Brunel Immigration

Information Security Policy

This policy was adopted in accordance with Law 25, which requires companies to adopt and implement an information security policy, keep it up to date, and ensure its application.

1. Objective

The firm, hereinafter referred to as "BIA," is committed to ensuring the protection of confidential information entrusted to it.

BIA commits to restricting access to confidential and sensitive data to prevent it from being lost or compromised, so as not to harm our clients or our employees, to avoid non-compliance sanctions, and to avoid damaging our reputation. At the same time, we must ensure that users can access the data they need to work effectively.

This Policy is not expected to eliminate all data theft. Its main objective is rather to raise user awareness and prevent scenarios of accidental loss, which is why it describes the requirements for data leak prevention.

2. Scope

2.1 Within the scope

This Data Security Policy applies to all customer information, personal data, or other BIA data that relates to a physical person and allows their identification. It therefore applies to all servers, databases, and computer systems that process these data, including any device regularly used for email, web access, or other professional tasks. Any user who interacts with BIA's IT services is also subject to this Policy.

We collect personal information in several ways, including through our website (cookies), through our online forms, when you communicate with us by phone or email or post content on our social media accounts, and in the course of the mandates entrusted to us. This information includes your name, first name, mailing address, email address, phone number, and any other information necessary for the performance of the entrusted mandates.

Our site collects the cookies necessary for the use of Google Analytics; these include public statistics, IP address, the date and time of connection, the time and duration of the visit, as well as the pages viewed. We use these cookies to compile statistical data on the use of our website to improve the experience.

Financial data is managed by our external providers, namely our financial institution and the secure payment service Square. If we must temporarily collect your credit card data by phone at your request to help you complete a transaction, this data will be entered into our provider Square's system and the temporary record of it will be destroyed.

2.2 Outside the scope

Information classified as public is not subject to this Policy.

The BIA site offers hyperlinks to other sites. Information exchanged on these sites is not subject to this Privacy Policy, but to that of the external site, if one exists.

3. Policy

3.1 Principles

Personal information held by BIA is essential to its current activities. As such, the firm recognizes that it must be subject to constant evaluation, appropriate use, and adequate protection. The level of protection that personal information must be subject to is established based on its importance, its confidentiality, and the risks of accident, error, and malice to which it is exposed.

BIA will provide all its employees and subcontractors access to the information they need to do their job as efficiently as possible.

3.2 Generalities

  • a) Each user must read this data security policy and sign a statement stating that they understand the access conditions.
  • b) Each user is identified by a unique user ID, so that all can be held accountable for their actions.
  • c) Each user must respect the security measures in place at their workstation and on any equipment containing data to be protected, and must not modify their configuration or disable them.
  • d) Each user must immediately report to the personal information officer any act of which they are aware, which may constitute an actual or presumed violation of security rules as well as any anomaly that may harm the protection of BIA's personal information.
  • e) User access logs may be used as evidence in the context of a security incident investigation.
  • f) Access must be granted based on the principle of least privilege, meaning that each program and each user will only obtain the privileges necessary for their work.

3.3 Access Control Authorization

Access to BIA's IT resources and services will be granted through a unique user account and a complex password.

3.4 Access to BIA Data in the Cloud

  • a) All employees and subcontractors with remote access to BIA data must be authenticated by Microsoft's two-factor authentication mechanism.
  • b) BIA has a 24-hour monitoring service for suspicious activities on its users' workstations and on its data storage systems.
  • c) BIA data is hosted on Microsoft's servers, located in Canada.

3.5 User Responsibilities

  • a) All users must lock their screen every time they leave their office, to reduce the risk of unauthorized access.
  • b) All users must ensure that no sensitive or confidential information is left around their workstation.
  • c) All users must keep their passwords confidential and not share them.

3.6 Access to Applications and Information

  • a) All BIA employees and subcontractors have access to data and applications necessary for their professional function.
  • b) All employees and subcontractors only access sensitive data and systems in case of professional necessity and with the agreement of management.

3.7 Access to Confidential and Restricted Information

Access to data classified as "confidential" or "restricted" is limited to authorized persons whose professional responsibilities require it, as determined by the Data Security Policy or management.

3.8 Data Retention

The firm retains personal information as long as necessary for the purposes described in this Policy. These personal data will be retained, to comply with legal obligations of the profession, for a minimum of 7 years after the completion of a mandate.

4. Technical Guidelines

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storage, and services.

5. Reporting Requirements

  • Incident reports will be produced and processed by the personal information officer and their team and transmitted to the competent authorities as well as to the persons involved, as appropriate.
  • High-priority incidents will be escalated immediately upon discovery. The personal information officer and their team will be contacted as quickly as possible, as well as the competent authorities and the persons involved.

6. Responsibilities

  • The personal information protection officer:
    Ms. Rosalie Brunel, founding lawyer.
    3575 boul. Saint-Laurent, bur. 507, Montréal, Québec H2X 2T7
    514-316-9255, extension 0
    RP@brunelimmigration.com
  • The users:
    Include everyone who has access to IT resources, for example employees, trusted entities, subcontractors, consultants, probationary employees, and temporary employees.
  • The incident response team:
    Is led by Ms. Brunel and includes employees from services such as IT infrastructure, computer application security, legal, financial, and human resources.

7. Enforcement

Any user who violates this policy is subject to disciplinary sanctions, up to and including dismissal. Any third-party partner or subcontractor caught in violation may have their network connection suspended.

8. Revision History

Version | Revision Date | Author | Description of Changes
1.0 | 2023-09-12 | R. Brunel, Personal Information Protection Officer | Initial Version