1. Purpose of the Policy
1.1 The protection of personal information is paramount to Vet et Nous (hereinafter, the “Company”). This Policy on the management of personal information (hereinafter, the “Policy”) sets out the governance framework for the management of personal information.
1.2 It outlines the rules that guide the Company’s practices in managing the personal information it holds. It also defines the roles and responsibilities of Vet et Nous employees with regard to personal information throughout its life cycle, from its collection to its destruction.
2. Scope
2.1 The Policy applies to all Vet et Nous personnel, including students, interns, and temporary employees.
2.2 It covers all personal information held by the Company, including information stored by a third party, regardless of the medium on which it is stored, from the time it is collected until it is destroyed. Any information that relates to a natural person and allows that person to be identified, directly or indirectly, constitutes personal information.
2.3 It also applies to any person to whom the Commission entrusts personal information as part of the fulfillment of a mandate or service contract.
3. Legislative, Regulatory and Administrative Framework
3.1 The present policy is supported by the following documents:
- Act to modernize legislative provisions as regards the protection of personal information (Law 25)
- Act to establish a legal framework for information technology (chapter C-1.1)
- Archives Act (chapter A-21.1)
4. Guiding Principles
In conducting its business, the Company collects and processes personal information. The Company is subject to the Access Act and must protect the personal information it holds. To this end, the Company is committed to taking appropriate measures to ensure the protection of personal information. Its personal information protection practices are based on the following principles:
4.2 Responsibility
The Company is responsible for the personal information it holds. To that end, it:
- Implements appropriate policies and practices to fulfill its privacy obligations and to demonstrate compliance.
- Evaluates the privacy impacts of a proposed acquisition, development or redesign project for an information system or electronic service delivery involving personal information, from the earliest conceptual stages.
- Regularly raises awareness among its personnel and provides them with information protection training. These activities take a variety of formats, depending on the situation and the desired outcomes: onboarding training for new employees, refresher training and a range of awareness-raising activities in the form of presentations, webinars, information spots, newsletters, workshops, team meetings, etc.
- Implements a procedure for addressing complaints related to the management of personal information kept by the company.
4.3 Necessity
The Company only collects personal information that is necessary for the performance of its duties or the execution of programs under its responsibility. Company employees only have access to the personal information they need to perform their duties.
4.4 Consent
Whenever required by the Access Act, Vet et Nous ensures that it obtains valid consent from the person whose personal information it concerns, for example, to use it for a different purpose than the one for which it was collected or to disclose it to third parties. Valid consent is clear, free, informed and provided for specific purposes. It is requested for each of these purposes in simple, clear terms, thus allowing the person to understand the scope of what is being asked of them. In the case of sensitive information, consent must be given expressly.
4.5 Confidentiality
Vet et Nous ensures that the personal information it collects remains confidential. It takes the necessary security measures to protect personal information, from its collection to its destruction. These measures take into account the sensitivity, purpose, amount, distribution, and medium of the personal information. Vet et Nous implements the necessary measures to limit the use and disclosure of such information.
4.6 Accuracy
Vet et Nous ensures that the personal information it holds is up-to-date, accurate, and complete for the purposes for which it is collected.
4.7 Right of Access and Rectification
Any individual may ask to review or obtain a copy of their personal information held by the Company, and have it corrected to the extent provided by the Access Act.
4.8 Destruction
Vet et Nous ensures that the personal information it holds is destroyed once the purposes have been fulfilled, subject to the deadlines set out in its retention schedule.
4.9 Transparency
Vet et Nous is committed to transparency in the management of the personal information it holds. When personal information is collected, the person concerned is informed of the purpose of the collection, how it will be used, and a number of other elements required by law. In the event of collection by technological methods, this information is included in the privacy policies published on our website. Vet et Nous also publishes its personal information governance rules.
4.10 Personal Information Processing
Personal information is protected throughout its life cycle. Personal information held by the Company is confidential and subject to the protection rules set out in the Access Act. However, the Act specifies certain situations in which this information is not confidential. Vet et Nous may share your information in these specific situations.
4.11 Collection of Personal Information
Vet et Nous employees only collect personal information that is necessary for the performance of their duties, including the provision of services and the hiring and management of employees.
4.12 Human Resources Management
4.12.1 For the purposes of hiring personnel, the Company’s human resources staff collects only the personal information required to complete the evaluation of applicants. This generally consists of information provided by candidates.
4.12.2 Human resources employees collect the information required to manage Vet et Nous’ employee files, specifically:
- Information related to the employee’s position.
- Their contact information.
- Their attendance record.
- Events related to training and professional development, occupational health and safety, their performance and their compensation.
4.13 Retention of Personal Information
4.13.1 Company employees ensure the confidentiality of personal information in the performance of their duties. To this end, they:
- Adhere to Vet et Nous personal information protection policies, guidelines, and procedures.
- Abstain from revealing any personal information that has been obtained in the performance of their duties without being authorized to do so.
- Attend training and awareness activities organized by the Company.
- Access only the personal information required to perform their duties.
- Ensure that the personal information they handle is complete, up-to-date, and accurate for the purposes of collection and use intended by the Company.
- Abstain from keeping, on a physical (paper) or electronic medium other than those of the Company, any personal information obtained in the course of their duties, and continue to maintain its confidentiality.
4.13.2 In the event of doubt regarding the confidentiality of an item of information, or for any questions about the management of personal information, human resources employees contact their manager or the Personal Information Protection Officer.
4.14 Use of Personal Information
4.14.1 Vet et Nous employees only use personal information for the purposes for which it was collected. Any other use must be pre-approved by the manager or Access Officer. The latter ensures that the new intended use complies with the Act (authorized by law or requiring the consent of the person involved).
4.14.2 Vet et Nous employees who use personal information in the course of their duties are required to:
- Limit the use they make of the information to the performance of their duties.
- Ensure that confidentiality is maintained in all circumstances.
- Immediately inform their immediate superior and the Access Officer of any situation where the confidentiality of personal information may have been compromised.
4.15 Use of Personal Information for Survey Purposes
The use of personal information to conduct a survey must comply with the “Directive sur les sondages réalisées par la Commission d'accès à l'information”.
4.16 Disclosure of Personal Information
4.16.1 Vet et Nous employees are not permitted to disclose confidential personal information to a third party without the consent of the person involved. However, the law provides for certain exceptions:
- In case of an emergency or to prevent an act of violence.
- To carry out a mandate or service agreement with a third party.
- When an individual or organization submits a written request to use personal information for research, study, or statistical purposes.
- In the event of a privacy incident, to notify an individual or organization likely to reduce the risk of serious harm. The confidentiality incident management procedure is applicable.
4.16.2 Before disclosing any confidential personal information to a third party, Vet et Nous employees must consult their manager. The manager may consult the Access Officer if necessary.
4.16.3 Some of the information may be disclosed to third parties in accordance with service agreements between the Company and third parties.
4.17 Destruction of Personal Information
Vet et Nous employees securely destroy personal information once the purposes for which it was collected have been fulfilled, according to the retention schedule and document management rules.
4.18 Rights of the person involved in personal information
4.18.1 Access
Individuals involved in personal information kept by the Company have the right to be informed of the existence of such information and to have access to it, within the limits and under the conditions provided by the Act.
4.18.2 Portability
An individual may request access to their electronic personal information provided directly to Vet et Nous in a structured and commonly used technological format. This does not include personal information collected in paper form.
4.18.3 Rectification
Any individual whose personal information is inaccurate, incomplete or equivocal, or whose collection, communication or retention is not authorized by the Act, may request that the information be corrected, within the limits and under the conditions set out in the Act.
4.18.4 Access or Rectification Requests
Any request for access or rectification of personal information must be addressed to the Personal Information Protection and Access Officer:
Any request for access or rectification received by another department must be forwarded to the right recipient immediately upon receipt.
5. ROLES AND RESPONSIBILITIES
5.1 The President:
- Ensures that the provisions of the Access Act are respected and implemented within the Company.
- May delegate responsibility for access to documents and the protection of personal information in writing, to a member of the Company’s management team.
- Facilitates the Officer’s performance of duties with respect to the protection of personal information.
- Approves the present policy and its application.
- Supports the implementation and distribution of this policy.
5.2 The Personal Information Protection and Document Access Officer:
- Ensures compliance with and implementation of the provisions of the Access Act within the Company.
- Ensures compliance with this policy and with legal, regulatory, and administrative obligations relating to access to documents and the protection of personal information.
- Coordinates the Company’s activities in terms of access to documents and protection of personal information.
- Coordinates the work of the Company’s Access to Documents and Privacy Committee.
- Supports managers and assumes an advisory, support and coaching role with the organization’s personnel.
- Proposes the tools needed to implement this policy.
- Collaborates with the managers responsible for computer security and document management in implementing measures to ensure optimal protection of personal information.
- Processes complaints relating to the protection of personal information in accordance with the Access Act, and records them in the Personal information management complaints registry.
- Processes requests for access to documents and personal information, as well as requests for rectification, in accordance with the Access Act.
- Performs a privacy impact assessment of any project involving the acquisition, development or redesign of an information system or the electronic delivery of services that involves the collection, use, disclosure, retention or destruction of personal information, at the project’s inception.
- Conducts a privacy impact assessment for any disclosure of personal information outside Quebec and determines whether the disclosure is adequately protected.
5.3 Managers
Managers are the holders of personal information under their responsibility. As such, they are responsible for the management and protection of personal information held by personnel in their administrative unit. More specifically, they:
- Ensure compliance with this policy and related procedures or directives within their administrative unit.
- Ensure that personnel under their responsibility use secure methods to collect, use, retain, communicate, or destroy personal information.
- Collaborate with the Personal Information Protection and Document Access Officer and with the committee responsible for the Commission’s compliance with legislative, regulatory, and administrative obligations regarding the protection of personal information.
- Take appropriate action in the event of a breach of this policy or of the rules governing the protection of personal information by a member of staff under their responsibility.
- Raise awareness of the importance of protecting personal information among employees under their responsibility, in collaboration with the Personal Information Protection and Document Access Officer.
- Ensure that employees under their responsibility take part in Vet et Nous personal information protection training sessions.
- Ensure that the personal information retention periods set out in the Vet et Nous retention schedule comply with the applicable standards.
- Ensure that the means used to destroy personal information are secure and maintain its confidentiality.
- Ensure that personal information is accessible and retained in a manner that preserves its confidentiality and complies with legislative, regulatory, and administrative requirements.
- Ensure that personal information held by Vet et Nous is complete, up-to-date, and accurate for the purposes for which it is collected or used.
- Include contractual requirements for the protection and confidentiality of personal information when contracts involve the disclosure of such information. These clauses govern the collection, use, retention, communication, and destruction of personal information by suppliers and service providers.
- Ensure the security of information resources and information held or used in accordance with Vet et Nous policies and directives.
- Assist management in determining strategic orientations and intervention priorities with regard to information security.
5.4 Vet et Nous Employees
- Review the present policy and abide by its intent, provisions, and procedures.
- Take the necessary measures to ensure the protection of personal information to which they have access.
- Access only the personal information required to perform their duties.
- Use the personal information to which they have access for the purposes for which it was collected.
- Inform their manager and the Personal Information Protection Officer of any incident involving the protection of personal information held by Vet et Nous.
- Attend awareness-raising and training activities on the protection of personal information made available by Vet et Nous.
6. COMPLAINTS RELATED TO PERSONAL INFORMATION
6.1 Procedure for handling complaints related to the protection of personal information.
Complaint Handling Procedure. Clients may file a complaint regarding the handling of their personal information by Vet et Nous. Complaints must be submitted in writing to the Privacy Officer within 15 days of the event leading to the complaint, at the following address: . Complaints must include the following information:
- Name and contact information of the client filing the complaint
- A detailed description of the grounds for the complaint
The manager will acknowledge receipt of the complaint within 5 business days of its reception. An investigation will be made into the complaint's allegations, during which the manager may request any relevant information or documents from the complainant or the company. Within 30 days of receiving the complaint, the manager will notify the complainant of their findings. If no response is received within this period, the complaint will be deemed to have been dismissed.
6.1.1 Privacy and Consent. The handling of the complaint will be kept confidential. However, the manager may have to disclose the complainant's identity to employees involved in the complaint as part of the investigation. An anonymous complaint will be considered admissible but may interfere with a complete assessment of the situation.
6.1.2 Complaint Admissibility. A complaint will not be considered admissible in the following circumstances:
- Dissatisfaction with or request for review of a decision by the person in charge of document access
- Matter pertaining to a judicial or quasi-judicial decision
- Subject of ongoing legal proceedings
- Situations beyond Vet et Nous' control
- Hateful, threatening or harassing remarks
The purpose of this procedure is to ensure that complaints regarding the protection of clients' personal information are handled fairly and confidentially, in accordance with applicable laws.
6.2 Any person who considers that the Company is not respecting their rights with regard to the protection of personal information may promptly submit a complaint in writing to the Personal Information Protection and Document Access Officer.
6.3 The procedure for handling complaints about the protection of personal information specifies how to file a complaint and how it will be handled by Vet et Nous.
7. ADOPTION, REVIEW AND EFFECT
This policy is reviewed every three (3) years from the date of its adoption, or earlier if circumstances warrant. It comes into effect upon publication.
Last updated: June 13th, 2024