Personal Information - Canada and Global
Prehos has also implemented various measures in support of its policy and its application in accordance with applicable laws. For example, Prehos has:
- Validated and confirmed the roles and responsibilities of its person in charge of the protection of personal information (the Privacy Officer);
- Undertaken the review and documentation of internal privacy measures and rules; and
- Set up assistance measures.
The framework is complemented by several other procedures and tools developed by Prehos, including:
- its Confidentiality incident management policy;
- its Retention policy for documents containing personal information;
- its Confidentiality incident register;
- its Privacy impact assessment template for the communication of personal information outside Quebec;
- its Privacy impact assessment template in the context of communicating personal information for study, research or statistical purposes;
- its Privacy impact assessment template for technology projects involving personal information;
- template contractual clauses if third-party services are retained; and
- template contractual clauses for transfers outside Quebec.
All these documents form Prehos’ privacy Governance Framework. They specify in particular:
- rules governing the collection and other processing of personal information under Prehos’ control, including that of employees and any other person, where applicable;
- special considerations applicable to personal information collected by Prehos’ authorized users to which Prehos may have access in the course of providing services to them;
- the security measures in place to ensure the confidentiality, integrity and availability of personal information throughout its life cycle;
- the roles and responsibilities of various persons, including the person with the highest authority, managers, employees and subcontractors;
- managing access to personal information;
- the complaints handling process;
- certain rules that may apply in specific contexts, such as:
  - communication or processing of personal information outside Quebec;
  - requests for access to information for study, research or statistical purposes; and
  - technology projects involving personal information;
- certain rules that will apply if certain types of initiatives are implemented, including:
  - the use of identification, location or profiling technology; or
  - decision-making based exclusively on the automated processing of personal information;
- processes applicable to access, rectification and other requests; and
- the document update process.
A summary of the Governance Framework is provided in the appendix or available here. This Governance Framework is also supplemented by current legislation. Further details can be obtained by contacting:
Privacy Officer
Address: 2327, boul. du Versant Nord, Suite 115, Québec (Qc) G1N 4C2
Email: privacy@prehos.com
Phone: 1 844-311-6367
Please note that the Governance Framework contains certain sensitive information, particularly with regard to the security measures implemented. As a result, access to and communication of documents forming the Governance Framework, or information contained herein, may be restricted.
Summary of the Governance Framework
1. SCOPE OF APPLICATION
The Governance Framework covers the following individuals, activities, information and resources:
- Individuals: All Prehos employees (including its managers) and subcontractors, where applicable.
- Activities: Any processing of personal information as part of Prehos’ mission, activities or responsibilities, even if the personal information is not physically held by Prehos. For greater clarity, the Governance Framework does not apply to personal information that may be collected about patients by authorized users benefitting from Prehos’ services.
- Resources: Any information systems, regardless of medium or format, whether stored internally or externally, such as cloud-based systems.
- Information: Any personal information, regardless of the format in which it is held or whether it is held internally or externally. "Personal information" is broadly interpreted to include information about Prehos employees, and any other person, where applicable. However, in accordance with applicable laws, certain information will not qualify as "personal information".
2. GUIDING PRINCIPLES
In the course of its missions and activities, Prehos is called upon to hold and/or process various types of personal information. To this end, Prehos stresses the importance of ensuring that all processing is carried out in accordance with the following guiding principles:
- the collection of personal information must be necessary and required or permitted by law (and, where applicable, by contract);
- all personal information is considered confidential by default and is treated as such;
- no personal information may be processed unless the required consents have been obtained or such processing is permitted or required by law;
- the protection of personal information must be ensured by, among other things, the implementation of and compliance with appropriate security measures;
- personal information may be retained only as long as necessary for the purposes for which it was collected (subject to applicable legal and contractual exceptions); and
- all requests (for access, rectification, etc.) and confidentiality incidents must be reported immediately to the applicable manager.
3. PERSONAL INFORMATION HELD BY AUTHORIZED USERS
As part of the services provided to authorized users, Prehos makes available software and solutions that may be used by authorized users in the collection and processing of patient personal information. Although Prehos may access such personal information (at the request of the authorized user who collected it), under no circumstances shall Prehos be considered to have legal custody of the personal information collected by its authorized users. The Governance Framework addresses the specifics of handling personal information collected by authorized users.
4. PERSONAL INFORMATION ABOUT EMPLOYEES
Prehos collects and processes required personal information about its employees to the extent that it is: (i) required to manage its employment relationship with its employees; (ii) permitted by law; or (iii) necessary to comply with applicable legal and contractual requirements. Such collection and other processing are limited to these purposes. Such required information is collected and otherwise processed with employees’ consent, unless the law permits or requires such collection or other processing without consent, in which case employees’ consent will not be required.
Optional information is also collected if employees give their consent.
Prehos will not communicate personal information about its employees to third parties without their consent, unless an exception is provided by law or brought to the attention of the employees concerned.
5. PERSONAL INFORMATION ABOUT PATIENTS
As part of the services provided to authorized users, Prehos makes available software and solutions that authorized users may use in the collection and processing of patient personal information. Where necessary to provide services to its authorized users, Prehos may access personal information held by them, in which case personal information accessed by Prehos will be treated in accordance with this policy. However, authorized users will always be deemed to have legal custody of personal information collected in the course of their activities, and in no event shall Prehos be deemed to have custody of personal information collected by authorized users. Prehos will comply with legal requirements applicable to service providers.
6. PERSONAL INFORMATION ABOUT ANY OTHER PERSON
Prehos may collect and process personal information from members of the public who contact Prehos. Such collection and processing will take place on the basis of consent (e.g., a person contacts Prehos to apply for a job). Prehos will not provide personal information it holds about an individual to third parties without that individual’s consent, unless an exception is provided for by law or brought to the attention of the individuals concerned.
7. CONSENT
Prehos’ Governance Framework emphasizes the importance of valid consent for the collection or other processing of personal information. Consent may be implied or express. Prehos makes reasonable efforts to ensure that consents obtained from individuals are manifest, free, informed, given for specific purposes, requested for each purpose in clear and simple terms, presented separately from other information communicated and, when pertaining to sensitive information, expressly formulated. However, the Governance Framework recalls that law recognizes certain situations in which consent need not be sought. Assistance is provided to anyone requesting it, to help them understand the scope of the consent sought.
Each authorized user is responsible for obtaining consent for the collection of personal information from patients. Under no circumstances shall Prehos be involved in the process of obtaining consent from a patient.
8. RETENTION, DESTRUCTION AND ANONYMIZATION
Prehos will destroy the personal information it holds once the purposes for which it was collected or used have been fulfilled (subject to a retention period stipulated by law); Prehos has set up a retention schedule to assist in this regard.
Prehos is not responsible for the retention, destruction and anonymization practices of personal information held by an authorized user. Upon termination of a contract for services with any authorized user and in accordance with the terms thereof, Prehos may close all such authorized user’s accounts and delete all such information held in such accounts after a reasonable transition period.
9. DISCLOSURE OF PERSONAL INFORMATION OUTSIDE QUEBEC
Prehos will conduct a Privacy Impact Assessment before disclosing personal information outside Quebec to ensure its confidentiality and security. If an authorized user wishes to communicate personal information collected using Prehos’ services outside Quebec, Prehos will provide such assistance as may be reasonably required in the completion of the authorized user’s Privacy Impact Assessment.
10. DISCLOSURE OF PERSONAL INFORMATION FOR STUDY, RESEARCH OR STATISTICAL PURPOSES
In accordance with the law, Prehos may disclose personal information without consent to a person or organization wishing to use the information for study, research or statistical purposes. However, a Privacy Impact Assessment must be carried out, and if it concludes that the information can be disclosed, an agreement will be reached with the applicant. Any requirements imposed by law must also be respected. If a request relates to personal information held by an authorized user to which Prehos has access, Prehos will use reasonable efforts to relay the request to the relevant authorized user and provide it with the necessary assistance to deal with the request.
11. TECHNOLOGICAL PROJECT INVOLVING PERSONAL INFORMATION
Prehos will conduct a Privacy Impact Assessment of any acquisition, development or redesign of an information system or electronic service delivery project involving personal information in accordance with the process prescribed by law.
12. USE OF IDENTIFICATION, LOCATION OR PROFILING TECHNOLOGY
From time to time, Prehos may use a technology that includes functions enabling a person to be identified, located or profiled. In all cases, and in accordance with the law, the person concerned will be informed in advance: (i) of the use of such technology; and (ii) of the means available to activate the functions enabling a person to be identified, located or profiled.
13. DECISION-MAKING BASED ON THE AUTOMATED PROCESSING OF PERSONAL INFORMATION
Prehos does not intend to use personal information to make a decision based solely on such personal information. Notwithstanding the foregoing and in the event that such an approach is taken, Prehos will ensure that the person concerned is informed of this fact, at the latest at the time Prehos’ decision is communicated to them, in accordance with applicable laws.
14. SECURITY MEASURES
Prehos implements various security measures to ensure the protection of personal information it holds that are reasonable after considering, among other things, the sensitivity of the information, the purpose for which it is to be used, its quantity, distribution and medium. These measures include: (i) internal measures; (ii) measures concerning subcontractors; and (iii) measures concerning the management of confidentiality incidents.
15. ACCESS, RECTIFICATION AND OTHER REQUESTS
Requests for access or rectification or other requests are processed by Prehos in accordance with the law. The Privacy Officer will provide assistance to applicants if requested. The assistance offered includes the following:
- If the request is not sufficiently precise, or if the applicant so requires, the Privacy Officer assists the person making the request in identifying the personal information sought.
- Subject to applicable law and following a request to this effect, the Privacy Officer will:
  - confirm the existence of personal information held about the applicant and, where applicable, disclose it to the applicant (or allow the applicant to obtain a copy); and
  - correct any personal information that is inaccurate, incomplete or misleading.
- In the event of a refusal to grant access, the reasons for the refusal will be communicated to the applicant in accordance with the law. The Privacy Officer will then assist the applicant in understanding the refusal.
The Privacy Officer is responsible for:
- offering reasonable assistance throughout the application process;
- providing information about the law, including how to process a request and the right to file a complaint with the Commission d’accès à l’information;
- communicating with the applicant if clarification is required on an application, such communication to take place as soon as reasonably possible;
- making reasonable efforts to locate the requested documents;
- ensuring that the exceptions invoked (in connection with a refusal to disclose all or part of the documents) are precise and limited (to such documents);
- providing answers that, to the best of its knowledge, are accurate and complete;
- promptly communicating the information requested as part of the access process; and
- if applicable, providing the documents in the format requested, or as the case may be, providing an appropriate place to examine the documents covered by the request.
The assistance offered does not, however, oblige the Privacy Officer to provide the same explanations to an applicant several times. Similarly, once the information needed to help an applicant understand the Privacy Officer’s decision has been provided, the Privacy Officer may choose to stop providing explanations.
Any request by a patient for access to their records must be addressed exclusively to the appropriate authorized user, and not to Prehos. Such requests must be made in accordance with the laws governing access to such records. Access requests will be handled exclusively by the relevant authorized users.