PREAMBLE
The Act to modernize legislative provisions respecting the protection of personal information (LQ 2021, c. 25) updates the framework applicable to the protection of personal information, including the Act respecting access to documents held by public bodies and the protection of personal information (RLRQ, c. A-2-1) (hereinafter the “Access Act”). It is because of this legislative obligation, but also because ESPA-Montréal recognizes the importance of having clear rules for the protection of personal information, that the Policy for the Protection of Personal Information (hereinafter the “Policy”) has been established.
1. DEFINITIONS
In this Policy, unless the context otherwise requires, the following expressions mean:
1.1 Consent
Consent of the person concerned to the collection and use of his or her personal information by ESPA-Montréal. Consent cannot be presumed. It must be manifest, free and informed. It must be given for specific purposes, in simple and clear terms, and for the duration necessary to achieve the purposes for which it was requested.
1.2 Confidentiality incident
Any access, use or disclosure of personal information that is not authorized by law or by the consent of the person concerned, as well as its loss or any other form of breach of its protection. For example, the following situations constitute confidentiality incidents:
- A member of staff who consults personal information not required for the performance of his or her duties by exceeding the access rights granted to him or her;
- A staff member who uses personal information from a database to which he or she has access in the course of his or her duties in order to impersonate a person;
- A person who loses or has stolen documents containing personal information;
- A person who interferes with a database containing personal information in order to alter or steal it;
- Forgetting to redact personal information in a document;
- Sending an e-mail containing personal information with the wrong recipient(s);
- The organization is the victim of a cyber attack, such as phishing or ransomware.
1.3 Manager
Senior person with authority within a department or branch, whether pedagogical or administrative.
1.4 Personal information
Any pairing of two (2) or more pieces of information (such as name, address, telephone number, e-mail address, social insurance number, date of birth, photograph, bank account information) that directly or indirectly identifies an individual. This list is not exhaustive. Personal information must be protected, regardless of the medium in which it is held, and regardless of its form: written, graphic, sound, visual, computerized or other.
1.5 ESPA-Montréal representative
Any person who, in the performance of his or her duties, collects personal information about any individual on behalf of ESPA-Montréal. Any person who, in the performance of his or her duties, consults, uses, communicates, holds or retains personal information held by ESPA-Montréal concerning any individual is also a representative of ESPA-Montréal. A representative also includes the natural or legal person who acts as a subcontractor, service provider, contractor, collaborator, partner or other for ESPA-Montréal and who has access to personal information.
2. SCOPE OF APPLICATION AND LEGAL FRAMEWORK
As a non-profit organization, ESPA-Montréal collects personal information, particularly that of participants in its activities and members of its staff. It is therefore subject to the provisions of the Access Act, the Civil Code of Québec (RLRQ, c. CCQ-1991) and the Charter of Human Rights and Freedoms (RLRQ, c. C-12). In the event of any discrepancy between the Access Act and this policy, the Access Act shall prevail. This governance framework applies to any person who, in the performance of his or her duties, collects, consults, uses, communicates, holds or retains personal information held by ESPA-Montréal concerning any individual, including teleworkers.
3. COLLECTION OF PERSONAL INFORMATION
In order to fulfill its mission, ESPA-Montréal must collect personal information. However, only Personal Information that is necessary for the performance of its duties or the implementation of an activity under its management is collected. ESPA-Montréal may also collect Personal Information if it is necessary for the exercise of its functions or the implementation of a program of the public body with which it collaborates for the provision of services or the realization of a common mission. ESPA-Montréal takes measures to ensure that the Personal Information it collects is adequate, relevant, not excessive and used for limited purposes.
4. USE OF PERSONAL INFORMATION
ESPA-Montréal uses personal information about participants in its activities, staff members and other third parties to carry out its mission and functions. We do not use personal information for purposes other than those identified at the time of collection, except with the consent of the individuals concerned, or as permitted by the Access Act. To this end, ESPA-Montréal may use personal information for another purpose without the consent of the person concerned only in the following cases:
- When its use is compatible with the purposes for which it was collected, i.e. when there is a relevant and direct link with the purposes for which the information was collected;
- When its use is clearly to the benefit of the person concerned;
- When its use is necessary for the application of a law in Quebec, whether or not such use is expressly provided for by law;
- When its use is necessary for the purposes of study, research or the production of statistics, and when it is de-personalized, i.e. when the information no longer directly identifies the person concerned and is used internally.
In the first three situations, the disclosure must be recorded in a personal information disclosure register.
5. CONSENT
Where required, ESPA-Montréal representatives provide consent to the collection, use or disclosure of personal information to the individuals concerned. To be valid, consent must be manifest, free, informed, given for specific purposes, in simple and clear terms, and for the duration necessary to achieve the purposes for which it was requested. When consent concerns sensitive personal information, it must be expressly given. Once consent to the collection, use and disclosure of personal information has been given, it may be withdrawn at any time. To withdraw consent, where applicable, contact info@espamontreal.ca. In the event of a refusal or withdrawal of consent, ESPA-Montréal may not be able to provide a service to that individual.
6. DISCLOSURE OF PERSONAL INFORMATION
6.1 Communication without the consent of the person concerned
6.1.1 Not requiring registration in the communication register
ESPA-Montréal may communicate certain personal information it holds to a member of its staff if he or she is entitled to receive it and if the information is necessary for the performance of his or her duties.
6.1.2 Requiring registration in the communication register
In all cases provided for in this section (6.1.2), the ESPA-Montréal representative must, prior to any communication of personal information, inform info@espamontreal.ca so that it can be recorded in the communication register.
6.1.3 To a representative of ESPA-Montréal, other than a member of staff
ESPA-Montréal may transfer the personal information it collects to representatives of ESPA-Montréal, other than members of its staff, who support it. In such cases, the contract or mandate is always in writing. The contract or mandate stipulates that these representatives are required to keep personal information confidential, to use it only for the purposes for which ESPA-Montréal discloses it, and to handle personal information in accordance with the standards set out in the Policy and in compliance with the law.
6.1.4 To a person or organization in authority or in case of emergency
ESPA-Montréal may disclose personal information in the following cases and under the following strict conditions:
- To a person or organization that, under the law, is responsible for preventing, detecting or repressing crime or infringements of the law, if the information is necessary for the purposes of a prosecution for an offence under a law applicable in Québec;
- To a person to whom this communication must be made because of an emergency situation endangering the life, health or safety of the person concerned;
- To prevent an act of violence, including suicide, when there is reasonable cause to believe that there is a serious risk of death or serious injury to an identifiable person or group of persons, and the nature of the threat inspires a sense of urgency. The information may then be communicated to the person or persons exposed to this danger, to their representative or to any person likely to come to their aid.
- To any person or organization if the communication is necessary for the application of a law in Quebec, whether or not such communication is expressly provided for by law;
- To any person or organization if such communication is necessary for the application of a collective agreement, decree, order, directive or regulation establishing working conditions.
6.1.5 For study, research or statistical purposes
ESPA-Montréal may disclose certain personal information for study, research or statistical purposes.
6.2 Communication with the consent of the person concerned
ESPA-Montréal may communicate certain personal information it holds to an individual if it has validly obtained the consent of the person concerned.
7. RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
ESPA-Montréal retains Personal Information only as long as necessary to fulfill the purposes for which it was collected, unless authorized or required by applicable laws or regulations. As a general rule, once the purpose for which Personal Information was collected or used has been fulfilled, ESPA-Montréal destroys or anonymizes it for use in the public interest. Information concerning a natural person is anonymized when it is, at all times, reasonable to foresee in the circumstances that it will no longer allow that person to be identified directly or indirectly. It should be noted that the anonymization process must be irreversible. When ESPA-Montréal destroys documents containing personal information, it takes the necessary protective measures to ensure the confidentiality of such information. The method of destruction used is determined by the sensitivity of the information, the purpose for which it is to be used, its quantity, distribution and medium.
Personal information held by ESPA-Montréal must be processed and stored in Québec. In the event that a transfer of personal information outside Quebec is necessary in the performance of ESPA-Montréal’s duties, such transfer will only take place if it is assessed that the information would benefit from adequate protection, notably by considering the sensitivity of the information, the purpose for which it is to be used, the safeguards the information would benefit from and the legal regime applicable in the state or province where the information would be disclosed.
8. PROTECTION OF PERSONAL INFORMATION
ESPA-Montréal implements appropriate and reasonable physical, organizational, contractual and technological security measures to protect the personal information it holds against loss or theft, and against unauthorized access, disclosure, copying, use or modification. Personal information is accessible, without the consent of the person concerned, to any person who is entitled to receive it within ESPA-Montréal if this information is necessary for the performance of his or her duties. ESPA-Montréal takes measures to this effect.
9. REQUEST FOR ACCESS TO OR CORRECTION OF PERSONAL INFORMATION
9.1 Request for access to personal information
Any person who so requests has the right to access personal information about him or her held by ESPA-Montréal, subject to the exceptions provided for in the Access Act. The request must provide sufficient information to enable ESPA-Montréal to process it.
9.2 Rectification request
Any person who receives confirmation of the existence of personal information concerning him or her in a file may, if the information is inaccurate, incomplete or equivocal, or if its collection, communication or retention is not authorized by the Access Act, demand that the file be rectified. The request must provide sufficient information to enable ESPA-Montréal to process it.
10. CONFIDENTIALITY INCIDENT MANAGEMENT
10.1 Declaration
ESPA-Montréal staff members who are involved in or witness a confidentiality incident should report it in writing to info@espamontreal.ca as quickly as possible. Anyone else wishing to disclose a confidentiality incident at ESPA-Montréal may do so by writing to info@espamontreal.ca. The disclosure should be as precise as possible and should indicate the following, if known:
- The circumstances of the incident;
- The personal information involved;
- Persons concerned by personal information;
- The problem that caused the confidentiality incident (error, software weakness, etc.);
- Contact information for the person making the disclosure, in order to obtain further information. However, a disclosure can be made anonymously if the person fears reprisals.
10.2 Evaluation of the confidentiality incident
In order to assess the incident properly, anyone who can provide details of the incident can be interviewed. In order to assess the risk of harm being caused to an individual whose personal information is affected by a confidentiality incident, the following must be considered in particular:
- The sensitivity of the information concerned;
- The apprehended consequences of its use; and
- The likelihood that it will be used for harmful purposes.
When it is concluded that there is a risk of serious harm to the persons concerned by the confidentiality incident, the Commission d’accès à l’information must be notified with diligence, as must the persons concerned by the incident, except when this is likely to hinder an investigation by a person or body which, under the law, is responsible for preventing, detecting or repressing crime or breaches of the law.
10.3 Entry in the register of confidentiality incidents
The confidentiality incident register must be kept up to date.
11. PRIVACY COMPLAINT HANDLING PROCESS
11.1 Filing a Privacy Complaint
Any person who has reason to believe that ESPA-Montréal has failed to protect the confidentiality of the personal information it holds may file a complaint to request that the situation be corrected. To do so, send an e-mail to info@espamontreal.ca. This e-mail must indicate:
- The complainant’s first and last name;
- Phone number;
- The context of the complaint, including the date(s).
11.2 Complaint handling
Any complaint relating to the protection of personal information must be dealt with within thirty (30) days of receipt. If the complaint proves to be justified, ESPA-Montréal takes the necessary measures to correct the situation as soon as possible, in accordance with paragraph 10.3 of this Policy, and registers the incident.
12. PENALTIES FOR FAILURE TO COMPLY WITH THE RULES
Failure to comply with these rules may result in legal, administrative or disciplinary measures or sanctions. The nature, seriousness and repetitive nature of the acts complained of must be taken into account when determining a sanction in accordance with the applicable legislation.
13. DISTRIBUTION AND REVISION
ESPA-Montréal must ensure that this policy is disseminated, revised and updated.
14. ENTRY INTO FORCE
This policy takes effect on the day it is adopted or revised by the Executive Committee.