menu

Governance of personal information

Introduction

As a religious congregation that holds personal information, the Corporation des Syndics Apostoliques des Frères Mineurs ou Franciscains, the Corporation des Syndics Apostoliques des Frères Mineurs ou Franciscains de la Province Saint-Joseph du Canada and L’Oeuvre Franciscaine – Les Franciscains (collectively hereinafter the “Congregation,” also known as the “Franciscans of Canada”) must establish and implement governance policies and practices regarding personal information it holds and ensuring its protection.

The information set out below is intended to meet the requirement that detailed information explaining, in simple and clear terms, its policies and practices in this regard be published on the Congregation’s website in a manner that makes them easily accessible.

Overview
 

1. RESPONSIBILITIES

Summary:

  • The Congregation is responsible for the information it collects, uses, or communicates, either directly or through agents or service providers.
  • The Congregation implements governance policies and practices to ensure the protection of personal information, including its retention, destruction, and the handling of complaints.
  • These policies, which are proportionate to the organization’s activities, are approved by the Information Protection Officer.
  • The Information Protection Officer approves policies, supervises the destruction of personal information, and is consulted in the event of confidentiality incidents, if necessary.
  • When undertaking new projects, the Congregation conducts a privacy impact assessment in collaboration with its Privacy Officer, taking into account the sensitivity and use of personal information.

Governance

: The Congregation establishes and implements policies and practices governing its governance of personal information and ensuring the protection of such information. These policies and practices include guidelines for the retention and destruction of such information, the roles and responsibilities of its staff throughout the life cycle of such information, and a process for handling complaints relating to the protection of such information. They are proportionate to the nature and scale of the Congregation’s activities and are approved by the individual who acts as the person in charge of the protection of personal information within the Congregation (the “Delegate“). Detailed information about these policies and practices is published in plain, clear language on the Congregation’s website.

Control

: This statement primarily concerns personal information under the control of the Congregation, which corresponds to the information that the Congregation decides to collect and for which the Congregation establishes the purposes for which it is collected, used, or communicated, whether the Congregation collects, uses, or communicates it itself or whether an agent or service provider does so on its behalf.

Roles

:

  • The Congregation: The Congregation is responsible for the protection of the personal information it holds.
  • Person with the highest authority: Within the Congregation, the person with the highest authority ensures compliance with and implementation of privacy laws applicable to the Congregation.
  • Delegate: The role and function of person in charge of the protection of personal information held by the Congregation has been delegated in writing, in its entirety, to the main Controller of the Congregation, whose title and contact information are:
    Controller
    Email:controleur@ofmca.com
    Address:6455 Louis-Riel Ave.
    Montreal, Quebec H1M 1P1
    Canada

    The responsibilities and duties of the Delegate include the following:

    • Approving policies and practices governing the management of personal information;
    • Consultation on privacy impact assessments for any project involving the acquisition, development, or redesign of an information system or electronic service delivery that involves the collection, use, communication, retention, or destruction of personal information;
    • Receiving and processing requests for access to or correction of personal information, cessation of dissemination of personal information, de-indexing of a hyperlink, and requests related to the right to portability of computerized personal information;
    • Supervision of the destruction of personal information held by the Congregation;
    • Managing requests for communication of personal information concerning a deceased person (if applicable);
    • Receiving and processing notices of breaches or attempted breaches of confidentiality obligations transmitted (if applicable) by the Congregation’s agents or service contract contractors;
    • Consultation on the assessment of risks of harm to individuals following a confidentiality incident (if applicable); and
    • Communicating with specialized supervisory authorities, such as the Commission d’accès à l’information (the “Commission”) and the Office of the Privacy Commissioner of Canada (the “OPC”) (if applicable).
  • Congregation employee or agent: In the organizational functioning of the Congregation, personal information is accessible, without the consent of the individual concerned, to any Congregation employee or agent who has a legitimate need to know it, provided that such information is necessary for the performance of their duties.

Assessment in the event of change

: The Congregation conducts a privacy impact assessment of any project involving the acquisition, development, redesign of an information system, or electronic delivery of services that involves the collection, use, communication, retention, or destruction of personal information. For the purposes of this assessment, the Congregation consults its Delegate at the outset of the project. The privacy impact assessment is proportionate to the sensitivity of the information concerned, the purpose for which it is used, its quantity, distribution, and medium. The Congregation also ensures that this project allows computerized personal information collected from the individual concerned to be communicated to them in a structured and commonly used technological format. The Delegate may, at any stage of such a project, suggest measures to protect personal information applicable to that project, such as:

  1. the appointment of a person responsible for implementing personal information protection measures;
  2. measures to protect personal information in any document relating to the project;
  3. a description of the responsibilities of project participants with regard to the protection of personal information;
  4. the provision of training on the protection of personal information for project participants.

2. CONFIDENTIALITY

Summary:

  • The Congregation publishes a clear and accessible confidentiality policy on its website.
  • When collecting personal information through technological products or services, privacy settings are configured by default to provide the highest level of protection. Sensitive personal information is defined as information that requires increased protection due to its nature or context, giving rise to a high degree of reasonable expectation of privacy.
  • The Congregation implements appropriate security measures to protect personal information based on its sensitivity and use. Individuals’ business contact information is not subject to the same privacy requirements.
  • When using de-identified information, the organization limits the risks of identification. The Congregation maintains a record of confidentiality incidents and, in the event of an incident, takes measures to reduce the risks of harm.
  • Incidents are assessed based on the sensitivity of the information and its potential consequences, and the organization informs the Commission d’accès à l’information, the Privacy Commissioner of Canada, and the individuals concerned, if necessary.

Confidentiality policy

: As an organization that collects personal information by technological means, the Congregation publishes a confidentiality policy on its website, written in clear and simple terms, and disseminates it by other means appropriate for reaching the individuals concerned. It does the same for any changes to this confidentiality policy. The Congregation’s confidentiality policy is incorporated by reference into this statement and is available at the following URL:

https://www.franciscanfriars.ca/confidentiality-policy

Privacy settings

: When collecting personal information by offering the public a technological product or service with privacy settings, the Congregation shall ensure that, by default, these settings provide the highest level of privacy, without any intervention by the individual concerned. As an exception, cookie settings are not covered.

Sensitivity of personal information

: In the policies and practices referred to in this statement, personal information is “sensitive” when, by its nature or in the context of its use or communication, it gives rise to a high degree of reasonable expectation of privacy.

Security measures

: The Congregation takes security measures to ensure the protection of personal information that is collected, used, communicated, retained, or destroyed, which are reasonable considering, among other things, the sensitivity of the information, the purpose for which it is used, the amount of information, its distribution, and its medium.

Business contact information

: The Congregation acts on the basis that applicable privacy laws allow for the exemption from their requirements regarding collection and confidentiality of information that allows contact—or facilitates contact—with an individual in the course of their employment, business, or profession, or that otherwise relates to the individual’s role within a business (such as their name, position, job title, work address, work phone or fax number, or work email address).

De-identified information

: When using de-identified information (i.e., information that no longer directly identifies the individual concerned), the Congregation takes reasonable measures to limit the risk of anyone identifying a natural person from that information.

Confidentiality incidents

  • Incident response: When the Congregation has reason to believe that a confidentiality incident involving personal information in its possession has occurred, it takes reasonable steps to minimize the risk of harm and prevent further incidents of the same nature from occurring.
  • Definition of incident: In the policies and practices referred to in this statement, “confidentiality incident” means:
    1. the use or communication of personal information not authorized by law, or access to personal information not authorized by law;
    2. the loss of personal information or any other breach of the protection of such information, including a “breach of security safeguards” referred to in section 10.1 of the Personal Information Protection and Electronic Documents Act (LC 2000, c 5) and its Breach of Security Safeguards Regulations (SOR/2018-64).
  • Incident log: The Congregation keeps a log of confidentiality incidents, the content of which is determined by government regulations, in particular the Regulation respecting confidentiality incidents (CQLR c A-2.1, r 3.1). Upon request by the Commission, a copy of this log is sent to it.
  • Incident assessment: When assessing the risk of harm to a person whose personal information is affected by a confidentiality incident, the Congregation considers, among other things, the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes. It also consults with its Delegate.
  • Notification of the Commissioner in the event of an incident: If the incident presents a risk of serious or grave harm, the Congregation shall promptly notify the Commission d’accès à l’information and/or, where applicable, the Privacy Commissioner of Canada. This notification contains the information prescribed, as applicable, by the Privacy Breach Notification Regulations (at the provincial level) and/or the Security Breach Notification Regulations (at the federal level).
  • Notice to the individual in the event of an incident: If the incident presents a risk of serious or grave harm, the Congregation also notifies any individual whose personal information is affected by the incident. (As an exception, an individual whose personal information is affected by the incident does not have to be notified if doing so would interfere with an investigation by a person or agency that is responsible under the law for preventing, detecting, or prosecuting crime or violations of the law.) The notice contains sufficient information to enable the individual to understand the significance of the incident to them and, if possible, to take steps to reduce the risk of harm that could result or to mitigate such harm. It also contains any other information prescribed by any regulation applicable to the situation.
  • Notice to other persons or organizations: If the incident presents a risk of serious or grave harm, the Congregation may also notify any person or organization that could reduce that risk, communicating only the personal information necessary for that purpose without the consent of the individual concerned. In the latter case, the Delegate shall record the communication.

3. CONSENT

Summary:

  • The fact that an individual provides personal information to the Congregation generally implies consent to its use and communication.
  • Any consent given must be clear, free, informed, and for specific purposes, after having been requested for each of these purposes, in simple and clear terms, and valid only for the time necessary for these purposes.
  • When consent is requested in writing, it is requested separately from other information, and assistance may be provided to understand its scope.
  • The Congregation collects personal information primarily from the individual, unless the individual consents to the collection from third parties or unless permitted by law.
  • Collection from a third party is also permitted if it is in the individual’s interest and cannot be done in a timely manner, or to verify the accuracy of the information.
  • If an individual refuses to provide personal information, the Congregation may refuse a request for goods or services, or an employment application, if the collection of such information is necessary for a contract, authorized by law, or justified on the grounds that the request is unlawful.

Consent to use and communication for purposes

: By operation of law, an individual who provides personal information under the paragraph “Information at the time of collection or upon request” in section 4 of this statement consents to its use and communication for the purposes indicated at the time of collection by the Congregation.

Characteristics of consent

: Consent must be express, free, informed, and given for specific purposes. It is requested for each of these purposes, in simple and clear terms, and is valid only for the time necessary to fulfill the purposes for which it was requested. When the request for consent is made in writing, it is presented separately from any other information communicated to the individual concerned. When requested, assistance is provided to help the individual understand the scope of the consent requested.

Commercial electronic messages

: The Congregation refrains from sending a commercial electronic message to an email address, having it sent there, or allowing it to be sent there, unless the person to whom the message is sent has expressly or tacitly consented to receive it and the message complies with regulatory requirements regarding its form and includes (1) the regulatory information identifying the person who sent it and, where applicable, the person on whose behalf it was sent, (2) information enabling the person who received it to easily communicate with either of these persons, and (3) a description of an opt-out mechanism in accordance with the laws governing such mailings.

Collection from third parties

: When the Congregation collects personal information about others, it does so in principle from the individual concerned, unless that individual consents to the collection from third parties. However, the Congregation may, without the consent of the individual concerned, collect such information from a third party if permitted by law. It may do so if it has a serious and legitimate interest and if one of the following conditions is met:

  1. the information is collected in the interest of the individual concerned and cannot be collected from that individual in a timely manner;
  2. collection from a third party is necessary to ensure the accuracy of the information.

Refusal

: In any of the following circumstances, the Congregation may refuse to comply with a request for goods or services or a request relating to employment because the individual making the request refuses to provide personal information:

  1. the collection is necessary for the conclusion or performance of the contract (bearing in mind that, in case of doubt, personal information is deemed unnecessary);
  2. the collection is authorized by law;
  3. there are reasonable grounds to believe that such a request is not lawful.

4. TRANSPARENCY

Summary:

  • When collecting personal information, the Congregation informs individuals of the purposes and means of collection, as well as their rights of access, rectification, and withdrawal of consent.
  • If the information is intended for a third party or transferred outside Quebec, individuals are also informed.
  • The information is provided in simple and clear terms, and additional details may be provided upon request, including the retention period and the person responsible.
  • When technology enabling identification, location, or profiling is used, the Congregation informs individuals in advance.
  • In the case of automated decisions, the individuals concerned are informed and may request explanations or a review.

Information at the time of collection or upon request

: When the Congregation collects personal information from the individual concerned, at the time of collection and subsequently upon request, it informs them:

  1. the purposes for which the information is being collected;
  2. the means by which the information is collected;
  3. the rights of access and rectification provided for by law;
  4. the individual’s right to withdraw consent to the communication or use of the information collected.

Where applicable, the individual concerned shall be informed of the name of the third party for whom the information is being collected, the names of the third parties or categories of third parties to whom it is necessary to communicate the information for the purposes referred to in paragraph 1 of the preceding subsection, and the possibility that the information may be communicated outside Québec.

The information that the Congregation provides to the individual concerned at the time of collection is included in “just-in-time” notices or otherwise in the Congregation’s Confidentiality policy, which is discussed in the section entitled “Confidentiality policy.”

Upon request, the individual concerned is also informed of the personal information collected from him or her, the categories of persons who have access to this information within the Congregation, the length of time this information will be retained, and the contact details of the person responsible for the protection of personal information.

The information is provided to the individual concerned in plain and clear language, regardless of the means used to collect the personal information.

Identification, location, or profiling technologies

: When the Congregation collects personal information from individuals using technology that includes functions to identify, locate, or profile them, it informs them in advance:

  1. of the use of such technology;
  2. the means available to activate functions that identify, locate, or “profile” an individual, i.e., collecting and using personal information to evaluate certain characteristics of a natural person, including for the purposes of analyzing that person’s work performance, economic situation, health, personal preferences, interests, or behavior.

Information about sources

: If the Congregation collects personal information under its control from another person who operates a business or a public body, it will inform the individual concerned, at their request, of the source of that information. (This does not apply to an investigation file created for the purpose of preventing, detecting, or prosecuting a crime or offense.)

Decision by automated processing

: If the Congregation uses personal information to make a decision based solely on automated processing of that information, it will inform the individual concerned no later than when it informs them of the decision. The Congregation shall give the individual concerned an opportunity to present his or her observations to a member of the Congregation’s staff who is in a position to review the decision. At the request of the individual concerned, the Congregation shall also inform him or her:

  1. the personal information used to make the decision;
  2. the reasons, as well as the main factors and parameters, that led to the decision; and
  3. their right to have the personal information used to make the decision corrected.

5. LIMITATIONS

Summary:

  • The Congregation determines the purposes for which personal information is collected before collecting it, ensuring that only necessary information is collected and by lawful means.
  • This personal information is used only for the predetermined purposes, unless additional consent is obtained for a new purpose or certain exceptions apply, such as a purpose that is compatible with a predetermined purpose, the prevention of fraud, or the provision of a requested service.
  • The Congregation identifies itself to the individual concerned and informs them of their right to withdraw their consent for any use for commercial or philanthropic prospecting purposes.

Determination of purposes

: When the Congregation collects personal information about others for serious and legitimate reasons, it determines the purposes of such collection before the information is collected.

Limiting collection to specified purposes

: When collecting personal information about others, the Congregation collects only the information necessary for the purposes identified before collection. This information is collected by lawful means.

Limiting use, with or without consent

: Personal information is used within the Congregation, in principle, only for the purposes for which it was collected. Use for a new purpose generally requires consent, which must be expressly given in the case of sensitive personal information. However, applicable privacy laws generally allow personal information to be used for another purpose without the consent of the individual concerned in the following cases:

  1. when its use is for purposes consistent with those for which it was collected;
  2. when its use is clearly for the benefit of the individual concerned;
  3. when its use is necessary for the purposes of preventing and detecting fraud or evaluating and improving protection and security measures;
  4. when its use is necessary for the purpose of supplying or delivering a product or providing a service requested by the individual concerned;
  5. when its use is necessary for the purposes of study, research, or the production of statistics, and it is depersonalized.

Use for compatible purposes

: For a purpose to be compatible within the meaning of point 1 in the previous paragraph, there must be a relevant and direct link to the purposes for which the information was collected. However, commercial or philanthropic prospecting is not considered a compatible purpose.

Commercial or philanthropic solicitation purposes

: In accordance with the laws governing the sending of commercial electronic messages and subject to exceptions, particularly with regard to business contact information in applicable privacy laws, if the Congregation uses personal information for commercial or philanthropic prospecting purposes, it identifies itself to the individual to whom it is addressing and informs them of their right to withdraw their consent to the use of their personal information for these purposes. When the individual concerned withdraws their consent to such use of their personal information, it ceases to be used in this manner.

6. RETENTION AND DESTRUCTION OR ANONYMIZATION

Summary:

  • The Congregation retains personal information only for as long as necessary to fulfill the purposes for which it was collected or to comply with the law.
  • The length of time varies depending on the type of data, generally ranging from 3 to 10 years, with a minimum retention period of one year after a decision concerning the individual.
  • Once the retention period has expired, the information is securely destroyed in accordance with documented procedures.
  • The Congregation may anonymize personal information after use, following recognized practices to prevent re-identification.

Retention guidelines and procedures

: Personal information for which applicable privacy laws impose processing or confidentiality obligations is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with applicable laws and regulations. The minimum and maximum retention periods for personal information vary depending on the categories of personal information and the applicable legislative and regulatory requirements. Subject to exceptions and the fact that personal information used to make a decision about an individual concerned is retained for at least one year after the decision, the retention periods are as follows for personal information that is part of the following, unless otherwise required by law or regulation:

  • 3 years for:
    • personal information relating to a specific year that appears in any record system or register kept by the Congregation under the Act respecting Labor Standards and not subject to longer mandatory retention periods; and
    • personal information that may be required or used as evidence of a legal act or fact in an action to assert a personal right or a right in rem.
  • 6 years for:
    • records of information used to determine any amount that must be deducted, withheld, collected, or paid under a tax law;
    • records and accounting books determining contributions payable under the Employment Insurance Act, as well as accounts and supporting documents necessary for their control, following the end of the year for which the documents in question were kept;
    • information used to evaluate and complete any pay equity program; and
    • supporting documentation for eligible or approved training expenses.
  • 10 years for:
    • personal information that may be required or used as evidence of a legal act or fact in an action to assert a right where the limitation period is 10 years (e.g., a real property right, a right resulting from a judgment, a statute of limitations or extinctive prescription not otherwise set by law, , etc.).
  • More than 10 years for:
    • personal information that may be required or used as evidence of a legal act or fact in proceedings based on grounds that are not subject to a limitation period.

As also indicated in the “Transparency” section above, an individual concerned is informed, upon request, of the retention period for personal information collected from him or her.

Destruction guidelines and procedures

: Once the retention period for personal information has expired, the Congregation will destroy it in a secure and permanent manner, in accordance with its established procedures. The destruction of personal information will be documented and recorded to ensure traceability and accountability. The heads of the relevant departments or divisions of the Congregation will periodically identify personal information whose retention period has expired and which must be destroyed. Personal information will be destroyed in an appropriate manner, depending on the format in which it is stored; for paper documents: shredding, grinding, or incineration; for digital media: secure erasure. The destruction of personal information will be supervised by the Delegate, who will ensure that the appropriate procedures are followed and documented. This documentation will include the date of destruction, the method used, the types of personal information destroyed, and the name of the person responsible for the destruction.

Anonymization

: Once the purposes for which personal information was collected or used have been fulfilled, the Congregation may anonymize it if it wishes to use it for serious and legitimate purposes, subject to any retention period provided for by law. (In the policies and practices referred to in this statement, information about an individual is anonymized when it is reasonable to expect, in the circumstances, that it will no longer be possible to directly or indirectly identify that individual. Information is anonymized in accordance with generally accepted best practices and the criteria and procedures set out in the regulations.) More specifically:

  • Before beginning an anonymization process, the Congregation establishes the purposes for which it intends to use the anonymized information. It ensures that these purposes comply with the requirements of applicable privacy laws.
  • At the beginning of an anonymization process, the Congregation removes all personal information that directly identifies the individual concerned from the information it intends to anonymize. It then conducts a preliminary analysis of the risks of re-identification, considering in particular the criteria of individualization, correlation, and inference, as well as the risks that other reasonably available information, particularly in the public domain, could be used to directly or indirectly identify an individual.
  • Based on the re-identification risks identified, the Congregation establishes the anonymization techniques to be used, which are in line with generally accepted best practices. It also establishes reasonable protection and security measures to reduce the risks of re-identification.
  • After implementing the established anonymization techniques for the anonymization process and the protection and security measures, the Congregation conducts a re-identification risk analysis. The results of the analysis must demonstrate that it is reasonable to expect, at all times and under the circumstances, that the information produced as a result of an anonymization process no longer allows, irreversibly, for the direct or indirect identification of an individual. (It is not necessary to demonstrate zero risk; however, taking into account the elements prescribed by the regulations, the results of the analysis must demonstrate that the residual risks of re-identification are very low.)
  • The Congregation periodically evaluates the information it has anonymized to ensure that it remains so. To do so, it updates the latest re-identification risk analysis it has performed, taking into account, in particular, technological advances that may contribute to re-identifying an individual. (The results of the updated analysis must comply with the criteria established previously; otherwise, the information is no longer considered anonymized.) The frequency of this assessment is determined based on the residual risks identified in the latest re-identification risk analysis and other factors prescribed by regulations.
  • When anonymizing personal information, the Congregation shall record the following information in a register:
    • a description of the anonymized personal information;
    • the purposes for which it intends to use this anonymized information;
    • the anonymization techniques used and the protection and security measures established;
    • the date of the re-identification risk analysis;
    • and, where applicable, the date on which this analysis was updated.

7. ACCURACY

Accuracy for decisions

: The Congregation ensures that the personal information it holds about others is up to date and accurate at the time it is used to make a decision about the individual concerned. The information used to make such a decision is retained for at least one year after the decision.

Non-routine updates

: The Congregation refrains from routinely updating the personal information it holds unless it is necessary to achieve the purposes for which it was collected.

8. COMMUNICATION

Summary:

  • The Congregation respects professional secrecy and the confidentiality of personal information.
  • It communicates personal information to third parties only with the consent of the individual concerned or if permitted or required by law.
  • Before transmitting information outside Quebec, the Congregation assesses privacy factors and establishes written agreements to ensure adequate protection.
  • Without consent, personal information may be communicated in specific situations such as to an archival service, to an agent or service provider for processing, for commercial transactions preceded by an agreement, or to prevent danger.
  • The Congregation may also communicate personal information for study, research, or statistical purposes, on an exceptional basis and in accordance with the conditions provided for by law.

The information in this section is subject to professional secrecy and confidentiality obligations, whether ethical, contractual, or otherwise.

Communication to third parties

: The Congregation does not communicate any personal information it holds about others to third parties, unless permitted or required by applicable privacy laws or unless the individual concerned consents to such communication by operation of law or otherwise. In such cases, consent must be expressly given when sensitive personal information is involved.

Communication by a third party

: Consent to the communication of personal information by a third party may be given by the individual concerned to the Congregation, which may then collect it from that third party.

Communication outside Quebec

: Before disclosing personal information outside Quebec for which no exception exists under applicable privacy laws, the Congregation conducts a privacy impact assessment. It takes into account the following factors, among others:

  1. the sensitivity of the information;
  2. the purpose for which it will be used;
  3. the protective measures, including contractual measures, that would apply to the information;
  4. the legal regime applicable in the State where the information would be communicated, in particular the principles of personal information protection applicable there.

The applicable privacy laws allow communication if the assessment shows that the information would be adequately protected, in particular with regard to generally recognized principles of personal information protection. Where applicable, such communications shall be the subject of a written agreement that takes into account, in particular, the results of the assessment and, where applicable, the terms and conditions agreed upon to mitigate the risks identified in the assessment. The same applies when the Congregation entrusts a person or organization outside Quebec with the task of collecting, using, disclosing, or retaining such information on its behalf.

Communication without consent

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information it holds about others to certain persons or categories of persons, including (1) those listed in section 18 of theAct respecting the protection of personal information in the private sector (CQLR c P-39.1) (some of which have the power to communicate if they themselves, to the extent that such communication is necessary in the performance of their duties for the purposes for which they received the information), or (2) in the cases referred to in paragraphs (3)(a) to (h.1) of the Personal Information Protection and Electronic Documents Act (LC 2000, c 5), where applicable. The Congregation records any communication made under the provisions required by applicable privacy laws.

Communication to an agent or service provider

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information to any person or organization if such communication is necessary for the performance of a mandate or the execution of a service or business contract that it entrusts to that person or organization. In this case, the Congregation:

  1. entrusts the mandate or contract in writing;
  2. specifies in the mandate or contract the measures that the agent or contractor must take to ensure the protection of the confidentiality of the personal information communicated, so that the information is used only in the exercise of the mandate or the performance of the contract and is not retained after its expiry.

A person or organization that exercises such a mandate or performs such a service or business contract is required to notify the Delegate without delay of any violation or attempted violation by any person of any of the obligations relating to the confidentiality of the information communicated and must also allow the Delegate to carry out any verification relating to such confidentiality.

Communication of information about professionals, authorized by the Commission

: The Congregation recognizes that applicable privacy laws allow the Commission d’accès à l’information, upon written request and after consulting with the relevant professional orders, to grant a person authorization (which may be revoked or suspended by the Commission in certain specific circumstances) to receive personal information about professionals relating to their professional activities, without the consent of the professionals concerned, if it has reasonable grounds to believe that:

  1. the communication preserves professional secrecy, in particular by not allowing the identification of the person to whom the professional service is provided, and does not otherwise infringe on the privacy of the professionals concerned;
  2. the professionals concerned will be notified periodically of the intended uses and purposes and will have a reasonable opportunity to refuse to allow the information to be retained or used for the intended uses or purposes;
  3. security measures ensure the confidentiality of personal information.

Communication to an archival service

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information contained in a file it holds on another person to an archival service, if that archive service is provided by a service provider whose purpose is to acquire, preserve, and disseminate documents for their general informational value and if that information is communicated in connection with a transfer or deposit of the Congregation’s archives.

Communication for commercial transactions

: When the communication of personal information is necessary for the purposes of entering into a “commercial transaction” (i.e., the sale or lease of all or part of a business or its assets, a change in its legal structure through merger or otherwise, the obtaining of a loan or any other form of financing by the Congregation or a security taken to guarantee one of its obligations) to which the Congregation intends to be a party, the applicable privacy laws authorize it to communicate such information, without the consent of the individual concerned, to the other party to the transaction. Where applicable, an agreement shall be entered into in advance with the other party, stipulating in particular that the latter party undertakes:

  1. to use the information solely for the purpose of completing the commercial transaction;
  2. not to communicate the information without the consent of the individual concerned, unless authorized to do so by applicable privacy laws;
  3. to take the necessary measures to ensure the protection of the confidentiality of the information;
  4. to destroy the information if the commercial transaction is not completed or if its use is no longer necessary for the purposes of completing the commercial transaction.

Communication in case of danger

: Applicable privacy laws also allow the Congregation to communicate personal information it holds about others, without the consent of the individuals concerned, in order to protect an identifiable person or group of persons when there are reasonable grounds to believe that there is a serious risk of death or serious injury (i.e., any physical or psychological injury that significantly impairs the physical integrity, health, or well-being of an identifiable person or group of persons) , such as a disappearance or an act of violence, including attempted suicide, threatens that person or group of persons and the nature of the threat inspires a sense of urgency. The information may then be communicated to the person or persons exposed to this danger, their representative, or any person likely to come to their aid. When disclosing information pursuant to this paragraph, the Congregation shall communicate only the information necessary for the purposes of the communication. When information is communicated in this manner by the Congregation, it shall record the communication.

Communication for bereavement purposes

: Applicable privacy laws allow the Congregation to communicate to the spouse or close relative of a deceased person personal information it holds about that person, if knowledge of that information is likely to assist the requester in the bereavement process and the deceased person has not recorded in writing his or her refusal to grant that right of access.

Communication after a period of time specified by law

: Applicable privacy laws also allow the Congregation to communicate personal information to any person, without the consent of the individual concerned, if this information is contained in a document that is more than 100 years old or if more than 30 years have elapsed since the death of the individual concerned. However, unless the individual concerned consents, the Congregation will not communicate any information relating to an individual’s health until 100 years have elapsed since the date of the document.

Communication for study, research, or statistical purposes

: Under certain conditions, applicable privacy laws allow the Congregation to communicate personal information without the consent of the individuals concerned to a person or organization that wishes to use this information for study, research, or statistical purposes. Where applicable, such communication shall only be made in accordance with the requirements of applicable privacy laws, including a privacy impact assessment concluding that:

  1. the objective of the study, research or production of statistics can only be achieved if the information is communicated in a form that allows the individuals concerned to be identified;
  2. it is unreasonable to require the person or organization in question to obtain the consent of the individuals concerned;
  3. the purpose of the study, research, or production of statistics outweighs, in the public interest, the impact of the communication and use of the information on the privacy of the individuals concerned;
  4. the personal information is used in a manner that ensures its confidentiality;
  5. only the necessary information is communicated.

9. ACCESS, CORRECTION, AND OTHER RIGHTS AND REQUESTS

Summary:

  • The Congregation allows individuals to access their personal information and obtain a copy of it, including in a structured digital format.
  • Individuals may also request the correction of this personal information if it is inaccurate or processed in an unauthorized manner.
  • Requests for access or correction should be addressed to the responsible Officer, who will respond within 30 days.
  • Access is free of charge, but reasonable fees may apply for the reproduction or transmission of personal information.
  • The Congregation may refuse to communicate personal information in certain cases, particularly if it would harm a third party, an investigation, or legal proceedings.

Request for access

: When the Congregation holds personal information about another person, it will, at the request of the individual concerned, confirm the existence of that information and communicate it to the individual by providing a copy. At the request of the applicant, any computerized personal information shall be communicated in the form of a written and intelligible transcript. Unless this raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred from personal information concerning him or her, shall, at his or her request, be communicated in a structured and commonly used technological format. Such information shall also be communicated, at his request, to any person or body authorized by law to collect such information. Where the applicant is a person with a disability, reasonable accommodation measures shall be taken, upon request, to enable him to exercise the right of access provided for in this section.

Request for correction

: In addition to the rights provided for in the first paragraph of section 40 of theCivil Code of Québec, any individual may, if the personal information concerning him or her is inaccurate, incomplete, or ambiguous, or if its collection, communication, or retention is not authorized by law, require the Congregation to correct it.

Information held for the Congregation

: Applicable privacy laws allow a person who holds personal information on behalf of the Congregation, when presented with a request for access or rectification by an individual concerned, to forward the request to the Congregation. This is not intended to limit the right of access or correction of a data subject with a personal information agent.

Information held by the Congregation for an individual

: Applicable privacy laws allow the Congregation, when it holds personal information on behalf of an individual who operates a business and receives a request for access or correction from an individual concerned, to forward the request to that individual who operates the business. This is not intended to limit the right of access or correction of an individual concerned to a personal information officer.

Request to cease dissemination or indexing

: The individual concerned by personal information may require the Congregation to cease disseminating that information or to de-index any hyperlink attached to their name that allows access to that information by technological means, when the dissemination of that information contravenes the law or a court order. They may do the same, or require that the hyperlink providing access to this information be reindexed, when the following conditions are met:

  1. the dissemination of this information causes him serious harm in relation to his right to respect for his reputation or privacy;
  2. the harm clearly outweighs the public interest in knowing the information or the interest of any person in expressing themselves freely;
  3. the cessation of dissemination, reindexing, or deindexing requested does not exceed what is necessary to prevent the perpetuation of the harm.

When granting the request, the Delegate shall certify in his or her written response that the dissemination of the personal information has been discontinued or that the hyperlink has been deindexed or reindexed.

Exercise of rights

: When the Congregation holds personal information about others, it takes the necessary measures to ensure that the individuals concerned can exercise their rights under sections 37 to 40 of theCivil Code of Québec and their rights under applicable privacy laws. In particular, the Congregation informs the public of the location where this personal information is accessible and the means of accessing it.

Admissibility of a request

: A request, particularly for access or rectification, will only be considered if it is addressed to the Delegate, made in writing (except in cases where applicable privacy laws require that it may also be made verbally) by a person who can prove their identity as the individual concerned, as a representative, heir, successor of that individual, as the liquidator of the estate, as the beneficiary of life insurance or death benefits, as the holder of parental authority even if the minor child has died, or as the spouse or close relative of a deceased person in cases of bereavement covered by section 40.1 of theAct respecting the protection of personal information in the private sector (CQLR c P-39.1).

Assistance with a request

: When the request is not sufficiently specific or when an individual so requests, the Delegate provides assistance in identifying the information sought. This does not restrict the communication to an individual of personal information concerning him or her or its correction resulting from the provision of a service to be rendered to him or her.

Response to a request

: The Delegate responds in writing to the request for access or correction, diligently and no later than 30 days after the date of receipt of the request. If no response is provided within 30 days of receipt of the request, the Delegate is deemed to have refused to comply.

Free access and reasonable fees

: Access to personal information is free of charge. However, reasonable fees may be charged to the requester for the transcription, reproduction, or transmission of such information. When the Congregation intends to charge fees, it shall inform the requester of the approximate amount payable before proceeding with the transcription, reproduction, or transmission of such information.

Acceptance of a request

: When the Delegate grants a request for correction, in addition to the obligations set out in the second paragraph of section 40 of theCivil Code of Québec, he or she shall issue, free of charge, to the individual concerned who made the request, a copy of any personal information that has been modified or added or, as the case may be, a certificate of the deletion of such information.

Refusal of a request

: The Delegate shall give reasons for any refusal to grant a request and indicate the provision of the law on which the refusal is based, the remedies available to the applicant under the law, and the time limit within which they may be exercised. He or she shall also assist the applicant who so requests in understanding the refusal. If the Congregation holds information that is the subject of a request for access or correction to which it does not agree, it shall retain it for the time necessary to allow the individual concerned to exhaust the remedies provided by law.

Refusal in the event of an investigation or legal proceedings

: Applicable privacy laws allow the Congregation to refuse to communicate personal information about an individual to that individual when communication of the information would likely:

  1. to interfere with an investigation conducted by its internal security service for the purpose of preventing, detecting, or prosecuting crime or violations of the law, or on its behalf by an external service with the same purpose or a holder of a security agency or investigation agency license issued in accordance with the Private Security Act (chapter S-3.5);
  2. affecting legal proceedings in which any of these persons has an interest.

Refusal in the event of communication harmful to a third party

: The Congregation shall refuse to communicate to an individual personal information concerning him or her where communication would be likely to reveal personal information about a third party or the existence of such information and where such communication would be likely to cause serious harm to the third party, unless the third party consents to the communication or it is an emergency that endangers the life, health, or safety of the individual concerned.

Refusal concerning a liquidator, beneficiary, heir, or successor

: Subject to the cases referred to in section 40.1 of theAct respecting the protection of personal information in the private sector (relating to assistance in the grieving process), the Congregation must refuse to communicate personal information to the liquidator of the estate, the beneficiary of a life insurance policy or death benefit, or the heir or successor of the individual concerned by this information, unless the information affects communicationthe interests or rights of the person requesting it as liquidator, beneficiary, heir, or successor.

10. COMPLAINTS

Summary:

  • To file a complaint with the Congregation regarding the protection of personal information, the individual concerned is asked to read the Congregation’s Confidentiality policy and check the applicable legislation.
  • The complaint must be made in writing, specify the facts, be accompanied by supporting documents, and be addressed to the Delegate.
  • While the complaint is being processed, the individual concerned is asked to give the Congregation the opportunity to respond before contacting the public authorities.
  • If the complaint is not satisfactorily resolved, depending on the case, it is possible to request a review of the disagreement by the Commission d’accès à l’information du Québec (Quebec Access to Information Commission) or to file a complaint with the Privacy Commissioner of Canada.

Complaint to the Congregation

: Here is an overview of the Congregation’s process for handling complaints related to the protection of personal information.

Before filing a complaint

:

  • Read the Congregation’s Confidentiality policy: Read the Congregation’s Confidentiality policy, which can be accessed at the following URL:
    https://www.franciscanfriars.ca/confidentiality-policy
  • Verify the applicable law: Identify and familiarize yourself with the applicable law or laws among the various privacy laws, as well as the rights and remedies available to the individuals concerned.

When filing the complaint

:

  • Substantive and formal requirements: All complaints must clearly detail the facts and circumstances giving rise to the complaint, be made in writing by a person who can prove their identity as the individual concerned or other interested party, and be addressed and sent to the Congregation’s designated representative using their contact details.
  • Attach the necessary documents: Include all relevant supporting documents in support of the complaint.

During the processing of the complaint

:

  • Give the Congregation the opportunity to respond: Before contacting public authorities with the power to review, audit, investigate, or issue orders regarding a company’s practices in relation to the protection of personal information that is the subject of a complaint against a company, they generally recommend giving the company concerned the opportunity to review and respond to the complaint, in order to try to resolve the issue directly with the company first.
  • Follow-up on the complaint: If a complaint is not handled according to the process and time frames indicated, it is possible to contact the Delegate for the Congregation to request an update on the status of the complaint.

After the complaint has been processed, if the outcome is unsatisfactory

  • Request for review of disagreement: Any interested person may submit a request to the Commission d’accès à l’information du Québec for a review of a disagreement relating to the application of a legislative provision concerning access to or rectification of personal information in the Act respecting the protection of personal information in the private sector (CQLR c P-39.1) or the application of section 28.1 of that Act, which deals with the cessation of dissemination or indexing of personal information.
  • Complaint to the Privacy Commissioner of Canada: Any interested person may file a complaint with the Privacy Commissioner of Canada against an organization that contravenes any provision of Division 1 or 1.1 of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), or that fails to implement a recommendation set out in Schedule 1 of that Act.
close-enCLOSE
Main Menu
Main Menu

Confidentiality Policy

Introduction

As a religious congregation that collects personal information through technological means in Quebec, the Corporation des Syndics Apostoliques des Frères Mineurs ou Franciscains, the Corporation des Syndics Apostoliques des Frères Mineurs ou Franciscains de la Province Saint-Joseph du Canada and L’Oeuvre Franciscaine – Les Franciscains (collectively hereinafter the “Congregation,” also known as the “Franciscans of Canada”) must publish on its website a confidentiality policy that is written in simple and clear terms.

This confidentiality policy is part of a set of policies and practices governing the Congregation’s handling of personal information, detailed information about which is also published on its website.

Overview

The following are the main questions that this confidentiality policy answers, in relation to the following elements:

  1. Organization
    • Who is accountable for the personal information collected?
  2. Categories
    • What personal information is collected and according to what criteria?
  3. Consent, refusal, and withdrawal
    • What forms of consent are required for the use and communication of the personal information collected?
    • What should you do and what are the consequences if you refuse to provide personal information or the means to provide it?
    • How can you withdraw your consent to the use or communication of the personal information collected?
  4. Purposes
    • For what purposes is personal information collected?
  5. Means
    • By what means is personal information collected?
    • How are you informed in advance of the use of cookies, including, where applicable, functions that allow you to be identified, recognized, located, or profiled, and the means to activate these functions?
  6. Communication
    • To which categories of third parties may it be necessary to communicate personal information collected for the specified purposes?
    • Can personal information be communicated outside Quebec?
  7. Protection and security
    • What measures are taken to ensure the confidentiality and security of personal information?
  8. Access and correction
    • What are your rights of access and rectification with respect to the personal information collected about you, and how can you exercise them?
  9. Questions, requests, and complaints
    • Who can you contact with any questions or requests regarding this confidentiality policy or any complaints regarding the protection of personal information under the responsibility of the Congregation?
  10. Effective date and amendments
    • When did this confidentiality policy come into effect and when was it last amended?

1. PERSONAL INFORMATION UNDER THE CONGREGATION’S CONTROL

When the Congregation decides to collect personal information and establishes the purposes for which it is collected, used, or communicated (whether it collects, uses, or communicates it itself or has an agent or service provider do so on its behalf), that personal information is under the control of the Congregation.

If the Congregation acts as an agent and the communication of personal information to the Congregation is necessary for the performance of the mandate, such personal information is instead under the control of the principal.

2. COLLECTED PERSONAL INFORMATION

Collection for specified purposes: Privacy laws allow the Congregation to collect, for a serious and legitimate interest, personal information about another person that is relevant to the stated purpose of the file, provided that the purposes of the collection are determined before the collection takes place.

Thus, in the context of your relationship with the Congregation or when you use a digital platform, an application service, or any other virtual space controlled by the Congregation (website), you may be asked to provide certain personal information about yourself.

Categories of information from members, employees, or the public: Provided that it is necessary for the purposes determined prior to collection, the Congregation may collect personal information from its members, employees, or the public, including the following categories:

CATEGORIES OF INFORMATION EXAMPLES
Identification : Full name, date of birth, sex at birth, portrait photo, government identification codes, family relationships, genealogy, height, weight, physical characteristics, etc.
Personal contact information: Email address, residential or mailing address, telephone numbers, emergency contacts, residential history, etc.
Religious information: Date of sacraments and ordination, role and activities within the Congregation, missionary projects, missions, pilgrimages, retreats, conferences, etc.
Education: Degrees, institutions attended, fields of study, years of schooling, academic results, training, certificates, certifications, etc.
Financial situation: Salary and other sources of income, credit history, bank details, billing and payment information, etc.
Behavior: Participation in events and other activities, social media and website posts, etc.
Personal preferences: Preferences regarding communication methods, charitable giving, donations made, donation tax receipts, pledges, newsletters, etc.
Technical information: IP address, browser type and version, operating system, screen resolution, information about the device used, etc.
Web audience measurement: Connection dates and times, pages visited, actions taken on a website or other interactions with online content, etc.
Demographics: Age, ethnicity, nationality, language(s), membership in an identifiable group, etc.
Sensitive information: Information that gives rise to a high degree of reasonable expectation of privacy, particularly because of its medical, biometric, or otherwise intimate, or due to the context of its use or communication, including criminal and/or disciplinary records, police reports, etc.

Limitation: The Congregation will only collect your personal information that is necessary for its legitimate and specified purposes for which it is collected, and will not use or communicate this personal information for any other purpose, unless you give your additional consent or the Congregation is authorized or required to do so by applicable law.

Exceptions:You should be aware that personal information which by law is public or concerning the performance of duties within an enterprise by an individual, as well as the collection, retention, use, or disclosure of journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public, is excluded from the application of laws protecting privacy or certain parts of laws protecting privacy.

3. CONSENT, REFUSAL, AND WITHDRAWAL

Consent by operation of law: Generally, privacy laws ensure that when you provide the Congregation with personal information about yourself, you consent to its use and communication to third parties for the purposes for which the information is collected, provided that you are informed at the time of collection (and subsequently upon request) of certain matters, including: (1) the purposes in question, (2) the means by which the information is collected, (3) the rights of access and correction provided for by law, (4) your right to withdraw your consent to the communication or use of the information collected; (5) the name of the third party for whom the information is being collected, if applicable, and (6) the possibility that the information may be communicated outside Quebec.

Consent for other purposes: When personal information is to be used within the Congregation for purposes other than those for which it was collected, additional consent from you as the individual concerned is generally required. When sensitive personal information is involved (information that gives rise to a high degree of reasonable expectation of privacy), this consent must be expressly given.

Refusal: If you refuse to provide personal information or to have it collected by a particular means, or to have it used or communicated for a purpose mentioned at the time of collection, please notify our person in charge of the protection of personal information. Of course, the Congregation can only comply with certain requests if you provide the personal information required to process those requests. As a result, the Congregation may be unable to respond to a request you make or carry out a mandate you entrust to it if you refuse to provide this information.

Withdrawal of consent: You may withdraw your consent to the use or communication of personal information collected about you, subject to restrictions provided for by law or contract and reasonable notice. If you wish to withdraw your consent, please notify our person in charge of the protection of personal information.

4. PURPOSES OF COLLECTION

We collect personal information for the purposes listed below.

  • The purposes for collecting information from its members generally relate to establishing and maintaining a record of the member’s commitment and status within the Congregation and their history prior to joining the Congregation.
  • The purposes for collecting information from employees generally relate to the hiring, evaluation, and compensation of employees and the management of the employment relationship between employees and the Congregation.
  • The purposes for collecting information from the public generally relate to communications between the Congregation and individuals in the public, prayer intentions, donations, and the interest or participation of individuals in activities or projects related to the Congregation.

More generally, the Congregation collects personal information for the following purposes:

  • Administration, audits, and enforcement:
    • administering the Congregation’s business;
    • opening and maintaining files and processing requests;
    • soliciting and evaluating applications for job openings, including verifying references, credentials, and background checks;
    • managing billing and processing payments.
  • Communication and publication:
    • communicate with our members, staff, suppliers, relevant members of the public, or stakeholders;
    • responding to questions addressed to us;
    • distributing or transmitting notices, announcements, publications, invitations, correspondence, and other mail.
  • Compliance and prevention:
    • complying with our legal and regulatory obligations;
    • prevent and detect fraud-related risks.
  • Quality control and improvements:
    • improve our website, including through web analytics;
    • processing and resolving reservations, dissatisfaction, and complaints.
  • Protection, security, and defense:
    • protecting your rights;
    • protecting the property or security of the Congregation or ensuring its defense.
  • Internal management and profiling:
    • acquiring, developing, redesigning, or managing our own information systems;
    • managing knowledge and expertise among staff;
    • use and communicate your information for the purposes and to the third parties or categories of third parties identified prior to the use of technology that includes features that identify you, locate you, or profile you, in accordance with your privacy settings applicable to that technology (e.g., a widget that manages cookies).
    • enforce the terms of use of the website.
  • Purposes determined at a later date:
    • any other purposes to which you have consented, either expressly, implicitly, or by operation of law.

In addition, privacy laws generally allow the Congregation, without your consent, to use personal information for purposes other than those for which it was collected, particularly when its use is:

  • for purposes consistent with those for which it was collected;
  • clearly to your benefit;
  • necessary for the prevention and detection of fraud or the evaluation and improvement of security and safety measures; or
  • necessary for study, research, or statistical purposes, and the personal information is de-identified.

5. METHODS OF COLLECTION

Personal information relevant to the Congregation will be collected by various technological or other means, such as forms, conversations (by telephone or in person), correspondence, or any other means of communication through which you contact us. More specifically, personal information may be collected by the following means, among others:

  • Voicemail
  • Chat
  • Email
  • Documents (on paper or other media), including technological documents
  • Video and/or audio recording
  • Electronic form
  • Online books and registers
  • Social media messaging
  • Electronic notifications
  • Portals
  • Authentication service
  • Electronic signatures
  • Cloud file storage
  • Fax
  • Cookies and other technologies that include features that identify, recognize, or locate you, or that profile you
  • Text messages

Cookies: Certain personal information may be collected using technology that includes features that identify, locate, or profile visitors to the Congregation’s website, including cookies (commonly known ascookies). Before such technology is used in relation to you, the Congregation will inform you, via a widget or other appropriate means, of the use of this technology and the means available to activate the functions that identify, locate, or profile a visitor. (A cookie is a piece of information that, when visiting a website or using a mobile application, is transmitted between a server and a web browser or device.)

6. COMMUNICATION OF PERSONAL INFORMATION

Limitation on communication: In principle, no one may communicate to a third party the personal information they hold about you, unless you consent to it or the applicable privacy laws provide for it.

Categories of recipients: If necessary, the Congregation may, without your consent, communicate personal information to certain third parties, including those belonging to any of the categories of persons listed below, to the extent that such communication is necessary, in the performance of their duties, to achieve the purposes for which they received the information:

  • service providers and/or agents, including an organization or individual if such communication is necessary for the performance of a mandate or the execution of a service or business contract that the Congregation entrusts in writing to that organization or individual (e.g., our service providers for hosting our website, cloud storage of files, or outsourcing of data processing), indicating in the mandate or contract the measures that the agent or contractor must take to ensure the protection of the confidentiality of the personal information communicated, so that this information is used only in the exercise of their mandate or the performance of their contract and so that they do not retain it after its expiration;
  • government authorities and law enforcement agencies, when required by applicable laws. For greater clarity, we may communicate personal information and other information if we are required to do so by law, if we believe in good faith that such communication is necessary to comply with applicable laws, in response to a court order, subpoena, government search warrant, or otherwise to such government authorities and law enforcement agencies;
  • the Congregation’s insurers;
  • spouse or close relative of a deceased person, if knowledge of this information is likely to assist the requester in the grieving process and the deceased individual has not documented in writing their refusal to grant this right of access; and
  • any other entity or person, when the law allows or requires us to communicate personal information without your consent.

Communication outside Quebec: Your personal information may be communicated outside Quebec, where legal regimes applicable to the protection of personal information differ from those in Quebec. Such communication outside Quebec is possible, in particular, when the Congregation entrusts a person or organization outside Quebec with the task of collecting, using, disclosing, or retaining such personal information on its behalf. However, before disclosing personal information outside Quebec, the Congregation conducts a privacy impact assessment to ensure that it will be adequately protected. Nevertheless, pursuant to a legal order issued in Quebec or outside Quebec, your personal information may be made available to government authorities or law enforcement agencies in that jurisdiction, since no contract or other means can override the laws of a government administration, whether domestic or foreign.

Communication to the Congregation: Generally, privacy laws do not allow a person who operates a business to communicate personal information about you to third parties without your consent, except in certain circumstances (e.g., to their attorney, agent, or service provider under certain conditions, or to other categories of persons provided for by privacy laws applicable to the situation). If, as a business operator, you communicate personal information about an individual other than yourself to the Congregation (or its service providers and agents), you may only do so with the consent of the individual concerned or if the law allows you to do so without the consent of the individual concerned.

7. PROTECTION AND SECURITY MEASURES

Reasonable measures: The Congregation takes physical, organizational, and technical security measures to ensure the protection of personal information that is collected, used, communicated, retained, or destroyed, which are reasonable considering, in particular, the sensitivity of the information, the purpose for which it is used, the amount of information, the method of storage, its distribution, format, and medium.

Scope of measures: Security measures protect personal information against, among other things, loss or theft, as well as unauthorized access, communication, copying, use, or modification, and include reasonable measures to authenticate your identity as the individual to whom the information relates.

Description of measures: We implement, among other things, the measures briefly described below.

  • Physical measures
    • We restrict access to our offices to authorized persons and control this access through individualized access keys.
    • We lock filing cabinets when the sensitivity of the personal information they contain warrants it.
  • Organizational measures
    • Staff training and awareness: We ensure that Congregation staff who have access to your personal information undergo training to acquire and maintain vigilance and appropriate behavior with regard to privacy and the protection of personal information.
    • Minimization: We limit the personal information we collect to what is necessary to fulfill the predetermined purposes for which the information is collected.
    • Governance policies and practices: We have established and implemented policies and practices governing the Congregation’s governance with respect to personal information and ensuring the protection of such information.
  • Technical measures
    • Data encryption: We use encryption technologies for both data in transit and data at rest to render it unusable by anyone who does not have the necessary cryptographic key to decrypt it.
    • Firewalls: We implement firewall systems to filter data flows between our internal network and external networks.
    • Intrusion detection systems and tests: We monitor and block unauthorized access to our networks and information systems.
    • Regular backups: We perform regular data backups to enable recovery in the event of loss or damage.
    • Updates and patch management: We keep our software and systems up to date with the latest security patches to protect against known vulnerabilities.
    • Two-factor authentication: To verify and validate the identity of authorized users, we require a control process where they must regularly provide two elements from two separate authentication factors.

8. ACCESS AND CORRECTION

Right of access: When the Congregation holds personal information about you, it will, at your request, confirm its existence and provide you with access to that information by allowing you to obtain a copy. At your request, any computerized personal information will be provided in the form of a written and intelligible transcript. Unless this raises serious practical difficulties, computerized personal information collected from you, and not created or inferred from personal information about you, will be provided to you, at your request, in a structured and commonly used technological format. This information shall also be communicated, at your request, to any person or organization authorized by law to collect such information. Where the applicant is a person with a disability, reasonable accommodation measures shall be taken, upon request, to enable him or her to exercise the right of access provided for in this section.

Right of rectification: In addition to the rights provided for in the first paragraph of section 40 ofthe Civil Code of Québec, you may, if the personal information concerning you is inaccurate, incomplete, or ambiguous, or if its collection, communication, or retention is not authorized by law, require the Congregation to rectify it.

9. QUESTIONS, REQUESTS, AND COMPLAINTS

Handling of questions, requests, or complaints: Any questions or requests regarding this confidentiality policy or any complaints regarding the protection of personal information under the Congregation’s control may be submitted, in accordance with the established handling process, to the Congregation’s controller, to whom the role of person in charge of the protection of personal information has been delegated. His contact information is published in this section of the Congregation’s website, among the detailed information about the policies and practices governing the Congregation’s handling of personal information.

10. EFFECTIVE DATE AND AMENDMENTS

Effective date: This confidentiality policy is effective as of the date indicated below.

Amendments: Any amendments to this confidentiality policy will be subject to a notice of amendment published on the Congregation’s website and disseminated by any means appropriate to reach the individuals concerned.

Notice of change: Unless circumstances warrant a shorter period, any change shall take effect only after a period of 15 days from the date of publication of a notice to that effect. This notice shall indicate:

  1. the date of its publication;
  2. the general purpose of the changes to the confidentiality policy, which may be specified in the section devoted to the confidentiality policy on the Congregation’s website;
  3. the date on which the changes take effect;
  4. the reasons why the policy must be amended within this shorter period if the notice mentions a period shorter than 15 days.

Effective date of this version: October 10, 2025.

Previous version effective since November 22, 2021.

Governance of personal information

Introduction

As a religious congregation that holds personal information, the Corporation des Syndics Apostoliques des Frères Mineurs ou Franciscains, the Corporation des Syndics Apostoliques des Frères Mineurs ou Franciscains de la Province Saint-Joseph du Canada and L’Oeuvre Franciscaine – Les Franciscains (collectively hereinafter the “Congregation,” also known as the “Franciscans of Canada”) must establish and implement governance policies and practices regarding personal information it holds and ensuring its protection.

The information set out below is intended to meet the requirement that detailed information explaining, in simple and clear terms, its policies and practices in this regard be published on the Congregation’s website in a manner that makes them easily accessible.

Overview
 

1. RESPONSIBILITIES

Summary:

  • The Congregation is responsible for the information it collects, uses, or communicates, either directly or through agents or service providers.
  • The Congregation implements governance policies and practices to ensure the protection of personal information, including its retention, destruction, and the handling of complaints.
  • These policies, which are proportionate to the organization’s activities, are approved by the Information Protection Officer.
  • The Information Protection Officer approves policies, supervises the destruction of personal information, and is consulted in the event of confidentiality incidents, if necessary.
  • When undertaking new projects, the Congregation conducts a privacy impact assessment in collaboration with its Privacy Officer, taking into account the sensitivity and use of personal information.

Governance

: The Congregation establishes and implements policies and practices governing its governance of personal information and ensuring the protection of such information. These policies and practices include guidelines for the retention and destruction of such information, the roles and responsibilities of its staff throughout the life cycle of such information, and a process for handling complaints relating to the protection of such information. They are proportionate to the nature and scale of the Congregation’s activities and are approved by the individual who acts as the person in charge of the protection of personal information within the Congregation (the “Delegate“). Detailed information about these policies and practices is published in plain, clear language on the Congregation’s website.

Control

: This statement primarily concerns personal information under the control of the Congregation, which corresponds to the information that the Congregation decides to collect and for which the Congregation establishes the purposes for which it is collected, used, or communicated, whether the Congregation collects, uses, or communicates it itself or whether an agent or service provider does so on its behalf.

Roles

:

  • The Congregation: The Congregation is responsible for the protection of the personal information it holds.
  • Person with the highest authority: Within the Congregation, the person with the highest authority ensures compliance with and implementation of privacy laws applicable to the Congregation.
  • Delegate: The role and function of person in charge of the protection of personal information held by the Congregation has been delegated in writing, in its entirety, to the main Controller of the Congregation, whose title and contact information are:
    Controller
    Email:controleur@ofmca.com
    Address:6455 Louis-Riel Ave.
    Montreal, Quebec H1M 1P1
    Canada

    The responsibilities and duties of the Delegate include the following:

    • Approving policies and practices governing the management of personal information;
    • Consultation on privacy impact assessments for any project involving the acquisition, development, or redesign of an information system or electronic service delivery that involves the collection, use, communication, retention, or destruction of personal information;
    • Receiving and processing requests for access to or correction of personal information, cessation of dissemination of personal information, de-indexing of a hyperlink, and requests related to the right to portability of computerized personal information;
    • Supervision of the destruction of personal information held by the Congregation;
    • Managing requests for communication of personal information concerning a deceased person (if applicable);
    • Receiving and processing notices of breaches or attempted breaches of confidentiality obligations transmitted (if applicable) by the Congregation’s agents or service contract contractors;
    • Consultation on the assessment of risks of harm to individuals following a confidentiality incident (if applicable); and
    • Communicating with specialized supervisory authorities, such as the Commission d’accès à l’information (the “Commission”) and the Office of the Privacy Commissioner of Canada (the “OPC”) (if applicable).
  • Congregation employee or agent: In the organizational functioning of the Congregation, personal information is accessible, without the consent of the individual concerned, to any Congregation employee or agent who has a legitimate need to know it, provided that such information is necessary for the performance of their duties.

Assessment in the event of change

: The Congregation conducts a privacy impact assessment of any project involving the acquisition, development, redesign of an information system, or electronic delivery of services that involves the collection, use, communication, retention, or destruction of personal information. For the purposes of this assessment, the Congregation consults its Delegate at the outset of the project. The privacy impact assessment is proportionate to the sensitivity of the information concerned, the purpose for which it is used, its quantity, distribution, and medium. The Congregation also ensures that this project allows computerized personal information collected from the individual concerned to be communicated to them in a structured and commonly used technological format. The Delegate may, at any stage of such a project, suggest measures to protect personal information applicable to that project, such as:

  1. the appointment of a person responsible for implementing personal information protection measures;
  2. measures to protect personal information in any document relating to the project;
  3. a description of the responsibilities of project participants with regard to the protection of personal information;
  4. the provision of training on the protection of personal information for project participants.

2. CONFIDENTIALITY

Summary:

  • The Congregation publishes a clear and accessible confidentiality policy on its website.
  • When collecting personal information through technological products or services, privacy settings are configured by default to provide the highest level of protection. Sensitive personal information is defined as information that requires increased protection due to its nature or context, giving rise to a high degree of reasonable expectation of privacy.
  • The Congregation implements appropriate security measures to protect personal information based on its sensitivity and use. Individuals’ business contact information is not subject to the same privacy requirements.
  • When using de-identified information, the organization limits the risks of identification. The Congregation maintains a record of confidentiality incidents and, in the event of an incident, takes measures to reduce the risks of harm.
  • Incidents are assessed based on the sensitivity of the information and its potential consequences, and the organization informs the Commission d’accès à l’information, the Privacy Commissioner of Canada, and the individuals concerned, if necessary.

Confidentiality policy

: As an organization that collects personal information by technological means, the Congregation publishes a confidentiality policy on its website, written in clear and simple terms, and disseminates it by other means appropriate for reaching the individuals concerned. It does the same for any changes to this confidentiality policy. The Congregation’s confidentiality policy is incorporated by reference into this statement and is available at the following URL:

https://www.franciscanfriars.ca/confidentiality-policy

Privacy settings

: When collecting personal information by offering the public a technological product or service with privacy settings, the Congregation shall ensure that, by default, these settings provide the highest level of privacy, without any intervention by the individual concerned. As an exception, cookie settings are not covered.

Sensitivity of personal information

: In the policies and practices referred to in this statement, personal information is “sensitive” when, by its nature or in the context of its use or communication, it gives rise to a high degree of reasonable expectation of privacy.

Security measures

: The Congregation takes security measures to ensure the protection of personal information that is collected, used, communicated, retained, or destroyed, which are reasonable considering, among other things, the sensitivity of the information, the purpose for which it is used, the amount of information, its distribution, and its medium.

Business contact information

: The Congregation acts on the basis that applicable privacy laws allow for the exemption from their requirements regarding collection and confidentiality of information that allows contact—or facilitates contact—with an individual in the course of their employment, business, or profession, or that otherwise relates to the individual’s role within a business (such as their name, position, job title, work address, work phone or fax number, or work email address).

De-identified information

: When using de-identified information (i.e., information that no longer directly identifies the individual concerned), the Congregation takes reasonable measures to limit the risk of anyone identifying a natural person from that information.

Confidentiality incidents

  • Incident response: When the Congregation has reason to believe that a confidentiality incident involving personal information in its possession has occurred, it takes reasonable steps to minimize the risk of harm and prevent further incidents of the same nature from occurring.
  • Definition of incident: In the policies and practices referred to in this statement, “confidentiality incident” means:
    1. the use or communication of personal information not authorized by law, or access to personal information not authorized by law;
    2. the loss of personal information or any other breach of the protection of such information, including a “breach of security safeguards” referred to in section 10.1 of the Personal Information Protection and Electronic Documents Act (LC 2000, c 5) and its Breach of Security Safeguards Regulations (SOR/2018-64).
  • Incident log: The Congregation keeps a log of confidentiality incidents, the content of which is determined by government regulations, in particular the Regulation respecting confidentiality incidents (CQLR c A-2.1, r 3.1). Upon request by the Commission, a copy of this log is sent to it.
  • Incident assessment: When assessing the risk of harm to a person whose personal information is affected by a confidentiality incident, the Congregation considers, among other things, the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes. It also consults with its Delegate.
  • Notification of the Commissioner in the event of an incident: If the incident presents a risk of serious or grave harm, the Congregation shall promptly notify the Commission d’accès à l’information and/or, where applicable, the Privacy Commissioner of Canada. This notification contains the information prescribed, as applicable, by the Privacy Breach Notification Regulations (at the provincial level) and/or the Security Breach Notification Regulations (at the federal level).
  • Notice to the individual in the event of an incident: If the incident presents a risk of serious or grave harm, the Congregation also notifies any individual whose personal information is affected by the incident. (As an exception, an individual whose personal information is affected by the incident does not have to be notified if doing so would interfere with an investigation by a person or agency that is responsible under the law for preventing, detecting, or prosecuting crime or violations of the law.) The notice contains sufficient information to enable the individual to understand the significance of the incident to them and, if possible, to take steps to reduce the risk of harm that could result or to mitigate such harm. It also contains any other information prescribed by any regulation applicable to the situation.
  • Notice to other persons or organizations: If the incident presents a risk of serious or grave harm, the Congregation may also notify any person or organization that could reduce that risk, communicating only the personal information necessary for that purpose without the consent of the individual concerned. In the latter case, the Delegate shall record the communication.

3. CONSENT

Summary:

  • The fact that an individual provides personal information to the Congregation generally implies consent to its use and communication.
  • Any consent given must be clear, free, informed, and for specific purposes, after having been requested for each of these purposes, in simple and clear terms, and valid only for the time necessary for these purposes.
  • When consent is requested in writing, it is requested separately from other information, and assistance may be provided to understand its scope.
  • The Congregation collects personal information primarily from the individual, unless the individual consents to the collection from third parties or unless permitted by law.
  • Collection from a third party is also permitted if it is in the individual’s interest and cannot be done in a timely manner, or to verify the accuracy of the information.
  • If an individual refuses to provide personal information, the Congregation may refuse a request for goods or services, or an employment application, if the collection of such information is necessary for a contract, authorized by law, or justified on the grounds that the request is unlawful.

Consent to use and communication for purposes

: By operation of law, an individual who provides personal information under the paragraph “Information at the time of collection or upon request” in section 4 of this statement consents to its use and communication for the purposes indicated at the time of collection by the Congregation.

Characteristics of consent

: Consent must be express, free, informed, and given for specific purposes. It is requested for each of these purposes, in simple and clear terms, and is valid only for the time necessary to fulfill the purposes for which it was requested. When the request for consent is made in writing, it is presented separately from any other information communicated to the individual concerned. When requested, assistance is provided to help the individual understand the scope of the consent requested.

Commercial electronic messages

: The Congregation refrains from sending a commercial electronic message to an email address, having it sent there, or allowing it to be sent there, unless the person to whom the message is sent has expressly or tacitly consented to receive it and the message complies with regulatory requirements regarding its form and includes (1) the regulatory information identifying the person who sent it and, where applicable, the person on whose behalf it was sent, (2) information enabling the person who received it to easily communicate with either of these persons, and (3) a description of an opt-out mechanism in accordance with the laws governing such mailings.

Collection from third parties

: When the Congregation collects personal information about others, it does so in principle from the individual concerned, unless that individual consents to the collection from third parties. However, the Congregation may, without the consent of the individual concerned, collect such information from a third party if permitted by law. It may do so if it has a serious and legitimate interest and if one of the following conditions is met:

  1. the information is collected in the interest of the individual concerned and cannot be collected from that individual in a timely manner;
  2. collection from a third party is necessary to ensure the accuracy of the information.

Refusal

: In any of the following circumstances, the Congregation may refuse to comply with a request for goods or services or a request relating to employment because the individual making the request refuses to provide personal information:

  1. the collection is necessary for the conclusion or performance of the contract (bearing in mind that, in case of doubt, personal information is deemed unnecessary);
  2. the collection is authorized by law;
  3. there are reasonable grounds to believe that such a request is not lawful.

4. TRANSPARENCY

Summary:

  • When collecting personal information, the Congregation informs individuals of the purposes and means of collection, as well as their rights of access, rectification, and withdrawal of consent.
  • If the information is intended for a third party or transferred outside Quebec, individuals are also informed.
  • The information is provided in simple and clear terms, and additional details may be provided upon request, including the retention period and the person responsible.
  • When technology enabling identification, location, or profiling is used, the Congregation informs individuals in advance.
  • In the case of automated decisions, the individuals concerned are informed and may request explanations or a review.

Information at the time of collection or upon request

: When the Congregation collects personal information from the individual concerned, at the time of collection and subsequently upon request, it informs them:

  1. the purposes for which the information is being collected;
  2. the means by which the information is collected;
  3. the rights of access and rectification provided for by law;
  4. the individual’s right to withdraw consent to the communication or use of the information collected.

Where applicable, the individual concerned shall be informed of the name of the third party for whom the information is being collected, the names of the third parties or categories of third parties to whom it is necessary to communicate the information for the purposes referred to in paragraph 1 of the preceding subsection, and the possibility that the information may be communicated outside Québec.

The information that the Congregation provides to the individual concerned at the time of collection is included in “just-in-time” notices or otherwise in the Congregation’s Confidentiality policy, which is discussed in the section entitled “Confidentiality policy.”

Upon request, the individual concerned is also informed of the personal information collected from him or her, the categories of persons who have access to this information within the Congregation, the length of time this information will be retained, and the contact details of the person responsible for the protection of personal information.

The information is provided to the individual concerned in plain and clear language, regardless of the means used to collect the personal information.

Identification, location, or profiling technologies

: When the Congregation collects personal information from individuals using technology that includes functions to identify, locate, or profile them, it informs them in advance:

  1. of the use of such technology;
  2. the means available to activate functions that identify, locate, or “profile” an individual, i.e., collecting and using personal information to evaluate certain characteristics of a natural person, including for the purposes of analyzing that person’s work performance, economic situation, health, personal preferences, interests, or behavior.

Information about sources

: If the Congregation collects personal information under its control from another person who operates a business or a public body, it will inform the individual concerned, at their request, of the source of that information. (This does not apply to an investigation file created for the purpose of preventing, detecting, or prosecuting a crime or offense.)

Decision by automated processing

: If the Congregation uses personal information to make a decision based solely on automated processing of that information, it will inform the individual concerned no later than when it informs them of the decision. The Congregation shall give the individual concerned an opportunity to present his or her observations to a member of the Congregation’s staff who is in a position to review the decision. At the request of the individual concerned, the Congregation shall also inform him or her:

  1. the personal information used to make the decision;
  2. the reasons, as well as the main factors and parameters, that led to the decision; and
  3. their right to have the personal information used to make the decision corrected.

5. LIMITATIONS

Summary:

  • The Congregation determines the purposes for which personal information is collected before collecting it, ensuring that only necessary information is collected and by lawful means.
  • This personal information is used only for the predetermined purposes, unless additional consent is obtained for a new purpose or certain exceptions apply, such as a purpose that is compatible with a predetermined purpose, the prevention of fraud, or the provision of a requested service.
  • The Congregation identifies itself to the individual concerned and informs them of their right to withdraw their consent for any use for commercial or philanthropic prospecting purposes.

Determination of purposes

: When the Congregation collects personal information about others for serious and legitimate reasons, it determines the purposes of such collection before the information is collected.

Limiting collection to specified purposes

: When collecting personal information about others, the Congregation collects only the information necessary for the purposes identified before collection. This information is collected by lawful means.

Limiting use, with or without consent

: Personal information is used within the Congregation, in principle, only for the purposes for which it was collected. Use for a new purpose generally requires consent, which must be expressly given in the case of sensitive personal information. However, applicable privacy laws generally allow personal information to be used for another purpose without the consent of the individual concerned in the following cases:

  1. when its use is for purposes consistent with those for which it was collected;
  2. when its use is clearly for the benefit of the individual concerned;
  3. when its use is necessary for the purposes of preventing and detecting fraud or evaluating and improving protection and security measures;
  4. when its use is necessary for the purpose of supplying or delivering a product or providing a service requested by the individual concerned;
  5. when its use is necessary for the purposes of study, research, or the production of statistics, and it is depersonalized.

Use for compatible purposes

: For a purpose to be compatible within the meaning of point 1 in the previous paragraph, there must be a relevant and direct link to the purposes for which the information was collected. However, commercial or philanthropic prospecting is not considered a compatible purpose.

Commercial or philanthropic solicitation purposes

: In accordance with the laws governing the sending of commercial electronic messages and subject to exceptions, particularly with regard to business contact information in applicable privacy laws, if the Congregation uses personal information for commercial or philanthropic prospecting purposes, it identifies itself to the individual to whom it is addressing and informs them of their right to withdraw their consent to the use of their personal information for these purposes. When the individual concerned withdraws their consent to such use of their personal information, it ceases to be used in this manner.

6. RETENTION AND DESTRUCTION OR ANONYMIZATION

Summary:

  • The Congregation retains personal information only for as long as necessary to fulfill the purposes for which it was collected or to comply with the law.
  • The length of time varies depending on the type of data, generally ranging from 3 to 10 years, with a minimum retention period of one year after a decision concerning the individual.
  • Once the retention period has expired, the information is securely destroyed in accordance with documented procedures.
  • The Congregation may anonymize personal information after use, following recognized practices to prevent re-identification.

Retention guidelines and procedures

: Personal information for which applicable privacy laws impose processing or confidentiality obligations is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with applicable laws and regulations. The minimum and maximum retention periods for personal information vary depending on the categories of personal information and the applicable legislative and regulatory requirements. Subject to exceptions and the fact that personal information used to make a decision about an individual concerned is retained for at least one year after the decision, the retention periods are as follows for personal information that is part of the following, unless otherwise required by law or regulation:

  • 3 years for:
    • personal information relating to a specific year that appears in any record system or register kept by the Congregation under the Act respecting Labor Standards and not subject to longer mandatory retention periods; and
    • personal information that may be required or used as evidence of a legal act or fact in an action to assert a personal right or a right in rem.
  • 6 years for:
    • records of information used to determine any amount that must be deducted, withheld, collected, or paid under a tax law;
    • records and accounting books determining contributions payable under the Employment Insurance Act, as well as accounts and supporting documents necessary for their control, following the end of the year for which the documents in question were kept;
    • information used to evaluate and complete any pay equity program; and
    • supporting documentation for eligible or approved training expenses.
  • 10 years for:
    • personal information that may be required or used as evidence of a legal act or fact in an action to assert a right where the limitation period is 10 years (e.g., a real property right, a right resulting from a judgment, a statute of limitations or extinctive prescription not otherwise set by law, , etc.).
  • More than 10 years for:
    • personal information that may be required or used as evidence of a legal act or fact in proceedings based on grounds that are not subject to a limitation period.

As also indicated in the “Transparency” section above, an individual concerned is informed, upon request, of the retention period for personal information collected from him or her.

Destruction guidelines and procedures

: Once the retention period for personal information has expired, the Congregation will destroy it in a secure and permanent manner, in accordance with its established procedures. The destruction of personal information will be documented and recorded to ensure traceability and accountability. The heads of the relevant departments or divisions of the Congregation will periodically identify personal information whose retention period has expired and which must be destroyed. Personal information will be destroyed in an appropriate manner, depending on the format in which it is stored; for paper documents: shredding, grinding, or incineration; for digital media: secure erasure. The destruction of personal information will be supervised by the Delegate, who will ensure that the appropriate procedures are followed and documented. This documentation will include the date of destruction, the method used, the types of personal information destroyed, and the name of the person responsible for the destruction.

Anonymization

: Once the purposes for which personal information was collected or used have been fulfilled, the Congregation may anonymize it if it wishes to use it for serious and legitimate purposes, subject to any retention period provided for by law. (In the policies and practices referred to in this statement, information about an individual is anonymized when it is reasonable to expect, in the circumstances, that it will no longer be possible to directly or indirectly identify that individual. Information is anonymized in accordance with generally accepted best practices and the criteria and procedures set out in the regulations.) More specifically:

  • Before beginning an anonymization process, the Congregation establishes the purposes for which it intends to use the anonymized information. It ensures that these purposes comply with the requirements of applicable privacy laws.
  • At the beginning of an anonymization process, the Congregation removes all personal information that directly identifies the individual concerned from the information it intends to anonymize. It then conducts a preliminary analysis of the risks of re-identification, considering in particular the criteria of individualization, correlation, and inference, as well as the risks that other reasonably available information, particularly in the public domain, could be used to directly or indirectly identify an individual.
  • Based on the re-identification risks identified, the Congregation establishes the anonymization techniques to be used, which are in line with generally accepted best practices. It also establishes reasonable protection and security measures to reduce the risks of re-identification.
  • After implementing the established anonymization techniques for the anonymization process and the protection and security measures, the Congregation conducts a re-identification risk analysis. The results of the analysis must demonstrate that it is reasonable to expect, at all times and under the circumstances, that the information produced as a result of an anonymization process no longer allows, irreversibly, for the direct or indirect identification of an individual. (It is not necessary to demonstrate zero risk; however, taking into account the elements prescribed by the regulations, the results of the analysis must demonstrate that the residual risks of re-identification are very low.)
  • The Congregation periodically evaluates the information it has anonymized to ensure that it remains so. To do so, it updates the latest re-identification risk analysis it has performed, taking into account, in particular, technological advances that may contribute to re-identifying an individual. (The results of the updated analysis must comply with the criteria established previously; otherwise, the information is no longer considered anonymized.) The frequency of this assessment is determined based on the residual risks identified in the latest re-identification risk analysis and other factors prescribed by regulations.
  • When anonymizing personal information, the Congregation shall record the following information in a register:
    • a description of the anonymized personal information;
    • the purposes for which it intends to use this anonymized information;
    • the anonymization techniques used and the protection and security measures established;
    • the date of the re-identification risk analysis;
    • and, where applicable, the date on which this analysis was updated.

7. ACCURACY

Accuracy for decisions

: The Congregation ensures that the personal information it holds about others is up to date and accurate at the time it is used to make a decision about the individual concerned. The information used to make such a decision is retained for at least one year after the decision.

Non-routine updates

: The Congregation refrains from routinely updating the personal information it holds unless it is necessary to achieve the purposes for which it was collected.

8. COMMUNICATION

Summary:

  • The Congregation respects professional secrecy and the confidentiality of personal information.
  • It communicates personal information to third parties only with the consent of the individual concerned or if permitted or required by law.
  • Before transmitting information outside Quebec, the Congregation assesses privacy factors and establishes written agreements to ensure adequate protection.
  • Without consent, personal information may be communicated in specific situations such as to an archival service, to an agent or service provider for processing, for commercial transactions preceded by an agreement, or to prevent danger.
  • The Congregation may also communicate personal information for study, research, or statistical purposes, on an exceptional basis and in accordance with the conditions provided for by law.

The information in this section is subject to professional secrecy and confidentiality obligations, whether ethical, contractual, or otherwise.

Communication to third parties

: The Congregation does not communicate any personal information it holds about others to third parties, unless permitted or required by applicable privacy laws or unless the individual concerned consents to such communication by operation of law or otherwise. In such cases, consent must be expressly given when sensitive personal information is involved.

Communication by a third party

: Consent to the communication of personal information by a third party may be given by the individual concerned to the Congregation, which may then collect it from that third party.

Communication outside Quebec

: Before disclosing personal information outside Quebec for which no exception exists under applicable privacy laws, the Congregation conducts a privacy impact assessment. It takes into account the following factors, among others:

  1. the sensitivity of the information;
  2. the purpose for which it will be used;
  3. the protective measures, including contractual measures, that would apply to the information;
  4. the legal regime applicable in the State where the information would be communicated, in particular the principles of personal information protection applicable there.

The applicable privacy laws allow communication if the assessment shows that the information would be adequately protected, in particular with regard to generally recognized principles of personal information protection. Where applicable, such communications shall be the subject of a written agreement that takes into account, in particular, the results of the assessment and, where applicable, the terms and conditions agreed upon to mitigate the risks identified in the assessment. The same applies when the Congregation entrusts a person or organization outside Quebec with the task of collecting, using, disclosing, or retaining such information on its behalf.

Communication without consent

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information it holds about others to certain persons or categories of persons, including (1) those listed in section 18 of theAct respecting the protection of personal information in the private sector (CQLR c P-39.1) (some of which have the power to communicate if they themselves, to the extent that such communication is necessary in the performance of their duties for the purposes for which they received the information), or (2) in the cases referred to in paragraphs (3)(a) to (h.1) of the Personal Information Protection and Electronic Documents Act (LC 2000, c 5), where applicable. The Congregation records any communication made under the provisions required by applicable privacy laws.

Communication to an agent or service provider

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information to any person or organization if such communication is necessary for the performance of a mandate or the execution of a service or business contract that it entrusts to that person or organization. In this case, the Congregation:

  1. entrusts the mandate or contract in writing;
  2. specifies in the mandate or contract the measures that the agent or contractor must take to ensure the protection of the confidentiality of the personal information communicated, so that the information is used only in the exercise of the mandate or the performance of the contract and is not retained after its expiry.

A person or organization that exercises such a mandate or performs such a service or business contract is required to notify the Delegate without delay of any violation or attempted violation by any person of any of the obligations relating to the confidentiality of the information communicated and must also allow the Delegate to carry out any verification relating to such confidentiality.

Communication of information about professionals, authorized by the Commission

: The Congregation recognizes that applicable privacy laws allow the Commission d’accès à l’information, upon written request and after consulting with the relevant professional orders, to grant a person authorization (which may be revoked or suspended by the Commission in certain specific circumstances) to receive personal information about professionals relating to their professional activities, without the consent of the professionals concerned, if it has reasonable grounds to believe that:

  1. the communication preserves professional secrecy, in particular by not allowing the identification of the person to whom the professional service is provided, and does not otherwise infringe on the privacy of the professionals concerned;
  2. the professionals concerned will be notified periodically of the intended uses and purposes and will have a reasonable opportunity to refuse to allow the information to be retained or used for the intended uses or purposes;
  3. security measures ensure the confidentiality of personal information.

Communication to an archival service

: Applicable privacy laws allow the Congregation, without the consent of the individual concerned, to communicate personal information contained in a file it holds on another person to an archival service, if that archive service is provided by a service provider whose purpose is to acquire, preserve, and disseminate documents for their general informational value and if that information is communicated in connection with a transfer or deposit of the Congregation’s archives.

Communication for commercial transactions

: When the communication of personal information is necessary for the purposes of entering into a “commercial transaction” (i.e., the sale or lease of all or part of a business or its assets, a change in its legal structure through merger or otherwise, the obtaining of a loan or any other form of financing by the Congregation or a security taken to guarantee one of its obligations) to which the Congregation intends to be a party, the applicable privacy laws authorize it to communicate such information, without the consent of the individual concerned, to the other party to the transaction. Where applicable, an agreement shall be entered into in advance with the other party, stipulating in particular that the latter party undertakes:

  1. to use the information solely for the purpose of completing the commercial transaction;
  2. not to communicate the information without the consent of the individual concerned, unless authorized to do so by applicable privacy laws;
  3. to take the necessary measures to ensure the protection of the confidentiality of the information;
  4. to destroy the information if the commercial transaction is not completed or if its use is no longer necessary for the purposes of completing the commercial transaction.

Communication in case of danger

: Applicable privacy laws also allow the Congregation to communicate personal information it holds about others, without the consent of the individuals concerned, in order to protect an identifiable person or group of persons when there are reasonable grounds to believe that there is a serious risk of death or serious injury (i.e., any physical or psychological injury that significantly impairs the physical integrity, health, or well-being of an identifiable person or group of persons) , such as a disappearance or an act of violence, including attempted suicide, threatens that person or group of persons and the nature of the threat inspires a sense of urgency. The information may then be communicated to the person or persons exposed to this danger, their representative, or any person likely to come to their aid. When disclosing information pursuant to this paragraph, the Congregation shall communicate only the information necessary for the purposes of the communication. When information is communicated in this manner by the Congregation, it shall record the communication.

Communication for bereavement purposes

: Applicable privacy laws allow the Congregation to communicate to the spouse or close relative of a deceased person personal information it holds about that person, if knowledge of that information is likely to assist the requester in the bereavement process and the deceased person has not recorded in writing his or her refusal to grant that right of access.

Communication after a period of time specified by law

: Applicable privacy laws also allow the Congregation to communicate personal information to any person, without the consent of the individual concerned, if this information is contained in a document that is more than 100 years old or if more than 30 years have elapsed since the death of the individual concerned. However, unless the individual concerned consents, the Congregation will not communicate any information relating to an individual’s health until 100 years have elapsed since the date of the document.

Communication for study, research, or statistical purposes

: Under certain conditions, applicable privacy laws allow the Congregation to communicate personal information without the consent of the individuals concerned to a person or organization that wishes to use this information for study, research, or statistical purposes. Where applicable, such communication shall only be made in accordance with the requirements of applicable privacy laws, including a privacy impact assessment concluding that:

  1. the objective of the study, research or production of statistics can only be achieved if the information is communicated in a form that allows the individuals concerned to be identified;
  2. it is unreasonable to require the person or organization in question to obtain the consent of the individuals concerned;
  3. the purpose of the study, research, or production of statistics outweighs, in the public interest, the impact of the communication and use of the information on the privacy of the individuals concerned;
  4. the personal information is used in a manner that ensures its confidentiality;
  5. only the necessary information is communicated.

9. ACCESS, CORRECTION, AND OTHER RIGHTS AND REQUESTS

Summary:

  • The Congregation allows individuals to access their personal information and obtain a copy of it, including in a structured digital format.
  • Individuals may also request the correction of this personal information if it is inaccurate or processed in an unauthorized manner.
  • Requests for access or correction should be addressed to the responsible Officer, who will respond within 30 days.
  • Access is free of charge, but reasonable fees may apply for the reproduction or transmission of personal information.
  • The Congregation may refuse to communicate personal information in certain cases, particularly if it would harm a third party, an investigation, or legal proceedings.

Request for access

: When the Congregation holds personal information about another person, it will, at the request of the individual concerned, confirm the existence of that information and communicate it to the individual by providing a copy. At the request of the applicant, any computerized personal information shall be communicated in the form of a written and intelligible transcript. Unless this raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred from personal information concerning him or her, shall, at his or her request, be communicated in a structured and commonly used technological format. Such information shall also be communicated, at his request, to any person or body authorized by law to collect such information. Where the applicant is a person with a disability, reasonable accommodation measures shall be taken, upon request, to enable him to exercise the right of access provided for in this section.

Request for correction

: In addition to the rights provided for in the first paragraph of section 40 of theCivil Code of Québec, any individual may, if the personal information concerning him or her is inaccurate, incomplete, or ambiguous, or if its collection, communication, or retention is not authorized by law, require the Congregation to correct it.

Information held for the Congregation

: Applicable privacy laws allow a person who holds personal information on behalf of the Congregation, when presented with a request for access or rectification by an individual concerned, to forward the request to the Congregation. This is not intended to limit the right of access or correction of a data subject with a personal information agent.

Information held by the Congregation for an individual

: Applicable privacy laws allow the Congregation, when it holds personal information on behalf of an individual who operates a business and receives a request for access or correction from an individual concerned, to forward the request to that individual who operates the business. This is not intended to limit the right of access or correction of an individual concerned to a personal information officer.

Request to cease dissemination or indexing

: The individual concerned by personal information may require the Congregation to cease disseminating that information or to de-index any hyperlink attached to their name that allows access to that information by technological means, when the dissemination of that information contravenes the law or a court order. They may do the same, or require that the hyperlink providing access to this information be reindexed, when the following conditions are met:

  1. the dissemination of this information causes him serious harm in relation to his right to respect for his reputation or privacy;
  2. the harm clearly outweighs the public interest in knowing the information or the interest of any person in expressing themselves freely;
  3. the cessation of dissemination, reindexing, or deindexing requested does not exceed what is necessary to prevent the perpetuation of the harm.

When granting the request, the Delegate shall certify in his or her written response that the dissemination of the personal information has been discontinued or that the hyperlink has been deindexed or reindexed.

Exercise of rights

: When the Congregation holds personal information about others, it takes the necessary measures to ensure that the individuals concerned can exercise their rights under sections 37 to 40 of theCivil Code of Québec and their rights under applicable privacy laws. In particular, the Congregation informs the public of the location where this personal information is accessible and the means of accessing it.

Admissibility of a request

: A request, particularly for access or rectification, will only be considered if it is addressed to the Delegate, made in writing (except in cases where applicable privacy laws require that it may also be made verbally) by a person who can prove their identity as the individual concerned, as a representative, heir, successor of that individual, as the liquidator of the estate, as the beneficiary of life insurance or death benefits, as the holder of parental authority even if the minor child has died, or as the spouse or close relative of a deceased person in cases of bereavement covered by section 40.1 of theAct respecting the protection of personal information in the private sector (CQLR c P-39.1).

Assistance with a request

: When the request is not sufficiently specific or when an individual so requests, the Delegate provides assistance in identifying the information sought. This does not restrict the communication to an individual of personal information concerning him or her or its correction resulting from the provision of a service to be rendered to him or her.

Response to a request

: The Delegate responds in writing to the request for access or correction, diligently and no later than 30 days after the date of receipt of the request. If no response is provided within 30 days of receipt of the request, the Delegate is deemed to have refused to comply.

Free access and reasonable fees

: Access to personal information is free of charge. However, reasonable fees may be charged to the requester for the transcription, reproduction, or transmission of such information. When the Congregation intends to charge fees, it shall inform the requester of the approximate amount payable before proceeding with the transcription, reproduction, or transmission of such information.

Acceptance of a request

: When the Delegate grants a request for correction, in addition to the obligations set out in the second paragraph of section 40 of theCivil Code of Québec, he or she shall issue, free of charge, to the individual concerned who made the request, a copy of any personal information that has been modified or added or, as the case may be, a certificate of the deletion of such information.

Refusal of a request

: The Delegate shall give reasons for any refusal to grant a request and indicate the provision of the law on which the refusal is based, the remedies available to the applicant under the law, and the time limit within which they may be exercised. He or she shall also assist the applicant who so requests in understanding the refusal. If the Congregation holds information that is the subject of a request for access or correction to which it does not agree, it shall retain it for the time necessary to allow the individual concerned to exhaust the remedies provided by law.

Refusal in the event of an investigation or legal proceedings

: Applicable privacy laws allow the Congregation to refuse to communicate personal information about an individual to that individual when communication of the information would likely:

  1. to interfere with an investigation conducted by its internal security service for the purpose of preventing, detecting, or prosecuting crime or violations of the law, or on its behalf by an external service with the same purpose or a holder of a security agency or investigation agency license issued in accordance with the Private Security Act (chapter S-3.5);
  2. affecting legal proceedings in which any of these persons has an interest.

Refusal in the event of communication harmful to a third party

: The Congregation shall refuse to communicate to an individual personal information concerning him or her where communication would be likely to reveal personal information about a third party or the existence of such information and where such communication would be likely to cause serious harm to the third party, unless the third party consents to the communication or it is an emergency that endangers the life, health, or safety of the individual concerned.

Refusal concerning a liquidator, beneficiary, heir, or successor

: Subject to the cases referred to in section 40.1 of theAct respecting the protection of personal information in the private sector (relating to assistance in the grieving process), the Congregation must refuse to communicate personal information to the liquidator of the estate, the beneficiary of a life insurance policy or death benefit, or the heir or successor of the individual concerned by this information, unless the information affects communicationthe interests or rights of the person requesting it as liquidator, beneficiary, heir, or successor.

10. COMPLAINTS

Summary:

  • To file a complaint with the Congregation regarding the protection of personal information, the individual concerned is asked to read the Congregation’s Confidentiality policy and check the applicable legislation.
  • The complaint must be made in writing, specify the facts, be accompanied by supporting documents, and be addressed to the Delegate.
  • While the complaint is being processed, the individual concerned is asked to give the Congregation the opportunity to respond before contacting the public authorities.
  • If the complaint is not satisfactorily resolved, depending on the case, it is possible to request a review of the disagreement by the Commission d’accès à l’information du Québec (Quebec Access to Information Commission) or to file a complaint with the Privacy Commissioner of Canada.

Complaint to the Congregation

: Here is an overview of the Congregation’s process for handling complaints related to the protection of personal information.

Before filing a complaint

:

  • Read the Congregation’s Confidentiality policy: Read the Congregation’s Confidentiality policy, which can be accessed at the following URL:
    https://www.franciscanfriars.ca/confidentiality-policy
  • Verify the applicable law: Identify and familiarize yourself with the applicable law or laws among the various privacy laws, as well as the rights and remedies available to the individuals concerned.

When filing the complaint

:

  • Substantive and formal requirements: All complaints must clearly detail the facts and circumstances giving rise to the complaint, be made in writing by a person who can prove their identity as the individual concerned or other interested party, and be addressed and sent to the Congregation’s designated representative using their contact details.
  • Attach the necessary documents: Include all relevant supporting documents in support of the complaint.

During the processing of the complaint

:

  • Give the Congregation the opportunity to respond: Before contacting public authorities with the power to review, audit, investigate, or issue orders regarding a company’s practices in relation to the protection of personal information that is the subject of a complaint against a company, they generally recommend giving the company concerned the opportunity to review and respond to the complaint, in order to try to resolve the issue directly with the company first.
  • Follow-up on the complaint: If a complaint is not handled according to the process and time frames indicated, it is possible to contact the Delegate for the Congregation to request an update on the status of the complaint.

After the complaint has been processed, if the outcome is unsatisfactory

  • Request for review of disagreement: Any interested person may submit a request to the Commission d’accès à l’information du Québec for a review of a disagreement relating to the application of a legislative provision concerning access to or rectification of personal information in the Act respecting the protection of personal information in the private sector (CQLR c P-39.1) or the application of section 28.1 of that Act, which deals with the cessation of dissemination or indexing of personal information.
  • Complaint to the Privacy Commissioner of Canada: Any interested person may file a complaint with the Privacy Commissioner of Canada against an organization that contravenes any provision of Division 1 or 1.1 of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), or that fails to implement a recommendation set out in Schedule 1 of that Act.

Subscribe to our newsletter

Subscribe to receive our newsletter (published up to four times a year).

* Required field
 

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.