Policy and procedure for the protection of personal information

At Groupe Financier Signature (GFS), we are committed to protecting the privacy of the personal information you entrust to us in the course of our business. We always act in compliance with applicable privacy laws.

When this Policy refers to Groupe Financier Signature, it also refers to our other affiliates. Our Policy applies to both GFS clients and advisors who use our services.

 

1. Concerns and general inquiries or queries

All general privacy concerns, inquiries or queries to GFS are referred to the Chief Compliance Officer. The Chief Compliance Officer will review requests and acknowledge receipt within 24 hours; in their absence, requests will be transferred to an appropriate person for processing. The client will be kept informed of the Chief Compliance Officer’s progress with respect to the situation, and complete documentation of the reported concern and all related activities will be retained in the client’s file.

The Chief Compliance Officer forwards all concerns, general inquiries or queries related to privacy and the Company’s products and services to the President of GFS.

 

2. Client requests for access to personal information

Under privacy laws, customers have the right to access their personal information in records maintained by GFS and to challenge its accuracy, where appropriate.

Any request for access by a client to their personal information in GFS’s client files is sent to the Chief Compliance Officer for a response to the client’s request. The date and terms of the request are recorded until it is executed. The Chief Compliance Officer will assist the client in preparing their access request, if required. The information is provided to the client as soon as possible and no later than 30 days after receipt of the request, in a commonly used technological format.

GFS corrects or amends any personal information if its accuracy or completeness is questioned and it is found that the information is indeed inaccurate or incomplete. GFS documents any disagreement related to the information and, if necessary, informs third parties.

 

2.1 Automated Decisions

If GFS uses automated decision-making technology, it will, at the customer’s request, inform the customer, no later than the time it informs the customer of the decision, what personal information was used to make the decision, and explain to the customer, in plain language, how the decision was made. The customer retains the right to review and correct any inaccurate information.

 

2.2 Misuse of Personal Information

All persons contacted must promptly report any misuse of personal information or any possible breach of product and service security measures to GFS’s Chief Compliance Officer.

 

2.3 Processes for confidentiality incidents and privacy breaches

A privacy breach occurs when personal information is disclosed, used or accessed without authorization, or lost as a result of a breach of security safeguards. A privacy breach also includes any other breach of personal information that does not comply with privacy legislation, such as when personal information is retained even though it is no longer needed for the purposes for which it was collected.

A privacy breach can be intentional, accidental or due to criminal activity.

Examples of privacy breaches:

  • Copies of customer personal information statements are stolen from a vehicle.
  • An advisor’s laptop is lost or stolen and includes clients’ personal information.
  • The hard drive on the advisor’s computer containing personal information about clients is compromised or has been hacked.
  • The client information was sent to the wrong recipient of the email, either internally or externally.
  • The client’s information was mailed to the wrong address (someone else opened the mail).
  • Personal information has been disclosed or used without proper authorization.
  • Information about inactive clients is retained longer than it should under retention schedules.

All breaches must be assessed to determine the risk to the client.

Assessment terminology: The assessment is referred to as a real risk of serious harm (ROCR) or a risk of serious harm (RPS, similar to the RRPG), and will be referred to as the “evaluation” throughout this document. When the assessment determines that the risk is serious or substantial, the breach must be reported to the Commission d’accès à l’information (CAI) in Quebec and/or to the Office of the Privacy Commissioner of Canada (OPC) and to the provincial privacy commissioners outside Quebec, as applicable, all of whom are referred to as “the Commissioner”.

 

2.3.1 Policy and Procedure

Suspected or actual breaches, complaints or any concerns related to a privacy issue, regardless of whether they affect an individual or a supplier, are immediately reported to GFS’s Chief Compliance Officer. GFS’s Chief Compliance Officer will contain any further disclosure of information, assess the situation, remediate it and contribute to improving control measures to prevent similar breaches in the future.

 

2.3.2 Breach containment process

  • In the event of a privacy breach involving customer information (e.g., cyberattack, unauthorized access to data), contact the Chief Compliance Officer.
  • The Chief Compliance Officer communicates with the insurer’s and/or partner’s practice and compliance officer.

 

2.3.2.1 Loss, theft or hacking of electronic devices

  • GFS will scan computers for malware before restoring access to systems.
  • Immediately contact the technology support team of each company involved to request that passwords be changed.
  • Contact the police to file a complaint.
  • Change passwords for other systems (e.g., online banking).

 

2.3.2.2 Loss or theft of paper documents (e.g., policies, applications, client files)

  • GFS will contact the police service to report the theft of documents.
 

2.3.2.3 Emails or mail sent to the wrong recipient

  • GFS will immediately recall the email.
  • If this is not possible, contact the unintended recipient and ask them to confirm in writing that they deleted the email (including from their Deleted Items folder), did not save it and did not forward it to anyone else.
  • Ask the unintended recipient to return the mail or to confirm that it has been securely destroyed (e.g., shredded).

 

2.3.2.4 Cyberattacks

  • A cyberattack is an attempt to expose, modify, disable, destroy, steal or obtain information through unauthorized access to or use of an asset.
  • Engage the practice’s IT support team.
  • Contact the police.

 

2.3.2.5 Ransomware

  • Ransomware is a type of malicious software (malware) that prevents users from using their systems, or restricts their use, by locking the system screen or encrypting a user’s files until an amount (a ransom) is paid.
  • Engage the practice’s IT support team.
  • Contact the police service to report the incident and cooperate with the investigation.
  • Immediately disconnect infected devices from the network.
  • Do not delete anything on our devices (computers, servers, etc.).
  • Examine the ransomware and determine how it infected the device.
  • Once the ransomware is removed, perform a full system scan using antivirus, anti-malware and any other up-to-date security software available, in order to confirm that it has been removed from the device.
  • If the ransomware cannot be removed from the device (often the case with stealthy malware), the device must be reset using the original installation media or images. Before resetting from backup media or images, check that they are not themselves infected with malware.
  • If the data is critical and needs to be restored, but cannot be recovered from unaffected backups, look for decryption tools available at https://www.nomoreransom.org
  • The policy is not to pay the ransom, subject to the stakes involved. It is also strongly recommended to engage a project manager who is an expert in cyberattacks (a breach coach).
  • Protect systems against reinfection by applying patches or procedures that prevent further attacks.

 

2.4 Documentation Process

GFS begins the process of documenting any privacy breach as soon as the breach has been contained. All records of privacy breaches must be kept secure.

In Quebec, GFS must maintain a record of all privacy breaches for five years from the time it becomes aware of the breach and be prepared to provide this record to the Commission d’accès à l’information (CAI) upon request.

Outside Quebec, keep records of all privacy breaches for 24 months. The practice should be able to provide the records to the Commissioner or other organizations upon request.

The record(s) must be kept in a secure location and include the following:

  • Date of breach
  • Description of the circumstances of the breach
  • Number of persons affected
  • Types of personal information involved
  • Sensitivity of the information affected by the breach
  • Likelihood of misuse
  • Potential harm that could result from the breach
  • An indicator confirming:
    • whether the breach resulted in a serious or substantial risk to the person, and an explanation for that conclusion;
    • that the person(s) concerned have been notified;
    • the date of confirmation and notification to the Commissioner for affected persons who live outside Quebec.
  • Measures taken to prevent similar breaches from happening again – consider the following:
    • What is the root cause of the privacy breach?
    • What controls failed to prevent the privacy breach?
    • Do new processes or controls need to be put in place?
    • Do any existing processes or controls need to be improved or changed?
    • Are there any gaps or vulnerabilities in security controls that need to be addressed?
    • Does training need to be strengthened, or should new training be created and delivered?
  • GFS must also record the following information:
    • Date GFS was made aware of the incident
    • If a description of the personal information is not provided, the reason why
    • If it is determined that there is a serious or substantial risk, the date and confirmation of the notice to the CAI and to affected persons, and whether and why public notices have been issued

A tracking log that includes a list of all privacy breaches by region recorded in one location may also be kept. GFS may use it as a registry for the purposes of the CAI.

 

2.5 Conduct an assessment

All privacy breach incidents must be assessed to determine whether they posed a serious or substantial risk.

To determine whether there is a serious or substantial risk, ask the following questions:

  • Is the personal information involved in the breach sensitive?
    • Examples of levels of sensitivity of personal information: High – SIN, banking and medical information; Low – name, email address, gender, marital status
  • Was the personal information obtained maliciously?
    • Personal information obtained through theft, fraud or hacking of a system is more likely to be used for malicious purposes and represents a high risk.
  • Are 5 or more people involved?
    • The higher the number of people affected, the greater the likelihood of misuse.
  • Has the information still not been recovered?
    • If personal information cannot be retrieved in a timely manner, it may mean that it has been, is being or will be misused.
  • Are you still waiting for confirmation that personal information has been destroyed?
    • If personal information is not destroyed by the wrong recipient, it may mean that it has been, is being or will be misused.
  • Was the incident the result of a systemic problem?
    • Systemic issues can lead to future incidents and increase the likelihood that personal information will be misused.
  • Has there been more than 10 business days between the date of the incident and the date the incident was discovered?
    • A long delay before the incident is discovered may indicate that the wrong recipient has had time to misuse the personal information.

If you answered “no” to all of the above questions, the answer to the question of whether there is a serious or substantial risk is “no”, and the levels of sensitivity and likelihood are “low”. Go to the Enhanced Control Measures section.

If you answered “yes” to any of the above questions, determine the level (low or high) of the sensitivity of the personal information and of the likelihood of misuse, taking into account (1) the sensitivity of the personal information that was the subject of the breach; (2) the anticipated consequences for affected individuals in the event of misuse of that information; and (3) the likelihood that the personal information will be misused.

 

2.6 Mandatory reporting of privacy breaches under provincial privacy legislation or the Personal Information Protection and Electronic Documents Act (PIPEDA)

  • If GFS determines that the incident poses a serious or substantial risk, the affected individuals must be notified, provided this does not interfere with a formal investigation, and, depending on the location of the affected individuals, a report must be made to the CAI (in Quebec) and/or to the Commissioner, as soon as possible and even if only one individual is affected.
  • GFS shall also notify any other organization or company that could mitigate the harm to individuals of the incident.

 

2.6.1 Notice to Affected Persons

In such cases, a notification of the breach of privacy safeguards will be provided by GFS to affected individuals and must include the following:

  1. a description of the circumstances of the breach;
  2. the date on which the breach occurred or the period over which it occurred, or, if the specific dates are unknown, an approximation of the dates;
  3. a description of the personal information affected, to the extent that it can be determined;
  4. a description of the measures that the practice has put in place to reduce the risk of harm from the breach;
  5. a description of the steps that affected persons could take to reduce or mitigate the risk of harm from the breach; and
  6. contact information for affected individuals to learn more about the breach.

 

2.6.2 Notification to Regulators in the Case of Breaches considered as ROPS/RPS by GFS

 

2.7 Enhanced Control Measures

GFS will review all processes, system updates, employee training, and then make improvements as needed to prevent incidents from happening again. As described in Section 2.4 “Documentation Process”, assess the controls that can be improved to minimize future risks and implement the new controls necessary to address the risks.

If you have any questions or concerns about our personal information handling policy or how we use your personal information, please write to us at:

Daniel Rouillard, Chief Compliance Officer

83, Champlain Street, Salaberry-de-Valleyfield, QC, J6T 1W4 or [email protected]
