Under the QPL & GDPR, the Person in charge of the Protection of Personal Information (“PPPI”) is:
Mr. Jean Mignault
Gestion Mignault Inc. dba MusicTeam®
1000 de la Commune East St., Suite 922
Montreal, QC H2L 5C1
Email: [email protected]
We have created a Privacy Committee consisting of Jean Mignault, Chloé Dagenais-Mignault and Fiona Ham, which has established and approved governance policies and practices regarding Personal Information.
Processing Personal Information
Personal Information Management Policy
In the course of its activities, Our organization collects, holds, uses and communicates Personal Information. This information may be of various kinds (legal, administrative, financial, customer management, among others) and is essential to Our activities.
- Collection – This Policy only authorizes the collection of PI necessary for the performance of Our business, which PI may only be obtained from authorized persons, with the knowledge and consent of the person to whom the PI relates, unless otherwise required (e.g., by law) or exempted by law.
- Use – this policy governs the collection, use and retention of PI exclusively for the purposes for which it was collected.
- Protection of PI – this policy requires the organization to take the necessary steps to ensure that its officers and employees respect the confidentiality of PI and protect it from unauthorized disclosure, access or use.
- Retention of PI – this policy also covers the safe retention of PI and is supported by the Retention Schedule set by the Company.
- Destruction of PI – this policy provides that PI that is no longer required for its intended use and/or the purposes for which it was collected will be destroyed in a secure manner in accordance with the Company’s policies and applicable laws.
- De-indexing PI – this policy provides, where applicable, for PI to be de-indexed to the greatest extent possible, for example by removing it from computer search engines and the Company’s websites where appropriate.
- Rights of the person concerned by the PI – this policy rigorously respects the rights of the person concerned: to require that their consent be obtained before their PI is used, to refuse to provide certain PI subject to applicable laws, to correct or complete their PI, to access their PI at any time, and to obtain answers to any questions they may have about their PI.
Policy for the Exchange or Transmission of Personal Information
The purpose of this policy is to define the rules for the collection, use, storage, disclosure and destruction of Personal Information collected by Our Company, as well as the rules for the transmission of such Personal Information to third parties and for its use by them.
- Internal Exchange – Exchange of PI within the organization is permitted only in the course of employment duties and only when justified by need.
- External exchange – No exchange or transmission of PI to Service Providers and/or third parties is authorized, except as necessary to fulfill the purposes for which the PI was collected and in accordance with the consent of the person concerned, or where required by a legal or contractual obligation.
Access Control Policy
The objectives of this policy are to ensure the protection of PI collected, held and communicated by Our organization, in conjunction with Our PI management policy, and to deploy safeguards that reduce the risk of privacy breaches, such as unauthorized access to PI, including theft of information.
- Principle of least privilege – access controls are allocated on the basis of business needs and “least privilege”. Users have only the required access rights and authorizations to the systems, services, information and resources they need to fulfill their professional role.
- User account management – user account management procedures have been implemented for the registration, modification and deregistration of users on all information systems.
- User access monitoring – systems are able to record events related to possible security breaches.
We are committed to keeping multiple registries in order to comply with the law:
- Confidentiality Incidents Registry: We keep records of all Confidentiality Incidents in accordance with Our Confidentiality Incidents Management Procedure.
- Complaints Registry: We keep records of all complaints in accordance with our Complaints Management Procedure.
- Privacy Impact Assessment (PIA) Registry: We keep records of all PIAs the Company carries out.
Privacy Impact Assessments
The Company carries out a PIA, in particular in the context of the following processing of Personal Information:
- before undertaking a project for the acquisition, development or redesign of an information system or the electronic delivery of services involving Personal Information;
- when it intends to disclose Personal Information outside Quebec or to entrust a person or organization outside Quebec with the task of collecting, using, communicating or retaining such information.
In carrying out a PIA, the Company takes into account the sensitivity of the Personal Information to be processed, the purposes for which it is to be used, its quantity, distribution and medium, as well as the proportionality of the measures proposed to protect it.
In addition, when Personal Information is communicated outside Quebec, the Company ensures that it is adequately protected, in particular with respect to generally accepted and reasonable principles for the protection of Personal Information.
The completion of a PIA serves to demonstrate that the Company has complied with all obligations regarding the protection of Personal Information and that all measures have been taken to effectively protect this information.
Complaints Handling Procedure
Complaints are processed within a maximum of 30 working days of receipt.
In the event that a complaint cannot be processed within this timeframe, the complainant will be informed of the reasons for the delay and the steps taken to date to process the complaint. The complainant will also be informed of the timeframe within which the decision will be communicated to them. Once the complaint has been examined and the analysis completed, the Director of Operations will provide the complainant with a final, written, reasoned response.
Complaints Management Procedure
This procedure is designed to enable Our organization to react to and deal effectively with complaints, including those involving the Commission d’Accès à l’Information (CAI).
This procedure applies to all written complaints received by email or through Our messaging and support system (Intercom).
Receiving a complaint – Individuals wishing to make a complaint must do so:
- in writing via Our messaging and support system (Intercom)
- in writing to the following email: [email protected]
Once the notice of complaint is received, an email with the processing procedures will be sent out providing the complainant with all of the required elements to log a formal complaint.
Creating a complaint file – to ensure proper handling, a separate file is created for each complaint. The file includes the following elements:
- the written complaint,
- the outcome of the complaint handling process (the analysis and related documents),
- the final response to the complainant, in writing and with reasons.
Security of Personal Information
The Company implements appropriate security measures to ensure the confidentiality, integrity and availability of Personal Information that is collected, used, communicated, stored or destroyed. These measures take into account the sensitivity of the Personal Information, the purpose for which it is collected, its quantity, location and medium.
The Company manages the access rights of its employees, in accordance with Our Access Control Policy, to ensure that only those who require access in the course of their duties have access to Personal Information.
Confidentiality Incidents Management Procedure
This procedure is designed to enable Our Company to respond effectively to Confidentiality Incidents (“CI”). As soon as a CI occurs, measures must be taken immediately to limit its impact.
Reporting – Incidents can be discovered and reported by a director, committee member, staff member, employee, partner, supplier, service provider, user or other stakeholder.
The procedures We have put in place require Us to conduct a thorough analysis of the situation and depending on Our conclusions, We may be required to notify You and the CAI. We will analyze all possible measures to rectify the situation.
Recording and follow-up – Once this procedure has been completed, the CI is recorded in full in the registry provided for this purpose.
Roles and Responsibilities
The PPPI is responsible for the following:
- Ensuring that employees are trained in policies, guidelines, processes, procedures, etc. relating to the protection of PI, including, but not limited to, information security.
- Providing advice and guidance to the Company on all privacy matters, including regulatory obligations.
- Collaborating with employees and external resources (subcontractors, suppliers, etc.) to improve the protection of PI.
- Working closely with others in the Company to promote the security of PI and ensure that privacy risks are considered in strategic business decisions.
- Ensuring awareness among staff, partners and third parties of the importance of protecting PI.
- Acting as a point of contact with the public and the regulator regarding the protection of PI.
Fiona Ham, Head of Operations, is responsible for:
- Responding to inquiries from individuals regarding the Company’s collection, use, disclosure or other processing of their PI.
- Supporting the management of Confidentiality Incidents involving PI, including notification to the CAI and to the individuals concerned, if applicable.
- Managing requests for PI from users of the Service.
- Managing complaints regarding PI.
- Maintaining a Complaints Registry.
- Contributing to the management of Confidentiality Incidents.
- Maintaining a Confidentiality Incidents Registry.
Chloé Dagenais-Mignault, Head of Product, is responsible for:
- Identifying risks relating to the protection of PI within the Company, and ensuring that measures are put in place to mitigate the risks.
- Establishing monitoring and verification protocols to ensure compliance with Law 25 and other laws and regulations regarding the protection of PI.
- Conducting Privacy Impact Assessments (PIAs).
- Conducting a PI mapping and risk assessment.
- Approving the PI Retention Schedule.
- Applying the PI Retention Schedule and bringing it to the attention of all managers, employees and stakeholders through adequate dissemination.
- Implementing the measures and controls necessary for the application of the PI Retention Schedule.
- Implementing the Access Control Policy.
- Supervising, managing and reviewing user access rights and roles.
The Privacy Committee, in particular, is in charge of:
- Creating and applying policies and practices to govern aspects of PI governance.
- Assessing the Company’s compliance with applicable data protection laws and regulations.
- Ensuring that Privacy Impact Assessments (PIAs), when required, are duly completed.
- Developing, updating and implementing policies, guidelines, processes, procedures, etc. relating to the protection of PI.
Any person who handles Personal Information held by the Company:
- acts with care and integrates the principles set out in this document into their activities;
- accesses only the information required for the performance of their duties;
- protects access to PI in their possession, or to which they have access, by means of a password;
- refrains from disclosing any PI that comes to their knowledge in the course of their duties, unless duly authorized to do so;
- refrains from retaining, at the end of their employment or contract, any PI obtained or collected in the course of their duties and maintains their confidentiality obligations;
- destroys all PI in accordance with the Company’s Retention Schedule;
- participates in privacy awareness and training activities;
- reports any breach, Confidentiality Incident or any other situation or irregularity that could compromise in any way the security, integrity or confidentiality of PI in accordance with the procedure established by the Company.