    Policies and Practices Guiding the Governance of Personal Information

    Caroline Simard avocate inc. is committed to protecting the confidentiality and ensuring the security of Personal Information (hereinafter “PI”) in accordance with Law 25 and the ethical rules of the profession.

    This Policy applies to all lawyers, notaries, paralegals, employees, and subcontractors of the firm, as well as to all PI managed by the firm, regardless of its form: paper, digital, or oral.

    1. Roles and Responsibilities

    The Person Responsible for the Protection of Personal Information (PRPPI)

    Caroline Simard, Lawyer, President and sole shareholder.
    Contact Information: avocate@carolinesimard.ca

    The PRPPI oversees the application of all policies, manages access/rectification requests, and acts as the point of contact with the Commission d’accès à l’information (CAI).

    Management Responsibilities

    Ensure the necessary resources (training, technology) for the protection of PI.

    Staff Responsibilities

    Mandatory training, an enhanced duty of confidentiality arising from the professional secrecy of the legal profession, immediate reporting of any incident, and maintenance of confidentiality by default (see section 4).

    2. Collection and Use of Personal Information

    Minimization Principle (Law 25)

    Collect only the PI strictly necessary for the execution of the mandate, for example: conflict of interest verification, legal representation, billing.

    Consent

    Documented procedure to obtain free and informed consent: “File Opening Form and Professional Fee Agreement.” Management of consent withdrawal: withdrawal of consent must be as simple as the manner in which it was given.

    Use

    Strict prohibition from using PI for secondary purposes, such as marketing and case studies, without explicit and separate consent, unless permitted by law.

    3. Retention and Destruction of Personal Information

    Retention Policy

    Respect the minimum retention period imposed by the rules of the Barreau du Québec, which is 7 years after the end of the mandate.

    Destruction Procedures

    Physical Destruction: Systematic use of a high-security shredder (cross-cut) for paper documents.

    Digital Destruction: Use of secure deletion or degaussing methods for files and storage media, ensuring that recovery is impossible.

    Anonymization: Procedures to anonymize data for statistical or archival purposes (if applicable) ensuring that the person can no longer be identified directly or indirectly. The destruction of PI is documented.

    4. Security Measures (Protection and Access)

    Physical Security

    Access control to offices; archiving of files in locked cabinets.
    Protocols for remote work (securing documents taken out of the office).

    Technological Security and Confidentiality by Default

    Encryption: Encryption of email communications containing sensitive information and client databases.
    Access Management: Access to client files based on the need-to-know principle; only lawyers and staff directly involved in the mandate have access.
    Passwords: Policy for complex and regularly renewed passwords.
    Confidentiality by Default: All of the firm’s information systems are configured, by default, to ensure the highest level of confidentiality without user intervention.

    Transfer of Data Outside Quebec

    Require a Privacy Impact Assessment (PIA) before any transfer, ensuring that the laws of the recipient jurisdiction offer adequate protection (for example, before using cloud services hosted in the US).

    5. Management of Requests to Exercise Rights (Clients)

    Receipt of the Request

    All requests must be addressed to the PRPPI in writing (see section 1).

    Identity Verification

    Rigorous procedure to verify the identity of the applicant, so as not to disclose confidential information to the wrong person.

    Processing Time

    Respond to access or rectification requests within 30 days of receipt, which is the legal deadline.

    Refusal

    Procedure for justified refusal, particularly if the disclosure violates professional secrecy or if it risks harming a third party. The refusal response must indicate the possible recourse with the CAI.

    6. Management of Confidentiality Incidents (Data Breaches)

    Definition

    Identification of an incident: unauthorized access, use, or disclosure of PI.

    Intervention Protocol

    1. Contain the incident, for example: disconnect the device, change passwords.
    2. Assess the risk of serious injury, considering severity factors such as the sensitivity of the PI involved, the apprehended consequences, and the probability that the PI will be used for harmful purposes.
    3. Notify the CAI: Obligation to notify the Commission d’accès à l’information if the risk of injury is serious.
    4. Notify the person concerned: Obligation to notify the person whose data has been compromised.
    5. Documentation: Maintain a detailed register of all confidentiality incidents, whether they require notification or not.