Privacy governance framework
Génome Québec (GQ) values privacy. That’s why it developed a governance policy to provide a framework for properly managing privacy issues.
GQ also took multiple steps to support the policy and its application in accordance with applicable laws.
In particular, GQ:
- Confirmed the roles and responsibilities of the privacy officer
- Reviewed and documented internal rules and procedures for protecting personal information
- Put assistance measures in place
In addition, GQ developed other tools and procedures to supplement the policy, including:
- A procedure for retaining documents that contain personal information
- A procedure for dealing with privacy incidents
- A privacy incident register
- A privacy impact assessment model for personal information disclosures outside Québec
- A privacy impact assessment model for personal information disclosures for study, research, or statistical purposes
- A privacy impact assessment model for technology projects involving personal information
- Model contractual clauses for the use of third-party services
- Model contractual clauses for transfers outside Québec
Together, these documents make up GQ’s privacy governance framework. They set out:
Privacy governance framework summary
The purpose of this governance framework summary is to inform individuals whose personal information is collected by GQ about how such information may be collected, used and disclosed and their rights regarding such information.
In this summary, “personal information” means any information that directly or indirectly identifies a specific individual.
1. Scope
The summary applies to the following individuals, activities, resources, and information:
- Individuals: All GQ employees (including managers) and all contractors and service providers with whom GQ may do business.
- Activities: All handling of personal information held by GQ in the course of its duties, activities or functions, even if GQ does not physically hold the information.
- Resources: All internal and external information systems in any medium or format, including cloud-based systems.
- Information: All personal information stored internally or externally in any format. The term “personal information” is interpreted broadly to include information about GQ employees and other individuals as appropriate. However, certain information is not considered personal information, in accordance with applicable laws.
2. Guiding principles
GQ must hold and/or handle various types of personal information in the course of its duties and activities. GQ therefore stresses the importance of ensuring that such information is always handled per the following guiding principles:
- The collection of personal information must be necessary and required or permitted by law (and, where applicable, by contract).
- All personal information is considered confidential by default and handled as such.
- No personal information may be handled unless the necessary consents have been obtained or such handling is permitted or required by law.
- Proper security measures must be taken to protect personal information.
- Personal information may only be retained for as long as necessary to fulfill the purposes for which it was collected (subject to applicable legal and contractual exceptions).
- All access, correction, and other personal information requests, as well as all privacy incidents, must be reported promptly to the appropriate person.
3. Collection, use and disclosure of personal information
In the course of its activities, GQ may collect, use, disclose and/or otherwise handle personal information about various categories of individuals, namely: GQ employees, individuals whose personal information is held in GQ’s biobanks, researchers who apply for competitions held by GQ, visitors to the GQ website who interact with GQ, and/or any member of the public who contacts GQ (where applicable).
3.1 – Personal information about employees
GQ collects and handles required personal information about its employees to manage its employment relationship with them and to comply with applicable legal and contractual requirements or as permitted by law. Such collection and handling is limited to those purposes. Such information is collected and handled with employee consent, unless the law permits or requires such collection and handling without consent, in which case employee consent is not sought.
Optional information is also collected with employee consent.
GQ will not disclose personal information about its employees to any third party without their consent, unless an exception is provided by law or brought to their attention.
3.2 – Personal information about individuals with information stored in biobanks
GQ collects and handles personal information about individuals who have agreed to have their personal information stored in biobanks (biobank participants). Such information will be collected and/or handled as per the terms and conditions set out in the consent form signed by each biobank participant and in other applicable documents, including the governance framework applicable to each biobank (collectively, the biobank documents).
The biobank documents also specify the purposes for which personal information about biobank participants will be used and the instances where such information may be disclosed to third parties.
3.3 – Personal information about researchers participating in GQ competitions
GQ may collect and handle certain information that may constitute personal information submitted by researchers as part of the application process for GQ competitions, which may or may not be held in partnership with other organizations, including Genome Canada. By providing such information, researchers consent to its collection and handling for the purposes of analyzing the application and administering the competition and the project in question, as well as for any other purpose required or permitted by law. Documents collected by GQ for these purposes may also be shared with third parties, such as external selection committee members and partner organizations, where necessary, to administer the competition properly or in accordance with exceptions provided by law or brought to the attention of the researchers.
3.4 – Personal information about other individuals
GQ may collect and handle personal information from members of the public who contact GQ (for example, to apply for a job or inquire about GQ’s activities) and who give their consent. GQ will not disclose personal information about individuals to third parties without their consent, unless an exception is provided by law or brought to their attention.
4. Consent
GQ’s governance framework stresses the importance of valid consent for collecting and handling personal information. Consent can be implied or express. GQ makes reasonable efforts to ensure that express consent is clear, free and informed, given for specific purposes, requested for each purpose in clear and simple language, presented separately from any other information provided, and expressly given when sensitive personal information is involved. However, the governance framework notes that the law recognizes certain situations where consent will not or need not be sought. It provides that assistance will be given to anyone who requests it to help them understand the scope of the consent being sought.
The consent of biobank participants to the collection and handling of their personal information will be obtained as per the biobank documents, whose terms will prevail over the terms for validity of the consent thus given to GQ.
5. Retention, destruction and anonymization
GQ will only retain collected personal information as long as necessary to fulfill the purposes for which it was collected or for longer if required or permitted by law. GQ will destroy personal information once the purposes for which it was collected or used have been fulfilled (subject to any retention period prescribed by law). GQ has established a retention schedule to assist in this process.
GQ will retain personal information about biobank participants for the life of the biobank where it is held, as described in greater detail in the biobank documents.
6. Personal information disclosures outside Québec
GQ will conduct a privacy impact assessment before disclosing any personal information outside Québec to ensure such information is kept confidential and secure.
The personal information of biobank participants may be disclosed outside Québec as per the biobank documents.
7. Personal information disclosures for study, research, or statistical purposes
GQ may, in certain cases and in accordance with the law, disclose personal information in its lawful possession without the consent of the individuals concerned to a person or organization wishing to use that information for study, research, or statistical purposes. Before doing so, a privacy impact assessment must be conducted and, if it concludes that the information can be disclosed, an agreement will be signed with the requesting party. Any formalities required by law must also be completed.
8. Technology projects involving personal information
GQ will conduct a privacy impact assessment in accordance with the process prescribed by law before acquiring, developing or redesigning any information or electronic service delivery system involving personal information.
9. Measures for keeping personal information secure
GQ is responsible for keeping confidential all personal information in its custody or control. It has appointed a privacy officer and put policies and procedures in place to ensure that personal information is reasonably protected. These include internal measures, measures with respect to contractors, and measures for managing privacy incidents.
Regarding the personal information of biobank participants, GQ takes steps to ensure that any partner with access to the biobank and its contents has proper security measures in place to protect the confidentiality and integrity of such personal information.
10. Access, correction, and other personal information requests
Any person can, in accordance with the law, request to access or correct personal information held about them by GQ or make any other applicable request regarding such personal information. The privacy officer will assist requesting individuals as necessary and as follows:
- If someone so requires or makes a request that is not specific enough, the privacy officer will help them identify the personal information they are seeking.
- Subject to applicable laws and in line with the request, the privacy officer will:
  - Confirm whether personal information about the requesting individual is held and, if so, provide the individual with access to that information (or help them obtain a copy of it).
  - Correct personal information that is inaccurate, incomplete or ambiguous.
- If a request for access is denied, the reasons for the denial will be provided to the requesting individual, in accordance with the law. The privacy officer will then help the individual understand why the request was denied.
The privacy officer will:
- Provide reasonable assistance throughout the request handling process
- Provide information about the law, particularly about the handling of requests and the right to file a complaint with the Commission d’accès à l’information
- Communicate with the requesting individual as soon as reasonably possible if the request requires clarification
- Make reasonable efforts to locate the requested documents
- Ensure that any exception invoked in connection with refusing to disclose documents in whole or in part is specific and limited to those documents
- Provide answers that are accurate and complete to the best of the privacy officer’s knowledge
- Promptly provide the information requested under the access process
- Provide the documents in the format requested or provide a suitable space in which to view the documents requested, as appropriate
The privacy officer is not required to provide the same explanation to a requesting individual more than once. Similarly, the privacy officer can choose to stop providing explanations once they have provided requesting individuals with the information necessary to help them understand the decision on their request.
11. Contact and additional information
For any questions, concerns, requests, or complaints regarding this summary or GQ’s management of personal information, please contact the privacy officer at:
Privacy Officer
Génome Québec
630 René-Lévesque Blvd West, Suite 2660
Montréal (Québec) H3B 1S6