Nivii is committed to protecting the personal information it holds. Personal information is confidential, except as provided by law. Anyone who has access to personal information held by Nivii must take necessary measures to ensure its protection and confidentiality. This policy and its related procedures outline the measures to reduce the risk of a privacy incident, determine the actions to take if such an incident occurs, and prevent similar incidents from happening in the future.
1. COLLECTION OF INFORMATION BASED ON BUSINESS RELATIONSHIP AND SERVICES PROVIDED
Nivii, as part of the services provided to its clients or for marketing purposes, collects certain information that may include personal data. This information may be obtained through voluntary disclosure by the individuals concerned during our communications or via technological applications (forms, emails, apps, etc.). This information is used for selling products/providing services, or to propose such offerings.
By submitting this information to Nivii or using the technological means on our website, social media, or any other applications or services offered by Nivii, you consent to the collection and use of this information.
Nivii shares or transmits this information only if required for our activities, and strives to do so only with reliable partners that we have ensured implement adequate security and confidentiality measures. Whenever possible, all information is stored on Quebec-based or, at least, Canadian servers.
Every individual has the right to obtain details about the information held about them and request its correction if necessary.
2. STORAGE OF INFORMATION AND DESTRUCTION
Anyone can request details about the methods of storing personal information held about them, as well as the individuals who have access to it, the purposes for which it is used, and the retention period after which the information will be destroyed.
3. PRIVACY INCIDENT AND PROCEDURE
The following procedure outlines the steps to be taken when Nivii has reasonable grounds to believe that a privacy incident has occurred (or such an incident is confirmed) involving personal information it holds, in compliance with the Act respecting the protection of personal information in the private sector, chapter P-39.1, and the Regulation on privacy incidents.
4. DEFINITIONS
The definitions to consider for the application of this procedure, which may be supplemented by any other regulations, policies, directives, or procedures referencing them, are as follows:
Privacy incident: Unauthorized access, use, or disclosure of personal information, as well as its loss or any other form of breach to its protection.
Here are some examples:
- A hacker infiltrates a system;
- An individual uses personal information from a database they have access to for identity theft;
- A communication containing sensitive information is accidentally sent to the wrong person;
- An individual loses or has documents containing personal information stolen;
- An individual interferes with a database containing personal information to alter it.
Personal information: Any information that relates to an individual and can identify them. A person’s name, by itself, is not personal information. However, when this name is associated with or linked to another piece of information about the same individual, it becomes personal information.
Here are some examples of personal information:
- A person’s name and date of birth;
- Social insurance number;
- Credit card number;
- Health insurance number;
- Medical or financial information;
- A person’s name and personal phone number;
- A person’s name and home address.
Sensitive personal information: Personal information is considered sensitive when, by its nature—such as medical, biometric, or otherwise intimate information—or due to its use or communication context, it warrants a high degree of expectation regarding privacy protection.
Examples of sensitive personal information include medical, biometric, genetic, or financial data, or information about ethnic origin, political beliefs, sexual life or orientation, or religious convictions.
5. PROTECTION OF PERSONAL INFORMATION
Nivii implements appropriate and reasonable security measures to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification. Only staff members who absolutely need to access personal information as part of their duties are authorized to do so.
Staff members of Nivii or those working on its behalf must:
- Make reasonable efforts to minimize the risk of accidental disclosure of personal information;
- Take special precautions to ensure personal information is not monitored, overheard, accessed, or lost while working in locations other than Nivii’s offices; and
- Take reasonable steps to protect personal information when moving from one location to another.
6. REPORTING A PRIVACY INCIDENT
Anyone to whom Nivii communicates personal information (colleagues, suppliers, partners, experts including subcontractors) must report it when they have reasonable grounds to believe that a privacy incident has occurred involving personal information held by Nivii. The report must be made promptly to the person responsible for privacy protection.
Any staff member of Nivii who has reasonable grounds to believe that a privacy incident has occurred involving personal information held by Nivii must also inform their supervisor.
Any serious incident involving a large number of individuals or involving sensitive information that could cause significant harm must be disclosed to the Commission d’accès à l’information as soon as it becomes known.
7. PERSON RESPONSIBLE FOR PERSONAL INFORMATION: ROLES AND RESPONSIBILITIES
The person responsible for privacy protection for Nivii can be contacted as follows:
- Email: info@Nivii.com
- Phone: (450) 696-1290: General Director
Their role includes:
- Contributing to the implementation of the privacy incident management process;
- Maintaining the privacy incident register, documenting these incidents, and ensuring appropriate follow-up;
- Maintaining the complaints register, documenting these complaints, and ensuring appropriate follow-up;
- Contributing to risk analyses of privacy incidents to identify threats and vulnerabilities, and implement appropriate solutions.
In the event of a privacy incident, the person responsible for privacy protection handles the incident and works with any other relevant individuals based on the nature of the incident.
Their responsibilities include:
- Assessing the risk of harm and determining the severity of the incident. This includes considering the sensitivity of the personal information involved, the potential consequences of its use, and the likelihood it will be used maliciously.
- Notifying the person whose personal information is involved in the incident, promptly, when there is a risk of serious harm, unless this would hinder an investigation conducted by an authorized person or organization under the law. The notice should include the following:
- A description of the personal information involved in the incident or, if unknown, the reason for the inability to provide such a description;
- A brief description of the circumstances of the incident;
- The date or period when the incident occurred or, if unknown, an approximation;
- A brief description of the measures taken or to be taken to mitigate the risk of harm;
- Suggested measures for the affected individual to take to mitigate the potential harm;
- Contact information for further inquiries about the incident.
- Notify, as necessary, any person or organization that may help reduce the risk, sharing only the necessary personal information.
- Notify, promptly and in writing, the Commission d’accès à l’information of the privacy incident when there is a risk of serious harm. The notice must include the following:
- The company name (Nivii) and the Quebec business number assigned to it under the Business Corporations Act;
- The name and contact information of the person to contact regarding the incident;
- A description of the personal information involved in the incident or, if unknown, the reason for not providing a description;
- A brief description of the incident’s circumstances and its cause, if known;
- The date or period when the incident occurred or an approximation;
- The date Nivii became aware of the incident;
- The number of affected individuals and, if known, the number residing in Quebec;
- A description of the factors leading Nivii to conclude that there is a serious risk of harm to the affected individuals, such as the sensitivity of the personal information, the potential misuse of the data, and the likelihood it will cause harm;
- Measures Nivii has taken or intends to take to notify affected individuals, and when this notification took place or is expected to happen;
- Measures Nivii has taken or intends to take to reduce risks or mitigate harm from the incident, and to prevent similar incidents in the future;
- If applicable, mention that a person or organization outside Quebec with similar responsibilities has been notified of the incident.
- Notify, promptly, Nivii’s insurers, if applicable.
- Record the privacy incident in the register.
- Upon request from the Commission d’accès à l’information, provide a copy of the register.
8. PRIVACY INCIDENT REGISTER
Nivii must maintain a register of privacy incidents.
8.1 Duration of retention of information in the register
The information in the register must be kept up-to-date and retained for the longer of the following two periods: a minimum of five years after Nivii became aware of the incident or as required by any governmental body or law and regulation.
9. COMPLAINTS REGISTER AND HANDLING
Nivii must maintain a register of complaints and their handling.
9.1 Duration of retention of information in the register
The information in the register must be kept up-to-date and retained for the longer of the following two periods: a minimum of five years after Nivii became aware of the incident or as required by any governmental body or law and regulation.
10. EFFECTIVE DATE
This policy and its procedures are effective as of September 22, 2023.
11. CONTACT US
If you have questions about our privacy protection policy, wish to exercise your rights outlined above, file a complaint, or update your personal information, please contact our privacy protection officer as follows:
By email: info@Nivii.com
By mail: Nivii, Attn: Privacy Protection Policy Officer, 206-1565, boul. de l’Avenir, Laval, QC, H7S 2N5. We will make every effort to process your request promptly.