Last updated: 2024-07-24
All questions, comments and requests concerning the present policy should be sent to Lexum’s Privacy Officer, Frédéric Pelletier, using the Contact Us form.
1-Preamble
[1] Lexum processes personal information in the course of its activities, including that of its customers, website visitors, employees and job applicants. As such, Lexum recognizes the importance of respecting privacy and protecting the personal information it holds, whether it is hosted by Lexum or with a third party.
[2] Lexum has adopted this privacy policy in order to fulfil its obligations in this area. It sets out the framework principles applicable to the protection of personal information held by Lexum throughout its life cycle as well as the roles and responsibilities of stakeholders in the protection of personal information and the exercise of the rights of the individuals concerned.
[3] The protection of personal information held by Lexum is the responsibility of any person who processes such information, within its staff and any service provider mandated to process such information.
2-Object
[4] This policy:
a. sets out Lexum’s governance principles with respect to personal information throughout its life cycle;
b. provides a framework for the exercise of the rights of individuals concerned;
c. provides for the process for handling privacy complaints; and
d. Defines Lexum’s privacy roles and responsibilities.
3- Definitions
[5] For the purposes of this policy, the following terms mean:
“CAI” refers to the Commission d’accès à l’information du Québec.
“Life Cycle” refers to all stages of handling personal information, including its collection, use, communication, retention, and destruction.
“Privacy Impact Assessment” or “PIA” refers to the preventive process aimed at better protecting personal information and respecting the privacy of individuals. This study involves considering all factors that would result in positive and negative impacts on the privacy of the individuals concerned and implementing measures to mitigate the associated risks.
“Privacy Incident” refers to any unauthorized consultation, use, or communication of personal information by law, or any loss or other breach of the protection of such information.
“Law” refers to any law that may apply to the personal information processing activities carried out by Lexum, including at the federal level, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5, and in Quebec, the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c P-39.1.
“Individual concerned” refers to an individual to whom the personal information relates.
“Profiling” refers to the collection and use of personal information to assess certain characteristics of an individual, particularly for the purpose of analyzing work performance, economic situation, health, personal preferences, interests, or behaviour.
“Personal Information” or “PI” refers to any information relating to an individual that can be used to identify them directly—by using this information alone—or indirectly—by combining it with other information.
“Sensitive Personal Information” refers to any personal information that, by its nature, such as medical or biometric data, or other intimate information, or due to how it is used or communicated, elicits a high degree of reasonable expectation of privacy.
“Privacy Officer” or “PO” refers to the person within Lexum who ensures compliance with and implementation of the act concerning the protection of personal information.
4-Scope
[6] This policy applies to personal information held by Lexum and to anyone who processes personal information on behalf of Lexum.
5-Processing of Personal Information
[7] Personal information is protected throughout its life cycle in accordance with the following principles, except as provided by law.
5.1 – Collection
[8] Lexum only collects the personal information necessary for the conduct of its activities. Before collecting personal information, Lexum determines the purposes of its processing, which must be serious and legitimate.
[9] Personal information is collected from the individual concerned unless the law permits it to be collected from a third party.
[10] At the time of collection, and subsequently upon request, Lexum informs the individuals concerned of at least the following:
a. the purposes for which the information is collected;
b. the means by which the information is collected;
c. the rights of access and rectification provided by law;
d. the right to withdraw consent to the communication or use of the collected information;
e. the name of the third parties for whom the collection is made;
f. the name of the third parties or categories of third parties to whom it is necessary to communicate the information for the stated purposes;
g. the possibility that the information may be communicated outside of Quebec;
h. the use of technology that includes features allowing identification or profiling of the individual; and
i. the means available to activate the functions allowing identification, localization, or profiling.
[11] The information listed above about the personal information collected is provided to the individual concerned in simple and clear terms, through a privacy policy or a ‘just-in-time’ notice.”
[12] The individual concerned who provides their personal information after receiving the information listed above about the personal information collected is presumed to consent to its use and communication for the stated purposes.
[13] Upon request by an individual concerned, Lexum informs them of the following:
a. the personal information collected from him or her;
b. the categories of persons who have access to this information within Lexum;
c. the retention period of this information; and
d. the contact details of Lexum’s PO.
[14] When the law requires obtaining consent, it must be explicit, free, informed, and given for specific purposes. Consent is requested for each of these purposes, in simple and clear terms. This consent is valid only for the time necessary to achieve the purposes for which it was requested.
5.2 – Usage
[15] Lexum only uses personal information for the purposes for which it was collected. However, Lexum may modify these purposes if the individual concerned consents in advance.
[16] Lexum may also use personal information for secondary purposes without the individual concerned consent in any of the following cases:
a. when the use is for purposes compatible with those for which the information was collected (compatible purposes exclude commercial or philanthropic solicitation);
b. when the use is clearly to the benefit of the individual concerned;
c. when the use is necessary for the purposes of fraud prevention and detection or for assessing and improving security measures;
d. when the use is necessary for the provision or delivery of a product or service requested by the individual concerned; and
e. when the use is necessary for study, research, or statistical purposes and the information is anonymized.
5.3 – Communication
[17] Subject to exceptions provided by law, Lexum cannot disclose personal information without obtaining the consent of the individual concerned. Consent must be given expressly when sensitive personal information is involved.
[18] Lexum may disclose personal information without consent to an agent or service provider as part of a mandate or service contract, including a technology tool hosted on a cloud platform. To this end, Lexum must enter into a written agreement with the agent or service provider, which stipulates, at a minimum, the measures the agent or service provider must take:
a. to ensure the protection of the confidentiality of the disclosed personal information;
b. to use this information only for the purpose of fulfilling the mandate or performing the contract; and
c. not to retain the information after the mandate or contract expires.
[19] The agreement described in the previous paragraph must specify the following:
a. the agent or service provider must promptly notify the PO of any breach or attempted breach by any person of any privacy obligation regarding the disclosed information; and
b. Lexum’s PO reserves the right to conduct any verification related to this privacy.
[20] When personal information is disclosed outside of Quebec, Lexum conducts a PIA in accordance with Article 6 of this policy.
5.4 – Retention, Anonymization and Destruction
[21] Lexum takes all reasonable steps to ensure that the personal information it holds is up-to-date, accurate, and complete for the purposes for which it is collected or used.
[22] Lexum retains personal information as long as necessary to conduct its activities, subject to applicable retention periods.
[23] When the purposes for which the personal information was collected are fulfilled, this information is destroyed or anonymized, in accordance with Lexum’s retention periods.
6 – Privacy Impact Assessment (PIA)
[24] The completion of a PIA serves to demonstrate that Lexum has met all obligations regarding the protection of personal information and that all measures have been taken to effectively protect this information.
[25] Lexum conducts a PIA in the following contexts:
a. before undertaking a project to acquire, develop, or redesign an information system or electronic service delivery system that involves personal information;
b. before disclosing personal information without the consent of the individuals concerned to a person or organization that wishes to use this information for study, research, or statistical purposes; and
c. when it intends to disclose personal information outside of Quebec.
[26] When conducting a PIA, Lexum considers the sensitivity of the information to be processed, the purposes of its use, its quantity, distribution, and medium, as well as the proportionality of the proposed measures to protect personal information.
[27] When personal information is disclosed outside of Quebec, Lexum ensures that it receives adequate protection, particularly with regard to generally recognized principles of personal information protection.
7 – Rights of Individuals Concerned
[28] Subject to the provisions of the law, any individual concerned about whom Lexum holds personal information has the following rights:
a. to access the personal information held by Lexum and obtain a copy, whether in electronic or non-electronic format; unless it poses serious practical difficulties, personal information collected from an individual concerned, and not created or inferred from personal information about them, is provided in a structured and commonly used technological format, upon request. This information is also provided, upon request, to any person or organization authorized by law to collect such information.
b. to rectify any incomplete or inaccurate personal information held by Lexum;
c. to request the deletion of outdated or unjustified information, or to submit written comments to Lexum’s PO;
d. to request Lexum to cease the dissemination of information or to de-index any hyperlink associated with their name by technological means, when the dissemination of this information contravenes the law or a court order;
e. to request Lexum to cease the dissemination of information or to de-index or re-index any hyperlink associated with their name, when the following conditions are met:
i. the dissemination of this information causes them serious harm concerning their right to respect for their reputation or privacy;
ii. this harm is manifestly greater than the public interest in knowing this information or the interest of any person to freely express themselves; and
iii. the cessation of dissemination, re-indexing, or de-indexing requested does not exceed what is necessary to prevent the harm from continuing, taking into account, in particular, whether the data subject is a public figure or not, whether the information concerns a minor, whether the information is up-to-date and accurate, the sensitivity of the information, the context in which the information is disseminated, and the time elapsed between the dissemination of the information and the request made to Lexum; and
f. the right to be informed, if applicable, that personal information is used to make a decision based on automated processing.
[29] Although the right of access can be exercised at any time, access to documents containing this information is subject to certain exceptions identified in the law:
a. Lexum may refuse to disclose personal information to an individual if the disclosure of the information is likely to:
i. harm an investigation conducted by its internal security service aimed at preventing, detecting, or suppressing crime or law violations, or by an external service with the same objective or a license holder of a security or investigation agency issued in accordance with the Private Security Act, RLRQ, c S-3.5;
ii. have an effect on judicial proceedings in which either of these persons has an interest.
b. Lexum must refuse to disclose personal information to:
i. an individual if its disclosure would likely reveal personal information about a third party or the existence of such information and if this disclosure could seriously harm that third party, unless the latter consents to its disclosure or it is an emergency case endangering the life, health, or safety of the individual concerned;
ii the liquidator of the estate, the beneficiary of a life insurance policy or death benefit, the heir, or the successor of the individual concerned by this information, unless this disclosure involves the interests and rights of the person requesting it as a liquidator, beneficiary, heir, or successor, all subject to the right of the spouse or parent of a deceased person mentioned above.
[30] The request for access to personal information must be sufficiently precise to allow the PO to identify the said personal information. The right of access applies only to existing personal information.
[31] The PO responds in writing to requests for access or rectification promptly and no later than 30 days from the date of receipt of the request.
[32] Access to personal information contained in a file is free of charge. However, Lexum may charge reasonable fees for the transcription, reproduction, or transmission of this information, after informing the requester of the approximate amount payable before proceeding with the transcription, reproduction, or transmission of this information.
[33] When the PO complies with a request for rectification or deletion, they notify this rectification or deletion to any person who received the information in the preceding six months and, if applicable, to the person who holds it. In addition, they provide the requester free of charge with a copy of any modified or added personal information or, as the case may be, a certificate of the deleted personal information.
[34] If there is no response within 30 days of receiving the request, Lexum will be deemed to have refused to comply with it. That said, the PO must provide reasons for any refusal to comply with a request and indicate the legal provision on which this refusal is based, the recourse available to the requester under the law, and the time frame within which they can be exercised. They must also assist the requester who asks for help in understanding the refusal.
8 – Complaints handling
[35] Any complaint regarding Lexum’s personal information protection practices or its compliance with legal requirements concerning personal information is forwarded to the PO, who responds within 30 days.
9 – Security
[36] Lexum implements reasonable security measures to ensure the privacy, integrity, and availability of personal information collected, used, disclosed, retained, or destroyed. These measures take into account the sensitivity of the personal information, the purpose of its collection, its quantity, location, and medium.
[37] Lexum manages the access rights of its personnel so that only those who need access to personal information as part of their duties have access to it.
10 – Privacy Incidents
[38] Any privacy incident involving personal information is reported to the PO. Lexum then takes reasonable measures to mitigate the risk of harm and prevent similar incidents from occurring in the future.
[39] Any privacy incident is recorded in the privacy incident register, regardless of its severity.
[40] If the privacy incident poses a risk of serious harm to the individuals concerned, Lexum promptly notifies them as well as the CAI.
11 – Privacy Incidents Register
[41] In accordance with the law, Lexum maintains an up-to-date register of privacy incidents.
[42] The PO is responsible for maintaining the register, keeping it for the periods required by law, and updating it.
12 – Roles and responsibilities
[43] The protection of personal information held by Lexum relies on the commitment of all those who handle this information, particularly the following individuals:
[44] The PO :
a. ensures compliance with and implementation of the law;
b. ensures the establishment and implementation of policies and practices governing the company’s management of personal information and ensuring its protection, particularly by approving them;
c. is consulted, for the purposes of a PIA, at the beginning of any project involving the acquisition, development, or redesign of an information system or electronic service delivery system involving the collection, use, disclosure, retention, or destruction of personal information;
d. at any stage of a project mentioned in the previous point, the PO may suggest measures to ensure the protection of personal information involved in the project, such as:
i. the appointment of a person responsible for implementing the protection measures;
ii. the inclusion of PI protection measures in all project-related documents;
iii. a description of the responsibilities of the project participants regarding PI protection;
iv. the provision of training activities on PI protection for the project participants;
e. is responsible for maintaining the privacy incidents register;
f. participates in the assessment of the risk of serious harm related to a privacy incident, particularly concerning the sensitivity of the information involved, the anticipated consequences of its use, and the likelihood of it being used for malicious purposes;
g. if applicable, records the communication of a privacy incident to a person or organization that may mitigate the risk of harm;
h. if applicable, conducts checks on confidentiality obligations related to the disclosure of personal information in the context of mandates or service contracts entrusted to third parties in accordance with this policy;
i. receives written requests to exercise the rights of individuals concerned and ensures they are responded to in compliance with this policy.
[45] The Lexum Management Committee:
a. approves this policy and other reference framework documents, as well as any amendments to them;
b. receives and analyzes the report from the PO;
c. stays informed about Lexum’s personal information protection activities and takes any actions it deems appropriate to maintain an acceptable level of risk for Lexum.
[46] Any person, including a supplier, who processes personal information held by Lexum:
a. acts with caution and incorporates the principles outlined in this policy into their activities;
b. only accesses the information necessary for the performance of their duties;
c. only integrates and retains information in files intended for the performance of their duties;
d. keeps these files in such a way that only authorized persons have access to them;
e. protects access to personal information in their possession or to which they have access with a password;
f. refrains from disclosing personal information they become aware of in the performance of their duties, unless duly authorized to do so;
g. refrains from retaining, at the end of their employment or contract, personal information obtained or collected in the course of their duties and maintains their confidentiality obligations;
h. destroys all personal information in accordance with Lexum’s retention periods;
i. participates in awareness and training activities on personal information protection that are intended for them;
j. reports any breach, privacy incident, or any other situation or irregularity that could in any way compromise the security, integrity, or confidentiality of personal information in accordance with the procedure established by Lexum.
13 – Sanctions
[47] Any person who violates this policy is subject to sanctions, including disciplinary or contractual measures, which may result in termination of employment or business relationship.
14 – Update
[48] This policy is updated in accordance with developments in applicable personal information protection laws and Lexum’s practices.
[49] Any amendments made to this policy come into force as of the last update date stated at the beginning of the policy.
15 – Approval and Coming into Force
[50] This policy was approved by the PO and comes into effect on 2023-09-22.