Privacy policy

Document written by Thibaut Magnette, reworked with the Action Femmes et handicap team.
Final version proposed by Marie-Hélène Tanguay, seconded by Patricia Landry and adopted by the Board of Directors on 2024-09-16.

1. Preamble

Action Femmes et handicap is a community organization offering support, training and accompaniment services to its members. It processes its members’ personal information primarily for identification and statistical purposes, but may also process sensitive information as part of its complaints support, even without directly possessing this information: members are responsible for making their own complaints. It is very rare for the organization to have a copy of this information in its possession.

This policy sets out the principles and rules of conduct concerning the collection, protection and access to personal information of the Corporation’s members and staff. With respect to the protection of personal information, the Corporation undertakes to comply with the Act respecting the protection of personal information in the private sector. With respect to access to its books and records, the Corporation undertakes to comply with the relevant provisions of the “Companies Act”.

2. Definitions

Unless otherwise specified or the context otherwise requires, in this document, the term:

  • “Coordination”: refers to the person occupying the position of coordinator of the Corporation;
  • “Corporation”: refers to the organization Action Femmes et handicap;
  • “Cookie”: refers to the text file storing small amounts of information that is uploaded to the computer or wireless device by websites visited by a user;
  • “Law”: refers to the legal framework in force in Quebec, including the Act respecting the protection of personal information in the private sector;
  • “Member of the Corporation”: refers to all categories of members of the Corporation;
  • “Staff member”: refers to any external employee or contractor of the Corporation;
  • “Director”: refers to a member of the Corporation who holds the position of director;
  • “Third party”: refers to a relative or a professional authorized by a member or a partner.

3. Objectives

The objectives of this policy are to:

  • Promote the application of the Act and its interpretation;
  • Ensure the confidentiality of the Corporation’s files and information;
  • Ensure the confidentiality of personal information;
  • Lay down a framework for the management of personal data collected by the Corporation;
  • Establish a relationship of trust between the public, members, staff and partners.

4. Scope of Application and Limitation of Liability

This policy applies to all personal information collected by the Corporation, its employees and directors within the framework established by this policy and the Act.

5. Type of information collected

The following section explains the types of data that may be collected by the Corporation in the course of its activities.

Public data

In the case of a person working for a company or public body, his or her professional information is generally considered public: full name, title, position, professional contact details, and even salary in the case of government bodies. All this information is accessible to the public, generally via government websites. Depending on the type of job, however, this data could be categorized as sensitive. Information on the Corporation’s Facebook page must be treated with the utmost caution. Indeed, jurisprudence, particularly in employment law, often considers information present on Facebook or collected on Facebook in certain circumstances to be public.

Confidential data

This refers to all information that can be used to identify an individual, such as full contact details, means of communication (e-mail addresses, telephone numbers, etc.), personal information (date of birth, physical characteristics, etc.), financial information (bank details, secret codes, etc.) and relevant legal information (tracking of complaints files, for example).

Sensitive data

Generally speaking, this refers to any information whose exposure represents a high degree of invasion of privacy. This includes all personal data concerning a person’s health, habits, interests, sexual orientation, ideals or other confidential information. Financial information not tied to a specific institution also falls into this category: assets, property, debts, in other words the general financial situation. On its own, this data does not make it possible to trace a person; it is used to draw up a profile for the Corporation’s statistical purposes. In the event of loss or theft of this data together with confidential data, however, it could be used to the detriment of the person concerned.

6. Privacy Impact Assessment

Following the assessment of the personal information collected by the Corporation and necessary for its proper operation, in keeping with its mission, all the items listed in this section may be required by the Corporation at one time or another. They are presented here according to the person from whom they may be requested at some point in his or her interactions with the Corporation. For details, please refer to the attached table.

Staff information

Full name, telephone number, e-mail address, complete address, banking information, date of birth, medical information, self-help needs, employment history, level of education.

Member information

First and last name, telephone number, e-mail address, age, family situation, type of disability, assisted living needs.

Administrator information (additional to member information)

Date of birth, government identification number (health insurance number, driver’s license, passport, etc.).

7. Authorization and means of collection

This section presents all the means used by the Corporation to obtain the information presented in the previous section.

Authorization

The individual’s authorization to proceed with the collection of his or her personal information is given in the following situations:

  • When registering as a member, the individual must give consent, preferably in writing, to the collection of information relevant to the provision of services by the Corporation, as well as to the subsequent modification of this information and the addition of new information during the provision of services;
  • When receiving a communication from an individual to the Corporation, authorization to retain the information given at that time is automatic;
  • When using and sending forms via the Corporation’s website or social media, if the platform used allows it, authorization to send information must be requested from the user before it can be sent;
  • When using the Corporation’s website, a notice concerning the collection of cookies must be validated.

Website

One of the Corporation’s gateways is its website: it presents the organization, but also allows citizens to register via the online form. For a complete list of forms used on the website, please refer to the “Web forms” appendix.

Facebook page, social media and chat applications

The Facebook page is the main tool for mobilizing and communicating with members and partners: Messenger messaging and its independent application are included in the “Facebook” designation. However, little personal information passes through this application, apart from that which may be transmitted by users of the platform. All the guidelines set out in this policy also apply to other platforms and media that the Corporation may use, with the necessary adaptations depending on the situation.

All types of information may be collected via the social media targeted here. Any information exchanged through a chat application is considered privileged information, addressed only to the users taking part in the discussion: this information is sorted by the Corporation according to the grids and procedures mentioned in this policy. The level of attention and security afforded to Messenger or any other chat application should be at least equivalent to that of e-mail or person-to-person exchanges.

It should be noted that although a chat application such as Messenger is “end-to-end encrypted”, which protects the content of the communication in transit, there is always a risk that the user to whom the Corporation is speaking may be someone other than the person he or she claims to be. The Corporation therefore reserves the right not to disclose confidential or sensitive information via these sites and applications, and prefers to communicate in person, by telephone or by video call.

E-mail

This refers to all e-mails received or sent by the Corporation. Any e-mail from a Corporation business address must contain a statement indicating the privileged and confidential nature of the communication. Any type of information may be collected by e-mail, but it is up to the professional judgment of staff and Board members to transmit the right information to the right recipients in the right circumstances. If circumstances permit, all staff and Board members of the Corporation should ideally be able to use a professional e-mail address in the course of their duties.

Telephone and person-to-person

Information transmitted by telephone is not automatically recorded by the Corporation. Only the information needed to identify the person is automatically recorded. The rest of the information varies according to the situation and is therefore kept in accordance with the guidelines of this policy. The Corporation encourages its personnel to give preference to notes on a secure digital medium, but leaves the use of paper to their discretion and judgment; in the latter case, the paper medium must be securable in the employee’s absence through the means made available by the Corporation.

8. Archiving rules

In the absence of a policy or procedure dedicated to the retention and archiving of information collected by the Corporation, the present rules apply to all types of information, whether personal or otherwise, with the adaptations required according to the circumstances.

8.1 General Guidelines

  • The Corporation must act with rigor and diligence, taking the most appropriate measures according to its capabilities to ensure the security and protection of all the information it possesses or is in the process of obtaining;
  • Access to any document of the Corporation, including personal information, must be restricted and secured;
  • All records must be classified in a way that allows for easy retrieval of information exchanges with the relevant individuals;
  • All records should be archived electronically, except in cases prescribed by law;
  • The term “Archives” must be clearly identified on the targeted file;
  • A copy of the data for daily use should be kept separate from a second copy for conservation, in case of alteration or loss of the main copy;
  • The Corporation should not retain confidential or sensitive information beyond ten (10) years after a file becomes inactive, or according to the rules prescribed by law.

8.2 Duration of Archiving

  • Any information not relevant to the functioning of the Corporation or the follow-up of a member’s file should be destroyed within thirty (30) days following collection;
  • Any information that has not been used or consulted for more than five (5) years should be archived;
  • Any information archived for more than five (5) years should be anonymized;
  • Any anonymized information that the Corporation has not accessed or used for more than five (5) years should be destroyed, except in cases provided for by law, in the case of promotional tools or information, or in any other situation where written authorization from the concerned person can be produced to prove consent;
  • Minutes, statistics, audited financial statements, and documents serving as the Corporation’s history must be compiled in designated books and archived electronically for permanent conservation as long as the Corporation exists.

9. Security of Information

9.1 Electronic Media

This category includes all common existing electronic media, such as:

  • Local Computer: Any professional or personal computer of the employees and administrators of the Corporation configured for use in the collection of any type of data identified in this policy.
  • Physical Server: Private server of the Corporation, accessible on a closed network, either locally via the network on the Corporation’s premises or remotely through a VPN or any other secure connection software.
  • Cloud Server: Private server, purchased or rented by the Corporation, accessible outside the closed network from computers, tablets, or cell phones.
  • USB drive and external hard drive (HDD/SSD): Any physical electronic storage medium that must be connected to a data reader to be usable.

All these media must at least be protected by a sufficiently strong password reserved for the Corporation’s personnel or its administrators, with access restricted according to respective positions and mandates. Any access over an open network (at home, on a public or free network) should also require two (2) step verification, such as validation by e-mail, phone number, text message, or a dedicated authentication application.

9.2 Physical Media

This category includes all physical media other than USB drives and external hard drives: paper documents and promotional items, among others, that identify a person. To save space, manage risk, and prevent physical deterioration, the digitization of physical documents should be automatic, even when the document must also be physically retained.

Physical archives should be kept in secured filing cabinets (physical key or code), preferably in a room whose access can be restricted to the coordination or presidency of the Corporation, if possible at the Corporation’s headquarters, and whose access must also be secured.

9.3 Passwords and Login Identifiers

If circumstances allow, all identification and login information used by the Corporation should ideally be listed and saved in a central access management file or software. Only the coordination, presidency, and IT support resources should have access to it.

10. Insurance and Compensation

In the event of a loss or theft of personal data, the Corporation commits to compensating, within the limits of its capabilities, the person whose information has been lost or stolen. Such a victim will not be compensated automatically, but the board of directors must ensure that all reasonable measures are taken to indemnify and protect its members, employees, and the reputation of the Corporation, as well as any person who has voluntarily provided their personal information to the Corporation, within reasonable timeframes following the incident.

11. Designated Responsible Person

The person responsible for the protection of personal information is designated annually by a resolution of the board of directors within two (2) months of the end of the Corporation’s financial year. At the end of their term, this person must present an activity report to the board of directors for the past year. If the designated person is reappointed annually, no changes should be made to this section.

11.1 Functions of the Responsible Person

The responsible person for the protection of personal information assumes various important functions within the Corporation.

  • Respond to access and rectification requests.
  • Maintain a record of uses and communications of personal information without consent.
  • Participate in assessing the harm caused by a confidentiality incident.
  • Receive and process notices of breaches of confidentiality obligations by agents.
  • Respond to requests from individuals regarding the right to portability.

The currently designated person is: Laurence Perreault-Rousseau

12. Access and Modification of Information

Access to the data collected by the Corporation is reserved for the coordination and personnel according to the level of access related to their position. The presidency of the Corporation obtains these accesses automatically, but only temporarily, when the coordination is not authorized to exercise them at the required time. Applications allowing modifications to the concerned person’s file should make it possible to trace the user who made the changes.

A request for access or change (modification, removal) of a person’s information for their own file must be made in writing to the person responsible for the protection of personal data for the Corporation. This written request must justify the reason for the request, provide the full details of the requested change, and its duration if applicable. This procedure is the same for any change in the consent to transmit information previously given.

A person who cannot benefit from this right due to a disability (e.g., visual impairment, intellectual disability, or other) must undertake this procedure through a person authorized to do so and provide proof of this mandate.

A copy of the information held by the Corporation must then be provided to the concerned person, or their representative, within thirty (30) days, unless a refusal is justified and supported by the legal provisions justifying it.

The Corporation does not need to systematically request the consent of the person to update the information concerning them when they communicate it to the Corporation.

13. Sharing and Collecting Information from Third Parties

Every member of the Corporation must sign, upon admission, the appendix “Sharing Information with a Third Party” which outlines what information can be communicated and to which third party. Any other sharing of information that is not identified in this appendix must be approved by the member, in writing, or in certain exceptional cases, noted in a signed note by the employee receiving it; a digital identifier allowing the identification of the employee is also acceptable.

All staff members of the Corporation must give their written consent for the Corporation to request personal information concerning them from a third party (e.g., from health network personnel or a government entity).

The Corporation will not share with anyone and will not request personal information from any third party without the consent of the individual concerned unless a situation prescribed by law requires it, the safety of the individual is at stake, a situation of fraud is detected, or if the accuracy of the information must be verified. In such cases, the Corporation will share the required information with the designated contact as prescribed by law (for example: 911, police service, etc.).

14. Incident Management

A confidentiality incident refers to any unauthorized access, use, or communication of personal information under the law, as well as its loss or any other breach of its protection.

When a person detects a confidentiality incident, they must report it to the person responsible for the protection of personal information. To do so, they must fill out the reporting form and send it to the designated responsible person; they may also fill out the form directly with this same person if needed (for example: disability or other).

The reporting form must contain at least the following information:

  • The most precise time possible when the incident occurred;
  • A brief description of the circumstances of the incident;
  • A precise description of the personal information affected by the incident or the reasons why such a description cannot be provided;
  • The number of people concerned by the incident;
  • The date the report is submitted to the Corporation.

The person responsible for the protection of personal information must then retain this report, enter it into a register designed for this purpose, for a period of five (5) years, and follow up and update as required.

The register must only indicate:

  • The full name of the person who made the report;
  • The date it was received;
  • The status of the report processing:
    • Not started;
    • In progress;
    • Completed;
    • Or invalid.

The person responsible for the protection of personal information must first verify that the report is admissible: the information received must be complete, and the incident must have occurred within the framework established by this policy. If the report is found to be inadmissible, the person responsible for the protection of personal information must inform the reporting individual, explaining the reasons for the refusal. If the incident is admissible, they then identify reasonable measures to reduce the risk of harm and prevent further incidents of this kind. They must also determine whether the incident presents a “serious risk of harm.” If the incident presents a serious risk of harm, they must notify the Commission d’accès à l’information, the individuals concerned by the incident, as well as the board of directors of the Corporation using appropriate means.

15. Complaint Management

Anyone wishing to file a complaint regarding the protection of their personal information must do so in writing, addressing it to the designated responsible person. If a disability prevents this, the person must authorize another individual to do so on their behalf.

The individual must provide their name, contact details including a phone number, as well as the subject and reasons for their complaint, giving enough details for the Corporation to evaluate the complaint. If the complaint is not sufficiently precise, the designated responsible person may request any additional information they deem necessary to assess the complaint.

All complaints are treated confidentially.

Within thirty (30) days of receiving the complaint or following the receipt of all additional information deemed necessary and required by the designated responsible person to process it, they must evaluate it and formulate a written response. If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons justifying the extension of the deadline, the status of the processing of their complaint, and the reasonable timeframe needed to receive a final response.

The evaluation aims to determine whether the processing of personal information complies with this policy, any other policy and practice in place within the Corporation, and applicable legislation or regulation.

The designated responsible person must record the complaint in a register and keep each complaint file separately.

The register must only indicate:

  • The full name of the person who made the complaint;
  • The date the complaint was received;
  • The status of the complaint processing:
    • Not started;
    • In progress;
    • Completed;
    • Or invalid.

It is also possible to file a complaint with the Commission d’accès à l’information du Québec or any other oversight body responsible for enforcing the law related to the subject of the complaint.

16. Procedure for De-indexing and Deleting Personal Information

Each organization must comply with the requirements of Law 25. This procedure is a first step and may require the assistance of a lawyer. Regular updates will be necessary to ensure the Corporation remains compliant with the law.

16.1 Objective

This procedure helps manage requests for deletion and de-indexing of personal information from members, staff, and partners of the Corporation.

16.2 Scope

It applies to all information stored on our online platforms (website, applications, databases).

16.3 Definitions

  • Deletion of personal information: complete erasure of data, rendering it unrecoverable.
  • De-indexing of personal information: removal of information from search engines, making it less visible.

16.4 Procedure

16.4.1 Receiving Requests
Requests must be received by the responsible team via an online form, a dedicated email, or by phone.

16.4.2 Identity Verification
Before processing the request, the identity of the requester must be verified. If identity cannot be verified, the request may be denied.

16.4.3 Evaluating Requests
The responsible team examines requests to determine if they are admissible, respecting confidentiality and deadlines.

16.4.4 Reasons for Refusal
The team may refuse to delete or de-index personal information for:

  • Continuing to provide services to members and partners of the Corporation;
  • Meeting labor law requirements;
  • Legal reasons in case of litigation.

16.4.5 De-indexing or Deleting Personal Information
The responsible team takes necessary measures to de-index or delete personal information from admissible requests.

16.4.6 Follow-up Communication
The team informs requesters of the status of their request, sending acknowledgments of receipt and regular updates.

16.4.7 Follow-up and Documentation
All requests and actions taken must be recorded in a dedicated tracking system, with details of the requests, actions taken, dates, and outcomes.

17. Final Provisions

17.1 Accessibility

This document aims to be as universally accessible as possible, and any suggestions for improvement in this regard can be reported directly to the Corporation’s coordination.

17.2 Entry into Force

This document takes effect automatically upon its adoption by the board of directors.

17.3 Update

To remain abreast of best practices in personal information protection, it has been agreed that the organization will review this document at least every three (3) years from the date of entry into force.

17.4 References

P-39.1 – Act respecting the protection of personal information in the private sector.

C-38 – Companies Act.

Stefan Timotijevic, cybersecurity specialist and facilitator in the MaLoi25 program, AKBKO.