Framework Policy on Governance of Personal Information
(Section 3.2 of the Act respecting the protection of personal information in the private sector, RLRQ, c. P-39.1 and Regulation respecting confidentiality incidents, RLRQ, c. P-39.1, r. 3.1)
The Équipe québécoise de contrôle des maladies avicoles (hereinafter: EQCMA or we) is responsible for the protection of personal information in its possession, including when its collection, use, storage or destruction is carried out by a third party. Personal information is confidential, except to the extent provided for by law.
This policy constitutes a statement of principles and guidelines concerning the protection of personal information of individuals who are our producers, our partners, our service providers or who consult our website.
This policy aims to strengthen the EQCMA’s governance in matters of personal information protection by establishing the roles and responsibilities of any person who processes personal information held by EQCMA.
It also aims to help you understand our practices regarding the collection, use, disclosure and retention of personal information throughout its life cycle, and it determines the measures to be taken to reduce the risks of harm being caused in the event of confidentiality incidents and to prevent new incidents of the same nature from occurring.
CONSENT
By providing personal information to EQCMA, you consent to the processing of your personal information in accordance with this policy and as otherwise permitted or required by law, and you authorize EQCMA, its third parties and service providers to process your personal information in accordance with this policy. Subject to legislative and contractual requirements, you may refuse or withdraw your consent for some of the identified purposes at any time by contacting EQCMA. If you refuse or withdraw your consent, we may not be able to provide or continue to provide you with certain services or information that may be of use to you. EQCMA will obtain the necessary consents if it intends to collect, use or disclose personal information about an individual, including when it wishes to do so for purposes other than those for which consent was initially given, except as permitted by law.
1. OBJECTIVE AND NORMATIVE FRAMEWORK
This policy applies, subject to applicable legislation, to the collection, retention, use, disclosure and destruction or anonymization of personal information held by EQCMA.
This policy sets out EQCMA’s commitments in its management of personal information, the roles and responsibilities of the individuals who process personal information held by EQCMA, and the steps to take when EQCMA has reasonable grounds to believe that a confidentiality incident has occurred involving personal information it holds, or if such an incident is proven, in accordance with the Act respecting the protection of personal information in the private sector, RLRQ, c. P-39.1 and the Regulation respecting confidentiality incidents RLRQ, c. P-39.1, r. 3.1.
It also sets out the rights of the individuals to whom the personal information relates and provides a process for handling complaints relating to personal information.
The definitions to be considered for the application of this policy, which may be supplemented by any other regulation, policy, directive or procedure referring to it, are as follows:
Collection: means the act of gathering, acquiring or obtaining personal information from any source, including third parties, by any means.
Confidentiality incident: access to, use of or communication of personal information not authorized by law, as well as its loss or any other form of breach of its protection.
Here are some examples:
- A staff member consults personal information not necessary for the performance of his duties;
- A hacker infiltrates a system;
- A person uses personal information from a database to which he has access in the course of his duties for the purpose of usurping the identity of a person;
- A communication is made by mistake to the wrong person;
- A person loses or has documents containing personal information stolen;
- A person interferes with a database containing personal information in order to alter it.
Private Sector Act: Act respecting the protection of personal information in the private sector, CQLR, c. P‑39.1.
Personal information: any information that relates to a natural person and that allows them to be identified. A person’s name, taken in isolation, is not personal information. However, when this name is associated or combined with other information about the same person, it becomes personal information.
Sensitive personal information: Personal information is considered sensitive when, by its nature, particularly financial or otherwise intimate, or because of the context of its use or disclosure, it gives rise to a high degree of reasonable expectation of privacy.
This may include, for example, medical, biometric, genetic or financial information, or information about ethnic origin, political belief, sexual life or orientation, or religious beliefs.
3. COLLECTION OF PERSONAL INFORMATION
EQCMA collects personal information in the course of providing services to its members and when you register for meetings, training sessions or other conferences, or for the purpose of communicating with stakeholders in the poultry industry. It only collects the personal information necessary to achieve the identified purposes.
EQCMA may also collect personal information in the course of operating its website. We invite you to consult our Cookie Policy, which is an integral part of this policy, available on our website.
EQCMA does not intend to collect personal information from minors. If a minor provides personal information to EQCMA, EQCMA will notify the parent or guardian to obtain their express consent or, failing that, will delete the information.
Here are examples of personal information we collect:
- A person’s name and date of birth;
- Social insurance number;
- Credit card or bank account number or any information required for billing or payment of invoices;
- Driver’s license number;
- Producer number and ministerial identification number (NIM);
- Financial or banking information;
- A person’s name and their personal telephone number and email address;
- A person’s name and home address.
4. USE OF PERSONAL INFORMATION
EQCMA uses personal information in order, in particular, to carry out the services provided for in any service agreement aimed at applying regulatory standards relating to the mandatory reporting of certain diseases and enhanced biosecurity measures, to provide services to its members, to receive services from a supplier or a third party, and to collaborate with government authorities in the event of a health crisis affecting one or more poultry flocks in Quebec.
Personal information is only used by those individuals for whom it is required in the exercise of their functions or the accomplishment of their tasks.
5. COMMUNICATION OF PERSONAL INFORMATION
EQCMA does not disclose personal information it holds to third parties, except to the extent provided for by legislation or with the individual’s consent, where applicable.
EQCMA may communicate your personal information without your consent to its agents, its service providers, including a provider of data hosting services or those related to the operation of its website, or other third parties who support it and to any government body for which the information is necessary for the application of the law or which has the power to compel its communication and for the purposes of studies or research or the production of statistics subject to the conditions provided for by the Privacy Act.
In the case of communication to an agent, third party or service provider or for research purposes, a confidentiality agreement is concluded in writing to ensure the protection of your personal information. However, such an agreement is not required when the agent or service provider is a public body within the meaning of the Act respecting Access to documents held by public bodies and the Protection of personal information (RLRQ, c. A-2.1) or a member of a professional order.
6. RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
EQCMA takes reasonable steps to ensure that the personal information it holds is up to date, complete and accurate for the purposes for which it is intended.
It only retains the personal information it holds for the time necessary to achieve the purposes for which it collected it, unless authorized or required by applicable legislation.
Generally, when the purposes for which the information was collected have been fulfilled, EQCMA must destroy it, or anonymize it in order to use it for serious and legitimate purposes.
When destroying personal information, EQCMA ensures that the necessary security measures are taken to ensure its confidentiality.
7. PROTECTION OF PERSONAL INFORMATION
EQCMA implements appropriate and reasonable security measures to protect personal information against loss or theft, and against access, disclosure, communication, copying, use or modification not authorized by law. Only employees, if applicable, agents, third parties or service providers who absolutely need access to personal information in the course of their duties are authorized to access it.
Any person who, in the course of their duties, has access to personal information held by EQCMA must take the necessary steps to ensure its protection and confidentiality.
Persons who are members of EQCMA’s staff or who work on its behalf must, in particular:
- Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;
- Take special precautions to ensure that personal information is not monitored, overheard, accessed or lost when working in premises other than EQCMA offices; and
- Take reasonable steps to protect personal information as it moves from one location to another.
Third parties, agents or service providers of EQCMA who have access to personal information in its custody or control must be informed of this policy.
8. REPORTING A CONFIDENTIALITY INCIDENT
Any person to whom EQCMA communicates personal information (colleagues, suppliers, partners, service providers including experts) must report a breach when they have reasonable grounds to believe that a confidentiality incident involving personal information held by EQCMA has occurred. This report must be made without delay to the person responsible for the protection of personal information.
Any person who has reasonable grounds to believe that a confidentiality incident has occurred involving personal information held by EQCMA must also notify the Director General of EQCMA or the person responsible for the protection of personal information without delay.
EQCMA conducts an assessment of privacy factors:
- Before communicating your personal information outside Quebec; and
- For any project to acquire, develop or redesign a computer system or electronic provision of services involving the collection, use, communication, retention or destruction of personal information.
The purpose of the assessment is to enable EQCMA to meet its obligations regarding the confidentiality of the personal information it holds and to ensure that measures are in place to give that information adequate protection.
10. PERSON RESPONSIBLE FOR PERSONAL INFORMATION (PRPI): ROLES AND RESPONSIBILITIES
The person responsible for the protection of personal information (hereinafter: PRPI) for EQCMA is Ms. Anik Marchand. She can be contacted at the following address:
- Email: anikmarchand(@)eqcma.qc.ca
- Telephone: 819 725-0145
Her role is notably:
- To contribute to the implementation of the information security incident management process;
- To maintain the register of information security incidents that may have jeopardized information security, to document these incidents and to keep the Chairman of the Board of Directors informed;
- To contribute to information security risk analyses in order to identify threats and vulnerability situations and implement appropriate solutions;
- To contribute to privacy impact assessments;
- To receive and process requests for the disclosure of personal information for research purposes;
- To receive and process requests for communication of personal information without the consent of the persons concerned and, when required by law, to record this communication in the file of the person concerned;
- To manage complaints, access rights and rectification rights of the persons concerned.
In the event of a confidentiality incident, the PRPI takes charge of handling the incident and partners with any other useful person depending on the nature of the incident.
In this respect, the PRPI:
- Assesses the risk of harm being caused and determines its severity. This assessment considers, among other things, the sensitivity of the information in question, the anticipated consequences of its use and the likelihood that it will be used for harmful purposes.
- Notifies, promptly, the person whose personal information is concerned by the incident, when there is a risk that serious harm will be caused, except when this would be likely to hinder an investigation carried out by a person or by an organization which, under the law, is responsible for preventing, detecting or repressing crime or violations of the laws. This notice must contain the following information:
  - A description of the personal information affected by the incident or, if this information is not known, the reason why it is not possible to provide such a description;
  - A brief description of the circumstances of the incident;
  - The date or period when the incident occurred or, if the latter is not known, an approximation of that period;
  - A brief description of the measures that EQCMA has taken or intends to take following the occurrence of the incident, in order to reduce the risks of harm being caused;
  - The measures that EQCMA suggests the person concerned take in order to reduce the risk of harm being caused to him or her or to mitigate such harm;
  - Contact details allowing the person concerned to obtain further information regarding the incident.
- Notifies, where appropriate, any person or organization likely to reduce the risk, by communicating only the personal information necessary for this purpose, without the consent of the person concerned.
- Notifies, promptly and in writing, the Commission for Access to Information of the confidentiality incident when it presents a risk of serious harm being caused. The notice must contain the following information:
  - The name of EQCMA and the Quebec business number assigned to it under the Act respecting the legal publicity of enterprises;
  - The name and contact details of the person to contact within EQCMA regarding the incident;
  - A description of the personal information affected by the incident or, if this information is not known, the reason why it is not possible to provide such a description;
  - A brief description of the circumstances of the incident and, if known, its cause;
  - The date or period when the incident occurred or, if the latter is not known, an approximation of that period;
  - The date or period during which EQCMA became aware of the incident;
  - The number of persons affected by the incident and, among these, the number of persons residing in Quebec or, if they are not known, an approximation of these numbers;
  - A description of the factors that lead EQCMA to conclude that there is a risk of serious harm being caused to the individuals concerned, such as the sensitivity of the personal information concerned, the possible malicious uses of this information, the anticipated consequences of its use and the likelihood that it will be used for harmful purposes;
  - The measures that EQCMA has taken or intends to take to notify the individuals whose personal information is affected by the incident, as well as the date on which the individuals were notified or the anticipated timeframe for completion;
  - The measures that EQCMA has taken or intends to take following the occurrence of the incident, in particular those aimed at reducing the risks of harm being caused or mitigating such harm and those aimed at preventing further incidents of the same nature from occurring, as well as the time period within which the measures were taken or the planned timeframe for execution;
  - Where applicable, a statement specifying that a person or organization located outside Quebec and exercising responsibilities similar to those of the Commission d’accès à l’information with regard to monitoring the protection of personal information has been notified of the incident.
- Notifies, diligently and in writing, the Commission d’accès à l’information of any information that should have been included in a confidentiality incident notice and of which EQCMA became aware after the transmission of this notice, where applicable.
- Notifies, with diligence, EQCMA’s insurers, if applicable.
- Records the confidentiality incident in the register provided for this purpose.
- At the request of the Access to Information Commission, transmits a copy of this register.
11. PRIVACY INCIDENT REGISTRY
EQCMA must maintain a register of confidentiality incidents.
The information contained in the register must be kept up to date and retained for a minimum period of five years after the date on which EQCMA became aware of the incident.
12. RIGHT OF ACCESS AND RECTIFICATION
In accordance with applicable privacy laws, an individual may:
- Ask whether EQCMA holds personal information about them and have access to it, which includes the right to receive a copy of this information;
- Ask EQCMA to rectify any inaccurate or incomplete personal information concerning them.
Any request for access or rectification must be addressed in writing to the person responsible for the protection of personal information designated in this policy. Your request will be processed within 30 days of receipt.
Reasonable fees may be charged for transcription, reproduction or transmission of information.
13. UNSUBSCRIPTION
If you no longer wish to receive communications from EQCMA, except those sent to you pursuant to a legislative provision, you can unsubscribe by contacting the person responsible for the protection of personal information directly.
14. PROCESSING OF COMPLAINTS
Any complaint regarding the protection of personal information must be addressed in writing to the person responsible for the protection of personal information designated in this policy. This complaint will be processed within 30 days of its receipt.
15. MODIFICATION TO THE POLICY
EQCMA reserves the right to modify or supplement this policy at any time. If changes are made, EQCMA will post them on its website and publish the amended policy there.
16. LAST UPDATE
June 20, 2025.