1. Why did we adopt a policy regarding the protection of personal information?
Lavery's ("Firm") Privacy Policy ("Policy") sets out the guidelines and specific rules which Members of the Firm must comply with regarding the collection, use, communication, conservation, and destruction of information regarding a physical person and through which it is possible to identify such person directly or indirectly.
For the purpose of this Policy, Personal Information is defined in the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1 ("APPIPS").
The objective of this Policy is to provide a general frame for the protection of Personal Information with regard to the Members of the Law Firm, its consultants and service providers, as well as the Firm's clients, its suppliers and business partners, in compliance with the laws and regulations applicable to the Firm, including the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA") and, where applicable, the General Data Protection Regulation [1] ("GDPR").
2. Who does our Policy apply to?
This Policy applies to all Members of our Firm, notwithstanding their title, status, functions or professional membership, as well as to consultants and service providers, when they are specifically subject thereto in their service contract.
3. A few definitions to help you understand
"Privacy Impact Assessment" or "PIA" means an assessment which takes into consideration all factors having a positive or negative impact on the privacy of the Persons Concerned. These factors are:
- compliance with the legislation applicable to the protection of Personal Information and with the principles it is based on;
- identification of breach of privacy risks and their impact;
- setting up strategies to avoid such risks or reduce them efficiently.
"Confidentiality Incident" means non-authorized access, use or communication of Personal Information, the loss of such information, or any other breach of privacy with respect thereto.
"Information Technology Project" means any acquisition, development or overhaul project of an information system, or electronic delivery of services involving the collection, use, communication, conservation or destruction of Personal Information.
"Members of the Firm" means all the partners, professionals, employees, and staff members.
"Personal Information" means any information regarding a physical person which allows, directly or indirectly, to identify such person, whatever the nature of its medium and in whichever form it is accessible, whether it be written, graphic, acoustic, visual, digital, or other.
"Persons Concerned" means the physical persons whose personal information is collected, used, communicated, retained or destroyed by the Law Firm.
"Privacy Officer" means the person with the highest level of authority in the Firm or the person to whom such authority is delegated in writing, in whole or in part.
"Sensitive Information" means any Personal Information which by its very nature, including medical, biometric, financial or otherwise intimate information, or which, due to the way it was collected, or its use or communication, entails a high level of reasonable expectation of privacy.
"Subcontractor" means any agent, consultant, data manager or other service provider having access to the Personal Information previously communicated to them by the Firm or through another subcontractor of the Firm.
4. Your consent
Your consent to the collection, use and communication of Personal Information must be manifest, free and enlightened. It must be given for specific purposes, in clear and simple terms.
When the Person Concerned requests it, the Firm provides assistance to help understand the scope of the consent requested.
Based on the nature and sensitivity of the Personal Information, the consent may be explicit (such a consent may be given orally, in writing or by electronic means) or implied (for example, when the Person Concerned provides voluntarily the Personal Information). Whenever it is required, the consent in connection with Sensitive Information must always be given explicitly.
Consent to the collection, use and communication of Personal Information shall be obtained prior to or at the moment the information is collected, except in such cases, and according to the terms provided in the law. It shall be only valid for the period required to achieve the purposes for which it was given. For example, a consent given by a person is usually valid during the entire term of the relationship between such person and the Firm. However, in some cases, a more specific consent may only be valid for the time period required to achieve the purpose sought.
Consent may be withdrawn at any time, subject to legal and contractual restrictions and reasonable notice. In some cases where the consent is withdrawn, the Firm may no longer be able to maintain its relationship with the Person Concerned or to provide certain products or services to such person.
5. Which rules have we adopted regarding the collection and use of Personal Information?
The Firm collects only the Personal Information which is required to set up, manage, and maintain its relationship with the Members of the Firm, its consultants and service providers, or which is required to fulfill its obligations on behalf of its clients, suppliers and business partners. This information may include:
- identifying information;
- health information;
- financial information;
- employment information;
- school or training related information; and
- information pertaining to the social or family situation.
Without limiting the generality of the foregoing, the Firm collects and uses Personal Information:
(a) regarding the Members of the Firm, its consultants and its service providers
- to determine initial eligibility for employment, including checking references and qualifications, as well as for promotion and management selection: information regarding education, training, work experience, professional history, professional and personal references, initial curriculum vitae or employment application form, as well as updated curriculum vitae of the Person Concerned;
- for the management of human resources and for administrative purposes: employment offers and acceptances, employment contracts, acceptance form and certification regarding the Firm's policies and guidelines, professional history and salary history of the Person Concerned;
- information required for payroll preparation, including social insurance number, financial institution and account number of the Person Concerned;
- forms regarding a claim or a modification of the health and security benefits, short-term or long-term disability, medical or dental care, information regarding the medical or dental status and the processing of claims relating to the employment (ex.: indemnification for prejudice suffered on the work premises, insurance claims, etc.);
- information from colleagues, managers and clients regarding the performance and behaviour of the Person Concerned contained, for example, in professional evaluations, for purposes of establishing the requirements regarding training and development, the evaluation of qualifications for a particular job or task and, in connection with an inquiry, for the collection of evidence in the context of disciplinary measures or dismissal;
- information required for purposes of identification and security;
- information regarding the person to be contacted in the event of an emergency; and
- any other information required or whose access is authorized under the law (including in compliance with labour laws or for purposes of compiling internal directories).
(b) concerning its clients, suppliers and business partners
- to identify the Person Concerned in order to establish and maintain the Firm's business relationship, for example, to provide professional services to someone who wants to become, is or was a client of the Firm;
- for purposes of providing continuous services, including when the Person Concerned asks a question, participates in an event or indicates their preferences regarding the level of information they wish to receive from the Firm through its website;
- when the collection and use of Personal Information is required due to the nature of the relationship or the subject matter of the contract;
- to improve the range of our products and services;
- to avoid errors and fraud; and
- for purposes of responding to the requirements imposed by law to the Firm.
Personal Information may only be used within the Firm for the purposes it has been collected, unless the Person Concerned consents to its use or if such use is otherwise authorized under the law. The Firm may otherwise use Personal Information for another purpose without the consent of the Person Concerned, namely in the following cases:
- when its use is for purposes consistent with those it was collected for;
- when its use is clearly to the advantage of the Person Concerned; and
- when its use is required to apply a Québec statute, whether its use is expressly provided under the law or not.
In most cases, the Firm collects the Personal Information from the Person Concerned. However, the Firm may collect Personal Information from a third party with the consent of the Person Concerned or without their consent if this is authorized under the law.
The Person Concerned is informed at the time the information is collected, and thereafter on demand, of the purposes for which the Personal Information is collected and the means by which it is collected and is given any other information required under the law, based on the context.
6. Which rules have we adopted regarding the communication of Personal Information?
Except in the cases hereinafter described and under the terms and conditions provided in the law, the communication of Personal Information requires the consent of the Person Concerned when such information is communicated to a third party. Notwithstanding the context of the communication of the information, the Firm only provides the minimum amount and type of Personal Information required by the communication.
Personal Information may be communicated by the Firm without the consent of the Person Concerned, in compliance with the applicable law, to the following persons:
- a person or body which has the power to compel the communication of such information and requests it in the performance of their duties, including to respond to a subpoena or a court warrant or order regarding the production of documents;
- a body whose mandate, under the law, is to prevent, detect or repress crime or offences under the law, and who requests such information in the performance of its duties, if the information is required to institute or carry out legal proceedings with respect to the breach of an applicable law; or
- a person to whom such information must be communicated in compliance with an applicable law.
Similarly, access to Personal Information within the Firm does not require the consent of the Person Concerned, but it is strictly limited to those for whom the information is necessary in order to carry out their duties. Unauthorized access to or unauthorized communication of Personal Information by a Member of the Firm is strictly forbidden and may result in disciplinary action.
The Firm may also share, without the consent of the Person Concerned, Personal Information it keeps with its Subcontractors if such information is required for the performance of their mandate or service contract. In any case, the Firm sets up reasonable measures to ensure that the Subcontractor to whom the Personal Information is transmitted has put in place measures designed to maintain the confidentiality, integrity and availability of the Personal Information, and acts in compliance with its measures.
In such a case, the Firm entrusts the mandate or contract in writing and indicates the measures that the Subcontractor must take to ensure the protection of the confidential nature of the Personal Information transmitted. Such a contract must at least provide the following: (1) steps which the Subcontractor must take to ensure protection of the confidential nature of the information it receives, (2) the Personal Information received by the Subcontractor may only be used in connection with its mandate or with the performance of its contract, (3) the Subcontractor agrees not to keep the Personal Information received from the Firm beyond the end of its mandate or contract, (4) the Subcontractor agrees to notify the Firm's Privacy Officer of any breach or attempted breach of its confidentiality obligations regarding the Personal Information, and (5) the Subcontractor agrees to let the Firm's Privacy Officer carry out any kind of checking with regard to such confidentiality.
If the communication of Personal Information takes place outside of the Province of Québec or if it is done in the context of an Information Technology Project, the Firm will carry out a PIA which takes into account all the factors provided in the law. The Firm may only transmit Personal Information outside the Province of Québec if the PIA shows that the Personal Information will benefit from an appropriate protection consistent with the generally recognized personal information protection rules. The written agreement with the Subcontractor will need to take into account the results of the PIA and, if applicable, the terms and conditions agreed to in order to mitigate the risks identified in connection with this PIA.
It is important to note that, if the Subcontractor to whom the Firm transmits Personal Information is located in a foreign jurisdiction, local laws may enable third parties to have access to the Personal Information without the consent of the Person Concerned.
7. How do we use cookies?
The Firm's website uses cookies to collect certain information, including the length of the website visits, the downloaded pages, the Person Concerned's IP address, preferences in terms of language, the Web browsers used, etc. It is also possible for the Firm to receive information about the server to which the Person Concerned is connected as well as this Person's Internet provider.
A cookie is a file which records information on the browser's hard drive. It enables the website to identify a computer and to recognize the Person Concerned if this person has already visited the website.
Consent to the use of cookies is required prior to each connection. Most Web browsers also offer the opportunity to block or delete the cookies from the hard drive. It is important to consult the user guide or the browser help menu to obtain more information regarding these features. However, if the Person Concerned does not consent to the use of cookies or if the Web browser's parameters are modified in order to delete or block the cookies, some of the Firm's website features may become inaccessible.
8. Accuracy, security and conservation
The Firm acknowledges it is important that the Personal Information be accurate, complete and up to date, and has put in place reasonable steps in order to ensure the accuracy and update of the information used and communicated. However, the Persons Concerned must inform the Firm of any major changes in their Personal Information which may occur in the course of their business relationship.
The Firm has put in place a series of safety measures to be taken to protect the Personal Information it collects, uses, communicates, and retains against losses and theft, as well as against the unauthorized consultation, communication, copying, use and modification of such information, regardless of the type of medium the information is saved on.
These safety measures include reasonable physical, administrative and technological measures based on the sensitivity of the information, the purpose of its use, its quantity, its distribution and the medium used, including:
- physical measures: controlled access to the Firm's premises, locked filing cabinets and restrained access to some offices;
- administrative measures: specific steps and authorizations for the consultation, copy and communication of Sensitive Information, use of dedicated filing systems for information concerning Firm Members, its consultants and service providers, retention period adapted to the information's sensitivity;
- technological measures: mandatory use of technology belonging to the Firm, use of personalized access codes, firewalls and data encryption, limited access to Sensitive Information, periodic audits of the computer systems used for purposes of collecting, using, preserving, transmitting or destroying Personal Information.
The Firm also sets out the measures required to ensure that all the Firm Members are informed of the contents of this Policy and comply therewith.
Except for the rare cases where the collection, use, communication or conservation of Personal Information is entrusted to a foreign Subcontractor, Personal Information under the control of the Firm is kept in Canada.
The Firm retains Personal Information only as long as it takes to achieve the purpose for which it was collected, to meet the legal conservation requirements – including those applicable to the legal profession – and for as long as necessary to protect the Firm's legitimate commercial interests. Personal Information used to make a decision regarding the Person Concerned is kept for at least one year following such a decision.
9. How do you address a request for access or correction?
Every person has the right to make a request to review or obtain a copy of their Personal Information held by the Firm. Anyone can also request that their Personal Information be corrected if such information is inaccurate, incomplete or ambiguous, or if its collection, communication or conservation is not authorized under the law.
Any question relating to this Policy or regarding the collection, use or communication of Personal Information, including requests for access or correction thereto, shall be made in writing and addressed to the Firm's Privacy Officer:
Loic Berdnikoff
Chief, Conformity and Legal Operations – Privacy Officer
1 Place Ville Marie, suite 4000
Montreal (QC) H3B 4M4
T : 514-877-2981
E : lberdnikoff@lavery.ca
The Firm will respond to any access or correction request within 30 days of the date a written request to that effect is received. In the event of a refusal to provide or correct the information, the Firm shall state the reasons for its refusal, subject to the restrictions provided under the law, and shall inform the Person Concerned of the available remedies.
10. Our commitment with regard to Confidentiality Incidents
Any Member of the Firm who has reasonable grounds to believe that a Confidentiality Incident involving Personal Information held by the Firm has occurred shall immediately inform in writing the Firm's Privacy Officer by providing all the relevant information required to assess the situation.
The Privacy Officer shall take all reasonable steps to reduce the risk that the Persons Concerned suffer any kind of prejudice and to prevent the re-occurrence of any similar incidents.
The Privacy Officer has the duty to determine if the Confidentiality Incident poses a risk of severe prejudice for the Persons Concerned. Where applicable, the Privacy Officer shall diligently notify the Access to Information Commission and any Person Concerned by the Confidentiality Incident, except if this is likely to hinder any inquiry conducted by a person or body responsible, under the law, for the prevention, detection or suppression of crime or breaches of the law. The Privacy Officer may also notify any person or body likely to reduce the risk by communicating to such person or body only the Personal Information required for these purposes without the consent of the Person Concerned. In the latter case, the Privacy Officer must record the communication of the information.
The Privacy Officer keeps a register of Confidentiality Incidents.
11. Processing of Personal Information of individuals who are in the European Economic Area ("EEA")
The GDPR sets out specific regulations applicable exclusively to the processing of the Personal Information of individuals who are in the EEA, to the extent that the processing takes place when the Persons Concerned are within such space and when the processing activities are related to the offer of goods or services or to the follow-up on the conduct of such individuals within the EEA. When the terms and conditions previously described apply to the Personal Information collected, used, communicated or retained by the Firm, the provisions of the GDPR shall prevail over this Policy in the event of a conflict.
12. Who is responsible for the application of this Policy?
The Firm's Chief Executive Officer delegates to the Chief, Legal Operations and Conformity the role of Privacy Officer in compliance with the APPIPS and with this Policy.
The Privacy Officer must in particular oversee the setting up of measures to ensure compliance with the rules established in this Policy and the appropriate management of Confidentiality Incidents, participate in the implementation of the PIA, establish a procedure to process requests for access to Personal Information held by the Firm, as well as complaints concerning the protection of Personal Information, and publish on the Firm's website detailed information regarding this Policy and the collection of Personal Information via technological means.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.