Personal information protection policy

Purpose
The purpose of this document is to describe the methods for protecting Personal Information applied at Alten (hereinafter referred to as “the Company”).

The requirements of this policy apply to the Company’s normal business activities carried out in the course of its operations.

These requirements apply to any person who may come into contact with Personal Information in the course of activities that directly or indirectly involve the Company.

The objectives of this policy are:

Ensure the Company’s compliance with the obligations of the Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, hereinafter “ARPPIPS”.

Safeguard the rights of the Company’s staff, customers and partners as outlined in articles 35 to 40 of the Civil Code of Quebec pertaining to the protection of personal information.

Mitigate risks to the Availability, Integrity or Confidentiality of personal information that is maintained, used or stored by the Company in the course of its operations.

This document contains Information classified as public. Its content must not be broadcast or distributed outside of the Company and must be subject to the controls appropriate to its classification.

Responsibility for this policy
Responsibility for the implementation of this policy is vested with the Company’s President.

Responsibility for ensuring compliance with this policy also rests with the President of the Company.

Definitions
Authorization: permission to perform a specific action.

Confidentiality: property of information that is accessible only to authorized persons.

Confidential: high risk Information Classification category, accessible only within designated sectors of the Company. Disclosure could severely compromise the Company’s financial, judicial, physical or moral integrity or that of its employees, suppliers, and customers.

Classification of Information: process of distributing Information according to predefined categories.

Availability: property of information that can be used in a timely and appropriate manner by authorized persons.

Incident: any event that potentially compromises the confidentiality, integrity or availability of an Information System containing personal information, or that constitutes a significant deviation from that system’s normal functions.

Information: set of data likely to be stored, processed or communicated.

Integrity: the assurance that information has not been altered, modified or destroyed without authorization.

Internal: medium risk Information Classification category, available within designated sectors of the Company, and which, if revealed, could potentially harm the financial, judicial, physical or moral integrity of the Company or its employees, suppliers and customers.

Public: low risk Information Classification category, available to the general public and which, if revealed, is without harm to the financial, judicial, physical or moral integrity of the Company or its employees, suppliers and customers.

Information system: set of media (physical or digital) whose function is the conservation, processing or communication of information.

Third party: person or company that does not have a current employment relationship with the Company.

Alten Canada: group bringing together the companies Alten Canada, MDC, QAC, Proex and any other external company that has been the subject of an acquisition.

Personal information: as defined by the act, personal information encompasses “[…] any information which relates to a natural person and allows that person to be identified.” (Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, s. 2).

Examples of personal information about a person (information is personal whether it is mentioned together with other information concerning the person or whether its mention alone would reveal the identity of the person concerned):

Name;
Social insurance number;
Driving licence number;
Health insurance number;
Address;
Telephone number;
Registration number;
Age;
Gender;
Race, nationality or ethnic origin;
Religion;
Marital status;
Medical, educational or professional history;
Online identifiers;
Employee identification number;
Banking or credit card information;
Biometric data used for identity verification;
Geolocation data.

Additionally, elements that contribute to one’s physical identity such as photographs, as well as physiological, genetic, psychological, health, economic, cultural, or social characteristics, are considered personal information.

The following are not considered personal information:

Data not directly related to an individual, such as postal codes
Corporate information
Anonymized data, where identification of the individual is impossible
Government-related information

Rights of individuals
The Company respects the rights of individuals regarding the protection of personal information within the limits of laws and regulations. The individuals have the right:

To be informed about the processing of their personal data.
To know how, when and why their personal data is processed or shared.
To access their data.
To be forgotten.
To receive a copy of their personal data.
To refuse automated decision-making and to refuse to receive chain emails and other electronic messages.
To have their data rectified if it is inaccurate.
To limit the processing of their data.
To be asked for consent when personal data is disclosed to, or requested from, third parties, unless the law clearly exempts the Company from doing so.

The Company must ensure that it appoints a person responsible for the protection of personal information who will be responsible for individual rights, processing requests and complaints regarding personal information within the time limits prescribed by the laws and regulations in force.

The Company must ensure that individuals are aware that their data is being processed and that they understand how they can exercise their rights.

The Company ensures the secure retrieval, correction or deletion of data following receipt of a request. It may refuse a request, with justification, within the limits of the Act.

Documentation of requests and complaints will be maintained.

Personal Information Protection Process

Roles and responsibilities
Roles and responsibilities as mandated by the ARPPIPS require the Company to appoint individuals to the specified roles. A personal information protection management committee can also be set up according to the legal, contractual and contextual needs of the Company.

Executive Authority of the Company
Must be assumed by the individual holding the highest level of authority within the Company

Responsible for implementing policies and procedures related to the protection of personal information

Oversees adherence to and compliance with personal information protection policies and procedures

Designates a delegate tasked with overseeing the protection of personal information

Approves strategic action plans and allocates human and financial resources accordingly

Delegate Responsible for the Protection of Personal Information
Responsible for documenting incidents related to privacy breaches

Keeps a comprehensive log of all confidentiality-related incidents

Notifies the relevant authorities in the event of unintended disclosures of Personal Information

Ensures a thorough understanding and implementation of laws concerning Personal Information Protection

Facilitates ongoing training and awareness programs for employees within the Personal Information Protection framework

Engages in Privacy Impact Assessment (PIA) activities

Oversees the processing of information access requests

Handles grievances related to Personal Information Protection

Employees, Suppliers and other Third Parties
Must comply with the Company’s Personal Information Protection governance policies

Are expected to participate in training and awareness initiatives focused on Personal Information Protection

Obligated to report any suspected or verified incidents of privacy breach

Obligations
The obligations described below are set out explicitly or implicitly by the ARPPIPS. The Company and its personal information protection program are required to respect these obligations.

General
The Company must designate an individual responsible for ensuring adherence to relevant personal information protection laws, with their contact information (email and telephone) publicly accessible on the Company’s website(s).

The Company is obliged to safeguard personal information in all forms (physical or digital) and states (at rest, in transit or in use), across all business processes.

The Company must comply with the personal information protection principles set forth in the ARPPIPS and validate this compliance through evaluations or audits.

The Company is required to publicly disclose detailed information about its personal information protection policies and practices.

The Company must promptly update its personal information protection program in response to new, amended, or repealed applicable laws.

Collection of Personal Information
Prior to any collection, use, (non-accidental) disclosure, or communication of personal information, the Company must clearly define and communicate the intended purposes.

The Company must inform individuals and obtain their explicit consent before engaging in any collection, use, communication or (non-accidental) disclosure of personal information, except in cases where the law does not require consent.

The Company must only collect personal information that it can demonstrate as necessary for one or more of its business processes.

The Company must destroy or anonymize personal information once it is no longer needed for the purposes for which it was collected.

The Company must disclose the existence, nature, and usage of personal information under its responsibility to the owner of the personal information who requests it.

The Company must allow the owner of the personal information to consult the personal information under its responsibility upon request.

Personal Information Inventory
The Company must create, implement, document, and maintain an inventory of personal information under its responsibility. This inventory must address the following characteristics for each piece of personal information under its responsibility:

Storage locations
Description of personal information
Medium used for storage
Types of Personal Information
Access scheme to the personal information concerned
Classification of personal information
List of controls applied to the personal information concerned
Maximum retention period
Prescribed destruction method

The Company must maintain the accuracy of personal information contained in the inventory.

The Company must maintain the accuracy of the inventory concerning personal information to meet legislative requirements regarding the use, storage, and destruction of personal information.

Protection of personal information
The Company must create, implement, document, and maintain a risk management process applied to the protection of personal information. This risk management process must address the following characteristics for each risk:

Identification date
Reporting individual
Type of threat
Type of vulnerability
Targeted information assets
Risk impact measure
Risk probability measure
Security controls in place
Identification of residual risks
Security controls to be implemented
Action plan for residual risks
Risk owner

The Company must implement and use the necessary security controls as prescribed by the classification level of personal information.

The Company must measure the effectiveness of the security controls in place at all times.

The Company must use and maintain the systems, technological tools and expertise necessary to protect personal information.

The Company must create, implement and maintain a restrictive access scheme to personal information. This scheme must ensure that individuals only have the minimal access to personal information necessary for performing their tasks, and only at appropriate times. This access scheme must address the following characteristics for each access:

Individual or group targeted by access
Personal information targeted by access
Type of personal information
Medium containing the personal information
Type of access (writing/reading/deletion)
Access activation date
Last access modification date
Access expiration date

Use of personal information
The Company must ensure that personal information is not used other than as declared at the time of collection.

The Company must not sell, rent or exchange personal information without explicit consent of the owner of the personal information.

The Company must obtain the approval of the person responsible for the protection of personal information before any internal or external communication of personal information.

The Company must establish, use and maintain formal and necessary processes for the internal and external communication of personal information. This obligation contains exceptions provided by current laws and regulations.

The Company must establish, use, and maintain a list of all third parties involved in the collection, processing, or communication of personal information. This list must address the following characteristics for each third party:

Third parties targeted by access
Personal information targeted by access
Type of personal information
Medium containing personal information
Geographic location of personal information storage by the third party
Type of use of personal information
Type of access (writing/reading/deletion)
Last access activation date
Access expiration date

The Company must use contractual agreements with third parties governing any action affecting personal information under the responsibility of the Company. These agreements define the obligations and responsibilities of each party.

Data transfer outside Quebec
The Company must limit the cross-border transfer of personal information regardless of the medium.

The Company must, in the event of an inevitable cross-border transfer of personal information, inform the owner of the personal information and obtain their consent beforehand.

The Company must ensure that all legal requirements for cross-border transfers of personal information are met before such a transfer takes place. A Privacy Impact Assessment (PIA) will be produced for each case.

Consent
Before proceeding with the collection, use, communication or voluntary disclosure of personal information, the Company must secure the consent of the targeted personal information owner.

Characteristics of consent
The Company is required to secure explicit consent, ensuring that the potentially consenting individual can clearly grasp the consent’s purpose.

The Company must secure voluntary consent, ensuring the potentially consenting individual is free from any coercion or pressure, acting on their own volition.

The Company must secure informed consent, ensuring the potentially consenting person is fully aware of the clear implications and consequences of their decision.

The Company must secure specific consent, ensuring the potentially consenting individual agrees to a well-defined and precise objective.

The Company must secure granular consent, enabling the potentially consenting individual to agree to each specific purpose.

The Company must secure understandable consent, ensuring the terms are straightforward and clear to the potentially consenting individual.

The Company is obliged to secure separate consent, ensuring the potentially consenting individual can distinctly agree, separate from any other information, especially when the request is made in writing.

The Company must secure temporary consent, ensuring the potentially consenting individual agrees for only the necessary duration to fulfill the requested purposes.

The Company must provide a simple mechanism allowing individuals to withdraw their consent at any time and for any reason, informing them of the withdrawal’s consequences. This mechanism should be universally accessible and widely publicized.

Consent of minors
In Quebec, individuals under 18 years are considered minors.

If the minor is under 14, consent for the use or communication of their personal information must come from a parent or person having parental authority.

If the minor is 14 or older, consent may be given by the minor themselves or by the parent or person having parental authority.

If the collection is evidently for the minor’s benefit, the Company may proceed without parental consent.

Exceptions to Consent
In situations where an individual’s health or safety is at risk due to an urgent and dangerous condition:

The Company may share the individual’s personal information without their consent with anyone who needs to be informed.

The Company must ascertain the situation’s urgent and perilous nature to justify non-consensual disclosure.

To prevent acts of violence, including suicide, the Company may:

Share personal information without the affected individuals’ consent, limited to those at risk, their representatives, and any potential helpers, such as police officers, suicide prevention centers, community health service workers, child protection services, or health professionals.

Additional considerations
To comply with ARPPIPS legal requirements, the following must also be considered:

The Company must develop, implement, and maintain an information asset incident management process.

The Company must develop, implement, and maintain a general data classification policy, including personal information classification.

The Company must establish, implement, and uphold policies for handling personal information requests and complaints.

The Company must create, implement, and sustain a personal information risk training and awareness policy.

Compliance

Compliance measures
The Company establishes this policy and ensures adherence and compliance through:

Control tools
Internal and external audits
Feedback to the policy officer

Exceptions
Any deviations from these guidelines must be formally requested in writing and approved by the Company using the appropriate documents.

Unauthorized exceptions will be treated as non-compliance.

Noncompliance
Significant deviations from these guidelines may result in disciplinary actions, up to and including termination of employment.

Revision
This policy will be reviewed within a period of 2 years or as needed due to contractual, legal, or contextual changes. In case of modification or update of this policy, notice will be given directly on the website.

Contact details

ALTEN Canada – Personal data protection
600 De la Gauchetière Street, 12th Floor,
Montréal, QC, H3B 4L2
dpo.altencanada@alten.com