About Gutierrez Lawyer

(Section 3.2 of the Act respecting the protection of personal information in the private sector, chapter P-39.1, and the Regulation respecting confidentiality incidents; Act respecting the Barreau, chapter B-1, and its regulations.)

 

 

PREAMBLE

 

The Gutierrez Avocat firm (hereinafter the "Firm") is responsible for protecting the personal information it holds. Personal information is confidential, except to the extent provided for by law. Any person who, in the course of their duties, has access to personal information held by the Firm must take the necessary steps to ensure its protection and confidentiality. This procedure determines the measures to be taken, when a confidentiality incident occurs, to reduce the risk of harm being caused and to prevent new incidents of the same nature from occurring.

 

1. OBJECTIVE AND NORMATIVE FRAMEWORK

 

This procedure specifies the steps to be taken when the Firm has reasonable grounds to believe that a confidentiality incident involving personal information that it holds has occurred, or if such an incident is proven, in accordance with the Act respecting the protection of personal information in the private sector, chapter P-39.1, and the Regulation respecting confidentiality incidents.

 

2. DEFINITIONS

 

The definitions to be considered for the application of this procedure, which may be supplemented by any other regulation, policy, directive or procedure referring to it, are as follows:

 

Confidentiality incident: access to, use of or communication of personal information not authorized by law, as well as its loss or any other form of breach of its protection.

 

Here are some examples:

 

· A staff member consults personal information not necessary for the performance of his or her duties;

 

· A hacker infiltrates a system;

· A person uses personal information from a database to which he has access in the course of his duties for the purpose of usurping the identity of a person;

 

· A communication is made by mistake to the wrong person;

· A person loses or has documents containing personal information stolen;

· A person interferes with a database containing personal information in order to alter it.

 

Personal information: any information that concerns a natural person and that allows that person to be identified. A person's name, taken in isolation, is not personal information. However, when that name is associated or combined with other information concerning that same person, it then becomes personal information.

Examples of personal information include:

 

· A person's name and date of birth;

 

· Social insurance number;

 

· Credit card number;

 

· Health insurance number;

 

· Information of a medical or financial nature;

 

· A person's name and personal telephone number;

 

· A person's name and home address.

 

Sensitive personal information: Personal information is considered sensitive when, by its nature (in particular medical, biometric or otherwise intimate) or because of the context of its use or communication, it gives rise to a high degree of reasonable expectation of privacy.

 

This may include, for example, medical, biometric, genetic or financial information, or information about ethnic origin, political beliefs, sexual life or orientation, or religious beliefs.

 

3. PROTECTION OF PERSONAL INFORMATION

 

The Firm implements appropriate and reasonable security measures to protect personal information from loss or theft, and from access, disclosure, copying, use or modification not authorized by law. Only personnel who absolutely need access to personal information in the course of their duties are authorized to access it.

 

Persons who are members of the staff of the Firm or who work on its behalf must, in particular:

 

- Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;

 

- Take special precautions to ensure that personal information is not monitored, overheard, accessed or lost when working in premises other than the Firm's offices; and

 

- Take reasonable steps to protect personal information as it moves from one location to another.

 

3.1 REPORTING A PRIVACY INCIDENT

 

Any person to whom the Firm communicates personal information (colleagues, suppliers, partners, experts including subcontractors) must report the incident when they have reasonable grounds to believe that a confidentiality incident involving personal information held by the Firm has occurred. The report must be made without delay to the person responsible for the protection of personal information.

 

A member of the Firm or a member of staff who has reasonable grounds to believe that a confidentiality incident involving personal information held by the Firm has occurred must also notify his or her superior or the person responsible for the protection of personal information without delay.

4. PERSONS RESPONSIBLE FOR PERSONAL INFORMATION (PRP): ROLES AND RESPONSIBILITIES

 

The person responsible for the protection of personal information (hereinafter “PRP”) for the firm is Mr. Antonio Gutierrez Dratcheva. He can be reached at the following contact details:

 

· Email: ag@gutierrezavocat.com

· Phone: (438) 870-7920

 

His role is, in particular, to:

 

· Contribute to the implementation of the information security incident management process;

 

· Maintain the register of information security incidents that may have jeopardized information security, document these incidents and keep the Director of Information Security and the Secretary General informed;

 

· Contribute to information security risk analyses in order to identify threats and vulnerability situations and implement appropriate solutions.

 

In the event of a confidentiality incident, the person responsible for the protection of personal information takes charge of handling the incident and partners with any other useful person depending on the nature of the incident.

 

In this respect, the PRP:

 

· Assesses the risk of harm being caused and determines its severity. This assessment considers, among other things, the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that it will be used for harmful purposes.

 

· Notifies, with due diligence, the person whose personal information is affected by the incident when there is a risk that serious harm will be caused, except where doing so would be likely to hinder an investigation conducted by a person or an organization that is responsible, under the law, for preventing, detecting or repressing crime or statutory offences. This notice must contain the following information:

 

a. A description of the personal information that is the subject of the incident or, if this information is not known, the reason why it is not possible to provide such a description;

b. A brief description of the circumstances of the incident;

c. The date or period when the incident occurred or, if the latter is not known, an approximation of that period;

d. A brief description of the measures that the organization has taken or intends to take following the occurrence of the incident, in order to reduce the risks of harm being caused;

e. The measures that the organization suggests that the individual concerned take in order to reduce the risk of harm being caused to him or her or to mitigate such harm;

f. Contact details enabling the person concerned to obtain further information regarding the incident.

 

· Notifies, where appropriate, any person or organization likely to reduce the risk, by communicating only the personal information necessary for this purpose, without the consent of the person concerned.

 

· Notifies, diligently and in writing, the Commission d’accès à l’information of the confidentiality incident when it presents a risk that serious harm will be caused. The notice must contain the following information:

 

a. The name of the firm and the Quebec business number assigned to it under the Act respecting the legal publicity of enterprises;

b. The name and contact details of the person to contact within the firm regarding the incident;

c. A description of the personal information that is the subject of the incident or, if this information is not known, the reason why it is not possible to provide such a description;

d. A brief description of the circumstances of the incident and, if known, its cause;

e. The date or period when the incident occurred or, if the latter is not known, an approximation of that period;

f. The date or period during which the firm became aware of the incident;

g. The number of persons affected by the incident and, among these, the number of persons who reside in Quebec or, if they are not known, an approximation of these numbers;

h. A description of the factors that lead the firm to conclude that there is a risk that serious harm will be caused to the individuals concerned, such as the sensitivity of the personal information concerned, the possible malicious uses of this information, the apprehended consequences of its use and the likelihood that it will be used for harmful purposes;

i. The steps the firm has taken or intends to take to notify individuals whose personal information is affected by the incident, as well as the date on which the individuals were notified or the anticipated time frame for completion;

j. The measures that the firm has taken or intends to take following the occurrence of the incident, in particular those aimed at reducing the risks of harm being caused or at mitigating such harm and those aimed at preventing new incidents of the same nature from occurring, as well as the time period within which the measures were taken or the planned execution time;

k. Where applicable, a statement specifying that a person or organization located outside Quebec and exercising responsibilities similar to those of the Commission d'accès à l'information with regard to monitoring the protection of personal information has been notified of the incident.

 

· Promptly notifies the firm’s insurers, if applicable.

 

· Records the confidentiality incident in the register provided for this purpose.

 

· At the request of the Commission d’accès à l’information, transmits a copy of this register.

 

5. PRIVACY INCIDENT REGISTRY

 

The firm must maintain a register of confidentiality incidents.

 

5.1 Duration of storage of information contained in the register

 

The information contained in the register must be kept up to date and retained for the longer of the following two periods: a minimum of five years after the date on which the firm became aware of the incident, or the period required by the Barreau du Québec for the retention of records.

 

6. ENTRY INTO FORCE

 

This procedure shall enter into force on 29 November 2024.


