Policy of personal data management

POLICY OF PERSONAL DATA MANAGEMENT

Last update: September 11, 2023

The purpose of this Policy is to clarify the principles that guide the l’Association des Naturopathes professionnels du Québec in its management of personal information. This policy applies to both men and women, with the masculine gender used for brevity in the text.
It aims to empower all individuals who have access to personal information within the Association that could directly or indirectly identify one of its members, employees, administrators, or third parties involved in the Association's affairs.
This Policy aims to raise awareness and understanding of the Association's commitment to its legal obligations regarding the protection of personal information it holds.
It aims to standardize the collection, processing, transmission, storage, and disposal of personal data through rigorous procedures in order to mitigate the risk of data breaches.
This policy is not intended to readdress issues that have already been addressed in other procedures, policies, or constitutive documents.

All staff members of the Association, its administrators, and its management.
Any physical or moral person to whom the Association entrusts personal information in the execution of a mandate or a service contract on its behalf.
Any person who collects, uses, communicates, keeps or destroys personal information on behalf of the Association as part of their duties. This also
It applies to all personal information, regardless of its format, from collection to destruction.

This policy establishes the general regulatory framework for the governance of personal information by the Association, in compliance with its legal obligations, including those arising from Law 25 and the Access to Information Act.

No processing is possible without consent.
The Association obtains implicit consent for the use and disclosure of personal information for the legitimate purposes for which it is collected.
Consent is obtained at the initial membership and at each renewal of membership. It includes sufficient information about the information that will be disclosed and clearly states:

The personal information that will be disclosed on its website;
The personal information that will be disclosed;
To whom the information will be disclosed and why;
The right to refuse the transmission of certain information to insurers;
The name and contact information of the administrator responsible for the Personal Data Management Policy.

To contribute to its mission and the advancement of the various professions it represents, the Association retains various data for statistical purposes. Consent is required for the use of data for secondary purposes. The Association obtains the implicit consent to the use and transmission of personal information for the legitimate purposes for which they were collected.

The Association collects from members only the personal information that is necessary for the purposes of the Association and its mission;
The Association collects information directly from members. It may also collect certain information from third parties, when authorized to do so by the member through the Information Request Form;
The Association anticipates that some of the member's personal information will be published on its website and assumes its accuracy as stated by the member. The member is solely responsible for the rectification of his personal information;
The member-access interface of the website allows the member to disclose any personal information on the Association's website;
In order to carry out its mission, the Association requests that certain personal information, such as first name, last name, member number, as well as previous and current year's status.

The Association will only use personal information for the purposes for which it was collected and for which consent has been obtained. Consent is required for any other use that has not been provided, except in situations where required by law.
The Association has put in place internal mechanisms to ensure that every person involved in the affairs of the Association has access only to the information required to the performance of their duties.
In order to fully achieve its mission, the Association regularly exchanges personal information of its members with the various insurers upon request. In the event of a conformity request from an insurer, the Association discloses the following information :

The Association takes reasonable security measures to ensure the protection of personal information, considering its sensitivity, the purpose of its use, its quantity, distribution, and storage.
All documents as well as personal data collected by the Association are destroyed in a secure and definitive manner within 5 (five) years following the cessation of membership renewal.
The individual, whose personal information is held by the Association, has the right to request the erasure of their data and to withdraw their consent at any time. This request can be made at any time through a request to the Association, excluding any provisions already subject to tax laws, regulations, standards and practices.
Complaints received and investigations conducted by the Disciplinary Committee and Cessation are the property of the Association. They are already subject to rigorous procedures regarding their confidentiality and are kept in accordance with the prescribed methods and timelines in the various protocols and policies they are subject to.
The Association only retains relevant data for statistical purposes. It anonymizes its data, making it impossible to identify a person from a set of data.

The Association takes responsibility for the personal information it stores, even if a third party is involved in collecting, using, storing, or disposing of the information. The Association follows the relevant laws and its Confidentiality Policy to show accountability and ensure compliance.
The board of directors appoints a manager who is responsible for implementing this policy and ensuring that the Association follows the rules and regulations related to the protection of personal data. The contact information of this manager is available on the Association's website and in the documents provided to members when they join or renew their membership.
The executive management of the Association, as employers, will make sure that their staff is aware of, trained in, and supervised regarding the protection of personal data.
If there is a data breach, suspicion of fraud, or violation of the law, it should be reported immediately to the manager responsible for this policy or through the procedures outlined in the Denunciation Policy, which the Association has in place to protect itself against such incidents. The responsible person will inform all affected individuals and the relevant authorities, such as the Access to Information agency.

The board of directors and its committees, executive management and its personnel are responsible for the application of this policy;
Any derogatory conduct to the present policy will be subject to sanctions;
In case of divergence between the rules of ethics and code of conduct foreseen by the Law, the most stringent rules shall apply.

This policy was unanimously adopted by the board of directors on June 16th, 2023.

Christine Myette is responsible for the protection of personal information and ensures compliance with the Act.

You may contact the Privacy Officer at the coordinates indicated below:

ethique.juridique@collectifsante.ca or 450-824-3550 ext. 55