Privacy Policy and Breach Procedure

  1. Our Commitment

In order to provide you with access to our services, Oracle Fiscalistes retains some of your personal information and ensures its protection. We comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy legislation.

  2. Accountability

We are responsible for the personal information we receive from our customers. We will protect this information, regardless of the medium used for transmission.

  3. Consent

We will only collect information with your consent. Your personal information will be used to find tax products, concepts and services that meet the needs you have identified. By signing the authorization form, you agree, on behalf of yourself, your executors, administrators or assignees, to:

– Provide accurate information throughout our business relationship and as your situation evolves.

– Allow us to use, transmit and disclose this information as needed to our collaborators, associates and your professionals of record, who may retain certain information in their files for future use and recommendation by us.

– Allow us to retain your personal information in our paper and electronic files for as long as you wish to do business with us or as long as we need to satisfy a business or regulatory need by retaining the information.

– Transfer your file, including your personal information, to another partner and/or to the Ordre des CPA, in order to continue to meet your needs in the event of disability, death, retirement or any other major event affecting our firm. However, you have the right to choose your own firm at that time, should you disagree with the one assigned to you.

  4. Reasons for collection / use / retention

We collect all personal information (including medical, financial, corporate and related information) with your consent. We use and retain it only to provide advice or services you purchase through us and to advise you of new products or services that may be of interest to you.

  5. Limiting Collection

We collect and retain only the information that helps us advise you, including personal and financial information, and meet our regulatory obligations. We use only fair and lawful means to collect this information.

  6. Limiting Use / Disclosure / Retention

We will use and disclose your personal information to perform our functions, to advise you and, where applicable, to comply with the law. The personal information contained in your customer file will be disclosed only:

– To our employees and persons authorized by us, such as professionals to assist you in areas of expertise beyond our competence;
– To third-party providers of complementary services that we have authorized; if they are located abroad, your personal information may be subject to the applicable laws of other countries, including laws giving public authorities access to information;
– To persons or entities to whom you have given access or who are authorized to access it under the law.

We are required to retain most of the information we collect for regulatory reasons, including the requirement to demonstrate that the recommendations we make are appropriate and meet your identified needs.

In accordance with applicable laws and with your written authorization, you have the right to review the personal information contained in your file. At your request, copies (not originals) of other personal documents, such as insurance policies, wills or powers of attorney, may be kept in your file.

  7. Accuracy of information

In order to make appropriate recommendations, we must receive accurate information. It is our responsibility to keep your information as accurate and up-to-date as possible. As circumstances permit, we will attempt to update your personal information to determine whether the recommendations we have made are still appropriate in light of your changing circumstances. However, we also rely on you to provide us with regular updates for the same reason. You may review the personal information we maintain about you upon request.

  8. Efforts made to protect your personal information

All staff members, associated tax advisors, and suppliers who have access to customer files must protect this information, keep it confidential, and use it only for its intended purpose. Information that is no longer required for the intended purpose will be destroyed. We have also implemented physical and computer safeguards, as well as other processes, to protect customer information from unauthorized access.

In Appendix A, you will find our procedure in the event of a breach of your personal information.

  9. Your choices regarding personal information

You may withdraw your consent at any time by contacting us, subject to contractual or legal restrictions and provided you give us reasonable notice. If you withdraw your consent, we may not be able to provide you with the services you have requested and we may have to terminate our business relationship.

  10. Your right to complain

If you have any concerns about the collection, use or disclosure of your personal information, you have the right to complain to us or to the Office of the Privacy Commissioner:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Freephone: 1-800-282-1376

Privacy Officer:

Marie-Christine Tétreault
200 Bd du Curé-Labelle Suite 201, Sainte-Thérèse, QC J7E 2X5

Appendix A – Breach Procedure

A privacy breach occurs when there is unauthorized access to personal information or unauthorized collection, use or disclosure of such information. These activities are “unauthorized” when they contravene applicable privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), or similar provincial privacy legislation. Some of the most common privacy breaches occur when the personal information of a consumer, patient, customer or employee is stolen, lost or mistakenly distributed (e.g., the theft of a computer containing personal information, or the mistaken sending of an e-mail containing personal information to the wrong person). A breach may also be the consequence of a flawed procedure or operational failure.

As set out by the Commission d’accès à l’information du Québec (www.cai.gouv.qc.ca), we will follow these six (6) steps in the event of a breach of your personal information:

1) Preliminary assessment of the situation
2) Limiting the privacy breach
3) Assessing the risks associated with the breach
4) Notifying the persons concerned
5) Prevention
6) Follow-up

Step 1: Preliminary assessment of the situation

  a) Briefly define the context of the loss or theft of personal information:
    – Identify the personal information affected and its medium;
    – Identify the people, their number and the group of people (customers, employees, etc.) affected;
    – Establish the context of the events (date, time, place, etc.);
    – Identify, if possible, the circumstances surrounding the loss (cause, people likely to be involved in the incident, etc.);
    – List the physical and IT security measures in place at the time of the incident.
  b) Inform the relevant external stakeholders (before risk assessment):
    – Police department (if circumstances suggest the possibility of a crime);
    – Commission d’accès à l’information (link to form).
  c) Designate a person or team responsible for managing the situation.
  d) Inform the relevant internal stakeholders:
    – Executives of the organization or company;
    – Head of the administrative unit concerned;
    – Privacy officer;
    – Legal counsel;
    – Communications department (media and customer call management).

Step 2: Limiting the privacy breach

Promptly take appropriate measures to limit the consequences for affected individuals of the possible misuse of their personal information, identity theft or usurpation:

  a) Take steps to immediately limit the consequences of the loss or theft of personal information, ensuring that the non-compliant practice is discontinued where appropriate;
  b) Recover physical or digital records, as appropriate;
  c) Revoke or change passwords or computer access codes;
  d) Check for gaps in security systems.

Step 3: Assess the risks associated with the breach

  a) Complete a preliminary risk assessment, considering the sensitivity of the personal information involved and taking into account its nature, quantity, the possibility of combining it with other information, the people involved, etc.
  b) Determine the context of the incident, including:
    – the cause (e.g. deliberate or unintentional loss or theft of personal information, human error, computer vulnerability, etc.);
    – the known or probable recipients of the lost or stolen personal information (e.g. criminal organization, general public, etc.);
    – the extent of the situation (number of people affected and sectors affected);
    – the systemic or non-systemic nature of the disappearance of personal information (particularly when the loss is not directly caused by human intervention);
    – an assessment of the likelihood that a similar event will occur again.
  c) Assess the possibility that the personal information concerned will be used in a manner prejudicial to the persons concerned, taking into account, in particular, the security measures taken to protect it, its difficulty of access and its intelligibility (password, encryption, etc.);
  d) Assess whether the situation is reversible or not, including the possibility of recovering the personal information;
  e) Assess whether the immediate measures taken were adequate to limit the breach and supplement them if necessary;
  f) Determine potential harm, including assessing the possibilities of future use of the personal information by malicious persons, including for identity theft;
  g) Determine priorities and identify actions to be taken based on the results of these risk assessments.

Step 4: Notification to affected persons

  a) Determine who should be made aware of the loss or theft of personal information based on the risk assessment:
    – Police department: In cases where the disappearance may result from the commission of a crime, the police department concerned should be notified first of the elements surrounding the disappearance and, secondly, of all subsequent steps. Particular care must be taken not to interfere with the investigation and to preserve potentially relevant evidence;
    – Affected individuals: If the loss or theft of personal information presents a risk of harm to affected individuals, they should be notified without delay. The aim is not to alarm, but to warn, so that they can take appropriate measures to protect their personal information;
    – Commission d’accès à l’information: If the persons concerned by the personal information are from Quebec, the Commission could initiate an inspection or investigation and play an advisory role in the search for a solution;
    – Others: It may also be necessary to notify other stakeholders, such as credit agencies, an agent, a co-contractor, a government body, a union, a professional order, etc.

However, in disseminating information concerning the loss of personal information, particular care must be taken to avoid aggravating the prejudice that could be suffered by the persons concerned (e.g. keeping personal information to a minimum in notices).

  b) Designate the persons responsible for notifying the external stakeholders identified above, as well as the time and means (letter, e-mail, telephone);
  c) If applicable, identify and record the reasons behind the decision not to notify the individuals concerned and other stakeholders.

Notification of individuals affected by loss or theft of their personal information:

Depending on the circumstances, it may be necessary to notify individuals of the loss or theft of their personal information. This notification could include some of the following elements:

– The context of the incident and when it occurred, as well as a description of the nature of the personal information affected or potentially affected, without revealing any specific personal information;
– A brief description of the measures taken to limit or prevent any harm, as well as a list of the people who have been informed of the situation (police department, Commission d’accès à l’information, etc.);
– Actions taken by organizations and companies to help the people concerned (help and information service, credit alert subscription, etc.);
– Measures that individuals can take to reduce the risk of harm or to better protect themselves (reference to the document “Identity Theft” available from the Commission d’accès à l’information);
– Other general information documents designed to help people protect themselves against identity theft;
– The contact details of a person within the organization who can answer questions and to whom reports can be made;
– The main measures that will be taken to prevent the situation from recurring (change of practice or process, staff training, revision or development of policies, an audit, periodic monitoring, etc.).

Step 5: Prevention

  a) Deepen the analysis of the circumstances surrounding the loss or theft of personal information and provide a chronological description of the events and the actions taken in response to the incident, including the dates and people involved;
  b) List and review the internal standards, policies or directives in place at the time of the incident, both in terms of computer security, where information systems are involved, and the protection of personal information in general;
  c) Verify whether these internal standards, policies or directives were followed by the persons involved and, if applicable, identify the reasons why they were not followed;
  d) If the incident was a procedural error or operational failure, record it in the security file and adapt processes to prevent such an incident from happening again;
  e) Assess the need to develop a policy for dealing with loss or theft of personal information within the organization or company;
  f) Formulate recommendations for medium- and long-term solutions and prevention strategies;
  g) Ascertain the real need, for the organization or company, to collect the personal information concerned;
  h) Plan the follow-up to be provided.

Step 6: Follow-up

It is important to follow up on:

  a) the treatment process to be applied when personal information is lost or stolen, and the results obtained, in order to improve it if necessary;
  b) the security measures required following the incident and their performance, in order to improve the processes in place and update the Privacy Policy;
  c) the communication of relevant information to the Commission d’accès à l’information and the police department involved, if applicable.

Record keeping

It is also mandatory to keep a record of all breach events, even those that presented no risk of serious harm. Records of all events must be kept for at least two years, so that the Office of the Privacy Commissioner can examine them on request.

Records must include, as a minimum, the following information:

– the date or estimated duration of the breach;
– a description of the circumstances of the breach;
– the nature of the information involved in the breach;
– the existence of a report to the Office of the Privacy Commissioner or the names of other organizations notified, if applicable;
– a brief explanation of why the organization has determined that there is no risk of serious harm if the breach has not been reported to the Office of the Privacy Commissioner.

Resources

Detailed information on all your privacy obligations can be found at www.priv.gc.ca