Policy For the Protection of Privacy and Confidential Information
Last updated: December 13, 2024
OBJECTIVE
The purpose of this policy is to establish the practices of Corporation Jean-Paul Morin regarding the governance and protection of personal information, in accordance with applicable laws, including the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1). It applies to any person employed, volunteering, partnering, consulting, or otherwise connected with the organization who collects, uses, discloses, retains, destroys, or receives personal information from the organization in the course of their duties towards the organization.
P-39.1 - Act respecting the protection of personal information in the private sector (gouv.qc.ca)
DEFINITION
Personal information
"Personal information" means any information that relates to a natural person and allows them to be identified, directly or indirectly. This may include, without limitation, a name, email address, phone number, credit card number, social insurance number, or photograph.
GENERAL PRINCIPLES
Collection
The organization collects only the personal information necessary for the fulfillment of its mission and activities. For example, this may include information collected as part of registration for a training course, an activity, a service delivery, or employment. The organization ensures that anyone affected by such a collection is informed of the purposes for which their information is collected, the means by which the information is collected, and their rights regarding this information.
Use of personal information
Personal information collected by the organization is not used for purposes other than those for which it was collected, unless the organization has obtained the consent of the individuals concerned or the law permits it. Furthermore, this personal information is only accessible to representatives of the organization who need it in the exercise of their duties.
Disclosure
The organization does not disclose personal information without the consent of the individual concerned, subject to exceptions provided by law. Consent must be given expressly when sensitive personal information is involved.
As provided by law, the organization may transfer the personal information it collects to any service provider without the consent of the individual concerned. In such a case, the organization puts in place a written contract that specifies the measures the co-contracting party undertakes to take to keep the personal information confidential, to use it solely for the purpose of executing its mandate, and to destroy it once the mandate is completed.
Retention of personal information
Personal information is retained by the organization for the time necessary to fulfill the purposes for which it was collected, subject to any retention period provided by law. The organization has implemented a personal information retention schedule.
Destruction of personal information
Personal information is destroyed or anonymized one year after the purposes for which it was collected have been fulfilled or when any retention period provided by law has expired. When the organization proceeds with the destruction of documents containing personal information, it ensures the use of an adequate destruction method to ensure the confidentiality of such information.
Consent
In situations where consent is required, the organization must ensure that this consent is manifest, free, informed, and given for specific purposes. This consent must be requested in simple and clear terms and is only valid for the time necessary to achieve the purposes for which it was requested.
Security
The organization has adopted security measures designed to ensure the protection of personal information collected, used, disclosed, retained, or destroyed. These measures take into account, in particular, their sensitivity and the purpose of their use. The organization uses, among others, the following security measures:
- Protection of the organization's physical premises;
- Protection of technological equipment, particularly through the use of secure passwords, firewalls, and the timely application of security updates;
- Restriction of access to personal information to only those individuals who need to consult it in the exercise of their duties;
- Use of Canadian servers;
- Awareness and training of staff on personal information protection.
In addition, the organization requires that any person employed, volunteering, partnering, consulting, or otherwise connected with the organization who collects, uses, discloses, retains, destroys, or receives personal information from the organization in the course of their duties towards the organization complies with this Policy.
Privacy Impact Assessment
The organization conducts a privacy impact assessment before any project involving the acquisition, development, or redesign of information systems or electronic service delivery involving personal information. The organization also conducts such an assessment before disclosing personal information outside Quebec, or entrusting a person or organization outside Quebec with the task of collecting, using, disclosing, or retaining such information on its behalf.
ROLES AND RESPONSIBILITIES
General Management of the Organization
General Management facilitates the development of policies and practices governing the governance of personal information. It ensures the availability of financial, human, and material resources necessary for their implementation. It facilitates the exercise of the functions of the person in charge of the protection of personal information.
Person in charge of the protection of personal information
The person designated as the Person in charge of the protection of personal information ensures that applicable laws and regulations related to personal information are complied with and implemented within the organization. They approve the policies and practices governing the governance of personal information, and they respond to requests and complaints related to personal information. The organization consults them in particular in the event of a confidentiality incident or when conducting a privacy impact assessment.
Employees, volunteers, consultants, partners
These individuals are responsible for ensuring the protection of personal information to which they have access in the course of their duties with the organization by implementing the policies established in this regard by the organization, notably by:
- Collecting only the personal information necessary for the organization's activities for which they are responsible;
- Adequately informing individuals concerned by any collection they carry out;
- Using personal information only for the purposes for which it was collected;
- Destroying personal information in accordance with the organization's retention schedule;
- Reporting any confidentiality incident to General Management and to the Person in charge of the protection of personal information, in accordance with the Confidentiality Incident Management Policy;
- Participating in any training and awareness activities related to the protection of personal information; and
- Ensuring compliance with the security measures put in place by the organization.
CONFIDENTIALITY INCIDENT
A "confidentiality incident" means any access, use, disclosure not authorized by law, or loss of personal information, as well as any other breach of the protection of such information.
Any confidentiality incident is managed by the organization in accordance with its Confidentiality Incident Management Policy. This policy describes the steps to follow in such an eventuality as well as the role of each person involved.
The organization keeps a register of confidentiality incidents.
RIGHTS OF ACCESS, RECTIFICATION AND DE-INDEXATION
Any person may make a request to the organization to exercise their right of access, rectification or de-indexation in relation to personal information held by the organization concerning them, subject to the exceptions provided by the Act. Such a request must be addressed in writing to the Person in charge of the protection of personal information at the following email address: corporationjpm@gmail.com. It must contain the information necessary for its processing as well as the name and contact details of the person making the request. The person in charge of the protection of personal information may request any additional information they deem necessary to process the request.
The person in charge of the protection of personal information evaluates the requests received by the organization in light of applicable law and legislative exceptions. They respond in writing to the request diligently and no later than 30 days from the date of receipt of the request.
COMPLAINT HANDLING
Filing a complaint
Any person may file a complaint regarding the protection of personal information held by the organization. The complaint must be submitted in writing to the organization's Person in charge of the protection of personal information by email at corporationjpm@gmail.com. It must include a description of the subject and reasons for the complaint, as well as the name and contact details of the complainant. If the complaint is not sufficiently precise, the Person in charge of the protection of personal information may request any additional information they deem necessary to evaluate the complaint.
Processing
All complaints are handled confidentially and diligently. The Person in charge of the protection of personal information evaluates the complaints received by the organization. If a complaint is found to be justified, the organization commits to taking the necessary measures to correct the situation as soon as possible. The Person in charge of the protection of personal information transmits their conclusions in writing to the complainant.
MODIFICATION
This policy may be modified from time to time to reflect changes in the organization's governance and personal information protection practices. The most recent version is published on the organization's website. The last update date is indicated at the top of the policy.