ACCESS TO INFORMATION AND CONFIDENTIALITY POLICY
1. Legal framework
In carrying out its activities, Servirplus must comply with the Act respecting Access to
documents held by public bodies and the Protection of personal information, hereinafter
referred to as the "Access Act", and all of its regulations.
The Access Act applies to all documents and personal information held by Servirplus in the
performance of its duties. To this end, Servirplus is responsible for accessing, retaining, and
protecting the following information:
- Servirplus employee files;
- Clinical records of Servirplus clients;
- The various databases and forms completed on the web.
The obligations set out in this policy apply to the following persons: any manager,
employee, consultant or self-employed person, including any person who works for
Servirplus for remuneration (hereinafter the "Employees").
2. Objectives
The main objective of this policy is to ensure compliance with the Access Act in accordance
with Servirplus' values and management principles.
It aims to establish the general framework of the access to information and privacy
procedure in effect within Servirplus.
It also provides for a response strategy to be implemented in the event of a confidentiality
incident.
3. Guidelines
3.1 Access to the Access Act
Any person who so requests has the right of access to the documents of a public body
subject to the restrictions set out in the Access Act, in particular, with respect to the
protection of personal information concerning a natural person.
In addition, any person capable of giving meaningful consent has the right to receive access
to any personal information about him or her.
3.2 Servirplus
Considering the nature of Servirplus' mission and activities, the guiding principles governing
its access to information activities are the protection of the personal information of its
clients and employees and organizational transparency.
In accordance with the Access Act, personally identifiable information held by Servirplus,
i.e., information that relates to a natural person and allows him or her to be identified, is
confidential. Generally, Servirplus cannot disclose personal information without the
consent of the individual concerned.
To ensure the retention, access and protection of the personal information it holds,
Servirplus ensures compliance with the following principles:
- Servirplus is committed to collecting only the personally identifiable information
necessary to carry out its mission and the exercise of its activities;
- Servirplus ensures the protection of the confidentiality of the personally identifiable
information of staff and customers and refuses, except as provided for by law, to
communicate this information without the consent of the person concerned;
- All Employees agree to respect the confidentiality of the personal information of
customers and staff members and to comply with this policy;
- All Employees must, at the time of hiring, read and sign the Undertaking and
Acknowledgement of Confidentiality provided for in Appendix 1 or the version
included in the Employee Handbook. In addition, all Employees who have access to
the personal information of customers and staff members must read and sign this
undertaking annually;
- The accessibility of personal information of customers and staff held by Servirplus is
limited to those Employees whose function requires it;
- Servirplus ensures that all of its user guides and internal measures in effect with
respect to access to information are updated.
4. Roles and responsibilities
4.1 Access to Information Person
The President and CEO of Servirplus is responsible for access to documents and the
protection of personal information. This person is designated as such by the Commission
d'accès à l'information and is responsible for the accountability required by the
Commission.
For the purposes of carrying out his or her duties, the designated person may entrust the
processing of files, as necessary and according to the categories of documents, to other
Employees.
5. Confidentiality Incident Response Strategy
In the event of a confidentiality incident, it is essential to act diligently and intervene
effectively in order to prevent or limit the harmful consequences for the person concerned
or Servirplus. Such an incident can take place in a variety of ways, and most commonly
manifests itself as:
- theft or loss of information;
- a breach of the duty of confidentiality (communication of personal information to an
individual who does not need it in the course of the performance of his or her duties);
- use of personal information for purposes not authorized by law;
- a communication of personal information that was mistakenly transmitted to a wrong
recipient;
- a process error or operational failure (programming error).
The main steps of the intervention strategy can be found in the following articles.
5.1 Confidentiality Incident Mitigation and Preliminary Assessment
5.1.1 Servirplus must immediately take steps to contain and limit the consequences of the
confidentiality incident
a) Immediately limit the scope of the incident, for example:
- Promptly cease the unauthorized practice;
- Retrieve the records or information, or require their destruction and written
confirmation from the person who destroyed them;
- Revoke or change passwords or access codes;
- Correct deficiencies in computer systems or processes.
5.1.2 Servirplus must conduct a preliminary assessment of the situation by designating an
assessment coordinator. This person will be responsible for:
a) Establishing the context of the incident and obtaining the required clarifications, if
applicable:
- Identify the confidential information at issue and the medium used (physical or
electronic);
- Identify the persons involved in the incident;
- Establish and identify the circumstances of the confidentiality incident:
  - What happened?
  - What is the reason for this?
  - Who is involved?
  - What components or assets are affected?
  - Is this an isolated incident?
b) Identifying the physical and computer or technical security measures in place;
c) Identifying vulnerabilities related to the incident.
5.2 Incident Risk Assessment
To determine the risk of harm, conduct a risk assessment taking into account the following
factors:
a) Confidential information at issue:
- The sensitivity of the information;
- The amount of information and the ability to combine it with other information;
- The foreseeable harm to the individuals involved, the use that may be made of the
personal information (fraudulent purposes, identity theft, etc.), and the third parties
involved. It should be noted that the more sensitive the confidential information, the
higher the risk of harm.
b) The cause and extent of the confidentiality incident:
- Establishing the cause and extent of the situation;
- Impact on the company's mission;
- Assessment of the measures taken to mitigate the confidentiality incident, including
corrective measures if necessary to prevent any risk of a similar incident.
- If the confidentiality incident may have serious consequences, the Commission
d'accès à l'information must be notified. When there is potential criminal activity,
the police must also be notified.
5.3 Determination and implementation of priorities for action
To mitigate the risk of harm to affected individuals:
a) Notification of the confidentiality incident
- Identify who should be notified and who is responsible for the process.
b) Determine the means of communication and define the content of the notification:
- Determine the appropriate means of communication with respect to the
individuals concerned (by telephone, secure email, mail or in person). General and
indirect notification should only be considered in the case of a major
confidentiality incident, when it is not possible to clearly identify the persons
concerned by the incident within a reasonable period of time, or when it is not
possible to reach the persons concerned (e.g. their contact details are not held).
- Define the content of the notification according to the nature of the confidentiality
incident and taking into account the categories of data subjects (natural or legal
persons directly or indirectly involved):
  - Overview of the facts;
  - Confidential information at issue;
  - Summary description of the measures put in place and the actions taken;
  - Steps that affected individuals can take to reduce the risk of harm and sources
of information to help individuals protect themselves, if applicable;
  - Contact information for questions;
  - Main measures that will be taken to prevent the situation from happening again.
5.4 In-depth assessment and prevention
Following the implementation of preventive measures, the persons responsible must:
a) Adequately analyze the circumstances that led to the confidentiality incident (cause,
chronological order, dates of interventions).
b) Explore the relevance of implementing a prevention plan, including the following:
- Verification of physical and technical security;
- Review of internal standards, policies or guidelines in place at the time of the
incident;
- Verification of the practices of the personnel involved and of the agents or partners,
if applicable;
- Development of recommendations for medium- and long-term solutions;
- Follow-up review of the measures put in place.
c) Implement the prevention plan, if necessary.
Responsible for this policy: The President and Chief Executive Officer
Effective Date: June 8, 2023