Governance of personal information

McPeak-Sirois Group for Clinical Research in Breast Cancer (MPSG) places great importance on the protection of personal information. In this respect, MPSG has developed a Governance Framework to provide a framework for its privacy governance.

MPSG has also implemented various measures in support of its policy and its application in accordance with applicable laws. For example, MPSG has:

• validated and confirmed the roles and responsibilities of its person in charge of the protection of personal information (the Privacy Officer);
• undertaken the review and documentation of internal privacy measures and rules; and
• set up assistance measures.

The framework is complemented by several other procedures and tools developed by MPSG, including:

• its Confidentiality incident management policy;
• its Retention policy for documents containing personal information;
• its Confidentiality incident register;
• its Privacy impact assessment template for the communication of personal information outside Quebec;
• its Privacy impact assessment template in the context of communicating personal information for study, research or statistical purposes;
• its Privacy impact assessment template for technology projects involving personal information;
• template contractual clauses if third-party services are retained; and
• template contract clauses for transfers outside Quebec.

All these documents form MPSG’s privacy Governance Framework. They specify in particular:

• rules governing the collection and other processing of personal information of employees and any other person where applicable;
• the security measures in place to ensure the confidentiality, integrity and availability of personal information throughout its life cycle;
• the roles and responsibilities of various people, including those with the highest authority, the manager, employees and subcontractors;
• managing access to personal information;
• the complaints handling process;
• certain rules that may apply in specific contexts, such as:
  
  • communication or processing of personal information outside Quebec;
  • requests for access to information for study, research or statistical purposes; and
  • technology projects involving personal information;
• certain rules that will apply if certain types of initiatives are implemented, including :
  
  • the use of identification, location or profiling technology; or
  • decision-making based exclusively on the automated processing of personal information
• processes applicable to access, rectification and other requests; and
• the document update process

A summary of the Governance Framework is provided in appendix. This Governance Framework is also supplemented by current legislation. Further details can be obtained by contacting:

Privacy Officer
McPeak-Sirois Group for Clinical Research in Breast Cancer
Address: 460 McGill Street, 5th floor, Montreal (Quebec) H2Y 2H2
Email: d.johnson@mcpeaksirois.org
Phone: 514-509-8858

Please note that the Governance Framework contains certain sensitive information, particularly with regard to the security measures implemented. As a result, access to and communication of documents forming the Governance Framework, or information contained therein, may be restricted.

SUMMARY OF THE PERSONAL INFORMATION GOVERNANCE FRAMEWORK

MPSG places great importance on the protection of personal information. In this respect, MPSG has developed a Governance Framework to provide a framework for its privacy governance. The purpose of this summary of the Governance Framework (the Summary) is to inform individuals about whom MPSG collects personal information of how it may be collected, used, and disclosed, and of their rights with respect to such information.

For the purpose of this Summary, personal information means information concerning a natural person that allows, directly or indirectly, that person to be identified, unless otherwise provided by law.

1. SCOPE OF APPLICATION

The Governance Framework covers the following activities, information, resources and individuals:

• Individuals: All MPSG employees (including its manager), subcontractors and service providers with whom MPSG may do business.
• Activities: Any processing of personal information held by MPSG as part of its mission, activities or responsibilities, even if the personal information is not physically held by MPSG, if applicable.
• Resources: Any information systems, regardless of medium or format, whether stored internally or externally, such as cloud-based systems.
• Information: Any personal information, regardless of the format in which it is held or whether it is held internally or externally. “Personal information” is broadly interpreted to include information about MPSG employees, and any other person, where applicable. However, in accordance with applicable laws, certain information will not qualify as “personal information”.

2. GUIDING PRINCIPLES

In the course of its mission and activities, MPSG is called upon to hold and/or process various types of personal information. To this end, MPSG stresses the importance of ensuring that all processing is carried out in accordance with the following guiding principles:

• the collection of personal information must be necessary and required or permitted by law (and, where applicable, by contract);
• all personal information is considered confidential by default and is treated as such;
• no personal information may be processed unless the required consents have been obtained or such processing is permitted or required by law;
  the protection of personal information must be ensured by, among other things, the implementation of and compliance with appropriate security measures;
• personal information may be retained only as long as necessary for the purposes for which it was collected (subject to applicable legal and contractual exceptions); and
• all requests (for access, rectification, etc.) and confidentiality incidents must be reported immediately to the applicable manager.

3. COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION

In the course of its activities, MPSG may collect, use, communicate and/or otherwise process, as the case may be, personal information concerning different categories of individuals, namely: (i) its employees; (ii) individuals whose personal information is collected in the Metastatic Breast Cancer Registry (the Registry), under the control and management of MPSG in collaboration with the Research Institute of the McGill University Health Centre; (iii) members of its scientific committee or other members of its committees; (iv) certain researchers or employees of public institutions offering services to MPSG or wishing to act as principal investigators in studies for which MPSG receives information from sponsors; and (iv) visitors of its Site (as defined in MPSG’s privacy policy) who interact with MPSG and/or, where applicable, any member of the public communicating with MPSG.

(i) Personal information about employees

MPSG collects and processes required personal information about its employees to the extent that it is: (i) required to manage its employment relationship with its employees; (ii) permitted by law; or (iii) necessary to comply with applicable legal and contractual requirements. Such collection and other processing is limited to these purposes. Such required information is collected and otherwise processed with employee consent, unless the law permits or requires such collection or other processing without consent, in which case employee consent will not be required.

Optional information is also collected if employees give their consent.

MPSG will not communicate personal information about its employees to third parties without their consent, unless an exception is provided by law or brought to the attention of the employees concerned.

(ii) Personal information about individuals whose information is collected in the Registry

MPSG collects and processes personal information about individuals who have consented to their personal information being held in the Registry (a Participant). Any personal information collected and/or processed for this purpose will be collected and/or processed in accordance with the terms and conditions provided in the consent form signed by each Participant, as well as the other documents applicable to the Registry including the McPeak-Sirois Group for Clinical Research in Breast Cancer Metastatic Breast Cancer Registry Management Framework (collectively, the Registry Documents).

The Registry Documents will also detail the purposes for which personal information will be used. Finally, the Registry Documents will specify the circumstances in which personal information about Participants may be disclosed to third parties.

(iii) Committee members

Various committees, including the scientific committee, the operations committee and the patients and partners committee, have been created to support MPSG, including its board of directors, in its activities. MPSG is required to collect and process certain personal information about the members of its committees, in particular information relating to their experience and expertise, as well as their contact details. Such collection and processing will take place on the basis of implicit or explicit consent obtained. MPSG will not provide third parties with personal information it holds about these individuals without their consent, unless an exception is provided for by law or brought to the attention of the individuals concerned.

(iv) Researchers and employees of public institutions

In the course of its activities, MPSG may retain the services of researchers or employees of public institutions to perform services for MPSG with them. Similarly, certain researchers may wish to participate in studies for which MPSG has obtained information from sponsors. In such cases, MPSG will be called upon to collect and process certain personal information concerning these individuals. Such collection and processing will take place on the basis of implicit or explicit consent obtained. MPSG will not provide third parties with personal information it holds about these individuals without their consent, unless an exception is provided for by law or brought to the attention of the individuals concerned.

(v) Personal information about any other person

MPSG may collect and process personal information from members of the public who contact MPSG. Such collection and processing will take place on the basis of consent (e.g., a person contacts MPSG to apply for a job, or to ask questions related to MPSG’s activities). MPSG will not provide personal information it holds about an individual to third parties without that individual’s consent, unless an exception is provided for by law or brought to the attention of the individuals concerned.

4. CONSENT

MPSG’s Governance Framework emphasizes the importance of valid consent for the collection or other processing of personal information. Consent may be implied or express. MPSG makes reasonable efforts to ensure that consents obtained from individuals are manifest, free, informed, given for specific purposes, requested for each purpose in clear and simple terms, presented separately from other information communicated and, when pertaining to sensitive information, expressly formulated. However, the Governance Framework recalls that the law recognizes certain situations in which consent need not be sought. Assistance is provided to anyone requesting it, to help them understand the scope of the consent sought.

A Participant’s consent to the collection and processing of their personal information will be obtained in accordance with the Registry Documents, and the terms thereof will take precedence over the conditions of validity of the consent thus given to MPSG.

5. RETENTION, DESTRUCTION AND ANONYMIZATION

MPSG retains the personal information collected only as long as necessary to achieve the purposes for which it was collected or for a longer period where required or authorized by law. MPSG will destroy or anonymize, as the case may be, the personal information it holds once the purposes for which it was collected or used have been fulfilled (subject to a retention period stipulated by law); MPSG has set up a retention schedule to assist in this regard.

Personal information about Participants will be retained by MPSG for the duration of the Registry, as more fully described in the Registry Documents.

6. DISCLOSURE OF PERSONAL INFORMATION OUTSIDE QUEBEC

MPSG will conduct a Privacy Impact Assessment before disclosing personal information outside Quebec to ensure its confidentiality and security. Participant’s personal information will not be disclosed (outside Quebec or otherwise) as only results (and not this information) may be provided to the applicants.

7. DISCLOSURE OF PERSONAL INFORMATION FOR STUDY, RESEARCH OR STATISTICAL PURPOSES

In accordance with the law, MPSG may, in some cases, disclose personal information it holds without consent to a person or organization wishing to use the information for study, research or statistical purposes. However, a Privacy Impact Assessment must be carried out, and if it concludes that the information can be disclosed, an agreement will be reached with the applicant. Any requirements imposed by law must also be respected. However, the above will not apply to the personal information of Participants, which will be governed by the Registry Documents.

8. TECHNOLOGICAL PROJECT INVOLVING PERSONAL INFORMATION

MPSG will conduct a Privacy Impact Assessment of any acquisition, development or redesign of an information system or electronic service delivery project involving personal information in accordance with the process prescribed by law. The management of information systems or electronic service delivery systems involving the collection or other processing of personal information contained in the Registry will be carried out in accordance with the provisions of the Registry Documents and, where applicable, in accordance with applicable ministerial requirements.

9. USE OF IDENTIFICATION, LOCATION OR PROFILING TECHNOLOGY

In the event that MPSG uses a technology that includes functions enabling a person to be identified, located or profiled, that person will be informed in advance: (i) of the use of such technology; and (ii) of the means available to activate the functions enabling a person to be identified, located or profiled, all in accordance with the law.

10. DECISION-MAKING BASED ON THE AUTOMATED PROCESSING OF PERSONAL INFORMATION

In the event that MPSG uses personal information to make a decision based solely on the automated processing of such information, MPSG will ensure that the person concerned is informed of this fact, at the latest at the time MPSG’s decision is communicated to them, in accordance with applicable laws.

11. WEBSITE

A privacy policy, including a notice regarding the use of cookies, are included on MPSG website in order to clarify its practices. MPSG will ensure that it updates this policy and notice when required, in particular if the government determines the content and terms, and will ensure that these documents are written in plain and clear language.

12. SECURITY MEASURES FOR THE PRESERVATION OF PERSONAL INFORMATION

MPSG is responsible for the protection of any personal information under its control. MPSG has designated a Privacy Officer and has implemented policies and procedures to ensure that personal information is reasonably protected. These measures include: (i) internal measures; (ii) measures concerning subcontractors; and (iii) measures concerning the management of confidentiality incidents.

With regard to Participants’ personal information, MPSG takes measures to ensure that any partner with access to the Registry and its content has adequate security measures in place to maintain the confidentiality and integrity of such personal information.

13. ACCESS, RECTIFICATION AND OTHER REQUESTS

As a general rule, individuals have the right, with respect to their personal information, to (i) obtain information about the personal information collected about them by MPSG; (ii) know the categories of individuals who have access to it and how long it is kept; (iii) access their personal information and obtain a copy of it; and (iv) withdraw their consent to the collection and/or use of their personal information, have inaccurate information rectified or, in certain circumstances, request that personal information be deleted.

Requests for access or rectification or other requests are processed by MPSG in accordance with the law. The Privacy Officer will provide assistance to applicants if requested. The assistance offered includes the following:

• If the request is not sufficiently precise, of if the applicant so requires, the
• Privacy Officer assists the person making the request in identifying the personal information sought.
• Subject to applicable law and following a request to this effect, the Privacy Officer will:
  
  1. confirm the existence of personal information held about the applicant and, where applicable, disclose it to the applicant (or allow the applicant to obtain a copy); and
  2. correct any personal information that is inaccurate, incomplete or misleading.
• In the event of a refusal to grant access, the reasons for the refusal will be communicated to the applicant in accordance with the law. The Privacy Officer will then assist the applicant in understanding the refusal.

The Privacy Officer is responsible for:

• offering reasonable assistance throughout the application process;
• providing information about the law, including how to process a request and the right to file a complaint with the Commission d’accès à l’information;
• communicating with the applicant if clarification is required on an application, such communication to take place as soon as reasonably possible;
• making reasonable efforts to locate the requested documents;
• ensuring that the exceptions invoked (in connection with a refusal to disclose all or part of the documents) are precise and limited (to such documents);
• providing answers that, to the best of its knowledge, are accurate and complete;
• promptly communicating the information requested as part of the access process; and
• if applicable, providing the documents in the format requested or, as the case may be, providing an appropriate place to examine the documents covered by the request.

The assistance offered does not, however, oblige the Privacy Officer to provide the same explanations to an applicant several times. Similarly, once the information needed to help an applicant understand the Privacy Officer’s decision has been provided, the Privacy Officer may choose to stop providing explanations.

14. CONTACT DETAILS AND FURTHER INFORMATION

If you have any concerns, questions, requests or complaints about the Summary or management of personal information by MPSG, you can contact the Privacy Officer at the following address:

Privacy Officer
McPeak-Sirois Group for Clinical Research in Breast Cancer
Address: 460 McGill Street, 5th floor, Montreal (Quebec) H2Y 2H2
Email: d.johnson@mcpeaksirois.org
Phone: 514-509-8858