Policy Framework for the Governance of Personal Information

1. Preamble

In the course of its activities and mission, the Community Legal Centre of Montreal (hereinafter referred to as “CCJM” or “we”) processes personal information, in particular that of its clients, visitors to its website, and members of its staff, including employees, volunteers and job applicants. As such, it recognizes the importance of respecting privacy and protecting the personal information it holds, whether it is hosted on its premises or with a third party.

In order to fulfill its obligations in this regard, the CCJM has adopted this policy. It sets out the framework principles applicable to the protection of personal information held by the CCJM throughout its life cycle, as well as the roles and responsibilities of the parties involved in the protection of personal information and the exercise of the rights of the persons concerned.

The protection of personal information held by the CCJM is the responsibility of everyone who handles such information, including service providers, partners and consultants who collect personal information for the CCJM.

2. Purpose

This policy:

  • Sets out the CCJM’s governance principles with respect to personal information throughout its life cycle;
  • Provides a framework for the exercise of the rights of the persons concerned;
  • Sets out the process for handling complaints relating to the protection of personal information;
  • Defines the CCJM’s roles and responsibilities with regard to the protection of personal information.

3. Definitions

For the purposes of this policy, the following terms mean:

“CAI” refers to the Commission d’accès à l’information du Québec.

“Life cycle” refers to all the steps involved in the processing of personal information, i.e. its collection, use, communication, retention and destruction.

“Privacy Impact Assessment” or “PIA” refers to a preventive approach aimed at better protecting personal information and respecting the privacy of individuals. This study consists of considering all factors that could have positive or negative consequences on the privacy of the individuals concerned.

“Privacy incident” means any consultation, use or disclosure of personal information that is not authorized by law, or any loss or other breach of the protection of such information.

“Act” means the Act respecting the protection of personal information in the private sector (LPRPSP) and any other act that may apply to personal information processing activities.

“Data subject” means a natural person to whom personal information relates.

“Profiling” refers to the collection and use of personal information to assess certain characteristics of an individual, in particular for the purpose of analyzing the individual’s work performance, economic situation, health, personal preferences, interests or behaviour.

“Personal information” means any information relating to a natural person which enables that person to be identified directly – either by recourse to that information alone – or indirectly – either by combination with other information.

“Sensitive personal information” means any personal information that – by its nature, including medical, biometric or otherwise intimate, or by the manner in which it is used or disclosed – gives rise to a high reasonable expectation of privacy.

“Privacy Officer” or “PIP” means the person within the CCJM who is responsible for ensuring compliance with and implementation of the law concerning the protection of personal information. Within the CCJM, the PIP is Me Gilles Trudeau.

4. Scope

This policy applies to personal information held by the CCJM and to any person who processes personal information for the CCJM.

5. Treatment Of Personal Information

The protection of personal information is ensured throughout its life cycle in accordance with the following principles, unless otherwise provided by law:

5.1 Collection

5.1.1. The CCJM collects only the personal information required to carry out its activities. Before collecting personal information, it determines the purposes for which it is to be processed, which must be serious and legitimate.

5.1.2. Personal information is collected from the person concerned, unless the law permits collection from a third party.

5.1.3. At the time of collection, and thereafter upon request, the CCJM informs the persons concerned of, at a minimum:

  • The purposes for which the information is collected;
  • The means by which the information is collected;
  • The rights of access and rectification provided by law;
  • The right to withdraw consent to the communication or use of the information collected;
  • Where applicable, the name of the third party on whose behalf the information is collected;
  • When applicable, the name of the third parties or categories of third parties to whom it is necessary to communicate the information for the declared purposes;
  • When applicable, the possibility that the information may be communicated outside Quebec;
  • When applicable, the use of technology that includes functions enabling the identification or profiling of the individual;
  • The means available to activate the functions used to identify, locate or profile the individual.

5.1.4. The information listed in paragraph 5.1.3 is given in clear and simple terms, by means of a privacy policy or a “just-in-time” notice.

5.1.5. The person concerned who provides his or her personal information after having received the information in paragraph 5.1.3 is presumed to consent to its use and communication for the declared purposes.

5.1.6. At the request of a person concerned, the CCJM shall also inform him or her of the following:

  • The personal information collected from him or her;
  • The categories of persons who have access to this information within the CCJM;
  • How long the information will be kept;
  • Contact information for the CCJM’s PIP:
    • CCJM Corporate Secretary
      (Currently Me Gilles Trudeau)
      Montreal Community Legal Centre
      425, boul. West, Suite 600
      Montreal, Quebec H3A 3K5
      E-mail: gtrudeau@ccjm.qc.ca

5.1.7. Where consent is required by law, it must be manifest, free, informed and given for specific purposes. Consent is requested for each of these purposes, in clear and simple terms. Consent is valid only for the time necessary to achieve the purposes for which it was requested.

5.2. Use

5.2.1. The CCJM uses personal information only for the purposes for which it was collected. However, the CCJM may change these purposes with the prior consent of the person concerned.

5.2.2. The CCJM may also use personal information for secondary purposes without the consent of the person concerned, in any of the following cases:

  • When the use is compatible with the purposes for which the information was collected (compatible purposes do not include commercial or philanthropic prospecting);
  • When the use is clearly for the benefit of the person concerned;
  • When its use is necessary for the prevention and detection of fraud, or for the evaluation and improvement of protection and security measures;
  • When its use is necessary for the supply or delivery of a product or service requested by the data subject;
  • When its use is necessary for study, research or statistical purposes and the information is de-personalised.

5.3. Communication

5.3.1. Subject to the exceptions provided for by law, the CCJM may not disclose personal information without obtaining the consent of the person concerned. Consent must be given expressly when sensitive personal information is involved.

5.3.2. The CCJM may disclose personal information without consent to an agent or service provider under a mandate or service contract, including a technological tool hosted on a cloud platform. To this end, the CCJM must enter into a written agreement with the mandatary or service provider, which stipulates, at a minimum, the measures that the mandatary or service provider must take:

  • To protect the confidentiality of the personal information communicated;
  • To ensure that this information is only used in the performance of the mandate or contract;
  • To ensure that it is not retained after its expiry.

In addition, the agreement must specify the following:

  • The agent or supplier must promptly notify the PIP of any breach or attempted breach by any person of any of the obligations relating to the confidentiality of the information communicated;
  • The PIP of the CCJM reserves the right to carry out any verification relating to such confidentiality.

5.3.3. When personal information is communicated outside Quebec, the CCJM conducts a PIA in accordance with section 6 hereof.

5.4. Retention

5.4.1. The CCJM takes all reasonable measures to ensure that the personal information it holds is up-to-date, accurate and complete, in order to serve the purposes for which it is collected or used.

5.4.2. The CCJM retains personal information for as long as necessary to carry out its activities, subject to applicable retention periods.

5.5. Destruction and anonymization

5.5.1. Once the purposes for which the personal information was collected have been achieved, the information is destroyed or made anonymous, in accordance with the CCJM’s retention periods.

6. Privacy Impact Assessment

6.1. The CCJM conducts a PIA in the following contexts:

  • Before undertaking a project for the acquisition, development or redesign of an information system or the electronic delivery of services that involves personal information;
  • Before communicating personal information without the consent of the individuals concerned to a person or organization wishing to use this information for study, research or statistical purposes;
  • When we intend to communicate personal information outside Québec.

6.2. In conducting a PIA, the CCJM takes into account the sensitivity of the information to be processed, the purposes for which it is to be used, its quantity, distribution and medium, as well as the proportionality of the measures proposed to protect personal information.

6.3. In addition, when personal information is disclosed outside Québec, the CCJM ensures that it is adequately protected, in particular with respect to generally accepted principles of personal information protection.

6.4. The completion of a PIA serves to demonstrate that the CCJM has complied with all obligations regarding the protection of personal information and that all measures have been taken to effective.

7. Rights Of Persons Concerned

This section will come into force on September 23, 2024.

7.1. Subject to the provisions of the law, any data subject about whom the CCJM holds personal information has the following rights, among others:

  • The right to access personal information held by the CCJM and to obtain a copy thereof, whether in electronic or non-electronic format;
    • Unless this raises serious practical difficulties, computerized personal information collected from a data subject, and not created or inferred from personal information concerning him or her, is communicated to him or her, in a structured and commonly used technological format, at his or her request. This information is also communicated, upon request, to any person or organization authorized by law to collect such information.
  • The right to rectify any incomplete or inaccurate personal information held by the CCJM;
  • The right to request the deletion of outdated or unjustified information, or to make written comments to the CCJM’s PIP;
  • The right to ask the CCJM to cease disseminating information or to de-index any hyperlink attached to his or her name by technological means, when the dissemination of this information contravenes the law or a court order;
  • The right to ask the CCJM to cease disseminating information or to de-index or re-index any hyperlink attached to his or her name, when the following conditions are met:
    • The dissemination of this information causes serious prejudice to his or her right to respect for his or her reputation or private life;
    • This prejudice manifestly outweighs the public interest in knowing the information or the interest of any person in expressing themselves freely;
    • The requested cessation of dissemination, re-indexing or de-indexing does not exceed what is necessary to prevent the harm from being perpetuated, taking into account, in particular, whether the person concerned is a public figure or not, whether the information concerns a minor, whether the information is up-to-date and accurate, the sensitivity of the information, the context in which the information is disseminated, the time elapsed between the dissemination of the information and the request made to the CCJM;
  • The right to be informed, where applicable, that personal information is being used to make a decision based on automated processing.

7.2. Although the right of access may be exercised at any time, access to documents containing such information is subject to certain exceptions identified in the law.

7.2.1. The CCJM may refuse to disclose personal information about an individual where disclosure of the information could reasonably be expected to:

  • Prejudice an investigation conducted by its internal security service for the purpose of preventing, detecting or repressing crime or offences against the law or, on its behalf, by an external service having the same purpose or a security guard agency or investigation agency licensee issued in accordance with the Private Security Act;
  • Have an effect on legal proceedings in which any of these persons has an interest.

7.2.2. The CCJM shall refuse to disclose personal information:

  • To a person concerned where its disclosure would likely reveal personal information about a third party or the existence of such information and where such disclosure would be likely to seriously harm that third party, unless the third party consents to its disclosure or it is a case of emergency endangering the life, health or safety of the person concerned;
  • To the liquidator of the succession, the beneficiary of a life insurance policy or death benefit, the heir or successor of the person concerned by this information, unless such communication would jeopardize the interests and rights of the person requesting it as liquidator, beneficiary, heir or successor, all subject to the right of the spouse or relative of a deceased person mentioned above.

7.3. The request for access to personal information must be sufficiently precise to enable the PIP to identify said personal information. The right of access applies only to existing personal information.

7.4. CCJM employees who wish to have access to their employment documents may do so directly through Me Gilles Trudeau at: gtrudeau@ccjm.qc.ca

7.5. The PIP will respond to requests for access or rectification in writing, promptly and no later than 30 days from the date of receipt of the request.

7.6. Access to personal information contained in a file is free of charge. However, the CCJM may charge a reasonable fee for the transcription, reproduction or transmission of such information, after informing the applicant of the approximate amount payable, before proceeding with the transcription, reproduction or transmission of such information.

7.7. When the PIP grants a request for rectification or deletion, it notifies this rectification or deletion to any person who has received the information in the previous six months and, where applicable, to the person who holds the information. In addition, a copy of any personal information amended or added, or, as the case may be, an attestation of the personal information deleted, will be issued to the applicant free of charge.

7.8. If the CCJM fails to respond within 30 days of receipt of the request, it will be deemed to have refused to grant the request. That said, the PIP must give reasons for any refusal to grant a request and indicate the provision of the Act on which the refusal is based, the remedies available to the applicant under the Act and the time limit within which they may be exercised. He must also assist the applicant in understanding the refusal.

8. Handling Complaints

Any complaint concerning the CCJM’s privacy practices or its compliance with legal requirements concerning personal information is forwarded to the PIP, which responds within 30 days.

Privacy Officer

CCJM Corporate Secretary
(Currently Me Gilles Trudeau)
Montreal Community Legal Centre
425, boul. West, Suite 600
Montreal, Quebec H3A 3K5
E-mail: gtrudeau@ccjm.qc.ca

9. Safety

9.1. The CCJM implements reasonable security measures to ensure the confidentiality, integrity and availability of personal information that is collected, used, disclosed, retained or destroyed. These measures take into account the sensitivity of the personal information, the purpose for which it is collected, its quantity, location and medium.

9.2. The CCJM manages the access rights of its staff members so that only personnel who require access in the course of their duties have access to personal information.

10. Confidentiality Incidents

10.1. Any confidentiality incident involving personal information must be reported to the PIP. The CCJM will then take reasonable steps to reduce the risk of harm being caused and to prevent further incidents of a similar nature.

10.2. All confidentiality incidents, regardless of severity, are recorded in the Confidentiality Incident Register in accordance with the principles set out in the Confidentiality Incident Response Plan. Only the PIP is able to complete this register.

10.3. If the confidentiality incident presents a risk of serious harm to the persons concerned, the CCJM will promptly notify them and the CAI, after consulting a lawyer, in accordance with the principles set out in the Confidentiality Incident Response Plan.

11. Confidentiality Incident Log

11.1. In accordance with the law, the CCJM maintains a register of confidentiality incidents.

11.2. The PIP is responsible for maintaining the register, keeping it for the periods required by law (five years for Quebec) and updating it.

12. Roles And Responsibilities

12.1. The protection of personal information held by the CCJM relies on the commitment of all those who handle such information, and more specifically the following:

12.2. The PIP:

  • Ensures compliance with and implementation of the law;
  • Ensures the establishment and implementation of policies and practices governing the company’s governance of personal information and the protection of such information, in particular by approving such policies and practices;
  • Is consulted, for the purposes of a PIA, at the outset of any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information;
  • At any stage of a project referred to in the previous point, suggests measures to ensure the protection of personal information involved in the project, such as:
    • The appointment of a person responsible for implementing protection measures;
    • Personal information protection measures in all project documents;
    • A description of the responsibilities of project participants with regard to the protection of personal information;
    • Training activities on personal information protection for project participants.
  • Is responsible for maintaining the confidentiality incident register;
  • Participates in the assessment of the risk of serious harm associated with a confidentiality incident, particularly with regard to the sensitivity of the information involved, the anticipated consequences of its use, and the likelihood that the information will be used for malicious purposes;
  • Where applicable, records the communication of a confidentiality incident to a person or organization likely to reduce the risk of harm;
  • Where applicable, carries out verifications of confidentiality obligations in connection with the communication of personal information under mandates or service contracts entrusted to third parties in accordance with section 5.3.2 of this policy;
  • Receives written requests from persons concerned to exercise their rights, and ensures compliance with sections 7.5 to 7.8 of this policy.

12.3. Any person, including a supplier, who handles personal information held by the CCJM:

  • Acts with care and integrates the principles set out in this policy into their activities;
  • Accesses only the information necessary for the performance of his or her duties;
  • Integrates and retains information only in files intended for the performance of his or her duties;
  • Keeps these files in such a way that only authorized persons have access to them;
  • Protects access to personal information in his or her possession or to which he or she has access by means of a password;
  • Refrains from communicating personal information that comes to his or her knowledge in the performance of his or her duties, unless duly authorized to do so;
  • Refrains from retaining, at the end of his or her employment or contract, personal information obtained or collected in the course of his or her duties, and maintains his or her confidentiality obligations;
  • Destroys all personal information in accordance with CCJM retention periods;
  • Participates in privacy awareness and training activities designed for him or her;
  • Reports any breach, confidentiality incident or any other situation or irregularity that could in any way compromise the security, integrity or confidentiality of personal information in accordance with the procedure established by the CCJM.

13. Penalties

Any person who violates this policy is liable to disciplinary or contractual sanctions, including termination of employment or business relationship.

14. Updating

In order to keep pace with changes in applicable privacy legislation and CCJM practices, this policy may be updated from time to time.

15. Adoption Of The Policy

This policy was adopted by the CCJM Board of Directors on June 17, 2024.

Policy Effective Date: June 17, 2024.