Privacy Policy

Autisme Estrie respects each individual’s right to privacy and is committed to protecting the confidentiality of confidential information collected from any Individual, Employee or Member. As a general rule, confidential information is available only to those who require access to it in the course of their duties at Autisme Estrie.
Table of contents

DEFINITIONS
“Member”
“Employee”
“Event”
“Reporting Form”
“Privacy Incident”
“Individual”
“Publication”
“Register of confidentiality incidents”
“Serious risk of harm”
“Confidential information”
“Service or activity”
PHOTOGRAPHS AND RECORDINGS
OBLIGATION OF CONFIDENTIALITY
COLLECTION AND USE OF CONFIDENTIAL INFORMATION
HANDLING CONFIDENTIAL INFORMATION
RETENTION OF CONFIDENTIAL INFORMATION
DESTRUCTION OF CONFIDENTIAL INFORMATION
DISCLOSURE OF CONFIDENTIAL INFORMATION TO A THIRD PARTY
COMMUNICATION OF CONFIDENTIAL INFORMATION TO THE PERSON CONCERNED
BREACH OF CONFIDENTIALITY
RECOURSE

“Member”

Any individual who provides confidential information to Autisme Estrie in connection with the support service.

“Employee”

Any person who works for Autisme Estrie for remuneration, including coordination, or any unpaid person (volunteer, intern).

“Event”

Any event managed or organized by Autisme Estrie.

“Reporting form”

The form made available to any Employee, Individual or Member in order to inform the person responsible for personal information.

“Privacy incident”

Any unauthorized access, use or disclosure of personal information, as well as its loss or any other form of data breach.

“Individual”

Any individual who provides confidential information to Autisme Estrie in connection with the realization of an Event, the creation of a Publication, participation in an activity or obtaining a Service.

“Publication”

Any publication produced by Autisme Estrie or to which Autisme Estrie contributes, in any form whatsoever (verbal, written, audio, video, computerized or other).

“Confidentiality incident register”

All information recorded on reported incidents concerning the circumstances of the incident, the number of people involved, the assessment of the seriousness of the risk of harm, and the measures taken in response to the incident. Relevant dates are also included: occurrence of the incident, detection by the organization, notification (if applicable), etc.

“Serious risk of harm”

The risk assessed following a confidentiality incident that could harm the people concerned. This risk is analyzed by the person responsible for confidentiality. For any confidentiality incident, the person responsible assesses the seriousness of the risk of harm to the person concerned by estimating “the sensitivity of the information concerned”, “the apprehended consequences of their use” and “the likelihood that they will be used for harmful purposes”.

“Confidential information”

Any information provided or communicated to Autisme Estrie in any medium whatsoever (verbal, written, audio, video, computerized or other) that concerns an Individual, Employee or Member and that can be used to identify them, including: their name, telephone number, address, e-mail address, the fact that they were or are a Member or potential Member, their gender, sexual orientation and any information concerning their health. For more information:

• Information that does not allow an individual to be identified as part of a testimony is not confidential information;
• Statistical data is not confidential information, since it cannot be used to identify an individual;
• Photographs or recordings that do not allow an individual to be identified do not constitute confidential information about this individual.

“Service or activity”

Any service provided by Autisme Estrie to an individual or any activity in which the individual participates in.

2.1

Anyone can choose whether or not to be photographed or recorded (audio/video).

2.2

Photographs or recordings that identify an Employee of Autisme Estrie do not constitute confidential information about that individual.

3.1

Employees are required to sign this confidentiality agreement (Appendix A) before performing their duties or carrying out their mandates with Autisme Estrie.

3.2

The obligation of confidentiality applies for the duration of an Employee’s relationship with Autisme Estrie and follows the end of that relationship.

4.1

Autisme Estrie may, if necessary, establish a file or files containing confidential information concerning Employees. The purpose of compiling such files is to:

• Keep contact details up to date;
• Document situations of work or volunteering;
• Enable paid employees to carry out administrative tasks required or permitted by law (income tax, group insurance, etc.).

4.2

Autisme Estrie may, if necessary, create one or more files containing confidential information concerning Indivuduals or Members. The purpose of creating such files is to enable Autisme Estrie to carry out an Event, a Publication, to realize an activity or provide a Service.

4.3

Autisme Estrie may only collect confidential information that is necessary for the purposes of the file and may only use confidential information for those purposes.

4.4

Confidential information may only be collected from the person concerned, unless that person consents to collection from another person or as authorized by law.

5.1

Visit management or executive assistant, as the highest authority in the organization, is responsible for ensuring the protection of personal information. Management or the executive assistant, may delegate this responsibility in writing. On Autisme Estrie’s main website, the following must be indicated under the title of the directorate or coordination or the person in charge, “Privacy Officer”, and how to reach them.

The management or the person in charge ensures that a Confidentiality Incident Register is kept.

5.2

Subject to article 5.3, the management or executive assistant is authorized to access any confidential information held by Autisme Estrie. Other employees are authorized to access confidential information insofar as such access is necessary to carry out a task in the performance of their duties.

5.3

For legal purposes, a privacy incident is any unauthorized access, use or disclosure of personal information, as well as the loss of personal information or any other data breach.

5.4

When an Employee, Individual or Member becomes aware of a confidentiality incident, they must promptly inform Management or the person in charge of data protection, so that it can be entered in the Register. To do so, the Employee, Individual or Member must complete a reporting form and forward it to Management or the person in charge.

The register must keep information on a confidentiality incident for a period of five years.

Must be collated in the report form:

• A description of the personal information affected by the incident or, if this information is unknown, the reasons why it is impossible to provide such a description;
• A brief description of the circumstances of the incident;
• The date or period when the incident took place (or an approximation if this information is not known);
• The date or period when the organization became aware of the incident;
• The number of people affected by the incident (or an approximation if this information is not available).

5.5

The Executive or Executive Assistant or the person in charge judges whether the incident presents a “serious risk of harm”. The information and the measures to be taken to reduce the risk of serious harm to the persons concerned are entered in the Register.

If the incident presents a serious risk of harm, Management or the person responsible shall notify the Commission d’accès à l’information and the persons concerned of any incident presenting a serious risk of harm using the appropriate form.

5.6

Only the person responsible for individual support is authorized to access the confidential information that Autisme Estrie is held within the framework of this activity or service. Management, the executive assistant and the person in charge may access this information to the extent necessary and as agreed in the documents governing the activity or individualized service.

6.1

Employees with access to files under Article 5 undertake to:

• Ensure that confidential information is kept safe from physical or psychological damage or unauthorized access;
• Ensure that all electronic documents containing confidential information, including those copied onto portable storage devices, are encrypted and password-protected. These passwords must be changed twice a year, as well as each time the people with access to the files concerned are replaced;
• Keep confidential information in paper format in lockable filing cabinets, and ensure that the cabinets are locked at the end of each working day. The keys to the filing cabinets must be kept in safe places.

6.2

Where an Employee may also, in certain respects, qualify as a Individual or Member, confidential information relating to each title will be kept separate.

6.3

Files created under this policy are the property of Autisme Estrie.

7.1

Subject to section 7.2, confidential information is retained only as long as the purpose for which it was collected has not been fulfilled, unless the individual concerned has consented otherwise. This confidential information is then destroyed in such a way that the data it contains cannot be reconstructed.

7.2

Employee files are kept by Autisme Estrie for 7 years.

7.3

For greater certainty, confidential information concerning an individual who has offered a testimonial, such as name and contact information, is destroyed once the testimonial has been published or broadcast, unless the individual has given prior consent

8.1

Other than in situations where required by law and subject to the other provisions of this article 8, confidential information may only be disclosed to a third party after obtaining the written, manifest, free and informed consent of the person concerned. Such consent may only be given for a specific purpose and for the time necessary to achieve that purpose.

8.2

Confidential information may be disclosed without the consent of the person concerned if their life, health or safety is seriously threatened. In such cases, disclosure must be made in the manner least harmful to the person concerned.

8.3

As permitted by law, Autisme Estrie may disclose confidential information necessary for its defense or that of its Employees against any claim or lawsuit brought against Autisme Estrie or its Employees by or on behalf of an Individual, an Employee, or a Member, or any of their heirs, executors, beneficiaries, or assignees, including any claim arising from the insurer of an Individual, Employee, or Member.

9.1

Subject to Article 9.2, Individuals, Employees and Members have the right to know the confidential information that Autisme Estrie has received, collected, and retains about them, to access such information, and to request that corrections be made to it.

9.2

Autisme Estrie must restrict access to confidential information when required by law or when disclosure would likely reveal confidential information about a third party.

9.3

A request from an Individual, Employee or Member in connection with article 9.1 must be processed within a maximum of 30 days.

10.1

An Employee is in breach of their duty of confidentiality if they:

• Communicate confidential information to individuals that are not authorized to have access to it;
• Discusses confidential information inside or outside Autisme Estrie when individuals who are not authorized to have access to it are likely to hear it;
• Leaves confidential information on paper or computer medium in plain sight in a place where individuals who are not authorized to access them are likely to see them;
• Fails to follow the provisions of this policy.

10.2

In the event of a breach of the obligation of confidentiality, appropriate disciplinary measures, up to and including termination of the employment contract or any other relationship with Autisme Estrie, will be taken against the offending party and corrective measures will be adopted if necessary to prevent such a scenario from recurring.

11.1

If it appears that a person’s confidential information has been used in a manner contrary to a provision of this policy, that person may file a complaint with the Executive Director of Autisme Estrie, or with the Board of Directors of Autisme Estrie (if the complaint concerns the Executive Director).

11.2

As provided for by law, any person who has been denied access to or correction of confidential information concerning them may file a complaint with the Commission d’accès à l’information for review of the complaint within 30 days of Autisme Estrie’s refusal to grant their request or the expiration of the deadline for responding to it.