Privacy Policy

Sommary

Context
Application and definitions
Collection, use and disclosure
Retention and Destruction of Personal Information
Responsibilities
Data security
Rights of Access, Rectification and Withdrawal of Consent
Complaint Processing Procedures
Approval
Publication and Modifications

Version History

This document will be reviewed regularly and updated according to legislative, technological and organizational developments.

Evolution History
Date	Version	Modifications Made	Responsible	Status
07/12/2023	1.0	Document creation	Steven Mc Lean	Completed
18/06/2025	1.1	Document review	Steven Mc Lean	Completed

1. Context

Département TI Inc. is a for-profit legal person under federal jurisdiction that processes personal information in the course of its activities.

This policy aims to ensure the protection of personal information and to govern how Département TI collects, uses, discloses, retains and destroys it or otherwise manages it. Furthermore, it aims to inform any interested person about how Département TI processes their personal information. It also covers the processing of personal information collected by Département TI through technological means.

2. Application and Definitions

This policy applies to Département TI, which includes in particular its directors, employees, consultants, volunteers, as well as any person who otherwise provides services on behalf of Département TI. It also applies to Département TI’s website, as well as all websites controlled and maintained by Département TI.

It covers all types of personal information managed by Département TI, whether it concerns its clients, potential or current, its consultants, its employees, its members or any other persons (such as visitors to its websites or others).

For the purposes hereof, **personal information** is information that concerns a natural person and that allows, directly or indirectly, to identify them. For example, it could be a person’s name, address, email address, telephone number, gender or banking information, information about their health, ethnic origin, language, etc.

Sensitive personal information is information towards which there is a high degree of reasonable expectation of privacy, e.g., health information, banking information, biometric information, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.

Generally, a person’s **professional or business contact information** does not constitute personal information, for example a person’s name, title, address, email address or telephone number at work. More particularly and for the sake of precision, within the meaning of Quebec’s *Act Respecting the Protection of Personal Information in the Private Sector*, and as of September 22, 2023, sections 3 (collection, use, disclosure), 4 (retention and destruction) and 6 (data security) do not apply to information about a person relating to the exercise of a function in an enterprise, such as their name, title, function, as well as the address, email address and telephone number of their workplace.

These same paragraphs also do not apply to **personal information that has a public character** under the law, from the effective date of this policy.

3. Collection, Use and Disclosure

In the course of its activities, Département TI may collect different types of information, for different purposes. The types of information that Département TI could collect, their use (or the objective pursued) as well as the means by which the information is collected are indicated in [Appendix A](#appendix-a) of this policy.

Département TI will also inform the persons concerned, at the time of collection of personal information, of any other information collected, the purposes for which it is collected and the means of collection, in addition to other information to be provided as required by law.

Département TI applies the following general principles regarding the collection, use and disclosure of personal information:

Consent :

Generally, Département TI collects personal information directly from the person concerned and with their consent, unless an exception is provided by law. Consent may be obtained implicitly in certain situations, for example, when the person decides to provide their personal information after having been informed by this policy about the use and disclosure for the purposes indicated therein (see [Appendix A] for more details). Thus, this policy and the information it contains may be consulted by the person concerned at the time of collection of personal information.
Normally, Département TI must also obtain the consent of the person concerned before collecting their personal information from third parties, before disclosing it to third parties or for any secondary use thereof. However, Département TI may act without consent in certain cases provided by law and under the conditions provided therein. The main situations where Département TI may act without consent are indicated in the relevant sections of this policy.

Collect :

In all cases, Département TI only collects information if it has a valid reason to do so. Furthermore, the collection will be limited only to the necessary information it needs to fulfill the intended objective.
Please note that Département TI’s services and programs do not target minors, and more generally, Département TI does not intentionally obtain personal information concerning minors (in these cases, information cannot be collected from them without the consent of a parent or guardian).
Collection from third parties. Département TI may collect personal information from third parties. Unless an exception provided by law, Département TI will request the consent of the person concerned before collecting personal information concerning them from a third party. In the case where such information is not collected directly from the person, but from another organization, the person concerned may request the source of the information collected from Département TI.

In certain situations, Département TI may also collect personal information from third parties, without the consent of the person concerned, if it has a serious and legitimate interest in doing so and a) if the collection is in the interest of the person and it is not possible to do so from them in a timely manner, or b) if this collection is necessary to ensure that the information is accurate.

This collection through third parties may prove necessary to use certain services or programs, or to otherwise do business with Département TI. When required, Département TI will collect the person’s consent at the appropriate time.

Retention and Use :

Département TI ensures that the information it holds is up-to-date and accurate at the time of their use to make a decision regarding the person concerned.
Département TI may only use a person’s personal information for the reasons indicated herein or for any other reasons provided during collection. As soon as Département TI wants to use this information for another reason or purpose, new consent must be obtained from the person concerned, which must be obtained expressly if it involves sensitive personal information. However, in certain cases provided by law, Département TI may use the information for secondary purposes without the person’s consent, e.g.:
when this use is manifestly for the benefit of this person;
when this is necessary to prevent or detect fraud;
when this is necessary to evaluate or improve protection and security measures.
**Limited access**. Département TI must implement measures to limit access to personal information only to employees and persons within its organization who are qualified to become aware of it and for whom this information is necessary in the exercise of their functions. Département TI will request the person’s consent before granting access to any other person

Communication :

Generally, and unless an exception indicated in this policy or otherwise provided by law, Département TI will obtain the consent of the person concerned before disclosing their personal information to a third party. Furthermore, when consent is necessary and when it involves sensitive personal information, Département TI must obtain the explicit consent of the person before disclosing the information.
However, the disclosure of personal information to third parties is sometimes necessary. Thus, personal information may be disclosed to third parties without the consent of the person concerned in certain cases, including, but not exclusively, in the following cases:
Département TI may disclose personal information, without the consent of the person concerned, to a public body (such as the government) which, through one of its representatives, collects it in the exercise of its powers or the implementation of a program for which it is responsible.
Personal information may be transmitted to its service providers to whom it is necessary to communicate the information, without the person’s consent. For example, these service providers may be event organizers, Département TI subcontractors designated for the execution of mandates in programs administered by Département TI and cloud service providers. In these cases, Département TI must have written contracts with these suppliers that indicate the measures they must take to ensure the confidentiality of the personal information communicated, that the use of this information is only made within the framework of the execution of the contract and that they cannot retain this information after its expiration. Furthermore, these contracts must provide that suppliers must notify Département TI’s personal information protection officer (indicated in this policy) of any violation or attempted violation of confidentiality obligations concerning the personal information communicated and must allow this officer to carry out any verification relating to this confidentiality.
If this is necessary for the purposes of concluding a commercial transaction, Département TI could also disclose personal information, without the consent of the person concerned, to the other party to the transaction and subject to the conditions provided by law.

– Disclosure outside Quebec: It is possible that personal information held by Département TI may be disclosed outside Quebec, for example, when Département TI uses cloud service providers whose server(s) are located outside Quebec or when Département TI does business with subcontractors located outside the province.

Additional Information on Technologies Used :

● Use of cookies

Cookies are data files transmitted to a website visitor’s computer by their web browser when they visit this site and can have several uses.

Websites controlled by Département TI use cookies notably :

To remember visitors’ settings and preferences, for example for language choice and to allow tracking of the current session.
For statistical purposes to know visitors’ behavior, content consulted and allow improvement of the website.

contenu consulté et permettre l’amélioration du site internet.

Websites controlled by Département TI use the following types of cookies :

Session cookies: These are temporary cookies that are kept in memory for the duration of the website visit only.
Persistent cookies: They are kept on the computer until they expire and will be retrieved during the next visit to the site.

Some cookies may be disabled by default and visitors may choose to activate these functions or not, when consulting Département TI’s websites.

It is also possible to activate and deactivate the use of cookies by changing preferences in the settings of the browser used.

● Use of Google Analytics

Certain Département TI sites (notably, the sites https://it-department.com) use Google Analytics to enable its continuous improvement. Google Analytics notably allows analyzing how a visitor interacts with an Département TI website. Google Analytics uses cookies to generate statistical reports on the behavior of visitors to these websites and the content consulted.

Information from Google Analytics will never be shared by Département TI with third parties.

It is possible to install a browser add-on to disable Google Analytics

Other technological means used

Département TI also collects personal information through technological means such as web forms integrated into a website controlled by Département TI (for example, its contact form, its membership form to become a member, its form to subscribe to the newsletter and seminars), questionnaires accessible online on its platforms and applications, as well as other platforms or form tools (e.g. Microsoft Forms).

If Département TI collects personal information by offering a technological product or service that has privacy settings, Département TI must ensure that these settings offer the highest level of privacy by default (cookies are not covered).

4. Retention and Destruction of Personal Information

Unless a minimum retention period is required by applicable law or regulation, Département TI will only retain personal information for the time necessary to achieve the purposes for which it was collected.

Personal information used by Département TI to make a decision regarding a person must be retained for a period of at least one year following the decision in question or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, the circumstances of an employment termination.

At the end of the retention period or when personal information is no longer necessary, Département TI will ensure:

to destroy it; or
to anonymize it (i.e., it no longer allows, irreversibly, to identify the person and it is no longer possible to establish a link between the person and the personal information) to use it for serious and legitimate purposes.

The destruction of information by Département TI must be done securely, to ensure the protection of this information.

This section may be supplemented by any policy or procedure adopted by Département TI concerning the retention and destruction of personal information, where applicable. Please contact Département TI’s personal information protection officer (indicated in this policy) to learn more.

5. Responsibilities of Département TI

Generally, Département TI is responsible for the protection of personal information it holds.
Département TI’s personal information protection officer is Steven Mc Lean. They must, generally, ensure compliance with applicable legislation concerning the protection of personal information. The officer must approve policies and practices governing the governance of personal information. More particularly, this person is responsible for implementing this policy and ensuring that it is known, understood and applied. In case of absence or inability to act of this officer, the president of Département TI will assume the functions of the personal information protection officer.

Département TI staff members who have access to personal information or are otherwise involved in their management must ensure their protection and respect this policy.

The roles and responsibilities of Département TI employees throughout the life cycle of personal information may be specified by any other Département TI policy in this regard, where applicable.

6. Data Security

Département TI commits to implementing reasonable security measures to ensure the protection of personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium and sensitivity of the information. Thus, this means that information that could be qualified as sensitive (see the definition provided in section [2](#application-and-definitions)) must be subject to more important security measures and must be better protected. Notably, and in accordance with what was mentioned previously concerning limited access to personal information, Département TI must implement necessary measures to impose constraints on the usage rights of its information systems so that only employees who must have access to them are authorized to access them.

7. Right of Access, Rectification and Withdrawl of Consent

To assert their rights of access, rectification or withdrawal of consent, the person concerned must submit a written request to this effect to Département TI’s personal information protection officer, at the email address indicated in the following section.

Subject to certain legal restrictions, the persons concerned may request access to their personal information held by Département TI and request their correction in the case where they are inaccurate, incomplete or ambiguous. They may also require the cessation of disclosure of personal information concerning them or that any hyperlink attached to their name allowing access to this information by technological means be deindexed, when the disclosure of this information contravenes the law or a court order. They may do the same, or even require that the hyperlink allowing access to this information be reindexed, when certain conditions provided by law are met.

Département TI’s personal information protection officer must respond in writing to these requests within 30 days of the date of receipt of the request. Any refusal must be motivated and accompanied by the legal provision justifying the refusal. In these cases, the response must indicate the remedies under the law and the deadline to exercise them. The officer must help the requester understand the refusal if needed.

Subject to applicable legal and contractual restrictions, the persons concerned may withdraw their consent to the disclosure or use of information collected.

They may also ask Département TI what personal information was collected from them, the categories of persons at Département TI who have access to it and their retention period.

8. Complaint Processing Procedures

Reception

Any person who wishes to file a complaint regarding the application of this policy or, more generally, regarding the protection of their personal information by Département TI, must do so in writing by addressing Département TI’s personal information protection officer, at the email address indicated in the following section.

The individual must indicate their name, their contact information to reach them, including a telephone number, as well as the subject and reasons for their complaint, giving enough details so that it can be evaluated by Département TI. If the complaint filed is not sufficiently precise, the personal information protection officer may require any additional information they deem necessary to be able to evaluate the complaint.

Processing

Département TI commits to processing any complaint received confidentially.

Within 30 days following receipt of the complaint or following receipt of all additional information deemed necessary and required by Département TI’s personal information protection officer to be able to process it, the latter must evaluate it and formulate a motivated written response by email, to the complainant. This evaluation will aim to determine whether the processing of personal information by Département TI complies with this policy, any other policy and practice in place within the organization and applicable legislation or regulation.

In the case where the complaint cannot be processed within this deadline, the complainant must be informed of the reasons justifying the extension of deadline, the state of progress of the processing of their complaint and the reasonable deadline necessary to be able to provide them with a definitive response.

Département TI must constitute a separate file for each of the complaints addressed to it. Each file contains the complaint, the analysis and documentation supporting its evaluation, as well as the response sent to the person at the origin of the complaint.

It is also possible to file a complaint with Quebec’s [Commission d’accès à l’information](https://www.cai.gouv.qc.ca/diffusion-de-linformation/services-et-formulaires/) or any other supervisory body regarding personal information protection responsible for applying the law concerned by the subject of the complaint.

However, Département TI invites any interested person to first address its personal information protection officer and wait for the end of the processing by Département TI.

9. Approval

This policy is approved by Département TI’s personal information protection officer, whose business contact information is as follows:

Personal Information Protection Officer:

Steven Mc Lean
102-385 Boulevard St-Luc, St-Jean-sur-Richelieu, Qc, J2W 2A3
[email protected]

For any request, question or comment within the framework of this policy, please contact the officer by email.

10. Publication and modifications

This policy is published on Département TI’s website, as well as on all websites controlled and maintained by Département TI, to which this policy applies, regarding the personal information collected therein. This policy is also disseminated by any means suitable to reach the persons concerned.

Département TI must also do the same for all modifications to this policy, which must also be subject to a notice to inform the persons concerned.

Notes: Please note that the use of the masculine gender is intended to lighten this policy and facilitate its reading.

Table of versions and changes :

Version	Effective Date	Changes since last version
1.0	7 december 2023	N/A First Version

Appendix A

Here is a non-exhaustive list of the types of information that Département TI could collect, their use, or the objective pursued, as well as the means by which the information is collected. Thus, this includes, without limitation, the following elements.

Please note that most of the personal information managed by Département TI is personal information of employees, job candidates and consultants. For other categories of persons indicated in the table below, the information provided is, in most cases, information of a professional or business nature (see section 2 on professional contact information). Note that in most cases, Département TI also collects the professional title/function of persons, the name of the organization and/or the address of the organization (see section 2 on professional contact information).

Relationship with Département TI	Type of Personal Information	Purpose of Collection/Uses	Methods of Information Collection
	Information collected:	Used for:	Collection methods:
Clients	name, telephone number, email, banking information (when necessary), language, postal code	establishing and managing client relationships (and obtaining a means of communication), providing services (e.g. cybersecurity support service, business networking or innovation), collecting information within the framework of a program (e.g. NRC-IRAP, Aero Montreal, support program, personal information protection), responding to information requests about the cybersecurity ecosystem, registering clients for events organized by Département TI, knowing the preferred communication language, ensuring payment of costs related to services or programs, newsletter and seminar registration, providing training (cybersecurity webinars or international business opportunities)	through web forms integrated into a website controlled by Département TI, questionnaires accessible online on its platforms and applications, as well as other technological form platforms or tools, by email (directly or through an attached document or other type of form), from third parties (e.g. NRC-IRAP, Aero Montreal as well as Shopify, Eventbrite and Events.com for banking information)
Candidats à l’emploi et employés	name, telephone number, email, banking information, social insurance number, date of birth, address	managing communications with the candidate or employee, ensuring the operation of the payroll system	by email, by telephone
Consultants	name, telephone number, email, banking information, address	managing communications with the consultant, billing	by email (directly or through an attached document: Word, PDF, etc.)
Fournisseurs de services	name, telephone number, email, banking information, language	managing mandates, paying invoices, knowing the languages in which they can provide services	through web forms integrated into a website controlled by Département TI, by email
Membres (individus et organisations)	name, telephone number, email, banking coordinates, language	membership registration, future communications, billing, registration for activities organized by Département TI and cybersecurity expertise portals, surveys, building Département TI databases on member expertise, knowing the languages in which they can provide services and the preferred communication language	through web forms integrated into a website controlled by Département TI and other technological form platforms or tools (e.g. Microsoft Forms), from third parties (e.g. Eventbrite and Events.com for banking coordinates)
Réseau Département TI (acteurs de l’écosystème)	name, telephone number, email, banking coordinates (when necessary), language	future communications, registration for activities organized by Département TI and cybersecurity expertise portals, surveys, building databases for these future communications and to know network expertise, knowing the preferred communication language	through web forms integrated into a website controlled by Département TI and other technological form platforms or tools (e.g. Microsoft Forms), from third parties (e.g. Eventbrite and Events.com for banking coordinates)
Partenaires de Département TI	name, telephone number, email, banking coordinates (when necessary)	establishing partnership (signing partnership agreements), collaboration	by email (directly or through an attached document or other type of form)