Policies and Practices Governing the Handling of Personal Information (September 2023)
Steer medical (hereinafter “THE COMPANY”) is governed by the Act respecting the protection of personal information in the private sector (RLRQ, c. P-39.1) (the Act).
Our website is provided as a service to visitors. THE COMPANY reserves the right to modify, add or delete content on this website, at any time and for any reason, without notice.
Communications sent by email may contain personal and/or confidential information. If by mistake you receive a communication that is not intended for you, please notify the sender and destroy the communication, without sharing its contents or keeping a copy.
Browsing data is non-personal information since it does not allow a person to be identified. All of our business partners, without exception, are required to adhere, by law, to recognized principles regarding the protection of privacy.
When you visit our website, our servers may collect the IP address of your device (computer, mobile device, tablet, etc.) and the name of your internet service provider. By using our website, by consulting our social networks or specialized applications, you thereby consent to the use that we will make of the browsing data that is collected.
Certain information is collected when you visit our website through files commonly known as “cookies”. These cookie files are saved directly on the hard drive of your device, by an HTTPS server. These files do not contain any personal information, they are simply unique numbers allowing you to be identified during your visits in order to facilitate the downloading of pages which have already been visited as well as to provide you with content likely to be of interest to you, all, in order to offer you an optimal experience.
THE COMPANY uses the Google Analytics tool to collect data on the browsing activities of visitors to its website, including, without limitation, the source, the time spent on our website as well as the pages consulted.
THE COMPANY or one of its partners may use “Spy Pixels” for the purpose of collecting data related to users of its website, including demographic data or browsing behavior.
Personal information is information which concerns a physical person and which allows, directly or indirectly, to identify them. A writing, an image, a video and a sound recording may contain personal information. As part of its professional activities, THE COMPANY may collect personal information such as name, home address, date of birth, identity document information, etc.
THR COMPANY collects, uses and communicates personal information with the consent of the person concerned. To be valid, this consent must be manifest, free, informed and given for specific purposes. The person who consents to provide their personal information is presumed to consent to their use and communication for the purposes for which they were collected.
Any person may withdraw their consent to the collection, use and communication of their personal information by THE COMPANY at any time. In this case, if the collection is necessary for the conclusion or execution of the contract by THE COMPANY, THE COMPANY may not be able to comply with a service request.
THE COMPANY is responsible for the protection of the personal information it holds in the course of carrying out its activities. To this end, THE COMPANY has adopted the confidentiality policy as well as policies and practices governing governance with regard to personal information and the objective of which is to regulate the collection, use, communication, retention and destruction of personal information.
Collection of personal information
THE COMPANY only collects personal information necessary to carry out its activities. For example, this may involve information collected for the purposes of carrying out a transaction, for the purposes of record keeping or any other purpose determined by THE COMPANY and brought to the attention of the person to whom it is disclosed. asks for consent.
THE COMPANY invites its staff members to explain in simple and clear terms to the person concerned the reasons for collecting their personal information and to ensure their understanding.
THE COMPANY may also collect personal information verbally during correspondence with persons involved in a transaction or through various documents submitted as part of completing a transaction (identification documents, financial documents, powers of attorney, etc.).
Use and disclosure of personal information
Personal information is used and communicated for the purposes for which it was collected and with the consent of the person concerned. In certain cases provided for by law, personal information may be used for other purposes, for example, for the purpose of detecting and preventing fraud, for the purpose of providing a service to the person concerned.
THE COMPANY may be required to communicate personal information to third parties, for example, suppliers, co-contractors, subcontractors, agents, insurers, professionals or outside Quebec.
THE COMPANY may, without the consent of the person concerned, communicate personal information to a third party if this communication is necessary for the execution of a mandate or a service or business contract. In this case, THE COMPANY establishes a written mandate or contract in which it indicates the measures that its agent must take to ensure the protection of the personal information entrusted to it, so that it is only used in the exercise of the mandate or contract and that they are destroyed after its end. The co-contractor must also undertake to collaborate with the COMPANY in the event of a violation of the confidentiality of personal information.
Before communicating personal information outside Quebec, THE COMPANY takes into account its sensitivity, the purpose of its use and the protection measures it will benefit from outside Quebec. THE COMPANY will only communicate personal information outside of Quebec if its analysis demonstrates that it will benefit from adequate protection in the place where it must be communicated.
Retention and destruction of personal information
When the purposes for which the personal information was collected or used have been accomplished, THE COMPANY must destroy it, subject to a retention period provided for by law. In this regard, THE COMPANY’s professional obligations require it to keep its files for at least six (6) years following their final closure.
When collecting, using, retaining and destroying personal information, THE COMPANY applies security measures necessary to protect the confidentiality of personal information. More specifically, here are the applicable measures for the protection of personal information:
- **Access control**: Only authorized personnel have access to data and only for specific tasks.
- **Staff Training**: Regular training of staff on best practices in data management and information security.
- **Audit and Monitoring**: Regular audits are carried out to ensure compliance with security policies.
- **Regular Security Updates**: Software and systems are regularly updated to fix possible security vulnerabilities.
- **Firewall and antivirus**: Installation and maintenance of firewalls and antivirus software.
- **Backup protocols**: Regular and secure backups of data are performed and stored in a secure location.
- **Incident Response Plan**: An action plan is in place in the event of a data breach or other security incidents.
- **Secure Archiving**: Data is securely archived when its use by brokers is no longer necessary, in accordance with data protection laws. Only authorized internal personnel have access to it with a password.
- **Risk Assessment**: Regular risk assessments to identify and mitigate potential vulnerabilities.
- **Transparency and consent**: Individuals are informed about how their data is used and stored, and informed consent is obtained.
A confidentiality incident is the access, use, communication of personal information not authorized by law or the loss of personal information or any other breach of the protection of personal information.
THE COMPANY has implemented a confidentiality incident management protocol in which the people who assist the Personal Information Protection Manager are identified and which provides for the concrete actions that must be taken in the event of an incident. This protocol provides in particular the responsibilities expected at each stage of incident management, including the measures to be taken to ensure data security.
Roles and responsibilities
- THE COMPANY
▪ Ensures the confidentiality of information through good information management practices. More particularly, THE COMPANY provides directives, training and instructions to staff members relating to the collection, use, storage, modification, consultation, communication and permissible destruction of personal information.
▪ Deploys appropriate protection measures to reduce the risk of confidentiality incidents, for example, IT security, updating policies relating to personal information, training of its staff, etc.
▪ Has standardized methods for filing documents containing personal information.
▪ Has standardized methods for preserving documents containing personal information, particularly regarding the scanning procedure.
▪ Manages physical and computer access to personal information based in particular on its sensitivity.
▪ Proceeds with secure archiving of personal information. More particularly, she (he) gives directives or instructions to staff members relating to the secure archiving method, archiving deadlines, etc.
- Responsible for the protection of personal information
In accordance with the Law, THE COMPANY has appointed the Personal Information Protection Officer.
In particular, it ensures that these policies are respected and that they comply with applicable regulations. The name and contact details of this person appear in the “Right of access, withdrawal and rectification” section.
The Personal Information Protection Manager is responsible for managing confidentiality incidents and, in this context, takes actions provided for by law.
The Personal Information Protection Officer processes requests for access and rectification of personal information. It also handles complaints relating to the processing of personal information by THE COMPANY.
The Personal Information Protection Officer is consulted as part of an assessment of the factors relating to privacy for any project for the acquisition, development and redesign of an information system or electronic delivery of services involving the collection, use, communication, retention, archiving or destruction of personal information. He may suggest measures to ensure the protection of personal information in the context of such a project.
A member of THE COMPANY staff may access personal information only to the extent that it is essential to the performance of their functions or mandate.
THE COMPANY staff member:
▪ Ensures the integrity and confidentiality of personal information held by THE COMPANY.
▪ Complies with all of THE COMPANY policies and guidelines on access, collection, use, disclosure, archiving, destruction of personal information and information security and follows the instructions that are presented to him.
▪ Respects the security measures put in place at their workstation and on any equipment containing personal information.
▪ Use only equipment and software authorized by THE COMPANY.
▪ Ensures, when the time comes, the secure archiving of personal information in accordance with the instructions received. Immediately report to his superior any act of which he becomes aware that may constitute a real or suspected violation of security rules relating to personal information.
Right of access, withdrawal and rectification
An individual (or their authorized representative) may request access to their personal information held by THE COMPANY. An individual may withdraw their consent to the collection, use and disclosure of their personal information at any time. This withdrawal is then recorded in writing.
A person may ask to correct, in a file that concerns them, personal information that they consider to be inaccurate, incomplete or ambiguous.
THE COMPANY may refuse a request for access or rectification in the cases provided for by law.
A person who considers themselves wronged may file a complaint regarding the processing of their personal information by THE COMPANY. This complaint will be processed diligently within a maximum of 10 working days by the Personal Information Protection Officer and a written response will be sent to you.
- **Receipt of the Complaint**: Upon receipt of the complaint, an acknowledgment of receipt will be sent to the complainant within 48 hours.
- **Registration of the Complaint**: The complaint is recorded in a dedicated tracking system to ensure effective and transparent monitoring.
- **Initial Assessment**: The Privacy Officer will assess the complaint to determine its validity and urgency.
- **Investigation**: A full investigation will be carried out to understand the circumstances surrounding the complaint. This may include interviews with relevant personnel and review of systems and activity logs.
- **Documentation**: All evidence and findings will be fully documented.
- **Decision and Corrective Actions**: Based on the findings, corrective actions will be taken if necessary, and a decision will be made regarding the complaint.
- **Notification to Complainant**: A written response detailing the findings of the investigation and the actions taken will be sent to the complainant within 10 business days.
- **Remedies**: If the complainant is not satisfied with the response, he or she will be informed of the available remedies, including the possibility of taking the complaint to the competent authorities.
- **Internal Review**: A process review will be conducted to identify lessons learned and make future improvements.
- **Archiving**: The complaint and all associated actions will be securely archived for future auditing needs.
To request access or rectification of your personal information or to submit a complaint regarding the processing of personal information, please contact:
Michael Froncioni, Owner