POLICY ON THE PROTECTION OF PERSONAL INFORMATION
PURPOSE OF THE POLICY
This policy aims to provide guidelines for the Grey Sisters of Montreal (hereinafter referred to as “SGM”) to ensure the respect and protection of the privacy of personal information held, collected, used, and disclosed by them. In doing so, the SGM must comply with Law 25, the Law modernizing legislative provisions on the protection of personal information (hereinafter referred to as “the Law”). The policy also aims to hold the SGM’s managers and members accountable for access to documents and the protection of personal information.
As a responsible religious congregation, the SGM must protect the personal information it holds, collects, uses, or discloses. Personal information is considered to be any information concerning an individual that directly or indirectly allows for their identification. Improper use of this information could cause harm by compromising reputation and privacy. In this regard, the SGM is committed to taking and implementing all necessary security measures to ensure the protection and confidentiality of personal information.
The SGM oversees the collection, protection, and use of personal information, and is committed to taking the necessary measures with respect to individuals who do not comply with this policy.
PERSON RESPONSIBLE FOR ACCESS AND PROTECTION OF INFORMATION
The Director of Archives and Collections Service or their representative is responsible for access to and protection of personal information held by the SGM. They are also responsible for handling requests for rectification of personal information, ensuring the rights of the individuals concerned are respected.
All requests for access to personal information must be sent to them via email or mail. They will process these requests within the prescribed period of thirty (30) days and, if necessary, provide reasons for denying access based on relevant provisions of the Law.
MANAGEMENT OF PERSONAL INFORMATION
The SGM maintains various types of records, each with a valid purpose. No personal information is retained without a valid reason. Documents are in both analog (paper) and digital formats.
A register of personal information has been established to manage personal information located on computer servers as well as in staff offices. This register serves as a useful and practical tool that provides a complete picture of the types of personal information retained, their access, and the measures taken to protect them.
The Identification of the File section indicates the types of documents included in the file, the categories and types of personal information contained therein, as well as the purposes for which they are retained.
The File Management section specifies the type(s) of media on which these documents are recorded, their location, and their retention period.
The Access to the File section specifies who may consult them.
The Security Measures section documents the types of measures taken to protect access to documents containing personal information, whether in analog or digital form.
The register can be accessed on the server or as an attachment to this policy.
PROTECTION OF RECORDS
The Archives and Collections Service must ensure that records held by the SGM, both in paper and digital formats, are kept in a secure location with limited access.
Individuals authorized to access records containing personal information in administrative offices and on the computer server are designated by various department heads.
Access to personal information is granted only to authorized individuals and only when the information is necessary for the performance of their duties.
Concrete Measures Implemented
- Analog records (in paper format) are grouped to better control circulation and access.
- Filing cabinets are locked and kept in locked rooms.
- For digital records, access is configured only for individuals authorized by department heads.
COLLECTION OF PERSONAL INFORMATION
In accordance with the Law, the organization must explicitly inform individuals of the purposes for which their information is collected.
CONSULTATION AND DISCLOSURE OF PERSONAL INFORMATION
The register of personal information explains, in the Access to Files section, the terms of access for each type of file.
Unless the individual concerned consents or the Law requires it, personal information should only be disclosed for the purposes for which it was collected.
In accordance with the provisions of the Law, the individual concerned is entitled to request rectification of personal information. They can make corrections to this information if it is inaccurate.
The disclosure of personal information to “third parties” (external individuals) must be done with the consent of the individual concerned, except in the following cases:
- The employer’s lawyer, a judge, or the Attorney General
- A police officer investigating a presumed crime
- A physician in an emergency situation
- A person who, under the Law, can recover debts on behalf of others and requests it in the course of their duties (bailiff, person or organization in possession of a court order, etc.)
- Revenue departments, the Employment Insurance Commission, the CSST, as well as any organization that requires it in the course of its duties. In these cases, written justification for such a request, based on the Law, should be obtained.
- When an external person wishes to obtain references on an employee (or former employee) or confirmation regarding them, it is advisable to require this person to submit a copy of the authorization by email. In cases where you do not have the employee’s consent, it is recommended to confirm only the requested information.
Each request for access or rectification of information should be assessed on a case-by-case basis. Careful consideration of the contents of the file is necessary to ensure that the information contained is relevant and does not cause moral or material harm to others.
The person responsible for access and protection of personal information must maintain a record of communications for each access request. This record should include the name of the requesting person, their affiliated company or institution, the date of the request, the type of information requested and disclosed, if applicable, and the name of the person providing the information.
They must also maintain a record of privacy incidents. This record should include details such as the type of information involved, the circumstances of the event, the date the organization became aware of it, the number of people involved, the nature of the harm, and the measures taken by the organization to address the incident.
Penalties of up to $25,000,000 or 4% of the global revenue from the previous fiscal year may apply. Personal liability may be imposed on administrators or leaders of the organization who tolerate non-compliance.