(“Norbec”)
Last modified: 02-10-2024
1. Background and Scope
At Norbec, we are deeply committed to respecting the privacy of our customers and employees. To that end, we have adopted this Personal Information and Data Governance Policy (“Policy”).
This Policy sets out our practices with respect to the governance of the personal information we retain, in compliance with the legal framework applicable in Quebec, namely the Act Respecting the Protection of Personal Information in the Private Sector, as amended by the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information.
This Policy applies to all Norbec employees, including members of management and the Board of Directors, as well as interns and contractors, when they collect, use, disclose, store, or destroy personal information in the context of their duties, or when they otherwise have access to personal information retained by Norbec, including that retained by a third party.
This Policy applies to all personal information held by Norbec, including information held by a third party, regardless of the medium in which it is retained, from the time it is collected until its disposal. Thus, this Policy also applies to any person with whom Norbec does business under a mandate or service contract.
This Policy does not apply to personal information retained by our members for their own use, even if it is stored on a Norbec technology platform.
2. Definitions and Abbreviations
a) “Members” means any Norbec employee, including members of management and the Board of Directors, as well as interns and contractual employees.
b) “PPI” means Protection of Personal Information.
c) “Personal Information” means any information retained by Norbec that relates to a natural person and that makes it possible, either directly or indirectly, to identify that person, such as the person’s name, contact information (mailing address, e-mail, telephone number), date of birth, social insurance number (for employees), and payment details (for customers).
d) “PCPPI” means the person in charge of the protection of personal information.
e) “Third Party” means any natural or legal person who collects, uses, stores, discloses, or destroys personal information on behalf of Norbec or who otherwise ensures the management of personal information collected by Norbec. This also includes any person or company from whom Norbec obtains personal information or to whom Norbec discloses personal information, but who is not otherwise related to Norbec.
3. Roles and Responsibilities of Company Personnel With Regard to Personal Information
a) Management:
i. Delegates the PCPPI function to the PCPPI and facilitates its exercise
ii. Determines PPI approaches
iii. Adopts the present Policy as well as the rules, procedures and directives relating to PPI
iv. Approves the awareness and training program for Norbec members
b) Privacy Officer:
Brad Tomalty, Director of Human Resources, is the PCPPI and can be contacted by e-mail: infoprotection@norbec.com.
The PCPPI is responsible for ensuring that Norbec’s personal information governance policies and practices are implemented in compliance with the applicable legal framework.
The responsibilities of the PCPPI are to:
i. Ensure implementation and compliance with the PPI legal framework applicable to Norbec;
ii. Collaborate in the development and ensure the implementation of this Policy, namely by:
- establishing measures to ensure compliance with governance directives
- conducting regular assessments of administrative units’ compliance with governance regulations and PPI-related risks
- recommending corrective measures where necessary
- producing periodic reports on compliance with governance regulations and PPI-related risks
iii. Coordinate the development and review of the Personal Information Inventory;
iv. Participate in the assessment of the risk of harm for an individual whose personal information is involved in a privacy breach incident;
v. Maintain records of personal information disclosures, including in the event of a privacy breach incident;
vi. Participate in Privacy Impact Assessments;
vii. Respond to requests for access to personal information and, where applicable, requests for rectification, de-indexing, portability and cessation of disclosure. The PCPPI must also assist the applicant in understanding the decision to deny them—in whole or in part—access to or rectification of personal information;
viii. Respond to requests from the Commission d’accès à l’information;
ix. Promote a privacy culture within Norbec;
x. Design and implement a PPI awareness and training program.
c) Managers
Managers are responsible for the personal information under their control and must also:
i. Ensure compliance with this Policy;
ii. Collaborate in the development and revision of personal information files under their responsibility;
iii. Participate in evaluations performed by the PCPPI by providing all information requested for this purpose.
d) Employees
Our employees may, in the context of the performance of their duties, have access to personal information retained by Norbec. Employees’ responsibilities are to:
i. Comply with this Policy;
ii. Access solely the personal information necessary to perform their duties;
iii. Inform the PCPPI of any incident or attempted incident related to the protection of the personal information retained by Norbec;
iv. Participate in training and awareness activities offered by Norbec.
4. Protection of Personal Information
We take the necessary steps to ensure that all Norbec personnel adopt a responsible attitude throughout the life cycle of personal information.
To this end, Norbec’s practices are based on the following commitments:
i. Collect strictly the personal information necessary to perform its activities, whether with regard to its customers or its members;
ii. Inform the persons from whom personal information is collected of the purposes of the collection, in particular by means of the Privacy Policy;
iii. Obtain the consent of the persons in question about the use and disclosure of their personal information to third parties, in particular by means of the forms on which we collect personal information from our customers or employees, as well as by means of the cookie banner displayed on our website;
iv. Use and disclose personal information strictly within the limits prescribed by the applicable law;
v. Take reasonable measures to ensure that the personal information we retain is up-to-date, accurate and complete for as long as we use it;
vi. Take appropriate security measures to protect personal information, with consideration of the sensitivity of the information, the purposes for which it is to be used, its quantity, medium, and disclosure;
vii. Take reasonable measures to minimize the risk of harm to individuals whose personal information is the subject of a privacy breach incident and to prevent a similar incident from occurring;
viii. Take reasonable measures to ensure compliance with regulations governing the retention and disposal of personal information.
5. Request to Access or Rectify Personal Information – Request to Withdraw Consent to the Use and Disclosure of Personal Information
If a person wishes to know what personal information Norbec retains about him or her, to rectify such information, or to withdraw his or her consent to the use and disclosure of this personal information, a request must be submitted in writing to the CPO by e-mail at: infoprotection@norbec.com.
Norbec agrees to respond within 30 days of receipt of such a request. If the applicant is not satisfied with the response, Norbec agrees to cooperate with the authorities to whom an appeal shall be submitted.
6. Privacy Complaint
In the event that a person wishes to file a complaint about Norbec’s privacy practices, they may do so by contacting the PCPPI at: infoprotection@norbec.com.
7. Policy Implementation and Review
Norbec’s PCPPI is responsible for implementing and updating this Policy.
8. Effective Date
This Policy comes into effect upon adoption by Management. This Policy will be revised in the event of legislative amendments.
Last updated: September 24, 2024