GROUPE BAILLARGEON is committed to protecting all personal information collected and used in the management of its activities.
OBJECTIVES OF DATA COLLECTION
All individuals working with, for or on behalf of GROUPE BAILLARGEON are required to respect the confidentiality of personal information and the right to privacy of any individual, in accordance with the Privacy Act, when collecting, using, disclosing, retaining, or disposing of personal information in the course of their duties.
Personal information under the custody or control of GROUPE BAILLARGEON is only created, collected, retained, used, disclosed, and disposed of in a manner that complies with the Privacy Act. We respect the privacy rights of individuals whose personal information is in our possession, in accordance with these requirements.
Personal information is defined as any information or combination of information that relates to a physical person and allows that person to be identified. However, an individual’s name, business title, business address, business telephone number and business e-mail address are not personal information.
Personal information must be protected regardless of the medium in which it is conveyed or its form: written, graphics, audio, visual, computerized or other.
The organization obtains an individual’s written consent in the following situations:
- prior to collecting personal information, except where seeking consent would result in the collection of inaccurate information, defeat the purpose of collecting the information, or compromise the use of the information collected. For example, the organization will generally consult with the complainant to indirectly collect personal information for the purpose of conducting an investigation;
- before using or disclosing personal information for any purpose that does not respect the purposes for which the information was collected or prepared;
- prior to any disposal of personal information, unless such disposal is expressly authorized by law;
- if it intends to disclose a complaint received by the company or any privileged or confidential information obtained during an investigation or proceeding. In such cases, the written consent of all individuals whose rights or interests may reasonably be affected must be obtained.
Obtaining an individual’s consent to the collection of personal information does not replace or establish the authority to collect such information under the Privacy Act; rather, the organization must ensure that the personal information being collected is directly related to and necessary for the organization’s regulatory activities.
COLLECTION OF PERSONAL INFORMATION
Personal information may only be collected or created (e.g., assigning a license number or imposing restrictions on a license constitutes the creation of personal information) under the following conditions:
- personal information is directly related to a regulatory activity of the organization;
- collection of this personal information is necessary to enable the organization to meet its legal or regulatory objectives.
To determine whether personal information is directly related to a regulatory activity, it is necessary to consult the policies that require or authorize the collection of personal information. The organization’s policies provide guidance and advice on the need to collect personal information enabling the organization to achieve its objectives. Before collecting or creating new personal information, the organization must:
- determine what personal information will be collected;
- identify the purposes for collecting each type of personal information;
- collect only the personal information required to fulfill the identified purposes.
The organization collects or creates personal information intended for administrative use directly from the person concerned, except when:
- the individual authorizes the organization to collect personal information from another source;
- personal information is collected for the purpose that it may be disclosed to the organization;
- collecting personal information directly from the individual could result in the collection of inaccurate information; or
- collecting personal information directly from the individual could defeat the purpose or compromise the use for which the personal information is collected. For example, the organization will generally consult the author of a complaint to indirectly collect personal information for the purpose of investigating.
We limit the collection, use and disclosure of your personal information to the identified purposes. Your personal information may only be accessed by certain authorized personnel, and then only for the purposes for which they have been assigned.
DISCLOSURE OF PERSONAL INFORMATION
Personal information held by the organization will not be disclosed without the consent of the individual concerned or unless disclosure is authorized or required under the Privacy Act.
Any individual subject to this policy must:
- disclose only the minimum amount of personal information required to fulfill the identified purposes;
- consult the person in charge of privacy protection before disclosing any personal information other than that which is required in the course of his or her duties.
We retain your personal information for the duration necessary to fulfill the purposes for which it was collected. We must destroy this information in accordance with the law and our record retention policy. When we destroy your personal information, we take the necessary steps to ensure its confidentiality and that no unauthorized person has access to it during the destruction process.
The organization takes reasonable steps to ensure that personal information is as accurate, complete and up-to-date as is necessary for the purposes intended, and to minimize the possibility that inaccurate or incomplete information will be used to make a decision that directly affects an individual.
The organization has documented procedures allowing individuals to request a correction of their personal information when they believe an error or omission has occurred.
We do not systematically update personal information unless necessary to fulfill the purposes for which it was collected. The degree of accuracy, currency and completeness of personal information will depend on the data you enter when consenting to its collection.
We are responsible for personal information in our possession or custody, including information we entrust to third parties for processing. We require these third parties to maintain this information in compliance with strict confidentiality and security standards.
Our Privacy Officer oversees this data privacy protection policy as well as related processes and procedures to protect your personal information.
Our personnel are informed and properly trained on our privacy policies and practices.
The organization is required to protect personal information in its custody or control from risks such as unauthorized access, collection, use, disclosure or disposal, by taking reasonable security measures. These include a combination of technical, administrative and physical security measures. The reasonable nature of security measures takes into account factors such as the sensitivity, quantity, distribution, format and storage method of the information to be protected.
We have implemented and continue to develop rigorous security measures to ensure that your personal information remains strictly confidential and is protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
These security measures include organizational measures (such as restricting access to what is necessary, backing up and archiving data on an external system, etc.) and technological measures such as the use of passwords and encryption (for example, frequent password changes and the use of firewalls).
ACCESS TO PERSONAL INFORMATION
The organization requires that access to personal information be role-based and limited to the minimum amount of information necessary for authorized purposes.
The organization monitors access to and use of personal information, by means such as auditing, in order to promptly detect cases of inappropriate or unauthorized access or processing of personal information.
The organization requires service providers to respect the organization’s legal obligations regarding the processing and protection of personal information, and service providers are required to comply with this data privacy protection policy.
REQUEST FOR ACCESS TO INFORMATION AND MODIFICATIONS
Subject to the exceptions stipulated in the Privacy Act, any individual may access, examine or receive a copy of his or her personal information held by the organization by submitting a written request to that effect to the organization’s Privacy Officer.
We will provide you with such information within a reasonable time after receipt of your written request. A reasonable fee may also be charged for processing your request.
Under certain circumstances, we may refuse to provide you with the information you have requested. Exceptions to your right of access include the fact that the information requested concerns other individuals, that the information cannot be disclosed for legal, security or copyright reasons, that the information was obtained as part of a fraud investigation, that the information can only be obtained at prohibitive cost, or that the information is the subject of litigation or is privileged.
When we hold medical records about you, we may refuse to disclose them directly to you and ask that they be forwarded to a health care worker designated by you.
You may verify the accuracy and sufficiency of your personal information and, if necessary, request that it be amended. Any request for an amendment will be processed within a reasonable period of time.
Requests for access or modification of personal information may be sent to the address below:
Name: Sara-Michèle Baillargeon
Phone number: (418)-387-4533 Extension no.: 701
COMPLAINTS AND QUESTIONS
You may contact the Privacy Officer at the above address.
Any complaint concerning the protection of personal information should be sent to the Privacy Officer at the above address.
We will investigate all complaints. If a complaint is found to be justified, we will take appropriate action, including, if necessary, amending our policies and practices.
TRAINING AND AWARENESS
The company promotes better practices and greater respect for rights in terms of transparency and protection of personal information in several ways:
- It informs all the personnel on its team (consent form);
- It posts the name and contact information of the person responsible for PR;
- It mobilizes various means of awareness, including information sessions on the protection of personal information, reminders at team meetings, training for employees, an action plan for the protection of personal information, a logbook, and so on.
This policy must be reviewed every three years. It should also be updated whenever there is a substantial change in legislation or regulatory requirements.