Governance Rules for Personal Information (Law 25)
Introduction
In September 2021, the Act to modernize legislative provisions as regards the protection of personal information ('Law 25') was adopted by the National Assembly of Quebec. This law adds and modifies several provisions to the legal framework applicable to private educational enterprises regarding the collection, use, communication to third parties, retention, and security of personal information.
These requirements apply both to the personal information of students and their parents (holders of parental authority, tutors) and to that of employees or different partners of private educational enterprises. Among these requirements, it is expected that private educational enterprises demonstrate transparency and adopt governance rules regarding the management of the personal information they hold, even if it is entrusted to a third party.
This requirement came into effect on September 22, 2023. It is integrated into both the Act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector.
Roles and Responsibilities
Person Responsible for the Protection of Personal Information
Raby Bouras
Director
Ensuring the protection of personal information within the company, including information entrusted to a third party. Promoting the right to privacy and the protection of personal information within the company.
Responsibilities
- Advising on the protection of personal information.
- Sitting on the committee on access to information and protection of personal information.
- Establishing and implementing policies and practices framing the company's governance regarding personal information and ensuring its periodic review.
- Participating in the company's organizational position on personal information protection.
- Intervening at any stage of a privacy impact assessment for a project involving an information system or electronic service delivery involving personal information.
- Being consulted during the assessment of the risk of serious injury being caused to a person whose personal information is concerned by a confidentiality incident.
- In collaboration with the human resources department, keeping registers of communications of personal information, including in case of confidentiality incidents.
- Being notified in case of a confidentiality incident occurring at a representative or the executor of a service or business contract.
- Proceeding (alone or with the departments concerned) with the inventory of contracts with suppliers and external providers and, if necessary, reviewing them.
- Performing any verification related to the confidentiality of personal information entrusted to a third party.
- Responding to complaints and requests for access to personal information or rectification.
- Assisting the requester in understanding the decision to refuse them – in whole or in part – access to or rectification of personal information.
- Implementing training and awareness mechanisms for personal information protection within the company.
- Responding to requests from the Commission d’accès à l’information.
Marketing Agency
Klimb Ascension d'Entreprise
Ensuring the application of security best practices for the management of digital marketing campaigns and web hosting, with an emphasis on the protection of personal information. Promoting the importance of privacy and personal data protection in all digital marketing activities.
Responsibilities
- Implementing robust security measures, such as two-factor authentication (2FA), to protect personal data within the scope of offered services.
- Collaborating with clients to ensure they understand the security practices in place and their role in data protection.
- Performing regular updates of software used to mitigate potential risks related to the management of Google Ads campaigns, newsletters, and Facebook campaigns.
- Developing intervention plans to react quickly in case of a confidentiality incident.
- Maintaining an inventory of technologies and tools used for the collection, communication, and retention of personal information.
- Offering training and awareness activities on information security to strengthen the vigilance of the internal team and external stakeholders.
While the agency is committed to using best practices to secure data, it cannot be held responsible for security incidents resulting from factors beyond its control, such as inadequate use of technologies by clients or security flaws in third-party platforms.
Law 25 Committee
Supporting the company in exercising its responsibilities and fulfilling its obligations regarding personal information protection (PIP). Approving governance rules regarding personal information. Being consulted during privacy impact assessments for any project involving the acquisition, development, or redesign of an information system or electronic service delivery involving personal information.
Responsibilities
- Creating an inventory of personal information held by each department.
- Approving governance rules.
- Being consulted from the start of a project involving personal information and for privacy impact assessment purposes for all acquisition, development, and redesign projects of an information system or electronic service delivery involving personal information.
Cybersecurity
The company is committed to following security best practices to protect the personal information of our website users.
- Keeping our systems up to date through regular updates and application of security patches.
- Using encrypted and reputable services for data management and storage.
- Protecting organization data by using proven security solutions.
- Optimizing prevention against cybercrime through proactive practices.
- Restricting access to personal information to staff members who need it to perform their tasks, thus ensuring secure data management.
Retention and Destruction
In accordance with applicable laws regarding the retention and destruction of personal information, once the purposes for which the information was collected have been achieved, it must be destroyed or anonymized, subject to any retention period provided by law.
In this regard, the company refers to the Archive Management Guide for private educational enterprises in Quebec prepared by the Federation of private educational enterprises and transmitted to Bibliothèques et Archives nationales (February 2016) and the Commission d’accès à l’information.
Incident Management
In the event of a confidentiality incident, the company, in accordance with related laws, commits to:
- Recording the incident in the register provided for this purpose.
- Assessing the risk factors for privacy harm and/or identity theft.
- Informing the Commission d’accès à l’information and the persons concerned, in case of an incident presenting a risk of serious injury.
A security intervention plan, including confidentiality incidents, has been put in place. This includes the introduction of the incident, the incident response team, and the various steps and procedures to be carried out for incident management.
If you are a victim of a security and/or confidentiality incident, you must first communicate in writing with the person responsible for the protection of personal information.
Acting with diligence and confidentiality, the company reserves the right, if necessary, to discuss an incident with Law 25 Committee members or to seek legal advice from a law firm or from the Commission d’accès à l’information.
Privacy Impact Assessment
The company commits to carrying out, beforehand, privacy impact assessments (PIA) in the following situations:
- During a project to acquire, develop, or redesign an information system or electronic service delivery involving personal information.
- During the communication of personal information outside of Quebec or when the task of collecting, using, communicating, or retaining such information on its behalf is entrusted to a person or organization outside of Quebec.
- During the collection of personal information necessary for the exercise of duties or the implementation of a program of a public body with which it collaborates for the delivery of services or for the realization of a common mission.
- During the communication of personal information without the consent of the persons concerned, in accordance with section 68 of the Access Act.
When the company must perform a PIA, it can be proportionate but must take into account:
- The sensitivity of the personal information or its nature or type.
- The purpose of its use.
- Its quantity, distribution, and medium.
- The security measures in place including, in the case of communications outside Quebec, the analysis of the legal regime applicable in the state where the personal information will be communicated.