1. RESPONSIBILITIES

Summary:

• The Congregation is responsible for the information it collects, uses, or communicates, either directly or through agents or service providers.
• The Congregation implements governance policies and practices to ensure the protection of personal information, including its retention, destruction, and the handling of complaints.
• These policies, which are proportionate to the organization’s activities, are approved by the Information Protection Officer.
• The Information Protection Officer approves policies, supervises the destruction of personal information, and is consulted in the event of confidentiality incidents, if necessary.
• When undertaking new projects, the Congregation conducts a privacy impact assessment in collaboration with its Privacy Officer, taking into account the sensitivity and use of personal information.

Governance

: The Congregation establishes and implements policies and practices governing its governance of personal information and ensuring the protection of such information. These policies and practices include guidelines for the retention and destruction of such information, the roles and responsibilities of its staff throughout the life cycle of such information, and a process for handling complaints relating to the protection of such information. They are proportionate to the nature and scale of the Congregation’s activities and are approved by the individual who acts as the person in charge of the protection of personal information within the Congregation (the “Delegate“). Detailed information about these policies and practices is published in plain, clear language on the Congregation’s website.

Control

: This statement primarily concerns personal information under the control of the Congregation, which corresponds to the information that the Congregation decides to collect and for which the Congregation establishes the purposes for which it is collected, used, or communicated, whether the Congregation collects, uses, or communicates it itself or whether an agent or service provider does so on its behalf.

Roles

:

• The Congregation: The Congregation is responsible for the protection of the personal information it holds.
• Person with the highest authority: Within the Congregation, the person with the highest authority ensures compliance with and implementation of privacy laws applicable to the Congregation.
• Delegate: The role and function of person in charge of the protection of personal information held by the Congregation has been delegated in writing, in its entirety, to the main Controller of the Congregation, whose title and contact information are:
  

  Controller
  Email:	controleur@ofmca.com
  Address:	6455 Louis-Riel Ave. Montreal, Quebec H1M 1P1 Canada

  The responsibilities and duties of the Delegate include the following:

  • Approving policies and practices governing the management of personal information;
  • Consultation on privacy impact assessments for any project involving the acquisition, development, or redesign of an information system or electronic service delivery that involves the collection, use, communication, retention, or destruction of personal information;
  • Receiving and processing requests for access to or correction of personal information, cessation of dissemination of personal information, de-indexing of a hyperlink, and requests related to the right to portability of computerized personal information;
  • Supervision of the destruction of personal information held by the Congregation;
  • Managing requests for communication of personal information concerning a deceased person (if applicable);
  • Receiving and processing notices of breaches or attempted breaches of confidentiality obligations transmitted (if applicable) by the Congregation’s agents or service contract contractors;
  • Consultation on the assessment of risks of harm to individuals following a confidentiality incident (if applicable); and
  • Communicating with specialized supervisory authorities, such as the Commission d’accès à l’information (the “Commission”) and the Office of the Privacy Commissioner of Canada (the “OPC”) (if applicable).
• Congregation employee or agent: In the organizational functioning of the Congregation, personal information is accessible, without the consent of the individual concerned, to any Congregation employee or agent who has a legitimate need to know it, provided that such information is necessary for the performance of their duties.

Assessment in the event of change

: The Congregation conducts a privacy impact assessment of any project involving the acquisition, development, redesign of an information system, or electronic delivery of services that involves the collection, use, communication, retention, or destruction of personal information. For the purposes of this assessment, the Congregation consults its Delegate at the outset of the project. The privacy impact assessment is proportionate to the sensitivity of the information concerned, the purpose for which it is used, its quantity, distribution, and medium. The Congregation also ensures that this project allows computerized personal information collected from the individual concerned to be communicated to them in a structured and commonly used technological format. The Delegate may, at any stage of such a project, suggest measures to protect personal information applicable to that project, such as:

1. the appointment of a person responsible for implementing personal information protection measures;
2. measures to protect personal information in any document relating to the project;
3. a description of the responsibilities of project participants with regard to the protection of personal information;
4. the provision of training on the protection of personal information for project participants.

2. CONFIDENTIALITY

Summary:

• The Congregation publishes a clear and accessible confidentiality policy on its website.
• When collecting personal information through technological products or services, privacy settings are configured by default to provide the highest level of protection. Sensitive personal information is defined as information that requires increased protection due to its nature or context, giving rise to a high degree of reasonable expectation of privacy.
• The Congregation implements appropriate security measures to protect personal information based on its sensitivity and use. Individuals’ business contact information is not subject to the same privacy requirements.
• When using de-identified information, the organization limits the risks of identification. The Congregation maintains a record of confidentiality incidents and, in the event of an incident, takes measures to reduce the risks of harm.
• Incidents are assessed based on the sensitivity of the information and its potential consequences, and the organization informs the Commission d’accès à l’information, the Privacy Commissioner of Canada, and the individuals concerned, if necessary.

Confidentiality policy

: As an organization that collects personal information by technological means, the Congregation publishes a confidentiality policy on its website, written in clear and simple terms, and disseminates it by other means appropriate for reaching the individuals concerned. It does the same for any changes to this confidentiality policy. The Congregation’s confidentiality policy is incorporated by reference into this statement and is available at the following URL:

Privacy settings

: When collecting personal information by offering the public a technological product or service with privacy settings, the Congregation shall ensure that, by default, these settings provide the highest level of privacy, without any intervention by the individual concerned. As an exception, cookie settings are not covered.

Sensitivity of personal information

: In the policies and practices referred to in this statement, personal information is “sensitive” when, by its nature or in the context of its use or communication, it gives rise to a high degree of reasonable expectation of privacy.

Security measures

: The Congregation takes security measures to ensure the protection of personal information that is collected, used, communicated, retained, or destroyed, which are reasonable considering, among other things, the sensitivity of the information, the purpose for which it is used, the amount of information, its distribution, and its medium.

Business contact information

: The Congregation acts on the basis that applicable privacy laws allow for the exemption from their requirements regarding collection and confidentiality of information that allows contact—or facilitates contact—with an individual in the course of their employment, business, or profession, or that otherwise relates to the individual’s role within a business (such as their name, position, job title, work address, work phone or fax number, or work email address).

De-identified information

: When using de-identified information (i.e., information that no longer directly identifies the individual concerned), the Congregation takes reasonable measures to limit the risk of anyone identifying a natural person from that information.

Confidentiality incidents

• Incident response: When the Congregation has reason to believe that a confidentiality incident involving personal information in its possession has occurred, it takes reasonable steps to minimize the risk of harm and prevent further incidents of the same nature from occurring.
• Definition of incident: In the policies and practices referred to in this statement, “confidentiality incident” means:
  1. the use or communication of personal information not authorized by law, or access to personal information not authorized by law;
  2. the loss of personal information or any other breach of the protection of such information, including a “breach of security safeguards” referred to in section 10.1 of the Personal Information Protection and Electronic Documents Act (LC 2000, c 5) and its Breach of Security Safeguards Regulations (SOR/2018-64).
• Incident log: The Congregation keeps a log of confidentiality incidents, the content of which is determined by government regulations, in particular the Regulation respecting confidentiality incidents (CQLR c A-2.1, r 3.1). Upon request by the Commission, a copy of this log is sent to it.
• Incident assessment: When assessing the risk of harm to a person whose personal information is affected by a confidentiality incident, the Congregation considers, among other things, the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes. It also consults with its Delegate.
• Notification of the Commissioner in the event of an incident: If the incident presents a risk of serious or grave harm, the Congregation shall promptly notify the Commission d’accès à l’information and/or, where applicable, the Privacy Commissioner of Canada. This notification contains the information prescribed, as applicable, by the Privacy Breach Notification Regulations (at the provincial level) and/or the Security Breach Notification Regulations (at the federal level).
• Notice to the individual in the event of an incident: If the incident presents a risk of serious or grave harm, the Congregation also notifies any individual whose personal information is affected by the incident. (As an exception, an individual whose personal information is affected by the incident does not have to be notified if doing so would interfere with an investigation by a person or agency that is responsible under the law for preventing, detecting, or prosecuting crime or violations of the law.) The notice contains sufficient information to enable the individual to understand the significance of the incident to them and, if possible, to take steps to reduce the risk of harm that could result or to mitigate such harm. It also contains any other information prescribed by any regulation applicable to the situation.
• Notice to other persons or organizations: If the incident presents a risk of serious or grave harm, the Congregation may also notify any person or organization that could reduce that risk, communicating only the personal information necessary for that purpose without the consent of the individual concerned. In the latter case, the Delegate shall record the communication.

3. CONSENT

Summary:

• The fact that an individual provides personal information to the Congregation generally implies consent to its use and communication.
• Any consent given must be clear, free, informed, and for specific purposes, after having been requested for each of these purposes, in simple and clear terms, and valid only for the time necessary for these purposes.
• When consent is requested in writing, it is requested separately from other information, and assistance may be provided to understand its scope.
• The Congregation collects personal information primarily from the individual, unless the individual consents to the collection from third parties or unless permitted by law.
• Collection from a third party is also permitted if it is in the individual’s interest and cannot be done in a timely manner, or to verify the accuracy of the information.
• If an individual refuses to provide personal information, the Congregation may refuse a request for goods or services, or an employment application, if the collection of such information is necessary for a contract, authorized by law, or justified on the grounds that the request is unlawful.

Consent to use and communication for purposes

: By operation of law, an individual who provides personal information under the paragraph “Information at the time of collection or upon request” in section 4 of this statement consents to its use and communication for the purposes indicated at the time of collection by the Congregation.

Characteristics of consent

: Consent must be express, free, informed, and given for specific purposes. It is requested for each of these purposes, in simple and clear terms, and is valid only for the time necessary to fulfill the purposes for which it was requested. When the request for consent is made in writing, it is presented separately from any other information communicated to the individual concerned. When requested, assistance is provided to help the individual understand the scope of the consent requested.

Commercial electronic messages

: The Congregation refrains from sending a commercial electronic message to an email address, having it sent there, or allowing it to be sent there, unless the person to whom the message is sent has expressly or tacitly consented to receive it and the message complies with regulatory requirements regarding its form and includes (1) the regulatory information identifying the person who sent it and, where applicable, the person on whose behalf it was sent, (2) information enabling the person who received it to easily communicate with either of these persons, and (3) a description of an opt-out mechanism in accordance with the laws governing such mailings.

Collection from third parties

: When the Congregation collects personal information about others, it does so in principle from the individual concerned, unless that individual consents to the collection from third parties. However, the Congregation may, without the consent of the individual concerned, collect such information from a third party if permitted by law. It may do so if it has a serious and legitimate interest and if one of the following conditions is met:

1. the information is collected in the interest of the individual concerned and cannot be collected from that individual in a timely manner;
2. collection from a third party is necessary to ensure the accuracy of the information.

Refusal

: In any of the following circumstances, the Congregation may refuse to comply with a request for goods or services or a request relating to employment because the individual making the request refuses to provide personal information:

1. the collection is necessary for the conclusion or performance of the contract (bearing in mind that, in case of doubt, personal information is deemed unnecessary);
2. the collection is authorized by law;
3. there are reasonable grounds to believe that such a request is not lawful.

4. TRANSPARENCY

Summary:

• When collecting personal information, the Congregation informs individuals of the purposes and means of collection, as well as their rights of access, rectification, and withdrawal of consent.
• If the information is intended for a third party or transferred outside Quebec, individuals are also informed.
• The information is provided in simple and clear terms, and additional details may be provided upon request, including the retention period and the person responsible.
• When technology enabling identification, location, or profiling is used, the Congregation informs individuals in advance.
• In the case of automated decisions, the individuals concerned are informed and may request explanations or a review.

Information at the time of collection or upon request

: When the Congregation collects personal information from the individual concerned, at the time of collection and subsequently upon request, it informs them:

1. the purposes for which the information is being collected;
2. the means by which the information is collected;
3. the rights of access and rectification provided for by law;
4. the individual’s right to withdraw consent to the communication or use of the information collected.

Where applicable, the individual concerned shall be informed of the name of the third party for whom the information is being collected, the names of the third parties or categories of third parties to whom it is necessary to communicate the information for the purposes referred to in paragraph 1 of the preceding subsection, and the possibility that the information may be communicated outside Québec.

The information that the Congregation provides to the individual concerned at the time of collection is included in “just-in-time” notices or otherwise in the Congregation’s Confidentiality policy, which is discussed in the section entitled “Confidentiality policy.”

Upon request, the individual concerned is also informed of the personal information collected from him or her, the categories of persons who have access to this information within the Congregation, the length of time this information will be retained, and the contact details of the person responsible for the protection of personal information.

The information is provided to the individual concerned in plain and clear language, regardless of the means used to collect the personal information.

Identification, location, or profiling technologies

: When the Congregation collects personal information from individuals using technology that includes functions to identify, locate, or profile them, it informs them in advance:

1. of the use of such technology;
2. the means available to activate functions that identify, locate, or “profile” an individual, i.e., collecting and using personal information to evaluate certain characteristics of a natural person, including for the purposes of analyzing that person’s work performance, economic situation, health, personal preferences, interests, or behavior.

Information about sources

: If the Congregation collects personal information under its control from another person who operates a business or a public body, it will inform the individual concerned, at their request, of the source of that information. (This does not apply to an investigation file created for the purpose of preventing, detecting, or prosecuting a crime or offense.)

Decision by automated processing

: If the Congregation uses personal information to make a decision based solely on automated processing of that information, it will inform the individual concerned no later than when it informs them of the decision. The Congregation shall give the individual concerned an opportunity to present his or her observations to a member of the Congregation’s staff who is in a position to review the decision. At the request of the individual concerned, the Congregation shall also inform him or her:

1. the personal information used to make the decision;
2. the reasons, as well as the main factors and parameters, that led to the decision; and
3. their right to have the personal information used to make the decision corrected.

5. LIMITATIONS

Summary:

• The Congregation determines the purposes for which personal information is collected before collecting it, ensuring that only necessary information is collected and by lawful means.
• This personal information is used only for the predetermined purposes, unless additional consent is obtained for a new purpose or certain exceptions apply, such as a purpose that is compatible with a predetermined purpose, the prevention of fraud, or the provision of a requested service.
• The Congregation identifies itself to the individual concerned and informs them of their right to withdraw their consent for any use for commercial or philanthropic prospecting purposes.

Determination of purposes

: When the Congregation collects personal information about others for serious and legitimate reasons, it determines the purposes of such collection before the information is collected.

Limiting collection to specified purposes

: When collecting personal information about others, the Congregation collects only the information necessary for the purposes identified before collection. This information is collected by lawful means.

Limiting use, with or without consent

: Personal information is used within the Congregation, in principle, only for the purposes for which it was collected. Use for a new purpose generally requires consent, which must be expressly given in the case of sensitive personal information. However, applicable privacy laws generally allow personal information to be used for another purpose without the consent of the individual concerned in the following cases:

1. when its use is for purposes consistent with those for which it was collected;
2. when its use is clearly for the benefit of the individual concerned;
3. when its use is necessary for the purposes of preventing and detecting fraud or evaluating and improving protection and security measures;
4. when its use is necessary for the purpose of supplying or delivering a product or providing a service requested by the individual concerned;
5. when its use is necessary for the purposes of study, research, or the production of statistics, and it is depersonalized.

Use for compatible purposes

: For a purpose to be compatible within the meaning of point 1 in the previous paragraph, there must be a relevant and direct link to the purposes for which the information was collected. However, commercial or philanthropic prospecting is not considered a compatible purpose.

Commercial or philanthropic solicitation purposes

: In accordance with the laws governing the sending of commercial electronic messages and subject to exceptions, particularly with regard to business contact information in applicable privacy laws, if the Congregation uses personal information for commercial or philanthropic prospecting purposes, it identifies itself to the individual to whom it is addressing and informs them of their right to withdraw their consent to the use of their personal information for these purposes. When the individual concerned withdraws their consent to such use of their personal information, it ceases to be used in this manner.

6. RETENTION AND DESTRUCTION OR ANONYMIZATION

Summary:

• The Congregation retains personal information only for as long as necessary to fulfill the purposes for which it was collected or to comply with the law.
• The length of time varies depending on the type of data, generally ranging from 3 to 10 years, with a minimum retention period of one year after a decision concerning the individual.
• Once the retention period has expired, the information is securely destroyed in accordance with documented procedures.
• The Congregation may anonymize personal information after use, following recognized practices to prevent re-identification.

Retention guidelines and procedures

: Personal information for which applicable privacy laws impose processing or confidentiality obligations is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with applicable laws and regulations. The minimum and maximum retention periods for personal information vary depending on the categories of personal information and the applicable legislative and regulatory requirements. Subject to exceptions and the fact that personal information used to make a decision about an individual concerned is retained for at least one year after the decision, the retention periods are as follows for personal information that is part of the following, unless otherwise required by law or regulation:

• 3 years for:
  • personal information relating to a specific year that appears in any record system or register kept by the Congregation under the Act respecting Labor Standards and not subject to longer mandatory retention periods; and
  • personal information that may be required or used as evidence of a legal act or fact in an action to assert a personal right or a right in rem.
• 6 years for:
  • records of information used to determine any amount that must be deducted, withheld, collected, or paid under a tax law;
  • records and accounting books determining contributions payable under the Employment Insurance Act, as well as accounts and supporting documents necessary for their control, following the end of the year for which the documents in question were kept;
  • information used to evaluate and complete any pay equity program; and
  • supporting documentation for eligible or approved training expenses.
• 10 years for:
  • personal information that may be required or used as evidence of a legal act or fact in an action to assert a right where the limitation period is 10 years (e.g., a real property right, a right resulting from a judgment, a statute of limitations or extinctive prescription not otherwise set by law, , etc.).
• More than 10 years for:
  • personal information that may be required or used as evidence of a legal act or fact in proceedings based on grounds that are not subject to a limitation period.

As also indicated in the “Transparency” section above, an individual concerned is informed, upon request, of the retention period for personal information collected from him or her.

Destruction guidelines and procedures

: Once the retention period for personal information has expired, the Congregation will destroy it in a secure and permanent manner, in accordance with its established procedures. The destruction of personal information will be documented and recorded to ensure traceability and accountability. The heads of the relevant departments or divisions of the Congregation will periodically identify personal information whose retention period has expired and which must be destroyed. Personal information will be destroyed in an appropriate manner, depending on the format in which it is stored; for paper documents: shredding, grinding, or incineration; for digital media: secure erasure. The destruction of personal information will be supervised by the Delegate, who will ensure that the appropriate procedures are followed and documented. This documentation will include the date of destruction, the method used, the types of personal information destroyed, and the name of the person responsible for the destruction.

Anonymization

: Once the purposes for which personal information was collected or used have been fulfilled, the Congregation may anonymize it if it wishes to use it for serious and legitimate purposes, subject to any retention period provided for by law. (In the policies and practices referred to in this statement, information about an individual is anonymized when it is reasonable to expect, in the circumstances, that it will no longer be possible to directly or indirectly identify that individual. Information is anonymized in accordance with generally accepted best practices and the criteria and procedures set out in the regulations.) More specifically:

• Before beginning an anonymization process, the Congregation establishes the purposes for which it intends to use the anonymized information. It ensures that these purposes comply with the requirements of applicable privacy laws.
• At the beginning of an anonymization process, the Congregation removes all personal information that directly identifies the individual concerned from the information it intends to anonymize. It then conducts a preliminary analysis of the risks of re-identification, considering in particular the criteria of individualization, correlation, and inference, as well as the risks that other reasonably available information, particularly in the public domain, could be used to directly or indirectly identify an individual.
• Based on the re-identification risks identified, the Congregation establishes the anonymization techniques to be used, which are in line with generally accepted best practices. It also establishes reasonable protection and security measures to reduce the risks of re-identification.
• After implementing the established anonymization techniques for the anonymization process and the protection and security measures, the Congregation conducts a re-identification risk analysis. The results of the analysis must demonstrate that it is reasonable to expect, at all times and under the circumstances, that the information produced as a result of an anonymization process no longer allows, irreversibly, for the direct or indirect identification of an individual. (It is not necessary to demonstrate zero risk; however, taking into account the elements prescribed by the regulations, the results of the analysis must demonstrate that the residual risks of re-identification are very low.)
• The Congregation periodically evaluates the information it has anonymized to ensure that it remains so. To do so, it updates the latest re-identification risk analysis it has performed, taking into account, in particular, technological advances that may contribute to re-identifying an individual. (The results of the updated analysis must comply with the criteria established previously; otherwise, the information is no longer considered anonymized.) The frequency of this assessment is determined based on the residual risks identified in the latest re-identification risk analysis and other factors prescribed by regulations.
• When anonymizing personal information, the Congregation shall record the following information in a register:
  • a description of the anonymized personal information;
  • the purposes for which it intends to use this anonymized information;
  • the anonymization techniques used and the protection and security measures established;
  • the date of the re-identification risk analysis;
  • and, where applicable, the date on which this analysis was updated.

7. ACCURACY

Accuracy for decisions

: The Congregation ensures that the personal information it holds about others is up to date and accurate at the time it is used to make a decision about the individual concerned. The information used to make such a decision is retained for at least one year after the decision.

Non-routine updates

: The Congregation refrains from routinely updating the personal information it holds unless it is necessary to achieve the purposes for which it was collected.

8. COMMUNICATION

Summary:

• The Congregation respects professional secrecy and the confidentiality of personal information.
• It communicates personal information to third parties only with the consent of the individual concerned or if permitted or required by law.
• Before transmitting information outside Quebec, the Congregation assesses privacy factors and establishes written agreements to ensure adequate protection.
• Without consent, personal information may be communicated in specific situations such as to an archival service, to an agent or service provider for processing, for commercial transactions preceded by an agreement, or to prevent danger.
• The Congregation may also communicate personal information for study, research, or statistical purposes, on an exceptional basis and in accordance with the conditions provided for by law.

The information in this section is subject to professional secrecy and confidentiality obligations, whether ethical, contractual, or otherwise.

Communication to third parties

: The Congregation does not communicate any personal information it holds about others to third parties, unless permitted or required by applicable privacy laws or unless the individual concerned consents to such communication by operation of law or otherwise. In such cases, consent must be expressly given when sensitive personal information is involved.

Communication by a third party

: Consent to the communication of personal information by a third party may be given by the individual concerned to the Congregation, which may then collect it from that third party.

Communication outside Quebec

: Before disclosing personal information outside Quebec for which no exception exists under applicable privacy laws, the Congregation conducts a privacy impact assessment. It takes into account the following factors, among others:

1. the sensitivity of the information;
2. the purpose for which it will be used;
3. the protective measures, including contractual measures, that would apply to the information;
4. the legal regime applicable in the State where the information would be communicated, in particular the principles of personal information protection applicable there.

The applicable privacy laws allow communication if the assessment shows that the information would be adequately protected, in particular with regard to generally recognized principles of personal information protection. Where applicable, such communications shall be the subject of a written agreement that takes into account, in particular, the results of the assessment and, where applicable, the terms and conditions agreed upon to mitigate the risks identified in the assessment. The same applies when the Congregation entrusts a person or organization outside Quebec with the task of collecting, using, disclosing, or retaining such information on its behalf.

Communication without consent

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information it holds about others to certain persons or categories of persons, including (1) those listed in section 18 of theAct respecting the protection of personal information in the private sector (CQLR c P-39.1) (some of which have the power to communicate if they themselves, to the extent that such communication is necessary in the performance of their duties for the purposes for which they received the information), or (2) in the cases referred to in paragraphs (3)(a) to (h.1) of the Personal Information Protection and Electronic Documents Act (LC 2000, c 5), where applicable. The Congregation records any communication made under the provisions required by applicable privacy laws.

Communication to an agent or service provider

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information to any person or organization if such communication is necessary for the performance of a mandate or the execution of a service or business contract that it entrusts to that person or organization. In this case, the Congregation:

1. entrusts the mandate or contract in writing;
2. specifies in the mandate or contract the measures that the agent or contractor must take to ensure the protection of the confidentiality of the personal information communicated, so that the information is used only in the exercise of the mandate or the performance of the contract and is not retained after its expiry.

A person or organization that exercises such a mandate or performs such a service or business contract is required to notify the Delegate without delay of any violation or attempted violation by any person of any of the obligations relating to the confidentiality of the information communicated and must also allow the Delegate to carry out any verification relating to such confidentiality.

Communication of information about professionals, authorized by the Commission

: The Congregation recognizes that applicable privacy laws allow the Commission d’accès à l’information, upon written request and after consulting with the relevant professional orders, to grant a person authorization (which may be revoked or suspended by the Commission in certain specific circumstances) to receive personal information about professionals relating to their professional activities, without the consent of the professionals concerned, if it has reasonable grounds to believe that:

1. the communication preserves professional secrecy, in particular by not allowing the identification of the person to whom the professional service is provided, and does not otherwise infringe on the privacy of the professionals concerned;
2. the professionals concerned will be notified periodically of the intended uses and purposes and will have a reasonable opportunity to refuse to allow the information to be retained or used for the intended uses or purposes;
3. security measures ensure the confidentiality of personal information.

Communication to an archival service

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information contained in a file it holds on another person to an archival service, if that archive service is provided by a service provider whose purpose is to acquire, preserve, and disseminate documents for their general informational value and if that information is communicated in connection with a transfer or deposit of the Congregation’s archives.

Communication for commercial transactions

: When the communication of personal information is necessary for the purposes of entering into a “commercial transaction” (i.e., the sale or lease of all or part of a business or its assets, a change in its legal structure through merger or otherwise, the obtaining of a loan or any other form of financing by the Congregation or a security taken to guarantee one of its obligations) to which the Congregation intends to be a party, the applicable privacy laws authorize it to communicate such information, without the consent of the individual concerned, to the other party to the transaction. Where applicable, an agreement shall be entered into in advance with the other party, stipulating in particular that the latter party undertakes:

1. to use the information solely for the purpose of completing the commercial transaction;
2. not to communicate the information without the consent of the individual concerned, unless authorized to do so by applicable privacy laws;
3. to take the necessary measures to ensure the protection of the confidentiality of the information;
4. to destroy the information if the commercial transaction is not completed or if its use is no longer necessary for the purposes of completing the commercial transaction.

Communication in case of danger

: Applicable privacy laws also allow the Congregation to communicate personal information it holds about others, without the consent of the individuals concerned, in order to protect an identifiable person or group of persons when there are reasonable grounds to believe that there is a serious risk of death or serious injury (i.e., any physical or psychological injury that significantly impairs the physical integrity, health, or well-being of an identifiable person or group of persons) , such as a disappearance or an act of violence, including attempted suicide, threatens that person or group of persons and the nature of the threat inspires a sense of urgency. The information may then be communicated to the person or persons exposed to this danger, their representative, or any person likely to come to their aid. When disclosing information pursuant to this paragraph, the Congregation shall communicate only the information necessary for the purposes of the communication. When information is communicated in this manner by the Congregation, it shall record the communication.

Communication for bereavement purposes

: Applicable privacy laws allow the Congregation to communicate to the spouse or close relative of a deceased person personal information it holds about that person, if knowledge of that information is likely to assist the requester in the bereavement process and the deceased person has not recorded in writing his or her refusal to grant that right of access.

Communication after a period of time specified by law

: Applicable privacy laws also allow the Congregation to communicate personal information to any person, without the consent of the individual concerned, if this information is contained in a document that is more than 100 years old or if more than 30 years have elapsed since the death of the individual concerned. However, unless the individual concerned consents, the Congregation will not communicate any information relating to an individual’s health until 100 years have elapsed since the date of the document.

Communication for study, research, or statistical purposes

: Under certain conditions, applicable privacy laws allow the Congregation to communicate personal information without the consent of the individuals concerned to a person or organization that wishes to use this information for study, research, or statistical purposes. Where applicable, such communication shall only be made in accordance with the requirements of applicable privacy laws, including a privacy impact assessment concluding that:

1. the objective of the study, research or production of statistics can only be achieved if the information is communicated in a form that allows the individuals concerned to be identified;
2. it is unreasonable to require the person or organization in question to obtain the consent of the individuals concerned;
3. the purpose of the study, research, or production of statistics outweighs, in the public interest, the impact of the communication and use of the information on the privacy of the individuals concerned;
4. the personal information is used in a manner that ensures its confidentiality;
5. only the necessary information is communicated.

9. ACCESS, CORRECTION, AND OTHER RIGHTS AND REQUESTS

Summary:

• The Congregation allows individuals to access their personal information and obtain a copy of it, including in a structured digital format.
• Individuals may also request the correction of this personal information if it is inaccurate or processed in an unauthorized manner.
• Requests for access or correction should be addressed to the responsible Officer, who will respond within 30 days.
• Access is free of charge, but reasonable fees may apply for the reproduction or transmission of personal information.
• The Congregation may refuse to communicate personal information in certain cases, particularly if it would harm a third party, an investigation, or legal proceedings.

Request for access

: When the Congregation holds personal information about another person, it will, at the request of the individual concerned, confirm the existence of that information and communicate it to the individual by providing a copy. At the request of the applicant, any computerized personal information shall be communicated in the form of a written and intelligible transcript. Unless this raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred from personal information concerning him or her, shall, at his or her request, be communicated in a structured and commonly used technological format. Such information shall also be communicated, at his request, to any person or body authorized by law to collect such information. Where the applicant is a person with a disability, reasonable accommodation measures shall be taken, upon request, to enable him to exercise the right of access provided for in this section.

Request for correction

: In addition to the rights provided for in the first paragraph of section 40 of theCivil Code of Québec, any individual may, if the personal information concerning him or her is inaccurate, incomplete, or ambiguous, or if its collection, communication, or retention is not authorized by law, require the Congregation to correct it.

Information held for the Congregation

: Applicable privacy laws allow a person who holds personal information on behalf of the Congregation, when presented with a request for access or rectification by an individual concerned, to forward the request to the Congregation. This is not intended to limit the right of access or correction of a data subject with a personal information agent.

Information held by the Congregation for an individual

: Applicable privacy laws allow the Congregation, when it holds personal information on behalf of an individual who operates a business and receives a request for access or correction from an individual concerned, to forward the request to that individual who operates the business. This is not intended to limit the right of access or correction of an individual concerned to a personal information officer.

Request to cease dissemination or indexing

: The individual concerned by personal information may require the Congregation to cease disseminating that information or to de-index any hyperlink attached to their name that allows access to that information by technological means, when the dissemination of that information contravenes the law or a court order. They may do the same, or require that the hyperlink providing access to this information be reindexed, when the following conditions are met:

1. the dissemination of this information causes him serious harm in relation to his right to respect for his reputation or privacy;
2. the harm clearly outweighs the public interest in knowing the information or the interest of any person in expressing themselves freely;
3. the cessation of dissemination, reindexing, or deindexing requested does not exceed what is necessary to prevent the perpetuation of the harm.

When granting the request, the Delegate shall certify in his or her written response that the dissemination of the personal information has been discontinued or that the hyperlink has been deindexed or reindexed.

Exercise of rights

: When the Congregation holds personal information about others, it takes the necessary measures to ensure that the individuals concerned can exercise their rights under sections 37 to 40 of theCivil Code of Québec and their rights under applicable privacy laws. In particular, the Congregation informs the public of the location where this personal information is accessible and the means of accessing it.

Admissibility of a request

: A request, particularly for access or rectification, will only be considered if it is addressed to the Delegate, made in writing (except in cases where applicable privacy laws require that it may also be made verbally) by a person who can prove their identity as the individual concerned, as a representative, heir, successor of that individual, as the liquidator of the estate, as the beneficiary of life insurance or death benefits, as the holder of parental authority even if the minor child has died, or as the spouse or close relative of a deceased person in cases of bereavement covered by section 40.1 of theAct respecting the protection of personal information in the private sector (CQLR c P-39.1).

Assistance with a request

: When the request is not sufficiently specific or when an individual so requests, the Delegate provides assistance in identifying the information sought. This does not restrict the communication to an individual of personal information concerning him or her or its correction resulting from the provision of a service to be rendered to him or her.

Response to a request

: The Delegate responds in writing to the request for access or correction, diligently and no later than 30 days after the date of receipt of the request. If no response is provided within 30 days of receipt of the request, the Delegate is deemed to have refused to comply.

Free access and reasonable fees

: Access to personal information is free of charge. However, reasonable fees may be charged to the requester for the transcription, reproduction, or transmission of such information. When the Congregation intends to charge fees, it shall inform the requester of the approximate amount payable before proceeding with the transcription, reproduction, or transmission of such information.

Acceptance of a request

: When the Delegate grants a request for correction, in addition to the obligations set out in the second paragraph of section 40 of theCivil Code of Québec, he or she shall issue, free of charge, to the individual concerned who made the request, a copy of any personal information that has been modified or added or, as the case may be, a certificate of the deletion of such information.

Refusal of a request

: The Delegate shall give reasons for any refusal to grant a request and indicate the provision of the law on which the refusal is based, the remedies available to the applicant under the law, and the time limit within which they may be exercised. He or she shall also assist the applicant who so requests in understanding the refusal. If the Congregation holds information that is the subject of a request for access or correction to which it does not agree, it shall retain it for the time necessary to allow the individual concerned to exhaust the remedies provided by law.

Refusal in the event of an investigation or legal proceedings

: Applicable privacy laws allow the Congregation to refuse to communicate personal information about an individual to that individual when communication of the information would likely:

1. to interfere with an investigation conducted by its internal security service for the purpose of preventing, detecting, or prosecuting crime or violations of the law, or on its behalf by an external service with the same purpose or a holder of a security agency or investigation agency license issued in accordance with the Private Security Act (chapter S-3.5);
2. affecting legal proceedings in which any of these persons has an interest.

Refusal in the event of communication harmful to a third party

: The Congregation shall refuse to communicate to an individual personal information concerning him or her where communication would be likely to reveal personal information about a third party or the existence of such information and where such communication would be likely to cause serious harm to the third party, unless the third party consents to the communication or it is an emergency that endangers the life, health, or safety of the individual concerned.

Refusal concerning a liquidator, beneficiary, heir, or successor

: Subject to the cases referred to in section 40.1 of theAct respecting the protection of personal information in the private sector (relating to assistance in the grieving process), the Congregation must refuse to communicate personal information to the liquidator of the estate, the beneficiary of a life insurance policy or death benefit, or the heir or successor of the individual concerned by this information, unless the information affects communicationthe interests or rights of the person requesting it as liquidator, beneficiary, heir, or successor.

10. COMPLAINTS

Summary:

• To file a complaint with the Congregation regarding the protection of personal information, the individual concerned is asked to read the Congregation’s Confidentiality policy and check the applicable legislation.
• The complaint must be made in writing, specify the facts, be accompanied by supporting documents, and be addressed to the Delegate.
• While the complaint is being processed, the individual concerned is asked to give the Congregation the opportunity to respond before contacting the public authorities.
• If the complaint is not satisfactorily resolved, depending on the case, it is possible to request a review of the disagreement by the Commission d’accès à l’information du Québec (Quebec Access to Information Commission) or to file a complaint with the Privacy Commissioner of Canada.

Complaint to the Congregation

: Here is an overview of the Congregation’s process for handling complaints related to the protection of personal information.

Before filing a complaint

:

• Read the Congregation’s Confidentiality policy: Read the Congregation’s Confidentiality policy, which can be accessed at the following URL:
  

  https://www.franciscanfriars.ca/confidentiality-policy

• Verify the applicable law: Identify and familiarize yourself with the applicable law or laws among the various privacy laws, as well as the rights and remedies available to the individuals concerned.

When filing the complaint

:

• Substantive and formal requirements: All complaints must clearly detail the facts and circumstances giving rise to the complaint, be made in writing by a person who can prove their identity as the individual concerned or other interested party, and be addressed and sent to the Congregation’s designated representative using their contact details.
• Attach the necessary documents: Include all relevant supporting documents in support of the complaint.

During the processing of the complaint

:

• Give the Congregation the opportunity to respond: Before contacting public authorities with the power to review, audit, investigate, or issue orders regarding a company’s practices in relation to the protection of personal information that is the subject of a complaint against a company, they generally recommend giving the company concerned the opportunity to review and respond to the complaint, in order to try to resolve the issue directly with the company first.
• Follow-up on the complaint: If a complaint is not handled according to the process and time frames indicated, it is possible to contact the Delegate for the Congregation to request an update on the status of the complaint.

After the complaint has been processed, if the outcome is unsatisfactory

• Request for review of disagreement: Any interested person may submit a request to the Commission d’accès à l’information du Québec for a review of a disagreement relating to the application of a legislative provision concerning access to or rectification of personal information in the Act respecting the protection of personal information in the private sector (CQLR c P-39.1) or the application of section 28.1 of that Act, which deals with the cessation of dissemination or indexing of personal information.
• Complaint to the Privacy Commissioner of Canada: Any interested person may file a complaint with the Privacy Commissioner of Canada against an organization that contravenes any provision of Division 1 or 1.1 of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), or that fails to implement a recommendation set out in Schedule 1 of that Act.