THE GOLDEN PEAK

Serving the Pontiac since 1999

Privacy Protection Policy

1. Executive Summary

INTRODUCTION AND OBJECTIVES

The protection of personal information is regulated by the Private Sector Personal Information Protection Act, the Charter of Human Rights and Freedoms, and the Civil Code of Quebec.

Personal information is information about an individual that allows them to be identified. For example: name, signature, address, medical record, phone numbers, email, image and voice, financial information, social insurance number.

COLLECTION AND USE OF PERSONAL INFORMATION

The organization collects personal information when it has a serious and legitimate interest in doing so, and retains only what is necessary for its proper functioning. If you refuse to consent to this policy or its annexes, the organization may be forced to prevent you from using its products and services.

Other than for the provision of services, personal information may also be used for market research, the distribution of newsletters, or hiring. Personal information will never be sold to third parties unless the organization obtains consent to do so.

PROTECTION MEASURES FOR PERSONAL INFORMATION

Physical records containing confidential information are kept locked in a binder. Computer records containing personal information are protected by a password. They are digitally stored in an offline local network that prevents individuals from accessing the organization’s records.

POLICY RESPONSIBLE PERSON

Ms. Diane Vaillancourt is the general manager and responsible for the protection of personal information within the organization. She can be reached at (819) 683-5552 or at dvaillancourt@lemontdor.org.

RETENTION AND DESTRUCTION OF PERSONAL INFORMATION

When the purpose for which personal information was collected is achieved, the organization destroys it, except in exceptional cases. You can request that any personal information about you be provided or destroyed. Documents or data containing personal information are shredded, reformatted, rewritten, demagnetized, or crushed.

RIGHT OF ACCESS AND TRANSFER OF PERSONAL INFORMATION

When you or one of your authorized representatives makes a written request or completes the form for this purpose, the organization will confirm that it holds personal information about you. The organization may then, within thirty (30) days of receiving the request, allow consultation or transfer of the file and any personal information recorded therein. The organization gives written reasons for any refusal within the same period. If no response is given within this period, this is equivalent to a refusal. It is then possible to challenge a refusal before the Commission d’accès à l’information (CAI).

Despite certain exceptions, the organization cannot refuse to disclose personal information in case of emergency unless it would result in serious harm to your health. Personal information of a medical or social nature for those aged 14 and under is only communicated to their lawyer or parents and cannot harm the care between the child and the treating professional.

REQUEST FOR RECTIFICATION OF PERSONAL INFORMATION

When you or one of your authorized representatives makes a written request or completes the form for this purpose, the organization may rectify or delete information about you within thirty (30) days of receiving the request. The organization gives written reasons for any refusal within the same period. If no response is given within this period, this is equivalent to a refusal. It is then possible to challenge a refusal before the CAI. If the request is accepted, the organization provides evidence confirming its execution. The organization cannot be held responsible for any failure in the event that a request for rectification is not made by you when it should have been.

DISCLOSURE OF PERSONAL INFORMATION TO A THIRD PARTY

When collecting personal information, the organization will have you fill out a form. Third parties not listed must obtain your express consent to access your personal information, except in exceptional cases. The organization ensures that the policy is respected by third parties.

TRANSCRIPTION, REPRODUCTION, OR TRANSMISSION FEES FOR PERSONAL INFORMATION

The organization charges reasonable fees for the transcription, reproduction, or transmission of personal information.

PROCEDURES IN CASE OF CONFIDENTIALITY INCIDENT

In the event of an incident involving personal information, the organization ensures that it follows the procedure provided for in the Private Sector Personal Information Protection Act and its regulations. Those affected, the CAI, and certain third parties, when the situation permits, will be notified as soon as possible. When you detect an incident, you must contact the person responsible for the protection of personal information at the contact information displayed above. Complaints/reports are processed within a maximum of thirty (30) days after they are filed.
Despite all measures put in place, the organization cannot guarantee flawless security for every conceivable scenario.

POLICY INAPPLICABILITY

This policy no longer applies if you leave our website or if a law or court requires the organization to transmit personal information.

2. Introduction

The right to privacy is guaranteed by the Charter of Human Rights and Freedoms and the Civil Code of Quebec. Additionally, the protection of personal information is governed by the Private Sector Personal Information Protection Act.

This policy establishes a procedure for managing personal information by the organization, ensuring that it collects, holds, retains, uses, and discloses personal information about members, users, volunteers, staff, and directors of the organization in accordance with the law.

The person responsible for the protection of personal information (hereinafter referred to as the “responsible person”) within the organization is responsible for implementing and ensuring compliance with this policy by the organization’s representatives, whether they are current or former staff, volunteers, or directors.

In this regard, the responsible person disseminates this policy on the organization’s website and makes it available to members, users, staff, volunteers, or directors for consultation or training. Additionally, the responsible person determines the guidelines and procedures necessary for the implementation of this policy.

3. Objectives

This policy aims to inform members, users, staff, volunteers, and directors of the organization about the principles it applies in managing the personal information it holds about them.

Furthermore, it sets out the conduct rules that the organization requires its members, users, staff, volunteers, and directors to adhere to when they have access to personal information held about others by the organization.

For the application of this policy, the organization adheres to the following principles:

  • Collect only the personal information necessary for the proper management of operations;
  • Notify individuals as soon as their personal information is required of the use and disclosure that will be made of it;
  • Inform individuals of their rights, particularly regarding complaints, and obtain their consent, when required by law;
  • Ensure the security and confidentiality of the personal information it holds about others by regulating its retention, correction, and destruction, and by defining the roles and responsibilities of its staff members throughout the lifecycle of that information.

In keeping with these principles, the organization periodically purges and merges records, reviews and updates its forms and practices, and establishes a dedicated location for the storage and consultation of personal information. The organization may also undergo inspections by an independent evaluator to validate the quality of the protection it provides for its personal information.

4. Definition of Personal Information

Personal information is information about an individual that allows them to be identified. This information is confidential and must be treated as such.

Within the organization, personal information includes, but is not limited to: name, first name, signature, residential address, medical record, medication prescription, phone numbers, email address, image and voice of a person, biometric data, health status, employment records, banking/financial information, computer data, information about their family, friends, and other related individuals, social insurance number, health insurance number, and driver’s license number, as well as any document containing this information or any document that refers to the existence of a particular person.

5. Collection of Personal Information

The organization collects personal information when it has a serious and legitimate interest in doing so. Personal information may be collected through forms integrated on its website, by telephone interviews, through paper forms, or through any interaction between individuals and the organization and/or its stakeholders.

The organization collects personal information for the management of:

  1. Member profiles;
  2. User profiles;
  3. Profiles of staff and volunteers;
  4. Incidents, including those with possible implications for the organization’s civil liability or any person associated with it;
  5. Requests for information about services.

When collecting personal information, the organization retains only what is necessary for its proper functioning. The organization is able to justify the reason why it requires each piece of personal information.

The organization collects personal information from the individual concerned unless they consent to the organization obtaining this information from a third party. In this case, the organization submits to the individual concerned the Authorization Form for the Exchange of Personal Information with a Third Party, as outlined in Annex 1.

However, the organization may collect this personal information from a third party without the consent of the individual concerned if the collection, although in their interest, cannot be done from them in a timely manner. It may also do so to verify the accuracy of the information obtained from the individual concerned or if the law permits.

Information that is already known or becomes known to the public (information on websites or profiles on social media) may also be collected by the organization without the need to transmit it directly. In this case, the organization nevertheless undertakes to collect it reasonably and judiciously. The collection of information through cookies will be clearly explained on its website, and it will be possible to refuse those that are not necessary.

When the organization collects personal information from a legal entity, it records the source of this information unless it is part of an investigation file aimed at preventing, detecting, or prosecuting a crime or offense against the law.

Before the organization collects personal information, it informs the individual concerned of:

  1. The purposes for which this information is collected (collection);
  2. The means by which the information is collected;
  3. Their right to withdraw their consent for the communication or use of the information collected;
  4. The name of the third party for whom the collection is being made;
  5. Contact information for the person responsible for the protection of personal information;
  6. The categories of individuals, including third parties, who may have access to it;
  7. Where their personal information will be stored;
  8. The protective measures in place;
  9. Their rights of access and rectification as provided by law.

If the individual concerned refuses to provide the personal information requested by the organization or refuses to consent to the exchange of personal information with a third party, it is up to the responsible person to decide whether or not to deal with the individual concerned.

6. Protection of Personal Information

Physical records containing confidential information are kept locked in a file cabinet or in a dedicated location secured by the responsible person. Staff members are prohibited from leaving the premises with personal information without the organization’s approval. The organization’s offices are also secured with access codes known only to staff or a lock mechanism.

Computer records containing personal information are protected by encryption or a password. Personal information is stored digitally in an offline local network that prevents individuals from tampering with the organization’s records.

Personal information is stored in a cloud server for which entry of a secure password is required. A VPN connection is also required to access certain information. The organization has implemented a firewall and antivirus software to limit the scope of malicious attacks.

The categories of individuals who have access to personal information when exercising their function are as follows:

  1. Board members and senior management;
  2. Staff.

The organization requires anyone occupying a position in either of these categories to complete the Confidentiality Agreement Form, as outlined in Annex 2. The organization also defines the roles and responsibilities of its staff members throughout the lifecycle of this information so that they understand how to implement the policy in their daily work.

7. Policy Responsible Person

Mrs. Diane Vaillancourt is responsible for the protection of personal information within the organization in accordance with section 3.1 of the Private Sector Personal Information Protection Act. Mrs. Diane Vaillancourt is the general director of the organization. She can be reached at (819) 683-5552, or at dvaillancourt@lemontdor.org.

In addition to her other duties, the responsible person also ensures that the organization’s staff understand the issues related to the protection of personal information.

8. Use of Personal Information

Personal information collected by the organization is used or disclosed only for the purposes for which it was collected, unless the individual concerned consents or the law requires it. Personal information is primarily used to facilitate the provision of services to members, clients, and users. However, it may also be used for market research, distribution of newsletters (subscription can be cancelled at any time), hiring personnel, or for any reason detailed at the time of collecting personal information.

Personal information will never be sold to third parties unless the organization obtains consent to do so.

Furthermore, the organization ensures that the personal information it holds about others is up-to-date and accurate at the time it is used to make a decision about the individual concerned.

9. Retention and Destruction of Personal Information

When the purpose for which personal information was collected has been achieved, the organization destroys it, except under exceptional circumstances. In accordance with the law, personal information is kept for at least one (1) year after any decision concerning the individual concerned. Personal information subject to a request for access or rectification is kept until all remedies provided by law have been exhausted. Furthermore, the organization retains personal information for the duration required by government authorities to which it is accountable.

Subject to other legal/ethical obligations regarding the retention of records that must be respected by the organization and the persons working on its behalf, the individual concerned may request that any record concerning them be returned to them and that any personal information otherwise held by the organization be destroyed. The destruction of personal information may also result in the organization’s inability to continue offering services. This is also true if the individual concerned no longer consents to this policy.

The organization does not discard any document containing personal information that could be reconstructed. Whenever possible, these pieces are destroyed or shredded. Otherwise, the organization resorts, as appropriate, to formatting, rewriting, digital shredding, demagnetization, or crushing of information.

10. Right of Access and Transfer of Personal Information

Upon verbal or written request from an individual concerned or from someone establishing their status as a representative, heir, successor, estate administrator, life insurance beneficiary, or holder of parental authority over the individual concerned, the organization confirms whether it holds personal information relating to the individual concerned.

Upon written request from an individual concerned or one of the persons designated in the previous paragraph, the organization allows them, within thirty (30) days of receiving the request, to consult or transfer, as applicable, their own or the individual’s file and discloses any personal information contained therein. However, the organization may refuse to disclose personal information in the following cases:

  1. It does not concern the interests and rights of the person requesting it as executor, beneficiary, heir, or successor to the liquidator of the estate;
  2. It would likely reveal personal information about a third party or the existence of such information and that disclosure would likely seriously harm that third party, unless the third party consents;
  3. It is prohibited by law, an ongoing investigation, or a court order.

In case of refusal, the organization provides written reasons to the individual concerned within the same thirty (30) day period and informs them of their right to challenge the decision before the Access to Information Commission. If the organization fails to respond to an access request within this timeframe, it is deemed to have refused access, in which case the interested person may address the Access to Information Commission to assert their rights.

Despite the above, the organization cannot refuse to disclose personal information to an individual concerned if it concerns an emergency endangering the life, health, or safety of the individual concerned.

However, the organization may temporarily refuse access to personal health information it holds about the individual concerned if it would cause serious harm to their health and provided that it offers to designate a healthcare professional to receive such information and communicate it to them. This professional then determines when the consultation can be made and informs the individual concerned accordingly.

Finally, unless the request is made by the holder of parental authority, the organization refuses to disclose to an individual concerned under the age of 14 any medical or social information concerning them or to inform them of the existence of such information contained in a file on them, except through their lawyer in the context of a legal proceeding. Normal communications between a healthcare professional and their patient are not restricted by this.

When a request for access or rectification of personal information is made to a representative of the organization, they invite the requester to complete the Request Form for Access or Rectification of Personal Information, as outlined in Annex 3, unless the request has been made in writing. They then forward the completed form or the written request to the responsible person, who analyzes it and, as appropriate, determines the access modalities, decides how to make the requested corrections, or justifies the refusal.

11. Request for Rectification of Personal Information

Upon written request from the individual concerned or from a person designated in the first paragraph of the section “Right of Access and Transfer of Personal Information,” the organization proceeds to rectify inaccurate, incomplete, or ambiguous information, as applicable, in their or the individual’s file, by adding comments or deleting outdated information not justified by the purpose of the file or whose collection was not authorized by law, within thirty (30) days of receiving the request.

In case of refusal, the organization provides written reasons to the individual concerned within the same thirty (30) day period and informs them of their right to challenge the decision before the Access to Information Commission. If the organization fails to respond to a rectification request within this timeframe, it is deemed to have refused to comply with it, in which case the interested person may address the Access to Information Commission to assert their rights.

By complying with a rectification request, the organization provides the requester, at no cost, with a copy of any modified or added personal information, or, as applicable, a certificate of the removal of personal information.

The organization promptly notifies anyone who received the information in the previous six (6) months and, if applicable, the person from whom it obtained the information, of the rectification or contested rectification request.

It is the responsibility of individuals who have provided their personal information to notify the organization of any changes to it. The organization cannot be held responsible for any failure if a rectification request is not made when it should have been.

12. Disclosure of Personal Information to a Third Party

When collecting personal information, the organization submits the Authorization Form for the Exchange of Personal Information with a Third Party, as outlined in Annex 1, and instructs the individual concerned to complete it if they consent to the organization disclosing personal information about them to third parties. The organization will notify them of the communications that will be made following this form.

When a third party not identified in the Authorization Form for the Exchange of Personal Information with a Third Party, as outlined in Annex 1, requests the organization to disclose personal information about a member, user, staff member, volunteer, or administrator of the organization, the organization requires the third party to obtain written consent from the individual concerned containing the following information:

  1. Identification of the individual concerned;
  2. A description of the personal information to be communicated;
  3. Identification of the third party to whom the information may be communicated;
  4. The deadline for authorization;
  5. The signature of the individual concerned or their authorized representative.

However, the organization may communicate personal information to a third party not identified in the Authorization Form for the Exchange of Personal Information with a Third Party, as outlined in Annex 1, if the third party is:

  a) The attorney of the individual concerned;
  b) The Attorney General if the information is required for the prosecution of an offense under a law applicable in Quebec;
  c) A person authorized by law to prevent, detect, or suppress crime or offenses against the law, who requires it in the exercise of their functions, if the information is necessary for the prosecution of an offense under a law applicable in Quebec;
  d) A person to whom it is necessary to communicate the information in the course of law enforcement or a collective agreement and who requires it in the exercise of their functions;
  e) A public body that, through a representative, can collect it in the exercise of its duties or in the implementation of a program it manages;
  f) A person or organization empowered to compel their communication and who requires it in the exercise of their functions (e.g., courts);
  g) A person to whom this communication must be made due to an emergency situation endangering the life, health, or safety of the individual concerned;
  h) A person or organization, in accordance with sections 18.1, 18.2, 18.3 (as of September 22, 2023 for this article), and 18.4 of the Private Sector Personal Information Protection Act;
  i) A person authorized to use this information for study, research, or statistical purposes;
  j) A person who, by law, can recover debts for others and who requires it in the exercise of their functions;
  k) A person if the information is necessary for the purpose of recovering a debt owed to the organization.

The organization must record in the file of the individual concerned any communication made under paragraphs f) to k).

When the organization entrusts another organization with the task of holding, using, or communicating personal information on its behalf, it must, before communicating this personal information, receive written commitment from this organization that it respects this personal information protection policy.

When the organization communicates personal information outside Quebec, it ensures that this information will not be used for purposes unrelated to the purpose of the file or communicated to third parties without the consent of the individual concerned, except to the third parties described in paragraphs a) to j) of this section. If the organization believes that these conditions will not be met, it must refuse communication.

13. Fees for Transcription, Reproduction, or Transmission of Personal Information

The organization charges reasonable fees for the transcription, reproduction, or transmission of personal information. These fees are determined by the responsible person and are subject to periodic review.

Before proceeding with the transcription, reproduction, or transmission of this information, the organization informs the requester of the approximate amount payable.

14. Transmission of Documents Containing Personal Information

In the event of transmission by email, the organization’s representatives indicate in the subject line the confidential nature of the transmission and, in the message, include a confidentiality notice inviting the recipient to contact the sender immediately in case of receipt in error. The representatives of the organization include in the email signature their name, as well as the address and telephone and fax numbers to reach them at work.

In the event of transmission by mail, the representatives of the organization clearly indicate on the packaging the name and address of the authorized person to receive the documents. They include with the shipment a letter specifying the confidential nature of the information and a confidentiality notice inviting the recipient to contact the sender immediately in case of receipt in error.

15. Definition of a Confidentiality Incident

In accordance with the Private Sector Personal Information Protection Act, a confidentiality incident may take the following forms:

  • Access to personal information that is not authorized by law;
  • Use of personal information that is not authorized by law;
  • Communication of personal information that is not authorized by law;
  • Loss of personal information or any other breach of the protection of such information.

16. Process in Case of Confidentiality Incident

In the event of an incident involving personal information, the organization ensures that it follows the procedure provided for in the Private Sector Personal Information Protection Act and its related regulations. When an incident presents a risk of serious harm, the Access to Information Commission (CAI) as well as the individuals affected by the incident will be notified to the extent possible, and as soon as possible after the organization becomes aware of the incident. The content of these notices is provided in Annexes 4 and 5 respectively.

If third parties need to be contacted to mitigate the damages that may result from the incident, the person responsible for the protection of personal information will communicate only the personal information necessary for this purpose and will record this communication. An incident log will be updated by the person responsible for the protection of personal information. The content of this register is found in Annex 6.

By transmitting personal information to the organization, it is understood that the individuals concerned understand that the organization deploys best practices and protection mechanisms to limit the possibility of any incident, leak, or misuse of personal information. However, the organization cannot guarantee fail-safe security for every conceivable scenario.

When an individual notices that an incident regarding their personal information may have occurred within the organization, they must contact the person responsible for the protection of personal information at the contact information displayed above. Complaints/reports are processed within a maximum of thirty (30) days after they are filed.

17. Non-application of the Policy

When an individual leaves the organization’s website for any other website whose link appears on that of the organization, this policy no longer applies. Reference should then be made to their policy, if any.

When a law, regulation, or court order compels the organization to transmit personal information, it is understood that the organization cannot guarantee the level of confidentiality and security established by the person or government conferring them.

In the event of a merger or other legal restructuring of the organization, the latter may transmit all personal information to the new legal entity thus created.

18. Policy Modification

Any modification will be updated on the organization’s website and sent to the email address of the individuals concerned if one has been provided.

19. Adoption and Entry into Force of this Policy

This policy is adopted on: March 25, 2024

This policy comes into force on: March 25, 2024