Governance of Personal Information

C3i places great importance on the protection of personal information. In this respect, C3i has developed a Governance Framework to provide a framework for its privacy governance.

C3i has also implemented various measures in support of its policy and its application in accordance with applicable laws. For example, C3i has:

• Validated and confirmed the roles and responsibilities of its person in charge of the protection of personal information (the Privacy Officer);
• Undertaken the review and documentation of internal privacy measures and rules; and
• Set up assistance measures.

The framework is complemented by several other procedures and tools developed by C3i, including:

• its Confidentiality incident management policy;
• its Retention policy for documents containing personal information;
• its Confidentiality incident register;
• its Privacy impact assessment template for the communication of personal information outside Quebec;
• its Privacy impact assessment template in the context of communicating personal information for study, research or statistical purposes;
• its Privacy impact assessment template for technology projects involving personal information;
• template contractual clauses if third-party services are retained; and
• template contract clauses for transfers outside Quebec.

All these documents form C3i’s privacy Governance Framework

They specify in particular:

• rules governing the collection and other processing of personal information of employees and any other person where applicable;
• specific rules applicable to personal information collected by C3i’s business partners (as controllers) to which C3i may have access in the course of providing services to them;
• the security measures in place to ensure the confidentiality, integrity and availability of personal information throughout its life cycle;
• the roles and responsibilities of various people, including those with the highest authority, managers, employees and subcontractors;
• managing access to personal information;
• the complaints handling process;
• certain rules that may apply in specific contexts, such as :
  • communication or processing of personal information outside Quebec;
  • requests for access to information for study, research or statistical purposes; and
  • technology projects involving personal information;
• certain rules that will apply if certain types of initiatives are implemented, including :
  • the use of identification, location or profiling technology; or
  • decision-making based exclusively on the automated processing of personal information
• processes applicable to access, rectification and other requests; and
• the document update process

A summary of the Governance Framework is provided in appendix. This Governance Framework is also supplemented by current legislation. Further details can be obtained by contacting:

Privacy Officer
Centre C3i inc.
5151, boulevard de L’Assomption, Montreal (Quebec) HIT 4A9
Email: info@centrec3i.com / Phone: XXX

Please note that the Governance Framework contains certain sensitive information, particularly with regard to the security measures implemented. As a result, access to and communication of documents forming the Governance Framework, or information contained therein, may be restricted.

Summary of the Personal Information Governance Framework

1. SCOPE OF APPLICATION

   The Governance Framework covers the following individuals, activities, information and resources:

   • Individuals: All C3i employees (including managers) and subcontractors.
   • Activities: Any processing of personal information by C3i as part of its mission, activities or responsibilities, even if the personal information is not physically held by C3i. Personal information collected from patients and study subjects by business partners receiving C3i Services is governed by their procedures; the Governance Framework can, however, provide indications as to C3i’s role (as service provider).
   • Resources: This policy applies to all information systems, regardless of medium or format, whether stored internally or externally, such as cloud-based systems.
   • Information: This policy applies to all personal information, regardless of the format in which it is held or whether it is held internally or externally. “Personal information” is broadly interpreted to include information about C3i employees, and any other person, where applicable. However, in accordance with applicable laws, certain information will not qualify as “personal information”.

2. GUIDING PRINCIPLES

   In the course of its mission and activities, C3i is called upon to hold and/or process various types of personal information. To this end, C3i stresses the importance of ensuring that all processing is carried out in accordance with the following guiding principles:

   • the collection of personal information must be necessary and required or permitted by law (and, where applicable, by contract);
   • all personal information is considered confidential by default and is treated as such;
   • no personal information may be processed unless the required consents have been obtained or such processing is permitted or required by law;
   • the protection of personal information must be ensured by, among other things, the implementation of and compliance with appropriate security measures;
   • personal information may be retained only as long as necessary for the purposes for which it was collected (subject to applicable legal and contractual exceptions); and
   • all requests (for access, rectification, etc.) and confidentiality incidents must be reported immediately to the applicable manager.

3. PERSONAL INFORMATION CONTROLLED BY BUSINESS PARTNERS

   As part of the services provided to business partners, C3i is called upon to process personal information, including sensitive personal information, as the case may be, of patients or study participants, which has been transmitted by the business partner for the purposes of the Services. Although C3i may have access to such personal information, in no event will C3i be the controller of such information. The Governance Framework sets out general principles governing the processing of such information by the C3i. C3i will not provide third parties with personal information it holds about a patient or a study subject without the consent of the business partner, unless such disclosure or required or allowed by law.

4. PERSONAL INFORMATION ABOUT EMPLOYEES

   C3i collects and processes required personal information about its employees to the extent that it is: (i) required to manage its employment relationship with its employees; (ii) permitted by law; or (iii) necessary to comply with applicable legal and contractual requirements. Such collection and other processing is limited to these purposes. Such required information is collected and otherwise processed with employee consent, unless the law permits or requires such collection or other processing without consent, in which case employee consent will not be required.

   Optional information is also collected if employees give their consent.

   C3i will not communicate personal information about its employees to third parties without their consent, unless an exception is provided by law or brought to the attention of the employees concerned.

5. PERSONAL INFORMATION ABOUT ANY OTHER PERSON

   C3i may collect and process personal information from members of the public who contact C3i. Such collection and processing will take place on the basis of consent (e.g. a person contacts C3i to apply for a job). C3i will not provide personal information it holds about an individual to third parties without the individual’s consent, unless an exception is provided by law or brought to the individual’s attention.

6. CONSENT

   C3i’s Governance Framework emphasizes the importance of valid consent for the collection or other processing of personal information. Consent may be implied or express. C3i makes reasonable efforts to ensure that consents obtained from individuals are manifest, free, informed, given for specific purposes, requested for each purpose in clear and simple terms, presented separately from other information communicated and, when pertaining to sensitive information, expressly formulated. However, the Governance Framework recalls that the law recognizes certain situations in which consent need not be sought. Assistance is provided to anyone requesting it, to help them understand the scope of the consent sought.

   Each business partner is responsible for obtaining consent in connection with its collection of study subjects’ personal information. Under no circumstances will the C3i be involved in the process of obtaining consent from a patient or a study subject.

7. RETENTION, DESTRUCTION AND ANONYMIZATION

   C3i will destroy or anonymize the personal information it holds once the purposes for which it was collected or used have been fulfilled (subject to a retention period stipulated by law); C3i has set up a retention schedule to assist it in this regard.

   C3i is not responsible for the retention, destruction and anonymization practices of personal information of its business partners. Following the termination of a service contract with any business partner, C3i will destroy the information so retained after the period of time prescribed by applicable law or by C3i’s policies and procedures if no specific period of time is imposed by law.

8. DISCLOSURE OF PERSONAL INFORMATION OUTSIDE QUEBEC

   C3i will conduct a Privacy Impact Assessment before disclosing personal information outside Quebec to ensure its confidentiality and security. For the purposes of this assessment, the Privacy Officer will be consulted at the beginning of the project.

9. DISCLOSURE OF PERSONAL INFORMATION FOR STUDY, RESEARCH OR STATISTICAL PURPOSES

   In accordance with the law, C3i may disclose personal information without consent to a person or organization wishing to use the information for study, research or statistical purposes. However, a Privacy Impact Assessment must be carried out, and if it concludes that the information can be disclosed, an agreement will be reached with the requester. Any requirements imposed by law must also be respected. If a request relates to personal information controlled by a business partner to which C3i has access, C3i will use reasonable efforts to relay the request to the relevant business partner.

10. TECHNOLOGICAL PROJECT INVOLVING PERSONAL INFORMATION

    C3i will conduct a Privacy Impact Assessment of any acquisition, development or redesign of an information system or electronic service delivery project involving personal information in accordance with the process prescribed by law. For the purposes of this assessment, the Privacy Officer will be consulted at the beginning of the project.

11. USE OF IDENTIFICATION, LOCATION OR PROFILING TECHNOLOGY

    If and as applicable, C3i may use technology that includes functions to identify, locate or profile an individual. In all cases and in accordance with the law, such person will be informed in advance: (i) of the use of such technology; and (ii) of the means available to activate the identifying, locating or profiling functions.

12. DECISION-MAKING BASED ON THE AUTOMATED PROCESSING OF PERSONAL INFORMATION

    If and as applicable, C3i may use personal information to make a decision based solely on the automated processing of such information. In all cases and in accordance with applicable law, C3i will ensure that the person concerned is informed of this fact, at the latest at the time C3i’s decision is communicated to them, in accordance with the applicable laws.

13. WEBSITE

    A privacy policy, including a notice regarding the use of cookies, are included on the C3i website. C3i will ensure that this policy and notice are updated when required, and will ensure that these documents are written in plain and clear language.

14. SECURITY MEASURES

    C3i implements various security measures to ensure the protection of the personal information it holds that are reasonable in light of, among other things, the sensitivity of the information, the purpose for which it is used, its quantity, distribution and medium. These measures include: (i) internal measures; (ii) measures concerning subcontractors; and (iii) measures concerning the management of confidentiality incidents.

15. ACCESS, RECTIFICATION AND OTHER REQUESTS

    Requests for access or rectification or other requests are processed by C3i in accordance with the law.

    The Privacy Officer will provide assistance to applicants if requested. The assistance offered includes the following:

    1. If the request is not sufficiently precise, or if the applicant so requires, the Privacy Officer assists the person making the request in identifying the personal information sought.
    2. Subject to applicable law and following a request to this effect, the Privacy Officer:
       • (i) confirm the existence of personal information held about the applicant and, where applicable, disclose it to the applicant (or allow the applicant to obtain a copy); and
       • (ii) will correct any personal information that is inaccurate, incomplete or misleading.
    3. In the event of a refusal to grant access, the reasons for the refusal will be communicated to the applicant in accordance with the law. The Privacy Officer will then assist the applicant in understanding the refusal.

    The Privacy Officer is responsible for :

    1. offering reasonable assistance throughout the application process;
    2. providing information about the law, including how to process a request and the right to file a complaint with the Commission d’accès à l’information;
    3. communicating with the applicant if clarification is required on an application, such communication to take place as soon as reasonably possible;
    4. making reasonable efforts to locate the requested documents;
    5. ensuring that the exceptions invoked (in connection with a refusal to disclose all or part of documents) are precise and limited (to such documents);
    6. providing answers that, to the best of its knowledge, are accurate and complete;
    7. promptly communicating the information requested as part of the access process; and
    8. if applicable, providing the documents in the format requested or, as the case may be, providing an appropriate place to examine the documents covered by the request.

    The assistance offered does not, however, oblige the Privacy Officer to provide the same explanations to an applicant several times. Similarly, once the information needed to help an applicant understand Privacy Officer’s decision, the Privacy Officer may choose to stop providing explanations.

    Any request for access by a study subject and/or patient to their information should be addressed exclusively to the appropriate business partner (or relevant healthcare professional), and not to the C3i. This request for access must be made in accordance with the law governing access to such records. Access requests will be handled exclusively by the relevant business partners. If a request relates to personal information controlled by a business partner to which C3i has access, C3i will use reasonable efforts to relay the request to the relevant business partner.