Governance Policy for Protection of Personal Information

Preamble

Boulart Inc. (also called the “Company”) deals every day with personal information concerning different persons (e.g. Employees, customers). This Policy is developed in accordance with the requirements of the Act respecting the protection of Personal Information in the private sector.

The Policy, a summary of which is published on the Company’s website, is approved by the person in charge of the protection of Personal Information, the Privacy Officer.

Objective of the Policy

The Company shows vigilance in its obligations regarding the persons whose Personal Information it collects and ensures the protection of their privacy. The objective of this Policy is to establish clear rules governing the treatment of this information.

Scope of the Policy

The Policy applies to the Company and to every person or business providing services for the Company, notably its Employees, Subcontractors or Suppliers.

It establishes the governance rules regarding all Personal Information, as defined by law or this Policy.

Definitions

The following definitions apply in this Policy:

“Indirect Collection”: the fact of collecting Personal Information from a person other than the one concerned by this Personal Information.

“Lifecycle”: the stages of existence of Personal Information within the Company, which begins with its collection and its with its retention, use and communication.

“Employee”: any person who provides labour, whether full-time or part-time, on a permanent or temporary, seasonal or contractual basis, whether the person is in a management or non-management position.

“Supplier”: any provider of services or goods bound to the Company under a contract, whether oral or written.

“Privacy Incident”: any breach of confidential Personal Information, whether unauthorized access to that information or its improper use, communication or loss.

“Person Concerned”: any natural person whose Personal Information is collected, stored, used, communicated or destroyed by the Company.

“Privacy Officer”: position of the person in charge of the protection of Personal Information, whether this position is exercised by a person with the highest authority in the Company or another person exercising officially delegated authority.

“Policy”: this Policy concerning the governance of Personal Information.

“Personal Information”: any information concerning a person that allows the person to be identified or that confirms the person’s identity, directly or indirectly. Due to its nature (e.g., medical, biometric, financial, etc.) and the context of its use or communication, Personal Information may entail a high level of expectation of privacy for a reasonable person. When the protection is breached in a Privacy Incident, the risk of serious harm is high.

“Subcontractor”: contractor or self-employed worker bound to the Company under a contract, whether oral or written.

“Third Party”: any person or organization other than the Company or its Employees.

Collection

Any person who collects Personal Information on behalf of the Company shall determine the purpose of this collection in advance and ensure that the Personal Information that must be collected is necessary to achieve this purpose. Moreover, the person must make sure to use legal means of collection.

The Personal Information must be collected directly from the person it concerns. Any person who considers proceeding with Indirect Collection must obtain the Privacy Officer’s authorization in advance.

No later than the time of collection of Personal Information, any person proceeding with this collection shall inform the Persons Concerned by the collection of the following points:

  1. The purpose of the collection of Personal Information;
  2. The means of collection used;
  3. The rights of access and rectification provided by law;
  4. Their right to withdraw their consent to the communication or use of the Personal Information collected;

And, as the case may be:

  1. The name of the Third Party for whom the collection is done;
  2. The name of the Third Party or the classes of Third Parties to whom it is necessary to communicate the Personal Information for the purposes mentioned;
  3. The possibility that the Personal Information will be communicated outside Québec.

And, if the Personal Information is collected by means of an identification, location or profiling technology:

  1. The reliance on such technology;
  2. The functions of the technology;
  3. The means offered to activate the identification, location or profiling functions.

Any person who accepts to entrust their Personal Information to the Company after having been duly informed consents that it be used or communicated for the purposes mentioned.

Moreover, at the request of a Person Concerned by the Personal Information collected or to be collected, the Company shall also inform that person:

  1. Of the Personal Information collected from that person;
  2. Of the classes of persons who have access to that person’s Personal Information within the Company;
  3. Of the retention period of the Personal Information;
  4. Of the contact information of the Privacy Officer.

Use

Any person who uses Personal Information held by the Company shall ensure that the use conforms to the consent obtained and to the purposes mentioned to the Person Concerned.

A member of the personnel who considers using the Personal Information for a purpose other than a purpose for which it was collected must obtain the authorization of the Privacy Officer in advance.

The Privacy Officer then shall assess the situation and determine if a use without consent is authorized or if it is necessary to obtain consent.

Communication

Any person who uses Personal Information held by the Company must communicate the Personal Information only to the persons or organizations designated at the time of collection.

A member of the personnel who considers communicating Personal Information to another person or organization must obtain the consent of the Person Concerned, except if the member is authorized by law to proceed without consent.

When a member of the personnel thus proceeds with communication of Personal Information without consent, the member must comply with the requirements and conditions prescribed by the Act and record the communication in the place provided for this purpose.

Retention and Destruction

The Company holds and retains documents containing Personal Information so as to ensure their security.

The documents may be retained on paper or electronic media. The Company may mandate a technology service provider to save the personal data it collects.

Moreover, the Company takes the necessary means to limit access to data to members of the personnel who must access the data to perform their duties.

The Company destroys these documents at the expiry of the retention periods prescribed by the various legislation. The documents are destroyed securely.

Refusal or Withdrawal of Consent

The Personal Information requested is what is necessary for the making or execution of the contract or required by legislation or a regulation.

As the case may be, a person who refuses to provide Personal Information, whether in the context of employment or service delivery, could be refused a request relating to employment or service delivery.

Moreover, minimum retention periods are provided by different legislation regarding different documents that may contain Personal Information. Thus, despite the withdrawal of consent to use or communication, the Company must comply with the retention periods provided by law for the documents before proceeding with their destruction.

Roles and Responsibilities

Privacy Officer

The Privacy Officer ensures that the Company and all of its Employees comply with the rules for governance of Personal Information and this Policy.

The Privacy Officer plans, organizes, directs and controls the activities regarding management of Personal Information within the Company.

The Privacy Officer also deals with Privacy Incidents and ensures the process established by law is followed.

The Privacy Officer makes sure to train, inform and sensitize the members of the Personnel regarding the rules for management of Personal Information so that they have the knowledge required to know if and when a Privacy Incident has occurred.

The Privacy Officer is:
Caroline Saillant
Director of Human Resources
csaillant@boulart.com

Employee

Since the Employees deal every day with Personal Information, they must learn and comply with the practices established by the Company for the protection of Personal Information, whether they take the form of a policy, a procedure, a directive or a guideline.

Privacy Incidents

In the event of a Privacy Incident, the Company ensures that it is handled in accordance with the established process.

Any person witnessing a Privacy Incident must report it to the Privacy Officer without delay.

The Company keeps a register of incidents.

If the Company recognizes a Privacy Incident or has reasons to believe one has occurred, it shall quickly take the necessary measures to mitigate the harm caused to the Persons Concerned by the Personal Information breached.

The Persons Concerned and the Commission d’accès à l’information shall be notified in writing of the occurrence of such an incident when it represents a risk of serious harm.

The Rights of the Persons Concerned

The Persons Concerned by the information held by the Company may request access, rectification or deindexing, by submitting a written request to this effect to the Privacy Officer, who must respond to it within thirty (30) days of its receipt.

The Privacy Officer shall assist the person who makes such a request, notably to be able to understand the grounds for its refusal, as the case may be.

Request for Access

The Company, at the request of the Persons Concerned, must confirm to them it holds their Personal Information and allow them to obtain a copy.

The copy of computerized Personal Information shall be provided to the Person Concerned in an intelligible written transcript in a structured and commonly used format.

Request for Rectification

Any person, if they find that their Personal Information is inaccurate, incomplete or ambiguous, or if they have not consented to its collection, communication or retention, may require that it be rectified.

When it approves a request for rectification, the Company issues free of charge to the person who submitted the request a copy of the amended or added information or, as the case may be, an attestation of the withdrawal of such Personal Information.

Request for Deindexing

When the dissemination of Personal Information contravenes the law, the Person Concerned by this information may require the Company:

  • That it cease disseminating their Personal Information;
  • That the hyperlink attached to their name and that allows access to the Personal Information by a technological means be deindexed.

The Person Concerned may also request deindexing or reindexing of any hyperlink allowing access to the Personal Information in case of reputational damage or violation of privacy, subject to certain conditions.

Treatment of Complaints

Any person who considers that the Company has failed in its obligations concerning the protection of Personal Information, whether under a law or a policy, may formulate a complaint.

The complaint must be submitted in writing and addressed to the Privacy Officer.

Any person who formulates a complaint must indicate their name, phone number and email address to be reachable. The complaint must also contain a detailed description of the grounds justifying its submission so that it can be assessed. The Privacy Officer may ask to obtain additional information if she considers that the complaint formulated is not detailed enough. The Privacy Officer shall deal with any complaint within a reasonable time and respond in writing, justifying the grounds of her decision.

Compliance with the Policy

Any breach of the practices relating to protection of Personal Information may result in disciplinary penalties, up to dismissal.

Effective Date and Updates

This Policy comes into effect on September 1st, 2024. If applicable, the updates are specified below.

Date          Change made
2024-09-01    Revision of the Governance Policy for Protection of Personal Information by ARH

Contact

For any questions or requests for information, we invite you to contact the person below, who will be happy to assist you.

IT Director: Patrick Pilote