Our policies for managing and protecting personal information
We are committed to protecting personal and confidential information collected while carrying out the mandates entrusted to us and ensuring the security of the information held by implementing security measures appropriate to the circumstances.
To this end, we have adopted governance policies and practices regarding personal and confidential information to ensure its protection. Details regarding personal information are presented below. Personal information is only used in the context of professional activities, solely to provide the requested services and in accordance with legal requirements. We never sell personal information held by us.
Personal information means any information concerning a natural person, which allows them to be directly or indirectly identified, and which is not public within the meaning of the Act respecting the protection of personal information in the private sector.
The personal and confidential information thus protected includes its physical or technological support as well as the information system or technology through which this information is processed, transmitted or stored for the purposes of the intended use (the “Information”).
Our policies apply to our employees, lawyers, notaries, partners, consultants, suppliers and business partners (the “Users”).
The reasons why this information is necessary are explained to clients to obtain their informed consent.
Find out more about our Confidentiality and Privacy of Personal Data.
Information Security Policy
This policy defines the responsibility of each User, depending on the circumstances and the degree of sensitivity of the Information to which they have access, to ensure its protection and reasonable and appropriate use, to reduce the risk of incidents and to minimize impacts, if any.
Our Users formally undertake not to disclose or use the Information for purposes other than in the exercise of their duties and in compliance with professional secrecy, or without having previously obtained the consent of the person about whom information is held or of its representative, unless otherwise permitted by law.
Our Users also undertake to access Information only within the framework of Stein Monast’s operations and only through the tools provided and approved by Stein Monast. They must not attempt to access or save Information on systems other than those we provide them with or by using cloud services that we have not approved.
Our Users must use strong passwords and take all necessary measures to prevent the unauthorized disclosure of these passwords. Laptops, mobile devices and other IT tools left unattended should be physically secured and inaccessible to unauthorized persons.
Users do not benefit from any expectation of privacy in relation to the use they make of the information systems made available to them in the context of their work. We therefore retain the right to audit and monitor any use of the information systems at any time and without notice.
We provide reasonable and appropriate physical and electronic safeguards to prevent unauthorized access to Information, both at our physical facilities and in our IT environment. Users must use the double identification method for remote access.
When Information must be shared with an agent, a supplier, a subcontractor or a consultant in the exercise of our duties or in the context of a professional mandate, we first obtain from them, prior to their access to such Information, a written commitment to take the necessary measures to ensure the confidentiality and integrity of the Information within the meaning of our Information Security Policy and applicable laws, and not to keep any information beyond the duration necessary for the mandate or contract.
Handling of complaints
The managing partner of Stein Monast is responsible for privacy protection and can be contacted at the following address: confidentialite@steinmonast.ca.
Information Security Incident Management Policy
An information security incident (an “Incident”) means an event that affects or is likely to affect the availability, integrity or confidentiality of information held by Stein Monast, including any Information.
Together with our Information Security Policy, the purpose of this policy is to ensure, in a reasonable manner depending on the circumstances, that each potential, apprehended or actual Incident is detected, identified, reported, contained, documented, analyzed and remedied promptly, in accordance with the applicable law, so as to minimize any negative impact.
Any real or suspected Incident must therefore be reported to the policy manager and to Stein Monast’s Office IT Department. This may be, for example, access to information or computer systems by an unauthorized person, physical access to a secure or sensitive area, unauthorized sharing of a login ID or password, loss of a device containing Information, hacking, malfunction of software or hardware, sending information to the wrong recipient, etc.
This reporting triggers an investigation, which makes it possible to collect all the relevant information, to assess the seriousness of the Incident and to quickly take all the reasonable and appropriate corrective measures required, as the case may be, to contain without delay any actual or potential breach of Information security.
Once the Incident is contained and the Information secured, an assessment of the scope and impact of the Incident is carried out after a full investigation and the collection of all available information. When the cause of the Incident is identified, a correction strategy must be planned and implemented.
This policy also addresses how affected individuals will be notified. If client Information has been compromised, a written notice will be sent to the client within a maximum period of 30 days, with a general description of the Incident, the list of compromised Information, a description of the measures we have taken to protect the Information and to avoid the occurrence of a similar Incident as well as the contact details of the person who can be contacted for more information. A notice to the Commission d’accès à l’information will also be sent when the Incident presents a serious risk that harm will be caused.
File Closure Policy
The Information obtained and held by Stein Monast is for the purposes of the professional mandates entrusted to it and for the management and day-to-day operations of the company.
As for the Information obtained and held for the purposes of the professional mandates entrusted, it must be kept in each of the files opened specifically for each mandate and used to provide the agreed-upon professional services.
The professional obligations imposed on our lawyers and notaries state that we must keep a copy of the file, including the Information, for a period of seven (7) years after the end of the mandate given to a lawyer and ten (10) years in the case of a notary. When this period has elapsed, the file and the Information it contains are securely destroyed.