Personal information governance policy
Policy Owner | IT Support |
Policy Endorser | Isabelle Mailloux Guillaume Tran Van Hoï |
Related Policies | Incident Response Policy Cybersecurity and privacy awareness training on CIRA |
Related Procedures | Consent assistance procedure Notice to the Commision d’accès à l’information Privacy Impact Assessment (PIA) Tool |
Effective Date | September 22, 2023 |
Next Policy Review Date | September 22, 2024 |
Purpose
Groupe Lebel recognizes as part of our operations, we need to collect and process data. The goal of this policy is to describe how personal data have to be collected, processed, and stored to meet data protection rules of Groupe Lebel, to comply with applicable privacy and data protection laws, and to respect individual rights. The purpose of this policy is to :
- Respect legislation regarding data protection and follow the best practices.
- Protect the rights of staff members, clients, and any person concerned.
- Ensure the transparency on how Groupe Lebel collects, stores and processes individual data.
Scope
This data protection policy applies to all business processes, information systems and components, personnel and physical areas of Groupe Lebel and its affiliates. This policy applies to the collection, processing, storage and handling of personal data and to any other procedure relating to personal data of any individual in digital and manual form.
Individuals and groups to whom this policy applies include, but are not limited to :
- Managers, vice-presidents, and administrators
- All Groupe Lebel employees, full-time or part-timel
- All previous Groupe Lebel employees, full-time or part-time
- All job candidates at Groupe Lebel
- All subcontractors, suppliers, and other people working on behalf of Groupe Lebel
- All Groupe Lebel’s clients
- Any other relevant person identified in the normal course of business by Groupe Lebel
DEFINITIONS
Data : Information in a format that can be processed, including electronic data and physical data.Individual data : Any information regarding a concerned physical person that can be identified, directly or indirectly, notable by referring to an identifier such as a name, an identification number, localization data, an online identification, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Those data can be a name, an e-mail address, geolocation data, or even a username or IP address.
Sensitives personal data : Any personal data related to, or that could be specifically attributed to an individual, revealing sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, personal health information.
Concerned person : An identifiable person is a person that can be identified, directly or indirectly, notable by referring to an identifier such as a name, an identification number, localization data, an online identification, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Consent : Consent is any freely given, specific, informed and unambiguous indication of the will of a concerned person by which the concerned person, either by a declaration or by a clear affirmative action, signifies their agreement to the processing of personal data concerning them.
Processing controller : The physical or legal person, public authority, company or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Subcontractor : A physical or legal person, a public authority, an agency, or any other body that processes personal data on behalf of the controller.
Data processing : Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or changing, recovering, consulting, using, diffusing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or suppressing.
Data storage : These rules describe how and where data are to be stored securely. Questions about the safe storage of data can be addressed to the IT Manager or the Data Protection Officer.
Applicable laws, regulations and standards
Councils | Clarification/Section |
An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25 | Québec’s Act respecting the protection of personal information |
Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) | Canada’s Privacy Act |
The European Union’s General Data Protection Regulation 2016/679 | The European Union’s General Data Protection Regulation |
Sharing personal Information
Groupe Lebel can share information about you to clients, potential clients, partners or advisors regarding transactions, service delivery, business collaboration, or even regarding their advice or their assistance.When we choose our suppliers and partners, we take their data processing into consideration.
Under certain circumstances, personal information can be required to disclose personal information to government agencies in order to comply with a court order, a court order or a pleading. In certain cases, Groupe Lebel can disclose personal information to regulatory bodies. It can also share your personal information to protect its rights and property, or to protect the rights and property of its business partners, suppliers, clients, and other parties.
Your Rights
You possess certain rights regarding the processing of your personal information. You can consult the content of this document to find out about the rules within Groupe Lebel, but also :
- Ask to access to your personal information we possess and update, to modify them, and to remove them. You can, according to applicable law, have additional rights regarding your personal information.
- Ask questions regarding this document about personal information protection and the resulting practices. Your message will be forwarded to the appropriate member of our privacy team at Groupe Lebel, including data protection officers.
- File a complaint to Groupe Lebel if you are not satisfied with the way Groupe Lebel is processing your personal information.
Your rights may be subject to limitations and exceptions under applicable law. For example, there may be some cases where we would not be able to share certain information you are asking for if disclosing them means disclosing information about other people.
Policy Declaration
Basic requirements :
- Employees will keep all data secure by taking reasonable precautions and following the guidelines described in this policy and all associated procedures.
- Data will not be shared informally; defined data access levels will be determined according to role and existing access controls.
- Groupe Lebel will offer training to all employees to help them understand their responsibility during the processing of data.
- Personal data will not be shared to any unauthorized person, within or outside the organization.
Data collection :
- Groupe Lebel and users or affiliated partners will collect personal data in a way that is totally transparent for the persons concerned and in compliance with the law.
- Users shall refrain from knowingly collecting personal data from any data subject without the permission of the direct manager or data protection officer.
- If personal data are collected from someone who is not the concerned person, the concerned person will be informed of it, unless one of those criteria applies :
- The person concerned has received the required information by other means.
- All information must remain confidential, as we are bound by professional secrecy
- A national law expressly provides for the collection, processing or transfer of personal data.
- When it is determined that notifying the concerned person is required, the notice has to be done quickly and has to respect guidelines for the consent procedure.
- If necessary, Groupe Lebel will obtain the consent from the concerned people accordingly to the consent procedure assistance guideline and with the authorization of the data protection officer.
- Concerned person’s consent will be provided in writing when necessary.
- Groupe Lebel’s external web site(s) will have a privacy notice and a cookie notice.
Data Storage :
- When data are stored electronically, they are protected against unauthorized access, accidental deletion, and malicious hacking attempts.
- Groupe Lebel will protect personal data with powerful passwords.
- Users will refrain as much as possible from using removable storage; if data are stored on removable storage, they will be stored safely.
- Groupe Lebel’s data will be stored on designated drives and servers and will only be downloaded to approved cloud computing services.
- Servers with personal data are located in a safe place.
- Users will refrain from saving data directly on devices.
- Users will refrain from storing data on paper and will only print them when necessary.
- If they are not necessary, documents or files must be kept in a locked drawer, filing cabinets or space.
- Groupe Lebel’s users will ensure that paper documents are not left where unauthorized people can see them (for example, on a printer).
Data use :
- If so, Groupe Lebel will provide information to each concerned person regarding the processing of their data.
- Groupe Lebel will take into consideration the concerned person’s point of view during the processing of their personal data.
- When working with personal data, users ensure that screens are locked when left unattended.
- Groupe Lebel will not informally share personal data unless adequate means of protection are implemented.
- Users will refer to the data protection officer(s) if it is planned that personal data are to be transferred outside the users’ zone.
- Wherever possible, users will access personal data via a master copy or data set.
Data accuracy :
- Groupe Lebel will take reasonable extent to ensure personal data stay accurate everywhere in the organization.
- All Groupe Lebel’s users will take reasonable extent to ensure all personal data are kept as accurate as possible and are updated.
- Stored data at Groupe Lebel will be kept in centralized vaults. Users will not create unnecessary additional data sets.
- If need be, Groupe Lebel will ensure the concerned person will be able to easily update their information.
Data retention :
- Data will be regularly reviewed in relation to the purpose for which it was collected. If no longer required, data must be deleted and disposed of.
- Paper documents will be shredded and disposed of safely when no longer required.
Data protection :
- Security staff will use the necessary physical and technical controls and organizational measures to ensure that all infrastructure containing data is protected and secure.
- Users will follow associated procedures and inform appropriate personnel when reporting incidents or data breaches. Please refer to the Incident Response Policy for further details.
Giving information - Requests from those concerned :
- Groupe Lebel will make sure that requests based on each of the following rights of the concerned person can be satisfied: :
- Objection to processing
- Objection to automated decision-making and profiling
- Processing limitation
- Data portability
- Data rectification
- Data deletion
- Objection to processing
- Groupe Lebel aim to ensure that each person is aware that their data are being processed and that they understand:
- How data are used
- How to exercise their rights
- How data are used
- On demand, Groupe Lebel will verify the concerned person’s identity
- Concerned person’s requests for rights will be handled by the Data Protection Officer.
- Groupe Lebel will reply to each concerned person’s request within 30 days.
- When a request from the data subject cannot be dealt with adequately, the following information will be provided to the data subject :
- Acknowledgement of receipt of the request
- Any information located to date
- Details of all information or modification requested that would not be provided to the concerned person, the reason(s) or the refusal and any available procedure for appealing the decision
- An estimated date by which all remaining answers will be provided
- An estimate of the costs to be paid by the person concerned (for example, when the request is excessive in nature)
- Groupe Lebel's contact point
Relevant policies and procedures
- Cybersecurity and privacy awareness training on CIRA
- Incident response policy
- Consent assistance procedure
- Incident record
- Notice to the Commission d'Accès à l'information
- Privacy Impact Assessment (PIA) Tool
Non-compliance
Violation of this policy will the treated as other allegations of wrongdoing at Groupe Lebel. Allegations of misconduct will be dealt with in accordance with established procedures. Sanctions for non-compliance may include, but are not limited to, one or more of the following :
- Disciplinary measures in accordance with Groupe Lebel’s applicable policies.
- Termination.
- Legal action in accordance with applicable laws and contractual agreements.
Reviews History
Version ID | Date of modification | Author | Reason |
1.0 | 22 septembre 2023 | Philippe Landry | First version |