POLICY REGARDING THE PROTECTION OF PERSONAL INFORMATION
- CONTEXT AND OBJECTIVES
As part of its activities, the Employer, SOTREM (1993) INC., collects, processes, stores and communicates personal information.
The Employer is responsible for protecting the personal information it holds.
The purpose of this policy is to govern the management of personal information, ensure its protection and establish practices to uphold the Employer’s obligations to all individuals from whom it holds personal information.
- DEFINITIONS
Commission:
Commission d’Accès à l’Information.
Personal Information:
Any information concerning an individual that directly or indirectly enables their identification.
Person Responsible:
Person responsible for protecting the personal information held by the Employer, ensuring compliance with and implementation of the Act Respecting the Protection of Personal Information in the Private Sector.
Breach of Security Safeguards:
Unauthorized access, use, or disclosure of personal information contrary to the law, as well as its loss or any other breach of its protection.
Act: Act Respecting the Protection of Personal Information in the Private Sector (RLRQ c P-39.1).
- SCOPE
This policy applies to all employees, suppliers and partners of the Employer regarding personal information held by the Employer or by third parties on its behalf, regardless of the nature of its format (written, graphic, audio, visual, electronic, or otherwise), whether it pertains to its employees or any other individual.
- PROCEDURE PERTAINING TO THE LIFE CYCLE OF PERSONAL INFORMATION
In collecting personal information, the Employer, in collaboration with the third party, agent, or service provider, where applicable:
- Determines the purposes of the collection. In this respect, there must be a serious and legitimate interest in compiling a file on an individual.
- Limits the collection of personal information. In this respect, the information collected is limited to the information necessary for the specified purposes. In the event of doubt, information is deemed unnecessary.
- Collects personal information by legal and legitimate means. In this respect, subject to exception, the data is collected directly from the person concerned.
- Informs the person concerned, before preparing a file, of:
i. The purpose of the file;
ii. The purposes for which the information is collected;
iii. The means by which the information is collected;
iv. How the personal information will be used;
v. The categories of individuals within the Employer’s organization who will have access to it;
vi. The location where it will be stored;
vii. The rights of access and rectification.
- Obtains the consent of the persons concerned before collecting their personal information from third parties, unless an exception provided by law applies.
If personal information is collected for a third party, the person concerned is informed of the name of the third party for whom the information is being collected, its category, and the possibility that the information may be disclosed outside of Quebec, subject to exceptions provided by law.
In the use of personal information, the Employer, in collaboration with the third party, agent, or service provider, where applicable:
- Limits access to personal information to only those persons within the organization who are entitled to receive it, where such information is necessary for the performance of their duties.
- Limits the use of personal information, except where an exception provided by law applies. The Employer obtains the consent of the person concerned to use their information once the purpose of the file is fulfilled.
In communicating personal information, the Employer, in collaboration with the third party, agent, or service provider, where applicable:
- Obtains the consent of the persons concerned to communicate their information to a third party (e.g., insurer or service provider), unless an exception provided by law applies.
- Complies with its legal obligations when it discloses personal information without the consent of the person concerned.
- Complies with the specific obligations applicable to the communication of personal information outside Quebec.
In the retention of personal information, the Employer, in collaboration with the third party, agent, or service provider, where applicable:
- Ensures the quality of personal information by ensuring that the information it holds is up to date and accurate at the time it is used to make a decision about the person concerned. This information is kept for at least one (1) year following the decision.
- Takes appropriate security measures to ensure the safety of personal information.
In the destruction of personal information, the Employer, in collaboration with the third party, agent, or service provider, where applicable:
- Destroys personal information securely as soon as the purpose for which it was collected has been fulfilled, subject to the time frame provided by law or a retention schedule established by government regulation (e.g., for tax obligations).
- ROLES AND RESPONSIBILITIES
General Manager
- Ensures that this policy is implemented, monitored and kept up to date.
- Oversees the application of the Act Respecting the Protection of Personal Information in the Private Sector (RLRQ c P-39.1) and the present policy.
- Informs the Person Responsible of privacy breaches so that they can be entered in the record of privacy breaches.
Network and Systems Administrator
- Implements reasonable measures to detect and address privacy breaches.
- Maintains the record of privacy breaches required by law and informs the Commission of events recorded therein.
- Acts as the Person Responsible for the protection of personal information held by the Employer.
- Ensures compliance and implementation of the Act Respecting the Protection of Personal Information in the Private Sector.
Management Committee
- Implement reasonable means to ensure that personal information under their responsibility is collected, stored, secured and used in compliance with applicable frameworks (notably laws, policies and directives).
- Report privacy breaches brought to their attention to the Person Responsible.
Employees of the Organization
- Comply with the present policy.
- Act in accordance with the procedure relating to the life cycle of personal information.
- Report privacy breaches brought to their attention to the Person Responsible.
- Declare to the Person Responsible any breach of this policy, or any event brought to their attention that may create a risk of harm within the meaning of this policy.
- SERVICE OR BUSINESS CONTRACT
The Employer may, without the consent of the individual concerned, disclose personal information to any person or body if the disclosure is necessary for the performance of a mandate, or the fulfillment of a contract for services or undertakings entrusted by the Employer to that person or body.
In this case, the Employer:
- Awards the mandate or contract in writing.
- Indicates in the mandate or contract the measures that the mandatary or contract performer must take to protect the confidential nature of the personal information communicated, to ensure that this information is used only in the performance of their mandate or contract, and to ensure that it is not retained after the mandate or contract expires.
The person or body exercising the mandate, or performing a service or enterprise contract in accordance with this section, must notify the Person Responsible without delay of any breach or attempted breach by any person of an obligation relating to the confidentiality of the information communicated and allow the Person Responsible to conduct any verification relating to this confidentiality.
However, paragraph 2 of the second division does not apply when the mandate or service or business contract is entrusted to a public body within the meaning of the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information or a member of a professional order.
- PERSON RESPONSIBLE FOR THE APPLICATION
The person responsible for the application of this policy is the person holding the position of Network and Systems Administrator.
The Employer ensures that the title and contact details of the Person Responsible are published on its website or are otherwise accessible by any other appropriate means.
Request for Access or Rectification
The Person Responsible will respond to requests for access or rectification in writing, with diligence and no later than thirty (30) days from the date of receipt of the request.
Otherwise, the Person Responsible is deemed to have refused the request. Any refusal to grant a request must be justified and supported by a provision of the Act.
The refusal must indicate the remedies available to the applicant under the law and the time limit within which they may be exercised. The Person Responsible must assist any applicant who requests it in understanding the refusal.
When the Person Responsible agrees to a request for access or rectification, they provide, at no cost to the person making the request, a copy of any modified or added personal information, or, as applicable, a statement confirming the deletion of such information.
In terms of a request for access, the Employer may charge the applicant reasonable fees for the transcription, reproduction or transmission of such information. To this end, the Employer will inform the applicant of the approximate amount payable before transcribing, reproducing or transmitting this information.
- PRIVACY BREACH
- Record of privacy breaches
The Employer will keep a record of all privacy breaches involving personal information held by it, even those which do not present a risk of serious harm. The Employer will send a copy of the record to the Commission when it so requests.
The record of privacy breaches describes primarily:
- Personal information affected by the breach;
- Information on the circumstances of the breach;
- The number of people targeted;
- Assessment of the severity of the risk of harm;
- Measures taken in response to the breach;
- Relevant dates:
i. Occurrence of the breach;
ii. Detection by the organization;
iii. Transmission of notices (if applicable), etc.
The information contained in the record of breaches is kept up to date and retained for a minimum period of five (5) years after the date or period during which the organization became aware of the incident.
- Procedure to follow in the event of a security breach
Where the Employer has reason to believe that a security breach involving personal information held by the Employer has occurred, the Employer:
i. Takes measures to reduce the risk of harm being caused and to prevent further breaches of a similar nature.
ii. Evaluates the risks of harm.
To assess the risks, the Employer considers:
- The sensitivity of the information concerned;
- The perceived consequences of its use;
- The likelihood of it being used for harmful purposes.
The Employer must also consult the Person Responsible.
iii. If the incident poses a risk of serious harm, notifies the Commission d’Accès à l’Information and the individual whose personal information is affected by the incident.
The Employer may also notify any person or body likely to reduce this risk, communicating only the information necessary for this purpose, without the consent of the person concerned.
The Person Responsible records any such communication.
However, a person whose personal information is affected by the breach need not be notified where doing so would be likely to impede an investigation conducted by a person or body who, under the law, is responsible for preventing, detecting or punishing crime or offences against the law.
iv. Completes the record of privacy breaches.
- COMPLAINTS HANDLING PROCEDURE
An individual who believes that they have been the subject of a breach by the Employer with respect to the protection of their personal information can make their complaint in writing directly to the Person Responsible, using the complaint form provided in Appendix I of this document. The Employer will ensure that this form is available on its website. All complaints are handled confidentially.
The Person Responsible will process the complaint within a reasonable period of time, i.e., within thirty (30) days of receiving all the information required to investigate the complaint.
Once the complaint has been examined and the analysis completed, the Person Responsible will send the complainant a final written response, with reasons.
- REPRISALS
It is prohibited to take reprisals against a person on the grounds that they have in good faith filed a complaint with the Commission or cooperated in an investigation, or to threaten a person to dissuade them from doing so.
- APPROVAL OF THE PERSON RESPONSIBLE
I, the undersigned, Simon Duhamel, Person Responsible for the protection of personal information, declare that I have reviewed and approve this policy.
_____________________________
SIMON DUHAMEL
Network and Systems Administrator
CONTACT DETAILS OF COMPLAINANT
CONTACT DETAILS OF THE PERSON RESPONSIBLE
LAST NAME AND FIRST NAME OF THE PERSON RESPONSIBLE: SIMON DUHAMEL
CONTACT DETAILS OF THE PERSON RESPONSIBLE:
1685, rue Manic, Chicoutimi
(Quebec) G7K 1G8
Tel. : (418) 696-2019
Ext.: 146
Email: sduhamel@sotrem-maltech.com