PRIVACY POLICY

Procedure for Access Requests and Complaint Handling

1. Overview

Because individuals may request access to the personal information an organization holds about them, or file complaints, it is important to have predefined guidelines for responding to such requests.

2. Purpose

The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly, and accurately, while respecting the rights of the individuals concerned.

3. Scope

This procedure applies to internal staff responsible for processing access requests and handling complaints, as well as individuals wishing to access their own personal information.

4. Access Request Procedure

4.1 Submitting a Request

  • The individual must submit a written request to the organization’s Privacy Officer.

  • Requests may be submitted by email or postal mail.

  • The request must clearly state it is an access request and provide sufficient information to identify the individual and the requested records.

 

4.2 Receipt of Request

  • An acknowledgment of receipt must be sent to confirm the request has been received.

  • Requests must be processed within 30 days of receipt.

 

4.3 Identity Verification

  • The individual’s identity must be reasonably verified before processing the request.

  • If identity cannot be verified, the organization may refuse to disclose personal information.

 

4.4 Handling Incomplete or Excessive Requests

  • If a request is incomplete or excessive, the Privacy Officer will contact the individual for clarification.

  • Requests may be refused if they are abusive, excessive, or unjustified.

 

4.5 Processing the Request

  • The Privacy Officer gathers the requested information from relevant records.

  • Legal restrictions must be respected.

 

4.6 Review of Information

  • Before disclosure, the information is reviewed to ensure it does not contain third-party data or information that may infringe on others’ rights.

  • Third-party information must be removed or excluded if necessary.

 

4.7 Communication of Information

  • Information must be communicated within a reasonable timeframe.

  • It may be provided electronically, by secure mail, or in person, depending on security considerations.

 

4.8 Recordkeeping

  • Each step of the request process must be documented: date received, acknowledgment, identity verification, decision, disclosure date, etc.

 

4.9 Confidentiality

  • All staff involved must maintain confidentiality.

 

4.10 Complaints and Remedies

  • Individuals who are dissatisfied must be informed of the complaint procedures and of their right to escalate to the Commission d’accès à l’information du Québec.

 

Procedure for De-indexing and Deletion of Personal Information

1. Overview

 

This procedure addresses client concerns regarding privacy and personal information protection.

 

2. Purpose

The goal is to provide a structured mechanism to handle client requests for de-indexing or deletion of their personal information.

 

3. Scope

Applies to the internal team managing de-indexing and deletion requests. Covers all information published on online platforms, websites, apps, databases, or digital tools.

 

4. Definitions

  • Deletion: permanent removal of data, making it unavailable and unrecoverable.

  • De-indexing: removal of information from search engines, making it less visible but still directly accessible.

 

5. Procedure

 

5.1 Receipt of Requests

  • Requests must be received by the designated team via online form, dedicated email, or phone.

 

5.2 Identity Verification

  • The individual’s identity must be reasonably verified before processing.

  • If identity cannot be confirmed, the organization may refuse the request.

 

5.3 Evaluation of Requests

  • The team reviews each request to determine eligibility for deletion or de-indexing.

  • Requests must be processed confidentially and within legal deadlines.

 

5.4 Grounds for Refusal

Requests may be refused if the data is required for:

  • Providing goods or services;

  • Employment law compliance;

  • Legal obligations in case of disputes.

 

5.5 Implementation

  • The team takes appropriate measures to delete or de-index personal information.

 

5.6 Communication

  • Applicants receive confirmation and regular updates on the status of their request.

 

5.7 Recordkeeping

  • All requests, actions taken, and results must be documented in a dedicated tracking system.

 

Procedure for Managing Security Incidents and Personal Information Breaches

 

1. Overview

An incident response plan is essential for handling cyber incidents effectively.

 

2. Purpose

To ensure the organization is prepared to respond to cyber incidents quickly and resume operations.

3. Scope

Includes all networks, systems, and stakeholders (clients, partners, employees, contractors, suppliers) who access these systems.

4. Recognizing a Cyber Incident

Signs include:

  • Unusual login/system activity;

  • Excessive remote access;

  • Appearance of unknown Wi-Fi networks;

  • Malware or suspicious files;

  • Lost or stolen devices containing sensitive data.

 

5. Key Contacts

  • Role: Owner

  • Name: Nathalie Patry

  • Location: Magog

  • Phone: 819-349-5801

  • Email: n.patry@axion.ca

 

6. Personal Information Breach – Response

  • Record the incident in the confidentiality incident log.

  • Assess whether unauthorized access, disclosure, or use has occurred, and if serious harm is likely.

  • Report to the Commission d’accès à l’information du Québec.

  • Notify affected individuals.

 

7. Ransomware – Response

  • Disconnect infected devices immediately.

  • Do not delete files.

  • Contact local authorities.

  • Perform full antivirus/anti-malware scans.

  • If data cannot be restored, reset affected devices with clean backups.

  • Do not pay ransom (policy).

 

8. Account Hacking – Response

  • Notify clients/suppliers of possible fraudulent emails.

  • Attempt to recover account access.

  • Change and secure all passwords; enable 2FA.

  • Remove unauthorized connections/devices.

 

9. Loss or Theft of Device – Response

  • Report to local police immediately.

  • Assess sensitivity and volume of data lost.

  • Lock or remotely wipe lost/stolen devices.

 

Last updated: August 2025
