PERSONAL INFORMATION PROTECTION POLICY
Last revised: September 22, 2023
Médico Coiffure is concerned about the protection of the personal information it holds. Personal information is confidential except as provided by law. Any person who has access to personal information held by Médico Coiffure must take the necessary means to ensure its protection and confidentiality. This policy and its related procedures determine the measures to be taken to reduce the risks of a confidentiality incident, to determine the treatment if necessary and to prevent new incidents of the same nature from occurring.
1. COLLECTION OF INFORMATION ACCORDING TO THE NEEDS OF THE BUSINESS RELATIONSHIP AND THE SERVICES PROVIDED
Médico Coiffure, as part of the services provided to its clients or its marketing, collects certain information which may include personal information. This information may be obtained by voluntary disclosure by the persons concerned during our communications or via technological applications (forms, emails, applications or others). This information is used to sell products/provide services, or to offer them. By transmitting this information to Médico Coiffure or by using the technological means of our website, social networks or any applications or services offered by Médico Coiffure, you consent to the collection and use of this information. Médico Coiffure strives (and only if required for our activities) to only exchange or transmit this information to reliable partners for whom we have taken care to verify that they apply satisfactory security and confidentiality measures. As far as possible, all information is kept on Quebec or at least Canadian servers. Everyone has the right to obtain details of the information held about them and to request its correction if necessary.
2. PRESERVATION OF INFORMATION AND DESTRUCTION
Any person may obtain, upon request, details of the methods of conservation of personal information held about them as well as details of the people who have access to it, the use made of it as well as the retention period after which the information will be destroyed.
3. CONFIDENTIALITY INCIDENT AND PROCEDURE
The following procedure specifies the steps to take when Médico Coiffure has reasonable grounds to believe that a confidentiality incident has occurred (or if such an incident is proven) involving personal information that it holds, in accordance with the Act respecting the protection of personal information in the private sector, chapter P-39.1 and the Regulation respecting confidentiality incidents.
4. DEFINITIONS
The definitions to be considered for the application of this procedure, which may be supplemented by any other regulation, policy, directive, or procedure referring to it, are as follows:
Confidentiality incident: access, use or communication of personal information not authorized by law, as well as its loss or any other form of breach of its protection.
Here are some examples:
- A hacker infiltrates a system.
- A person uses personal information from a database to which he has access in the course of his duties with the aim of usurping the identity of a person.
- A communication containing sensitive information is made by mistake to the wrong person.
- A person loses or has documents containing personal information stolen.
- A person interferes with a database containing personal information to alter it.
Personal information: any information which concerns a natural person and which allows them to be identified. A person’s name, taken in isolation, is not personal information. However, when this name is associated or combined with other information relating to the same person, it then becomes personal information.
Examples of personal information include:
- A person’s name and date of birth.
- Social Insurance Number.
- Credit Card Number.
- Health Insurance Number.
- Information of a medical or financial nature.
- A person's name and phone number.
- A person's name and home address.
Sensitive personal information: personal information is considered sensitive when, by its nature, particularly medical, biometric or intimate, or because of the context of its use or communication, it gives rise to a high degree of reasonable expectation of respect for private life.
This may include, for example, medical, biometric, genetic, or financial information, or information on ethnic origin, political belief, sexual life or orientation, religious beliefs.
5. PROTECTION OF PERSONAL INFORMATION
Médico Coiffure implements appropriate and reasonable security measures to protect personal information against loss or theft, and against access, disclosure, copying, use or modification not authorized by law. Only staff members who absolutely must have access to personal information as part of their duties are authorized to access it.
Persons who are members of Médico Coiffure staff or who work on its behalf must, in particular:
- Make reasonable efforts to minimize the risk of unintentional disclosure of personal information.
- Take special precautions to ensure that personal information is not monitored, overheard, accessed, or lost when working in premises other than Médico Coiffure offices.
- Take reasonable steps to protect personal information when moving from one location to another.
6. REPORTING OF A CONFIDENTIALITY INCIDENT
Any person to whom Médico Coiffure communicates personal information (colleagues, suppliers, partners, experts including subcontractors) must make a report when they have reasonable grounds to believe that a confidentiality incident involving personal information held by Médico Coiffure has occurred. This report must be made without delay to the person responsible for the protection of personal information.
A Médico Coiffure staff member who has reasonable grounds to believe that a confidentiality incident involving personal information held by Médico Coiffure has occurred must also notify their supervisor.
Any serious incident involving a large number of people or involving sensitive information that could cause significant harm must be disclosed by a notice to the Commission d’accès à l’information, as soon as possible.
7. PERSON RESPONSIBLE FOR PERSONAL INFORMATION: ROLES AND RESPONSIBILITIES
The person responsible for the protection of personal information for Médico Coiffure can be reached at the following contact details:
- Director
- Email: medicocoiffure@gmail.com
- Phone: 418 622-6925
Its role is in particular to:
- Contribute to the implementation of the confidentiality incident management process.
- Maintain the confidentiality incident register, document these incidents, and ensure the required follow-up of their treatment.
- Maintain the complaints register, document these complaints, and ensure the required follow-up of their processing.
- Contribute to risk analyses of confidentiality incidents in order to identify threats and vulnerable situations and implement appropriate solutions.
In the event of a confidentiality incident, the person responsible for the protection of personal information takes charge of handling the incident and partners with any other useful person depending on the nature of the incident.
As such, this person:
- Assesses the risk of harm being caused and determines the degree of severity. During this assessment, the sensitivity of the information concerned, the anticipated consequences of its use and the probability that it will be used for harmful purposes are considered.
- Diligently notifies the person whose personal information is affected by the incident, when it presents a risk that serious harm will be caused, except when this would be likely to hinder an investigation carried out by a person or by an organization who, under the law, is responsible for preventing, detecting, or suppressing crime or offenses against the laws. This notice must contain the following information:
  - A description of the personal information affected by the incident or, if this information is not known, the reason justifying the impossibility of providing such a description.
  - A brief description of the circumstances of the incident.
  - The date or period when the incident took place or, if the latter is not known, an approximation of this period.
  - A brief description of the measures that the organization has taken or intends to take following the occurrence of the incident, in order to reduce the risk of harm being caused.
  - The measures that the organization suggests that the person concerned take in order to reduce the risk of harm being caused to them or to mitigate such harm.
  - Contact details allowing the person concerned to find out more about the incident.
- Notifies, where applicable, any person or organization likely to reduce the risk, by communicating only the personal information necessary for this purpose.
- Notifies, diligently and in writing, the Commission d’accès à l’information of the confidentiality incident when it presents a risk of serious harm being caused. The notice must contain the following information:
  - The name of the business (Médico Coiffure) and the Quebec business number assigned to it under the Act respecting the legal publicity of businesses.
  - The name and contact details of the person to contact within Médico Coiffure regarding the incident.
  - A description of the personal information affected by the incident or, if this information is not known, the reason justifying the impossibility of providing such a description.
  - A brief description of the circumstances of the incident and, if known, its cause.
  - The date or period when the incident took place or, if the latter is not known, an approximation of this period.
  - The date or period during which Médico Coiffure became aware of the incident.
  - The number of people affected by the incident and, among these, the number of people who reside in Quebec or, if not known, an approximation of these numbers.
  - A description of the elements which lead Médico Coiffure to conclude that there is a risk that serious harm will be caused to the persons concerned, such as the sensitivity of the personal information concerned, the possible malicious uses of this information, the anticipated consequences of their use and the likelihood that they will be used for harmful purposes.
  - The measures that Médico Coiffure has taken or intends to take to notify people whose personal information is affected by the incident, as well as the date the people were notified or the expected execution time.
  - The measures that Médico Coiffure has taken or intends to take following the occurrence of the incident, in particular those aimed at reducing the risks of harm being caused or at mitigating such harm and those aimed at preventing new incidents of the same nature from occurring, as well as the time frame in which the measures were taken or the time frame for execution envisaged.
  - Where applicable, a statement specifying that a person or organization located outside Quebec and exercising responsibilities similar to those of the Commission d'accès à l'information with regard to monitoring the protection of personal information was notified of the incident.
- Diligently notifies Médico Coiffure’s insurers, if applicable.
- Records the confidentiality incident in the register provided for this purpose.
- At the request of the Commission d’accès à l’information, sends a copy of this register.
8. REGISTER OF CONFIDENTIALITY INCIDENTS
Médico Coiffure must keep a record of confidentiality incidents.
8.1 Duration of retention of information contained in the register
The information contained in the register must be kept up to date and kept for the longer of the two following periods: for a minimum period of five years after the date on which Médico Coiffure became aware of the incident or the period required by any governmental bodies or any laws and regulations.
9. REGISTER OF COMPLAINTS AND THEIR PROCESSING
Médico Coiffure must keep a register of complaints and their processing.
9.1 Duration of retention of information contained in the register
The information contained in the register must be kept up to date and kept for the longer of the two following periods: for a minimum period of five years after the date on which Médico Coiffure became aware of the incident or the period required by any governmental bodies or any laws and regulations.
10. ENTRY INTO FORCE
This policy and its procedures come into effect on September 22, 2023.
11. CONTACT US
If you have any questions about our privacy policy, or wish to exercise your rights set out above, file a complaint or update your personal information, please contact our privacy officer as follows:
- By email: medicocoiffure@gmail.com
- By mail:
  Médico Coiffure, Att: Responsible for personal information protection policy
  3116 Boul. Moïse-Vincent
  St-Hubert (Quebec) J3Z 0C4
We will make our best efforts to process your request quickly.