
Data Privacy Protection Management

The purpose of this procedure is to define the rules to be respected for the management of data and documents related to the processing of our customers' goods in terms of creation, distribution, protection, modification and archiving.

 

General

Protecting employees and the public, customer goods and data, and company assets from risks and hazards is essential and required by FAIM 3.1.

 

Control can be best maintained by an orderly system of management and retention of paper and electronic documents and data. This will allow our organization to know:

  1. What documents we have in our possession;
  2. Where should these documents be located;
  3. If these documents are where they need to be;
  4. Who had access to these documents;
  5. Who has or had access to these documents.

 

Good practices

The following best practices should be applied to the management of client documents and data:

  1. Access to customer data and goods processing documents should be limited to persons who need it in the exercise of their functions and who are therefore authorized to have access to it. This is called the “need to know” principle;
  2. The degree of protection of the information must be specified by the author of the information or by Management;
  3. Management must instruct staff not to disclose any confidential information or data concerning a client without authorization from Management. Each recipient of information should be responsible for ensuring that it is only disclosed to authorized persons;
  4. Likewise, Management should adopt protective measures for information shared with third parties (Correspondents, Airlines), thus ensuring the prevention of inappropriate use or disclosure;
  5. Our customers' trust in our company risks being compromised by the unauthorized publication of part or all of the data and documents concerning them.

 

Application domain

The provisions of this annex are applicable to the following documents:

Moving files

Transit transport files

Internal reporting

Accounting documents

These provisions apply regardless of the form of these documents: written, graphic, audio, visual, computerized or other.

 

Responsibilities

Management is responsible for the definition and proper application of the provisions of this appendix and compliance with the principles set out below.

 

Definitions

Verification: Action aimed at ensuring that the content of a document complies with Management requirements.

 

Approval: Action aimed at validating the content of the document (form and substance) in relation to the requirements of Management.

 

Principle of “need to know”

One of the fundamental principles of all aspects of the protection of documents and sensitive data of our customers is to communicate this information only to those who need it in the exercise of their functions. As such, agents and other entities receive this information:

  1. Only because they “must know” to carry out their functions;
  2. Not because it would be convenient for them to know;
  3. And especially not, by virtue of their status, position, rank or level of authorized access.

 

Respecting the "need to know" principle helps protect both the employee and the document or data. If there is any doubt as to whether or not a particular recipient is authorized to access a specific document, staff must consult their manager or, failing that, Management.

 

Targeted training and awareness-raising actions should ensure that staff and other recipients are fully aware of their personal responsibility to apply the “need to know” principle.

 

Principle of “need to conserve”

Staff and entities should only retain documents or data while they are under review or use. Once review or use of a data or document is no longer necessary, it must be returned to the sender or destroyed in accordance with applicable procedures.

 

Classification of documents

Responsibility

The Directorate is responsible for assigning each document or part of a document to the following three categories: public document, restricted document or confidential document.

 

Public document

The use of this category of documents is not subject to any restrictions. These documents can be consulted by the general public.

 

Restricted document

The list of users and the method of distribution of this type of document are set in advance by Management.

 

Confidential document

The confidential classification is reserved for documents whose unauthorized disclosure would harm the interests of our customers or the company.

 

Access to this category of document is subject to a written request and prior authorization from Management.

 

Preparation and manipulation of information

To protect our customers' information, an effective control system is essential. Such a system should allow our company to know:

  1. What information is held;
  2. What level of protection is required;
  3. Where is this information stored or held;
  4. Who is authorized to view or use this information; and at the highest classification level who has accessed or used this information in the past.

 

The control system should apply to the following aspects of the classified information processing process:

  1. Preparation ;
  2. Annotations and personal notes;
  3. Recording and classification;
  4. Reproduction;
  5. Protection and maintenance of protection;
  6. Sample verification;
  7. Destruction.

 

Document handling

Preparation of documents

Documents should only be prepared and processed by duly authorized personnel. The relevant officials will need to regularly reassess the security arrangements regarding the production and reproduction of documents. As such, they must ensure:

  1. The availability of facilities and equipment specially dedicated to photocopying or reproducing documents;
  2. To maintain an up-to-date inventory of copies as they are produced or reproduced;
  3. To proceed, as quickly as possible, to the elimination of corrupted copies using a shredder or other appropriate means so that the contents cannot be reconstructed;
  4. To keep available copies secure when not in use, to prevent unauthorized access, and to dispose of appropriately when it is determined that they are surplus or not needed;
  5. To familiarize staff with the precautions to be taken to avoid unauthorized use of reproduction equipment such as photocopiers, printers, faxes or scanners;
  6. That instructions for handling, destruction or disposal of classified documents are specific, practical and effective.

 

The following rules must be followed when developing a document:

  1. When little-known terms, expressions or abbreviations are used, their definition is given in a “Definitions” paragraph;
  2. Any document will be characterized by a version, a title and a classification.

 

When preparing documents, classification stamps or annotations must be clearly and distinctly marked on the documents, at the document header level.

 

Removable digital storage media, such as CD-ROMs, DVDs and flash drives containing sensitive documents, must be clearly and visibly marked as sensitive material on the surface of the storage media.

 

For documents published in series, such as directives or circulars, a sequential number must be included, to enable tracking.

 

Regardless of their classification, all documents must have page numbers.

 

All documents of a sensitive nature issued in circulation must have a unique number for each copy. This makes it possible to record the distribution and narrow the scope of an investigation if necessary.

 

When developing a document, we must:

  1. Keep in mind that the provisions of the document must be applicable on a technical or organizational level;
  2. Use language that is easily understandable by end users;
  3. Propose a classification for the document;
  4. Affix your visa “Written by:…” to identify the origin of the document;
  5. Send the document to the verifier.

 

Verification

For any document, the Department will designate the entity or person responsible for verifying the document. The “checker” is always different from the writer and approver.

 

When verifying, the verifier must:

  1. Check that the provisions of the document are applicable on a technical or organizational level;
  2. Check that the document is written in language that allows it to be easily understood by the recipients;
  3. Check the classification of the document: Ensure for restricted documents that the list of recipients is well defined;
  4. Affix your visa “Verify by:…” to confirm the verification;
  5. Forward the document to the approver.

 

Document approval

For any document, the Department will designate the entity or person responsible for approving the document.

 

Upon approval, one must:

  1. Ensure that the document is drawn up in accordance with the guidelines of this procedure;
  2. Ensure that the document is consistent with the requirements of the FAIM 3.1 standard;
  3. Affix your visa “Approved…” to confirm approval;
  4. Send the document to the person responsible for distribution or archiving.

 

NB: For the document to be valid, the editor, the verifier and the approver must have signed the document.

 

Document management

Distribution of documents

Any verified and approved document will be distributed to recipients according to the requirements of the classification cited above.

 

Date of application

All documents will include a date which will be mentioned on the first page corresponding to the date of application of the provisions described in this document.

 

Update and modification

Updating or modifying a document is done according to the same circuit as when it was created.

 

Archiving

The archiving department within BEDEL will be responsible for the archiving of documents, which constitutes the rule regarding the retention and disposal of documents.

 

Protection

For documents classified as confidential, secure storage and filing must be established when these files are stored centrally. Only personnel responsible for storage and filing should be authorized to handle these documents. It is recommended that authorized individuals sign a “confidentiality undertaking” before allowing them access to such documents.

 

If a file classified as confidential is passed directly to another person in an emergency, the person transmitting the file must:

  1. Inform personnel responsible for recording and filing classified documents as quickly as possible;
  2. Inform your supervisor or appropriate line manager that the file has been transmitted directly and detail the reasons for this distribution.

 

All documents classified as confidential must be returned to Management if they are not used for an ongoing action.

 

Identification of documents to be destroyed

In addition to routine document destruction, all departments/sections handling classified documents will periodically conduct special destruction exercises. These exercises should help identify unwanted copies of classified documents, particularly when originals exist.

 

Sample verification

Sample checks discourage the consultation or manipulation of classified, restricted or confidential documents outside of storage premises for unauthorized purposes. These sample checks should be carried out:

  1. Unexpectedly;
  2. At frequent but irregular intervals;
  3. During normal working hours.

 

Securing storage

During normal working hours, if classified documents are protected in security cabinets, locked rooms or safes, officers and their supervisors must ensure that the documents cannot be read, manipulated or removed by unauthorized personnel.

 

Managers within the company must ensure the protection of restricted or confidential documents within their respective units.

 

Restricted or confidential documents, including those expired, must be protected in security cabinets whenever the premises are unoccupied.

 

When cleaning staff and other auxiliary personnel have access to an office containing documents classified as restricted or confidential in the absence of the usual occupant of the office, all documents of restricted or confidential distribution must be secured in security filing cabinets.

 

Office storage and screen protection policy

Management must have in force:

  1. A clear storage policy for documents as well as removable storage media;
  2. A clear policy for protecting computer screens and other workstations.

 

A clear policy for protecting computer screens and other workstations significantly reduces the risk of unauthorized access, loss or alteration of information.

 

All company personnel must apply the following instructions:

  1. Store paper and computer media in appropriate containers when not in use, even during working hours;
  2. Lock or appropriately secure classified documents when not necessary, particularly when the office is unoccupied;
  3. Log off computer terminals, workstations and printers when left unattended;
  4. Protect personal computers, computer terminals, workstations and printers with passwords or other appropriate means;
  5. Protect all media that can send or receive electronic mail, faxes and telex machines;
  6. Lock photocopiers and scanners outside normal working hours (or otherwise protect them from unauthorized use);
  7. Immediately delete all classified information from printers and scanners.

 

End of Day Procedures

Managers of different entities are required to develop and implement appropriate procedures for the protection of classified documents outside of normal working hours. This could include a requirement to check all relevant premises at the end of each working day.

 

Identification of staff working outside normal working hours

Entities holding classified documents should implement a staff timekeeping system to identify individuals who stay beyond normal hours or who come in at unusual times. This timekeeping system must make it possible to record the employee's name as well as the date and times of arrival and departure. This will not only prevent unauthorized reproduction, copying or removal of classified documents but also protect the employee himself in the event of an investigation.

 

If an employee with authorized access to classified documents is regularly present at work at unusual times and for no obvious reason, the head of the unit or entity concerned should conduct a discreet investigation to determine the reasons.

 

Removal of classified document

A classified document should only be removed if:

  1. The document is necessary for a known reason;
  2. The employee performing the document removal is appropriately authorized.

 

Tamper-indicator seals, strips and envelopes

Envelopes containing classified documents intended to be distributed outside a particularly protected area must be sealed appropriately.

 

Destruction of classified documents

Waste from destroyed classified documents is a possible source of information. All these documents must therefore be destroyed in such a way that their recovery and reconstitution are highly unlikely.

 

Protection of information received

Management is held responsible for:

  1. Protection of information received or shared;
  2. Disclosure of information received or shared; and
  3. Dissemination of information received or shared.

 

Management must institute the following measures for the protection of information received or shared:

  1. Any sensitive information relating to our business received from or shared with a client or organization will be classified as confidential and protected in a secure filing cabinet or database and protected against unauthorized access;
  2. Access to any sensitive information relating to our business received from or shared with a customer or organization will be limited to individuals within the company or national supply chain on a “need to know” basis;
     
