divorce)
- Director of Civil Status (person’s name, date and place of birth, date and place of death, address, parents’ names, spouse’s name, spouse’s parents’ names, spouse’s date of birth, date and place of marriage)
- Personal and Movable Real Rights Registry during the publication of notices required by law or during the consultation of the Registry (deceased’s name, date of birth, executors’ names, their date of birth, heirs’ names, their date of birth, the address of the person with custody of the inventory)
- Gazette during the publication of a notice of inventory closure (deceased’s name, address, date of death, executors’ names, and the address of the person responsible for safeguarding the inventory)
- Land Registry during the publication of a transmission declaration or other documents (deceased’s name, address, date of death, place of death, occupation, marital status, executors’ names, heirs’ names, and their addresses).
Wills and Mandates
The client’s personal information may be used by the Organization for the following purposes and shared with the Chambre des notaires du Québec:
- Registration of the will in the wills registry and the registration of the protection mandate in the mandates registry of the Chambre des notaires du Québec (name, address, social insurance number, health insurance number, marital status, consent or refusal of organ donation)
Advance Medical Directives
The client’s personal information may be used by the Organization for the following purposes:
- Publication of the long-form act in the Registre de l’assurance-maladie du Québec, which includes the client’s name, occupation, address, Quebec health insurance number, and the client’s wishes.
Non-Contentious Proceedings
Personal information of the involved party, or the deceased, the applicants, interested persons, and those who may be summoned to the assembly of parents, allies, and friends, if applicable, may be used by the Organization for the following purposes:
- In procedural documents to be served and/or notified to the involved party, interested persons, those who may be summoned to the assembly of parents, allies, and friends, the Curateur public du Québec, the bailiff, and the relevant court:
  - For the involved party: name, occupation, address, marital status, date of birth, names of descendants, spouse, parents, siblings, diagnosis, and information regarding capacity, depending on the relevant procedure;
  - For the applicants, interested persons, those who may be summoned to the assembly of parents, allies, and friends, or any other necessary interveners: name, occupation, address, email address, relationship with the involved party;
  - For the deceased: name, occupation, address, marital status, information related to their holographic or witnessed will, and the wishes described in it.
Personal information may also be collected and shared with the social worker as part of the homologation of a mandate or the opening of a protection measure.
Real Estate Matters
Personal information of buyers, sellers, or any other party involved in a real estate transfer may be used by the Organization for the following purposes:
- Notarial deed (mortgage, sale, or other types of real estate transfers): name, occupation, address, and marital status of each party, as well as copies of identification documents, banking details of sellers and buyers, if applicable;
- Concerned financial institutions: names, addresses, information related to mortgage guarantees, and any other loans to be repaid.
In the context of a real estate transaction, certain information will be shared with third parties to ensure the proper execution of the transaction, particularly the names and addresses of the parties, not only with the relevant financial institution but also with the Personal and Movable Real Rights Registry, Assyst Immobilier, Assyst Paiement, Stewart Title Guaranty Co.
Other Family Matters
The personal information of spouses/future spouses may be used by the Organization for the following purposes:
- Notarial deed: name, occupation, address, marital status, parents’ names, social insurance number (only in case of donation);
- Marriage registration: name, address, phone number, date of birth, marital status, date and place of marriage, years of schooling, mother tongue, age, parents’ names, witnesses’ names.
Corporate Matters
The following personal information may be collected by the Organization to fulfill its mandate:
Incorporation of a corporation: 1) first name, last name, address of founders, administrators, shareholders, and ultimate beneficiaries; 2) identification documents of administrators for identity verification and transmission to the Registraire des entreprises du Québec, if required, to comply with the requirements of the Loi sur la publicité légale des entreprises (Law on the legal advertisement of companies); 3) date of birth of administrators and ultimate beneficiaries, address of the corporation to be formed, business activities of the company; 4) any other information necessary for the incorporation of the corporation and obtaining various numbers from tax authorities.
Annual updates: 1) first name and last name of administrators and shareholders for the relevant period; 2) examination of the company’s financial statements; 3) examination of the company’s book. Any other necessary or useful information will be determined based on the specific characteristics of the mandate.
The described lists of personal information are not exhaustive and are included in this policy for transparency purposes.
In anticipation of the possibility of a privacy incident occurring, the Organization must establish reasonable measures to reduce the risks of harm resulting from such an incident and maintain a record of privacy incidents.
The Organization benefits from an exception for alternative use of collected personal information without obtaining the consent of the individuals concerned, on the condition that such use is necessary to provide a service to the client or is in the client’s interest.
The Organization may disclose the personal information of its clients to any individual or entity when it is necessary for: 1) carrying out a mandate or fulfilling a service or business contract entrusted to them, provided that the Organization adheres to two conditions: the mandate or contract is put in writing, and it includes provisions outlining the measures the agent or contract performer must take to ensure the confidentiality of the transmitted information; and 2) completing a commercial transaction.
The Organization shall not, without obtaining the consent of the individuals concerned, make personal information accessible to its staff members, even those authorized to access it, unless this information is necessary for the performance of their duties.
Part 3
ORGANIZATION’S COMPLIANCE MEASURES WITH QUEBEC LEGISLATION
→ Measures already implemented
The organization has already implemented one or more of the measures mentioned below to comply with the provisions of Quebec legislation for the purpose of ensuring the protection and confidentiality of its clients’ personal information. Some measures may be general, while others are specific.
- Appoint an organization representative, Me Denise Duquette, notary, as the Responsible Person and make the name, title, and contact information of the Responsible Person accessible to clients. This information is also published on the organization’s website, if applicable.
- Define the purposes for which the organization may collect information from its clients.
- Establish standardized secure communication protocols and security measures, including encryption processes, for the transmission of clients’ personal information to third parties, where applicable.
- Identify the necessary information for the execution of the organization’s work or services for clients and ensure that this information is used only for the purposes for which it was collected. Implement control measures for this purpose.
- Determine situations requiring the disclosure of clients’ personal information to any individual or organization. Define the conditions for such disclosure and ensure that the involved parties sign an agreement outlining measures to protect the confidentiality of the transmitted information.
- Have individuals receiving clients’ personal information sign a confidentiality agreement specifying the measures to be taken to protect the information’s confidentiality.
- Disclose clients’ collected information to third parties, without prior consent, if necessary to fulfill a mandate or execute a written service or business contract. Ensure that the contract specifies measures to protect the information’s confidentiality.
- Share clients’ collected information with third parties without prior consent, if necessary to complete a commercial transaction. The recipient must agree to use the information solely for that transaction and not disclose it further without prior consent.
→ Measures to be implemented
The organization will promptly implement one or more of the measures mentioned below to comply with Quebec legislation and ensure the protection and confidentiality of clients’ personal information. Some measures may be general, while others are specific.
- Determine the key elements and prepare and draft policies and practices related to the protection of clients’ personal information. These policies and practices must be approved by the Responsible Person for implementation within the organization. Make these policies and practices accessible to clients. Prepare a summary of these policies and practices for clients, to be delivered in person, via email, or published on the organization’s website, if applicable. These policies and practices provide guidance for the retention and destruction of clients’ information, the roles and responsibilities of staff members throughout the information’s lifecycle, and a process for handling complaints related to the protection of clients’ information.
- Determine the specific points to be verbally presented to each client of the organization when collecting their information. Inform clients about the following: 1) the purposes for which their information is collected; 2) the methods of collection; 3) their rights to access and correct their information; and 4) their right to withdraw their consent for the use or disclosure of their information.
- Prepare and draft templates for agreements required to benefit from certain exemptions outlined in Quebec legislation regarding the prior consent of a concerned individual.
- Disclose any confidentiality incidents to the affected individuals and the Commission d’accès à l’information via written notice.
- In the event of a confidentiality incident, implement measures to reduce the risk of causing harm. Maintain a record of confidentiality incidents, considering cases where such incidents might occur. This record must follow the content established by regulation and be regularly updated. In case of such an incident, the organization must provide written notice to the Commission d’accès à l’information du Québec and all concerned individuals, following the content specified by regulation.
→ Measures not to be implemented by the Organization
The organization does not intend to implement one or more of the measures mentioned below. Some measures may be general, while others are specific.
- Determine the retention period for clients’ personal information and, when necessary, establish a retention schedule for better management. Considering that the organization’s purpose is to ensure the longevity of notarial acts, several pieces of personal information must be retained without an applicable date or schedule for destruction.
- Determine the transmission of clients’ personal information to which types of companies or enterprises (suppliers, subcontractors, etc.) and to which locations outside Quebec.
- Determine situations requiring an alternative use of information collected from clients by the organization without obtaining the consent of the individuals concerned.
Part 4
ORGANIZATION’S MEASURES FOR ITS INFORMATION SYSTEM
It is acknowledged that a high-performing and efficient information system significantly enhances the protection of the personal information of clients of any organization subject to Quebec legislation.
→ Measures already implemented
The Organization or its information technology providers have already implemented one or more of the measures outlined below to establish an effective information system and manage the personal information contained within it, as well as the personnel with access to it.
- Manage access for its staff members to its information system, using simple yet effective measures for access management.
- Ensure that the required security measures, including passwords, are in place to access the information system. Implement a mechanism to determine secure access to the information system.
- Define the necessary security levels for each of its staff members with access to the information system.
- Establish password operation guidelines for staff members accessing the information system and ensure compliance by implementing control measures.
- Set up selective access to data on the information system for authorized staff members only.
- Enforce restrictions to allow only authorized personnel to access predetermined information system equipment.
- Define the roles and responsibilities of staff members responsible for protecting clients’ personal information within its information system throughout the information’s lifecycle.
- Establish protective measures for its information system in connection with the collection and storage of clients’ personal information.
- Appoint an individual responsible for implementing personal information protection measures for its information system.
- Use and regularly update antivirus and anti-spyware software on its information system.
- Utilize a secure data encryption process, specifically encrypting clients’ personal information.
- Employ firewall mechanisms on its information system to prevent uncontrolled intrusions from the Internet.
- Implement automatic session timeout mechanisms to deactivate inactive Internet connections after a certain period.
→ Measures to be implemented
The Organization or its information technology providers will promptly implement one or more of the measures outlined below to establish an efficient information system and ensure the proper management of personal information within it, as well as personnel with access to it.
- Conduct training activities regarding the protection of clients’ personal information for staff members responsible for information protection within its information system.
- Compile a comprehensive inventory of clients’ personal information collected and held by the Organization.
- Determine the staff members responsible for maintaining the inventory of clients’ personal information.
- Instruct authorized personnel with access to clients’ personal information to clear their browser cache, to prevent information from previous sessions from falling into the wrong hands.
- Implement mechanisms to safeguard data, particularly against unauthorized access to personal information.
- Establish a methodology to differentiate active and inactive records of the Organization and put in place mechanisms to classify records into one of these two types.
Part 5
ESTABLISHING A LIST (INVENTORY) OF PERSONAL INFORMATION COLLECTED BY THE ORGANIZATION
It is important for the Organization to understand and manage the flow of personal information it collects from its clients to ensure effective, easy, and rapid protection.
To achieve this, it is important for the Organization to create a comprehensive list (inventory) of the personal information it collects and holds. This enables the Organization to ensure that none of this information enters or exits its system without being documented. The Organization can then easily demonstrate that it has adopted a culture of respect for privacy, including the protection of personal information. Such a list can also be highly useful when conducting the privacy impact assessments that the Organization may be required to perform.
Indeed, if the Organization does not understand the flow of information it collects, it becomes challenging to ensure that its activities comply with the provisions of Quebec Legislation.
To build this comprehensive list, the Organization must first choose the approach to adopt and the preferred format.
Process for Creating a Comprehensive List of Collected Personal Information
The Organization needs to identify the primary source from which personal information is collected and compile an exhaustive list (inventory) while determining whether this information is sensitive or not. It must also establish where this information is stored. Subsequently, the Organization should link the information in this comprehensive list to the consents it has obtained for the purposes of collection, use, and transmission. Additionally, it should define the objectives for collecting, using, and transmitting this information.
This process also involves the following for the Organization :
- Determine the retention period for this information and, if possible, establish a retention schedule for better management.
- Select security measures to adequately protect this information, depending on its sensitivity level.
- Identify to whom or to which locations this information is transmitted, considering the geographical areas involved, and establish applicable protocols for its transmission to third parties to enhance protection.
The Organization should also designate the personnel responsible for creating this comprehensive list, the automated means to be used for its establishment, and formulate a strategy for its periodic updates.
Organization’s Measures for a Comprehensive List of Personal Information
→ Measures Already Implemented
The Organization or its IT providers have already implemented one or more of the measures mentioned below regarding the comprehensive list of personal information that it collects and holds.
- Establish the retention period for the listed information and, when applicable, create a retention schedule.
- Confirm the locations where the transmission of the listed information occurs.
- Determine the geographical locations to which the listed information is communicated.
- Develop protocols to protect personal information during its transmission to third parties.
- Identify only the members of its staff who can access sensitive client information and the information contained in the IT system.
→ Measures to Be Implemented
The Organization will promptly implement one or more of the following measures concerning the comprehensive list of personal information that it collects and holds.
- Determine the staff members responsible for creating the comprehensive list of personal information and keeping it up to date.
- Choose the format for establishing this comprehensive list.
- Establish the exhaustive list (inventory) of all collected personal information and data and associate them with the consents already obtained, where applicable.
- Determine where to store the listed information.
- Define appropriate security measures for protecting the listed information.
- Identify, from the comprehensive list of information, the sensitive information of its clients and the information contained in its IT system.
- Establish security measures that specifically apply to the sensitive information of its clients to adequately protect it.
Part 6
MEASURES TAKEN BY THE ORGANIZATION FOR ITS STAFF
→ Measures already implemented
The Organization has already implemented one or more of the measures mentioned below to effectively manage its personnel, especially those with access to clients’ personal information.
- Identify the members of its personnel authorized to access clients’ personal information, excluding sensitive information.
- Have all personnel members with regular or occasional access to clients’ personal information sign confidentiality agreements.
- Determine and apply control measures for personnel authorized to access clients’ personal information.
- Identify the personnel responsible for the retention and destruction of clients’ personal information.
- Make clients’ personal information accessible, without obtaining the consent of the individuals concerned, only to authorized personnel members and only where the information is necessary for the performance of their duties, and establish control measures for such access.
→ Measures to Be Implemented
The Organization will promptly implement one or more of the following measures to effectively manage its personnel, particularly those with access to clients’ personal information.
- Conduct pre-employment investigations or verifications before hiring any staff member.
Part 7
MEASURES TAKEN BY THE ORGANIZATION FOR ITS WEBSITE
→ Measures already implemented
The Organization or its IT providers have already implemented one or more of the measures mentioned below to effectively manage its website.
- Secure the pages of its website to ensure the protection of information transmitted by its clients through its website.
→ Measures the Organization or its IT providers do not intend to implement
The Organization or its IT providers do not intend to implement one or more of the measures mentioned below to effectively manage its website.
- Use encryption certificates to ensure that all personal information entered on its website is encrypted.
Part 8
MEASURES TAKEN BY THE ORGANIZATION FOR ITS PHYSICAL VAULT
→ Measures already implemented
The Organization has already implemented one or more of the measures mentioned below regarding the physical vault it possesses.
- Ensure the proper locking of the physical vault.
- Determine the staff members with access to the physical vault and provide them with security codes for access.
- Designate a staff member responsible for the physical vault.
- Determine measures to safeguard the personal information of its clients located in the physical vault.
- Establish the necessary protocols for accessing the physical vault and keep them up to date.
- Determine the security and control measures applicable to maintain the confidentiality of data within the physical vault and ensure their implementation and ongoing maintenance.
❧❧❧❧❧❧❧❧❧
Approved by the Organization on September 21, 2023.
(Signed by Notary Denise Duquette)
Name and signature of the Organization’s representative