Ometz Privacy Policy

 

Purpose

·      To ensure comprehensive protection of personal and confidential data and to comply with privacy laws. The policy will be amended as law and regulation in this area evolve.

·      This policy consolidates the following previous policies for efficiency and organization: Privacy policy, File Management and Retention policy, File Destruction policy, Confidentiality policy, and the Data Retention policy. This policy should be read jointly with the Incident Response Policy, the AI policy and the IT policy.

Definitions

·      “privacy”: a right protected by the Québec Charter of Rights and Freedoms and the Civil Code of Québec[1]. Everyone is entitled not to be observed or interfered with by others.

·      “personal information”: information that could enable a person to directly or indirectly (through amalgamation of data points, for example) identify someone[2]. This includes information like name, date of birth, email address, etc. Publicly available information from which one can identify another is still considered personal information, but it can be collected and used without concerns for consent or confidentiality.

·      “sensitive information”: personal information that is intimate like biological or medical information.

·      “confidential information”: personal or sensitive information as well as information that is learnt on the job pertaining to Ometz that should remain within the organization. Confidential information includes, for example, all client and donor lists (including any and all information associated with each client or donor), records, documents, budgets, correspondence, systems, programs, notes, studies, manuals, computer printouts, computer readable information on portable devices such as USB keys and cloud drives as well as hard disks, computer software object code and source code, sources of supply and suppliers’ lists and prices and any other information regarding suppliers, marketing plans, strategies, projects, financial information of any kind, information concerning employees and contractors, methods, processes, business plans and trade secrets of every other nature. Confidential information cannot be disclosed outside the organization.

·      “file”: a record of personal or sensitive information in any format whether paper or digital. Anyone collecting personal information establishes a file.

·      “deidentified information”: information that has been processed so that it is impossible to identify someone.

·      “consent”: explicit permission, given by the person in question, to do something to that person.

How Ometz uses and is accountable for using personal and sensitive information

Use

·      To analyze trends in client services to improve service delivery and quality

·      To analyze trends in donor preferences to enhance donor support

·      To assess client needs when providing a service; similarly, to determine eligibility for some of our services

·      To contact employees and volunteers

·      To thank donors and volunteers and to invite them to continue supporting Ometz

·      To issue tax receipts and pay cheques

·      To deal with urgent situations like medical emergencies

·      To protect Ometz’ legal rights and take precautions against liability, in which case personal and sensitive information may be disclosed

Accountability

·      HR does not need consent to collect or use personal information within the organisation for purposes related to the performance of a person’s role[3].

·      Any new use of personal and sensitive information will be communicated by the Privacy Officer and in a revised version of this policy. Consent of those concerned will be obtained.

Handling data access, rectification, and deletion requests

·      Any person has the right to access their personal data, rectify their personal data, erase their personal data, restrict the processing of their personal data, obtain their personal data in a structured commonly readable format (right to data portability), and to object to the processing of their personal data for specific purposes.

·      Any such request will be made to the Privacy Officer, who will verify the requestor’s identity, acknowledge the request within a week, and respond to the request within 30 days, providing, at minimum or in addition to the request, a copy of the requestor’s data in an intelligible machine readable format. Verbal requests will be ignored; all requests must be in writing. No access request will be denied except for serious reasons or if access would injure a third party. If refused, legal justification will be provided[4].

Consent requirements: protecting privacy rights and confidentiality

·      Ometz does not sell, trade, or rent information to third parties.

Access to personal information without consent

·      Authorized employees can access personal information without consent if it is necessary for the performance of their duties[5]. Requests for such authorization should be directed to the Privacy Officer. Information within the organization is thus shared on a “need-to-know” basis.

Consent

·      The purpose(s) for which consent is sought must be determined prior to obtaining consent and collecting the personal information[6]. The purpose(s) must be explained to the person concerned[7]. Once consent for the collection of personal information is obtained, it is implied that consent applies to the use of the personal information and communication of it for the purposes specified[8].

·      Minors under the age of 14 cannot consent. Consent must be sought from their guardians[9].

·      Consent to collecting personal information can never be assumed; it must be CLEAR, FREE, and INFORMED, and given for SPECIFIC PURPOSES in PLAIN LANGUAGE. It can be obtained verbally, though written consent is preferred. It lasts as long as it takes to fulfil the specific purpose, so long as the time elapsed is reasonable.

o   Once information is collected and if the person concerned requests access to their personal information, it is necessary to inform that person of the purposes for which the information was collected, how it was collected, and that they have the right to withdraw consent at any time. It is also necessary to inform them of who has access to it within the organisation and of any third-party access. If the person’s information is used for profiling purposes, the technology used must be explained to them in plain language[10].

·      A person is able to withdraw consent at any time. They are also able to access and rectify their personal information at any time. Such requests should be directed to the Privacy Officer and processed swiftly.

Communication and use of personal information to/from third parties

·      It is prohibited to communicate sensitive, personal, or confidential information to third parties, except public social service and health organizations like hospitals, unless the person concerned consents, or, if it is clearly in their best interests and they are unable to consent in due time, as may be the case in medical emergencies[11]. If such an emergency occurs and the personal information is communicated in good faith, it must be entered into a registry within the organization[12].

·      It is legal to obtain personal information about a person from a third party without the person consenting[13].

·      Third parties within the organisation collecting personal information about a person via the original source must inform the person of that source[14]. For example, junior staff can call donors to thank them, so long as they mention that they got the number from the initial senior staff who obtained consent.

Communication and use of personal information to third parties outside Québec

·      A Privacy Impact Assessment must be conducted and the benefits must outweigh the risks[15]. See appendix.

 

Conducting research using personal information

·      A Privacy Impact Assessment must be conducted and the benefits must outweigh the risks. See appendix.

File management: managing the lifecycle of creation, maintenance, destruction, and retention of files

Creation

·      Files should be created with security in mind.

Maintenance

·      Personal information should only be kept until the purposes for which consent was obtained are achieved.

·      Files with personal information must be stored securely, with safeguards proportional to the sensitivity of the information, and with access restricted to authorized users only (those who have obtained consent or whom the person knows to be using the file OR persons who must access the file to perform their job).

·      Files without personal information, like an account, an anonymized agreement, an anonymized form, anonymized corporate minutes and documents, anonymized images, an anonymized invoice, an anonymized letter, a memorandum, a plan, and any other medium containing information, whether written or in any other form, will be kept and backed up electronically and the archived file will be kept for 7 years.

Destruction

·      When the purposes for which consent was obtained are achieved, the information must be destroyed or anonymized (if planning to use the personal information for serious and legitimate purposes)[16]. Information is anonymized if at all times it is irreversibly impossible to identify the person concerned directly or indirectly.

 

Confidentiality: protecting sensitive and personal information

·      Measures taken to keep personal information confidential should be in proportion to the degree of sensitivity of the data[17].

·      Information obtained while working at Ometz is confidential information. It cannot be shared within the organisation or outside the organisation UNLESS:

o   The personal information is necessary to perform a contract or the requested service (as would be with clinical programs)[18]

o   Sharing the personal information would clearly be to the benefit of the person.

o   The personal information is necessary to conduct research and statistics, and is deidentified.

 

 

Privacy Policy

Last updated: November 2025


[1] Art. 35-40 CCQ; Art. 5 Québec Charter of Rights and Freedoms. The Constitution Act 1982’s Charter of Human Rights and Freedoms also protects against unreasonable search and seizure (s. 8) and security of the person (s. 7).

[2] Law 25 art. 1.1

[3] Law 25 art. 1

[4] Law 25 art. 34; Law 25 art. 39

[5] Law 25 art. 20

[6] Law 25 art. 4 and 5

[7] Law 25 art. 8

[8] Law 25 art. 8.3

[9] Law 25 art. 4.1

[10] Law 25 art. 8.1

[11] Law 25 art. 6

[12] Law 25 art. 18.1

[13] Law 25 art. 6

[14] Law 25 art. 7

[15] Law 25 art. 17

[16] Law 25 art. 23

[17] Law 25 art. 10

[18] Law 25 art. 12