In-Sec-M is a federally incorporated not-for-profit corporation that processes personal information in the course of its activities.
The purpose of this policy is to ensure the protection of personal information and to govern the manner in which In-Sec-M collects, uses, communicates, retains and destroys it or otherwise manages it. In addition, it aims to inform all interested parties on how In-Sec-M handles their personal information. It also covers the treatment of personal information collected by In-Sec-M by technological means.
This policy applies to In-Sec-M, which includes, but is not limited to, its officers, employees, consultants, volunteers, and any person who otherwise provides services on behalf of In-Sec-M. It also applies with respect to the In-Sec-M website, as well as all websites controlled and maintained by In-Sec-M.
It applies to all types of personal information managed by In-Sec-M, whether it be information about its clients, potential or actual clients, consultants, employees, members or any other person (such as visitors to its websites or others).
For the purposes of this Policy, personal Information is information about an individual that directly or indirectly identifies the individual. For example, it could be an individual’s name, address, e-mail address, telephone number, gender, banking information, health information, ethnic origin, language, etc.
Sensitive personal information is information for which there is a high reasonable expectation of privacy, e.g., health information, banking information, biometric information, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.
Generally speaking, an individual’s business or professional contact information is not personal information, for example, an individual’s name, title, address, e-mail address or business telephone number. More specifically, and for greater certainty, under the Québec Act Respecting the Protection of Personal Information in the Private Sector, and as of September 22, 2023, sections 3 (collection, use, disclosure), 4 (retention and destruction) and 6 (data security) do not apply to information of an individual relating to the performance of a function in an enterprise, such as the name, title, position, address, e-mail address and telephone number of the individual’s workplace.
These same paragraphs also do not apply to personal information that is public information by law upon the coming into force of this policy.
In-Sec-M may collect different types of information for different purposes in the course of its activities. The types of information that In-Sec-M may collect, its use (or purpose) and the means by which the information is collected are set out in Schedule A of this policy.
In-Sec-M will also inform individuals, at the time of collection of personal information, of any other information collected, the purposes for which it is collected and the means of collection, in addition to other information required by law.
In-Sec-M applies the following general principles to the collection, use and disclosure of personal information:
In some situations, In-Sec-M may also collect personal information from third parties, without the consent of the individual, if it has a substantial and legitimate interest in doing so and (a) the collection is in the individual’s best interests and it is not possible to collect it from the individual in a timely manner, or (b) if such collection is necessary to ensure the accuracy of the information
In-Sec-M may also collect personal information, indirectly, through the use of :
This collection through third parties may be necessary to use certain services or programs, or to otherwise do business with In-Sec-M. When required, In-Sec-M will obtain consent from the individual at the appropriate time.
Holding and Use:
In these cases, In-Sec-M must have written contracts with these suppliers that indicate the measures they must take to ensure the confidentiality of the personal information disclosed, that the use of this information is only for the purpose of performing the contract and that they may not retain this information after the contract has expired. In addition, these contracts must provide that suppliers must notify In-Sec-M’s Privacy Officer (identified in this policy) of any breach or attempted breach of confidentiality obligations regarding the personal information disclosed and must allow the Privacy Officer to conduct any audit related to such confidentiality.
Additional Information on the Technologies Used:
Cookies are data files that are sent to a website visitor’s computer by their web browser when they visit a website and can serve several purposes.
The websites controlled by In-Sec-M use the following types of cookies:
Some cookies may be disabled by default and visitors may choose to enable or disable these features when visiting In-Sec-M websites.
Information from Google Analytics will never be shared by In-Sec-M with third parties.
It is possible to install a browser add-on to disable Google Analytics.
In-Sec-M also collects personal information through technological means such as web forms embedded in a website controlled by In-Sec-M (e.g., its contact form, membership application form, newsletter and seminar registration form), questionnaires available online on its platforms and applications, and other platforms or form tools (e.g., Microsoft Forms).
If In-Sec-M collects personal information by offering a technology product or service that has privacy settings, In-Sec-M shall ensure that those settings provide the highest level of privacy by default (cookies are not covered).
Unless a minimum retention period is required by applicable law or regulation, In-Sec-M shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.
Personal information used by In-Sec-M to make a decision about an individual must be retained for a period of at least one year after the decision is made, or up to seven years after the end of the fiscal year in which the decision was made if the decision has tax implications, for example, the circumstances of a termination of employment.
At the end of the retention period or when the personal information is no longer needed, In-Sec-M will ensure
The destruction of information by In-Sec-M must be done in a secure manner to ensure the protection of this information.
This section may be supplemented by any policy or procedure adopted by In-Sec-M regarding the retention and destruction of personal information, if any. Please contact In-Sec-M’s Privacy Officer (identified in this policy) for further information.
In-Sec-M is generally responsible for the protection of the personal information it holds.
In-Sec-M’s Privacy Officer is the Director of Operations of the organization. The Privacy Officer is generally responsible for ensuring compliance with applicable privacy legislation. The Privacy Officer is responsible for approving policies and practices governing the governance of personal information. In particular, this individual is responsible for implementing this policy and ensuring that it is known, understood and followed. In the event that the Privacy Officer is absent or unable to act, the President of In-Sec-M will assume the duties of the Privacy Officer.
In-Sec-M staff members who have access to personal information or are otherwise involved in the management of personal information must ensure its protection and respect this policy.
The roles and responsibilities of In-Sec-M employees throughout the life cycle of personal information may be specified by any other In-Sec-M policy in this regard, if any.
In-Sec-M is committed to implementing reasonable security measures to protect the personal information under its control. The safeguards in place are appropriate to the purpose, amount, distribution, medium and sensitivity of the information. This means that information that may be considered sensitive (as defined in Section 2) will require enhanced security safeguards and protection. In particular, and in accordance with what was mentioned above regarding limited access to personal information, In-Sec-M must put in place the necessary measures to impose constraints on the rights of use of its information systems so that only employees who need to have access to it are authorized to access it.
To exercise his or her rights of access, rectification or withdrawal of consent, the person concerned must submit a written request to this effect to the Privacy Officer of In-Sec-M, at the e-mail address indicated in the following section.
Subject to certain legal restrictions, individuals may request access to and correction of their personal information held by In-Sec-M if it is inaccurate, incomplete or misleading. They may also request that the dissemination of their personal information be stopped or that any hyperlink attached to their name allowing access to this information by a technological means be de-indexed, when the dissemination of this information contravenes the law or a court order. They may do the same, or require that the hyperlink to the information be re-indexed, where certain statutory conditions are met.
In-Sec-M’s Privacy Officer shall respond in writing to such requests within 30 days of receipt of the request. Reasons must be given for any refusal and the legal provision justifying the refusal. In these cases, the response must indicate the remedies available under the law and the time limit for exercising them. The official shall assist the applicant in understanding the denial if necessary.
Subject to applicable legal and contractual restrictions, individuals may withdraw their consent to the disclosure or use of the information collected.
They may also ask In-Sec-M what personal information is collected from them, what categories of people at In-Sec-M have access to it, and how long it is kept.
Any person who wishes to make a complaint regarding the application of this policy or, more generally, regarding the protection of his or her personal information by In-Sec-M, must do so in writing to the person responsible for the protection of personal information at In-Sec-M, at the email address indicated in the following section.
The individual will be asked to provide his or her name, contact information, including a telephone number, and the subject matter and reasons for the complaint in sufficient detail to allow In-Sec-M to assess the complaint. If the complaint is not specific enough, the Privacy Officer may request any additional information that he or she deems necessary to assess the complaint.
In-Sec-M is committed to treating all complaints received in a confidential manner.
Within 30 days of receipt of the complaint or receipt of any additional information deemed necessary and required by In-Sec-M’s Privacy Officer to process the complaint, the Privacy Officer shall assess the complaint and provide a written response, with reasons, to the complainant by e-mail. The purpose of this assessment will be to determine whether In-Sec-M’s handling of personal information is in compliance with this policy, any other policies and practices in place within the organization, and applicable legislation or regulations.
If the complaint cannot be processed within this time frame, the complainant shall be informed of the reasons for the extension, the status of the complaint and the reasonable time required to provide a final response.
In-Sec-M is required to maintain a separate file for each complaint received. Each file contains the complaint, the analysis and documentation supporting its assessment, and the response sent to the person who filed the complaint.
You may also file a complaint with the Commission d’accès à l’information du Québec or any other privacy oversight body responsible for the application of the law concerned by the subject of the complaint.
However, In-Sec-M invites any interested person to first contact its Privacy Officer and wait for the end of the treatment process by In-Sec-M.
This policy is approved by In-Sec-M’s Privacy Officer, whose business contact information is as follows
283, boul. Alexandre-Taché Suite F3006,
Gatineau, Quebec J9A 1L8
If you have any requests, questions or comments regarding this policy, please contact the person in charge by e-mail.
This policy is published on In-Sec-M’s website, as well as on all websites controlled and maintained by In-Sec-M, to which this policy applies, with respect to the personal information collected therein. This policy is also disseminated by any means appropriate to reach the persons concerned.
In-Sec-M shall also do the same for all changes to this policy, which shall also be notified to the affected individuals.
*Notes: Please note that the use of the masculine gender is intended to lighten this policy and make it easier to read.
Table of Versions and Changes:
|Version||Effective Date||Changes Since the Last Version|
|1.0||February 28, 2023||N/A – First version|
The following is a non-exhaustive list of the types of information that In-Sec-M may collect, its use, or purpose, and the means by which it is collected. This includes, but is not limited to, the following.
Please note that most of the personal information managed by In-Sec-M is the personal information of employees, job applicants and consultants. For the other categories of individuals listed in the table below, the information provided is, in the majority of cases, professional or business information (see section 2 on business contact information). Note that in the majority of cases, In-Sec-M also collects the individual’s professional title/function, the name of the organization and/or the address of the organization (see section 2 on professional contact information).
|Relationship with In-Sec-M, Services, Program, etc.||Type of Personal Information||End of Collection / Uses
|How to Collect Information (Means)|
|Either of these information, when necessary:||Used for :||May be collected:|
|Job applicants and employees||
|Members (individuals and organizations)||
|In-Sec-M network (ecosystem actors)||
|Partners of In-Sec-M||
|Organization of the Cybersecurity and Identity Summit (CIS)||