Policy For the Protection of Privacy and Confidential Information
Last updated: December 22, 2025
OBJECTIVE
This policy aims to establish the practices of Corporation Jean-Paul Morin regarding governance and protection of personal information, in compliance with applicable laws, particularly Act P-39.1 respecting the protection of personal information in the private sector. It applies to any employee, volunteer, partner, consultant, or other person associated with the organization who collects, uses, discloses, retains, destroys, or receives personal information from the organization in the course of their duties.
P-39.1 - Act respecting the protection of personal information in the private sector (gouv.qc.ca)
DEFINITION
Personal information
"Personal information" means any information concerning a natural person that allows that person to be identified. This may include, without limitation, a name, email address, telephone number, credit card number, social insurance number, photograph, etc.
GENERAL PRINCIPLES
Collection
The organization collects only the personal information necessary to carry out its mission and activities. This may include, for example, information collected during registration for training, an activity, or service provision, or during hiring. The organization also ensures that any person affected by such collection is informed of its purposes, the methods used to carry it out, and their rights regarding such information.
Use of personal information
Personal information collected by the organization is used only for the purposes for which it was collected, unless the organization has obtained the consent of the persons concerned or unless permitted by law. Furthermore, such personal information is accessible only to representatives of the organization who need it to perform their duties.
Disclosure
The organization does not disclose personal information without the consent of the person concerned, except in cases provided by law. Consent must be given expressly when sensitive personal information is involved.
As provided by law, the organization may, however, transfer the personal information it collects to a service provider without the consent of the person concerned. In such cases, the organization enters into a written contract with the service provider, whereby the service provider undertakes to take the necessary measures to ensure the confidentiality of the personal information, to use it exclusively to carry out their mandate, and to destroy it once the mandate is completed.
Retention of personal information
Personal information is retained by the organization for the period necessary to accomplish the purposes for which it was collected, subject to retention periods provided by law. The organization has established a retention schedule for personal information.
Destruction of personal information
Personal information is destroyed or anonymized one year after the objectives for which it was collected are achieved or when any retention period provided by law has elapsed. When the organization destroys documents containing personal information, it ensures that an appropriate method is used to maintain the confidentiality of such information.
Consent
In situations where consent is required, the organization must ensure that it is manifest, free, informed, and given for specific purposes. It must be requested in simple and clear terms and is valid only for the period necessary to achieve the purpose for which it was given.
Security
The organization has adopted security measures designed to protect the personal information collected, used, disclosed, retained, or destroyed. These measures take into account the sensitivity of the information and the purpose of its use. The organization uses, among others, the following security measures:
- Protection of the organization's physical premises;
- Protection of technological equipment, particularly through the use of secure passwords, firewalls, and current updates of security measures;
- Restriction of access to only those individuals who need to consult personal information;
- Use of secure servers;
- Awareness and training of staff on personal information protection.
Furthermore, the organization requires that any employee, volunteer, partner, consultant, or other person associated with the organization who, in the course of their duties, collects, uses, discloses, retains, destroys, or receives personal information from the organization, comply with this policy.
Privacy Impact Assessment
The organization conducts a privacy impact assessment before any acquisition, development, or redesign project of an information system or electronic service delivery involving personal information. It also conducts such an assessment before disclosing personal information outside Quebec or entrusting a person or organization located outside Quebec with the task of collecting, using, disclosing, or retaining such information on its behalf.
ROLES AND RESPONSIBILITIES
Executive Director of the Organization
The executive director facilitates the development of policies and practices governing personal information. They ensure that the financial, human, and material resources necessary for their implementation are available. They also support the person responsible for the protection of personal information in the performance of their duties.
Person Responsible for the Protection of Personal Information
The person designated as responsible for the protection of personal information ensures compliance with and implementation within the organization of applicable laws and regulations relating to personal information. They approve policies and practices governing personal information. They also respond to requests and complaints relating to personal information. The organization consults them particularly in case of a confidentiality incident or privacy impact assessment.
Employees, Volunteers, Consultants, Partners
These persons are responsible for protecting the personal information to which they have access in the course of their duties within the organization, by implementing the policies established in this regard by the organization, including through the following measures:
- Collect only the personal information necessary for the organization's activities for which they are responsible;
- Adequately inform the persons affected by any collection they carry out;
- Use personal information only for the purposes for which it was collected;
- Destroy personal information in accordance with the organization's retention schedule;
- Report any confidentiality incident to the executive director and the person designated as responsible for the protection of personal information, in accordance with the confidentiality incident management policy;
- Participate in any training and awareness activities related to the protection of personal information;
- Ensure compliance with the security measures implemented by the organization.
CONFIDENTIALITY INCIDENT
A "confidentiality incident" means access, use, or disclosure of personal information that is not authorized by law, as well as any other breach of the protection of such information.
Any confidentiality incident is managed by the organization in accordance with its confidentiality incident management policy. This policy describes the steps to follow in case of an incident, as well as the role of each stakeholder.
The organization maintains a registry of confidentiality incidents.
RIGHTS OF ACCESS, RECTIFICATION AND DE-INDEXING
Any person may request the organization to access their personal information, rectify it, or de-index it, subject to exceptions provided by law. Any request must be addressed in writing to the person responsible for the protection of personal information at the following email address: corporationjpm@gmail.com. It must contain the information necessary for its processing, as well as the name and contact information of the person making the request. The person responsible for the protection of personal information may require any additional information they deem necessary to process the request.
The person responsible for the protection of personal information evaluates requests received in light of applicable law and legislative exceptions. They respond in writing as soon as possible and no later than 30 days following the date of receipt of the request.
COMPLAINT HANDLING
Filing a complaint
Any person may file a complaint regarding personal information held by the organization. The complaint must be filed in writing with the person responsible for the protection of personal information of the organization, at the following email address: corporationjpm@gmail.com. It must include a description of the subject and reasons for the complaint as well as the name and contact information of the complainant. If the complaint is not sufficiently specific, the person responsible may request any additional information they deem necessary to evaluate the complaint.
Processing
All complaints are handled confidentially and diligently. The person responsible for the protection of personal information evaluates the complaints received. If the complaint is found to be justified, the organization commits to taking the necessary measures to correct the situation as soon as possible. The person responsible for the protection of personal information transmits their findings in writing to the complainant.
AMENDMENT
This policy may be amended from time to time to reflect changes to the organization's governance and personal information protection practices. The most recent version is published on the organization's website. The date of the last update is indicated at the top of the policy.