1 855 841-1911

24/7
 

PRIVACY POLICY

PRIVACY POLICY

Last update : Sept. 22, 2023

POLICY ON THE GOVERNANCE OF PERSONAL INFORMATION (PI) HELD BY GROUPE MÉDICAL LACROIX AND PRIVACY POLICY

 

PREAMBLE

 

Clinique Médicale Lacroix Inc., Lacroix Chirurgie Privée Montréal Inc., Lacroix Chirurgie Privée Québec Inc., and Lacroix Labo Privé Inc. are related companies that collectively form the “Groupe Médical Lacroix.”

As part of its activities, Groupe Médical Lacroix collects and uses personal information about patients and users who require its services.

Groupe Médical Lacroix is subject to the application of the Act respecting the protection of personal information in the private sector (the “Act”). To this end, Groupe Médical Lacroix is responsible for ensuring the protection of the personal information it holds and for complying with the Act.

This policy aims to ensure the protection of personal information and to regulate how Groupe Médical Lacroix collects, uses, discloses, retains, and destroys it. Furthermore, it aims to inform any interested person about how Groupe Médical Lacroix processes their personal information.

Although automatically collected information generally cannot be considered personal information, in the sense that it is not collected in a way that allows us to personally identify you, Appendix “B” of this policy also aims to inform interested parties about Groupe Médical Lacroix’s practices regarding automatically collected information.

 

DEFINITIONS

 

Personal Information (hereinafter “PI”) is information that concerns an individual and allows for their direct or indirect identification. For example, here are some PIs that Groupe Médical Lacroix may collect about certain individuals:

  • Name and contact information;
  • Home and email addresses;
  • Phone number;
  • Parents’ first and last names;
  • Demographic data (gender, date of birth);
  • Billing information;
  • Membership status.

 

Sensitive Personal Information (hereinafter “Sensitive PI”) is information that, due to its nature, especially medical, biometric, or otherwise intimate, raises a high degree of reasonable expectation of privacy. For example, here are some Sensitive PIs that Groupe Médical Lacroix may collect about certain individuals:

  • Medical records and notes;
  • Health insurance number;
  • Criminal history;
  • Health status;
  • Medical test results;
  • Medication list;
  • Social insurance number (for employees only).

 

APPLICATION

 

This policy applies to executives, employees, consultants, suppliers, and any other subcontractors representing or working on behalf of Groupe Médical Lacroix.

It covers all types of PIs and Sensitive PIs that Groupe Médical Lacroix collects, manages, and uses, whether PIs and Sensitive PIs of its patients, employees, subcontractors, or consultants, as described in Appendix “A” hereto.

 

  1. Consent to the Collection of PI and Sensitive PI

 

Generally, Groupe Médical Lacroix obtains consent for the collection of PI and Sensitive PI before collection, explaining the purposes of this collection at that time. Consent to collection is given explicitly or implicitly, as the case may be. In some cases, Groupe Médical Lacroix uses a consent form for collection (online or in person).

When Groupe Médical Lacroix collects PIs and Sensitive PIs about individuals under 14 years of age, the person with parental authority or the guardian must consent to the collection, unless it is clearly to the benefit of this minor, as determined by the stakeholders of Groupe Médical Lacroix.

 

  1. Collection of PI and Sensitive PI

 

In the course of its activities, Groupe Médical Lacroix collects various types of PI and Sensitive PI for different purposes, as more fully described in Appendix “A” hereto.

Generally, the collection of PI and Sensitive PI is done directly from the person seeking services or becoming an employee of Groupe Médical Lacroix. In some cases, PIs and Sensitive PIs may be received by Groupe Médical Lacroix from third parties, especially when it comes to additional examination results conducted externally.

At the time of collection, Groupe Médical Lacroix informs the individuals contacted of the following information:

  • The purposes for which PIs and Sensitive PIs are collected;
  • The means by which PIs and Sensitive PIs are collected;
  • The rights of access and rectification of PIs and Sensitive PIs provided by the Act; and
  • Their right to withdraw their consent to the use and disclosure of PIs and Sensitive PIs collected.

Every person has the opportunity to consent or not to the collection of PIs and Sensitive PIs necessary for Groupe Médical Lacroix, as mentioned in section 1.

 

 

  1. Access to PI and Sensitive PI and Security Measures

 

Patients

The PIs and Sensitive PIs that Groupe Médical Lacroix holds regarding patients are stored on a cloud-based Electronic Medical Record software, with encrypted data (hereinafter the “EMR”).

The EMR itself is hosted in the data center of Telus Health (Canada) Ltd. located in Canada. The solution is approved by the Ministry of Health and Social Services (MSSS) and holds a TGV (Global Verification Kit) certification regarding the requirements of the Quebec social health sector in terms of security, protection of personal information (PPI), performance, and technology.

Groupe Médical Lacroix limits access to the PIs and Sensitive PIs contained in the EMR to those who need it in the performance of their duties. It creates as many types of access to the EMR as necessary to ensure personalized and limited access for different stakeholders to PIs and Sensitive PIs.

To this end, access to the EMR is protected by a unique password for each user. Any person who is no longer an employee, subcontractor, or no longer needs access to the PIs and Sensitive PIs held by Groupe Médical Lacroix has their access to the EMR revoked in a timely manner.

The management of EMR access is administered by the various management teams and supervised by the Responsible for Personal Information Protection.

Some PIs of Patients collected via online forms may be stored on the website’s server until patients requesting services have been contacted by the Groupe Médical Lacroix team.

Some Patient PIs may be stored on the point-of-sale platform for payment collection named Netbanx operated by Paysafe Group Limited. Groupe Médical Lacroix limits access to Netbanx to those who need it in the performance of their duties, and the Netbanx password changes automatically once a month. To learn more about how Netbank manages PIs, please refer to https://www.paysafe.com/caen/paysafegroup/comprehensive-privacy-notice/.

 

 

Employees, subcontractors, and consultants

 

The PIs and Sensitive PIs of employees, subcontractors, and consultants, and in rare cases of exceptions, certain PIs and Sensitive PIs of patients, are stored on a cloud server hosted by Microsoft (the “SharePoint GML”).

Groupe Médical Lacroix limits access to the PIs and Sensitive PIs contained in the SharePoint GML to those who need it in the performance of their duties. It creates as many accesses and sites in the SharePoint GML as necessary to ensure personalized and limited access for different employees to PIs and Sensitive PIs.

To this end, each user is granted Microsoft 365 access with a unique password and two-factor authentication for access to the SharePoint GML. Any person who is no longer an employee, subcontractor, or no longer needs access to the PIs and Sensitive PIs contained in the SharePoint GML has their Microsoft 365 access revoked in a timely manner.

The management of access to the SharePoint GML is administered by the Groupe Médical Lacroix controller and supervised by the Responsible for Personal Information.

(1) TELUS Privacy Management Program Framework (ctfassets.net)

(2) https://ti.msss.gouv.qc.ca/getdoc/fc5f4a0b-e3ba-4dd6-b17d-aa78d4025b82/Grandes-etapes-TGV-v0-8_2022-04-12.aspx

 

Confidentiality Agreement

 

All employees, service providers, and subcontractors of Groupe Médical Lacroix who may have access to the PIs and Sensitive PIs it holds have signed confidentiality agreements in favor of Groupe Médical Lacroix.

They also undertake to respect this policy and ensure the processing of PIs and Sensitive PIs throughout their lifecycle in the most secure manner possible.

 

 

  1. Use of PI and Sensitive PI

 

 

Groupe Médical Lacroix limits the use of PIs and Sensitive PIs to the purposes for which they were collected, as described in this policy (specifically in Appendix A) or at the time of collection.

However, in some exceptional cases provided for by the Act, Groupe Médical Lacroix may use the PIs and Sensitive PIs held without the consent of the individual:

  • If Groupe Médical Lacroix considers that the purposes of using the PIs and Sensitive PIs are compatible with the purposes for which the PIs and Sensitive PIs were collected;
  • If Groupe Médical Lacroix considers that the purposes of using the PIs and Sensitive PIs are clearly to the benefit of the individual (e.g., for medical purposes or assistance purposes);
  • If Groupe Médical Lacroix considers that using the PIs and Sensitive PIs is necessary to prevent fraud (e.g., to validate someone’s identity in case of doubt about their identity);
  • If Groupe Médical Lacroix considers that the use is in accordance with ethics laws and the recommendations of the Collège des Médecins du Québec, the Ordre des Infirmières et Infirmiers du Québec, or any other professional order governing professionals working within Groupe Médical Lacroix, especially in investigation and inspection processes, as these laws may be amended from time to time;
  • If Groupe Médical Lacroix considers that the use of PIs and Sensitive PIs is necessary to provide a service requested by the individual concerned; and
  • If Groupe Médical Lacroix considers that the use of PIs and Sensitive PIs is necessary for study, research, or statistical production purposes (and that PIs and Sensitive PIs are processed in a depersonalized or anonymized manner).

 

If Groupe Médical Lacroix intends to use the PIs and Sensitive PIs for other purposes not provided for in one of the exceptions above, the individual concerned must consent to such use. If it is a Sensitive PI, this information must be expressly provided.

 

 

  1. Disclosure of Information

 

 

As a general rule, Groupe Médical Lacroix will not disclose the PIs and Sensitive PIs it holds to anyone without the authorization of the individual concerned, unless an exception is provided for herein or in the Act. This consent must be given explicitly when it comes to a Sensitive PI.

If Groupe Médical Lacroix were to subcontract in whole or in part the organization, conduct, or execution of certain communications or services, it would need to disclose the PIs necessary for these purposes to its subcontractors. In such cases, Groupe Médical Lacroix will always enter into strict confidentiality agreements with these third parties, subcontractors, or organizations.

In certain other cases provided for by the Act, Groupe Médical Lacroix may disclose PIs and Sensitive PIs without the consent of the individuals concerned.

Groupe Médical Lacroix may be required to disclose PIs and Sensitive PIs outside Quebec, for example, when its service providers, subcontractors, or employees are located outside Quebec or when the servers of certain IT services are located outside Quebec.

 

 

  1. Retention and Destruction of PIs and Sensitive PIs

 

 

Groupe Médical Lacroix retains the PIs and Sensitive PIs it holds about an individual for as long as necessary to achieve the purposes for which it was requested. This period may vary depending on the type of individual and the reasons for which they have been in contact with Groupe Médical Lacroix.

Once the purposes for which the PIs and Sensitive PIs were requested have been achieved, Groupe Médical Lacroix ensures that the PIs and Sensitive PIs are destroyed or irreversibly anonymized in a secure manner.

 

 

  1. Rights of Access, Rectification, and Withdrawal of Consent

 

 

Individuals on whom Groupe Médical Lacroix holds PIs and Sensitive PIs have the right, at any time, via the procedure described below, to contact Groupe Médical Lacroix to:

  • Know the PIs and Sensitive PIs that Groupe Médical Lacroix holds about them;
  • Know the categories of persons within Groupe Médical Lacroix who have access to the PIs and Sensitive PIs held about them;
  • Know the retention period of the PIs and Sensitive PIs held about them;
  • Request access to the PIs and Sensitive PIs held about them;
  • Request a correction to the PIs and Sensitive PIs if they are incomplete, inaccurate, or ambiguous;
  • Request that Groupe Médical Lacroix stop using the PIs and Sensitive PIs that concern them; and
  • Request that the PIs and Sensitive PIs that concern them be anonymized.

 

Groupe Médical Lacroix will respond to these requests within a maximum of THIRTY (30) days unless the Act provides for an exception or prohibition.

To do so, the individual concerned must make a written request (by email or mail) addressed to the Responsible for Personal Information Protection of Groupe Médical Lacroix at the address described in section 9 below. The Responsible for Personal Information Protection will have THIRTY (30) days from the date of receipt of the request to respond. In case of refusal, it will be motivated by a legal provision and will indicate the possible remedies under the Act and the deadline to exercise them.

 

 

  1. Complaints Process Related to this Policy

 

 

Any individual wishing to file a complaint related to the governance of Groupe Médical Lacroix concerning the management of PIs and Sensitive PIs must do so in writing and send their complaint to the Responsible for Personal Information and Sensitive PI of Groupe Médical Lacroix whose address is described in section 9 below.

Filing and Receipt of a Complaint:

The complaint must include the following elements, failing which it will not be considered admissible:

  • The name of the complainant;
  • Their home address;
  • Their phone number;
  • Their email; and
  • The reasons for the complaint.

 

The Responsible for Personal Information Protection of Groupe Médical Lacroix will acknowledge receipt of the complaint to the complainant as soon as possible. The acknowledgment of receipt must contain the following information:

  • A description of the complaint received, specifying the reproach made to Groupe Médical Lacroix, the prejudice or corrective measure requested;
  • The name and contact details of the person in charge of processing the complaint;
  • In the case of an incomplete complaint, a notice containing a request for additional information to which the complainant must respond within a fixed period, namely 5 working days, failing which the complaint will be deemed abandoned;
  • A copy of the complaint processing policy.

 

Complaint Handling

 

Any complaint received will be treated confidentially.

Within THIRTY (30) days of receiving the complete complaint, the Responsible for Personal Information and Sensitive PI must process it, then send a final, written, and reasoned response to the complainant.

If Groupe Médical Lacroix cannot process the complaint within this THIRTY (30)-day period, the complainant must be informed in writing of the reasons for the delay and the deadline within which their complaint will be processed.

 

 

  1. Responsible for Personal Information Protection

 

 

The contact information for the Responsible for Personal Information Protection is as follows:

Me Jean-François Vachon, lawyer and Director of Legal Affairs

Address: 401-1000, chemin Ste-Foy, Québec (Québec) G1L 3Z5

Phone: 418 781-2860, extension 1103

Email: jfvachon@cliniqueslacroix.ca

Published on September 21, 2023. Updated on September 21, 2023.

Appendix “A”

Appendix “A” consists of an exhaustive list of the types of PIs and Sensitive PIs that Groupe Médical Lacroix may collect and use.

Appendix “B”

Automatically collected information generally cannot be considered personal information, in the sense that it is not collected in a way that allows us to personally identify you.

HOW DO WE AUTOMATICALLY COLLECT INFORMATION?

 

When you visit our website cliniquesmedicaleslacroix.com, we may automatically collect certain information using cookies and store it in log files. Cookies are small text files that we create and store on your computer when you browse our website. They record your preferences so that your subsequent visits to the website are more efficient.

Note that you can set your browser to block cookies. By default, browsers allow the use of these cookies. Additionally, you can also view the cookies that have been created on your hard drive using your browser and manually delete them whenever you want.

 

 

WHAT TYPES OF INFORMATION CAN BE AUTOMATICALLY COLLECTED?

 

The information collected using these cookies may include, but is not limited to:

  • Browser information;
  • Operating system;
  • Internet Service Providers (ISPs);
  • Pages visited and queries;
  • Time and day of connection;
  • Frequency and duration of visits;
  • Geography and language preference.

 

HOW DO WE USE THIS AUTOMATICALLY COLLECTED INFORMATION?

 

The information collected through cookies primarily allows us to:

  • Process statistics and traffic information;
  • Create audience lists for remarketing advertising;
  • Facilitate navigation and improve service for your convenience.