PRIVACY NOTICE

Last updated on 30 November 2023

HOW DOES THE IRSST MEET ITS RESPONSIBILITY FOR PROTECTING YOUR PRIVACY?

The IRSST is committed to protecting your personal information as required by the applicable laws. This privacy statement (i.e. “Notice”) explains how the Institute meets this commitment when it collects, uses, communicates, retains and protects your personal information.

For additional details on our internal privacy practices, please consult the following document: Politique de protection des données et des renseignements personnels (forthcoming).

WHAT IS THE ROLE OF OUR DATA PROTECTION OFFICER (DPO)?

The IRSST staff member in charge of internal policies related to personal information has a broad mandate that involves monitoring data protection at the Institute, and is responsible for the following:

• Supervising decisions related to privacy protection, including evaluation of the measures implemented;
• Defending the right to privacy in accordance with the applicable statutes and policies, including managing incidents related to personal information and the breach of privacy;
• Processing requests and complaints regarding personal information; and
• Reporting to the IRSST’s senior management about the status of privacy management.

WHAT IS PERSONAL INFORMATION?

According to Québec law, specifically the Act respecting the protection of personal information in the private sector, personal information is any information which relates to a natural person and allows that person to be identified.

WHAT TYPE OF PERSONAL INFORMATION DOES THE IRSST COLLECT AND FOR WHAT PURPOSE?

We collect personal information when it is legally permitted to do so and when this information pertains directly to the performance of our mission, namely, conducting and funding research for the purpose of eliminating risks to workers’ health and safety and promoting their rehabilitation.

The IRSST collects data provided by clients who use its services and by people who visit its Web site or premises. This information is used for the sole purpose of supporting our relationship with you in your capacity as client or visitor.

The types of information likely to be collected are, by data category:

• Personal identifying information
• Demographic
• Contact information
• Sex
• Civil status
• Nationality/ethnicity
• Financial
• Medical or physical characteristics

More specifically, through your visits to our Web site, we are able to collect information directly from you (via forms) or automatically (using analytical monitoring tools), in data categories such as the following:

• Personal identifying information
• contact information
• location
• computing device (e.g. IP address used – which is not stored or retained in a format that can be used to identify a visitor; browser)
• behavioural data (e.g. date and time of visit to the site, page(s) visited, URL, documents uploaded).

This information supports the following internal services at the IRSST:

• Order processing, such as the shipping of products or receipt of payments;
• Transmission of information about our services;
• Statistical analysis of trends in visits to our Web site for purposes of improving the latter and facilitating navigation;
• Customer service, such as receiving and responding to requests for information or client complaints; and
• Performing transactions requested by you, such as registering for an event, ordering information newsletters by e-mail, accessing a tool on the Web site, or obtaining or consulting publications.

Owing to its unique mandate as a research institute, one of the IRSST’s activities involves collecting data and sometimes personal information for statistical and research purposes.

From time to time, the IRSST collects information on minors within the context of its research activities.

Information on minors is protected under the Act respecting the protection of personal information in the private sector, according to which a person having parental authority or a tutor may request access to personal information concerning a minor, on behalf of the latter.

The IRSST also collects information on its employees or trainees.

• Personal identifying information
• Demographic
• Contact information
• Sex
• Civil/family status
• Nationality/ethnicity
• Financial
• Medical
• Physical or professional characteristics
• Authentication
• Behavioural
• All communications

• Execution of employment contracts and management of human resource files;
• Payment of salaries; and
• Management of employee files and inherent government-related obligations.

To support its internal activities, the IRSST enters into contractual agreements with third-party service providers (e.g. external consultants/researchers). Sometimes personal information is therefore collected to carry out these activities.

The types of information likely to be collected are, by data category:

• Personal identifying information
• Contact information
• Nationality/ethnicity
• financial
• Professional
• All communications

This information supports the following processes at the IRSST:

• Execution of contractual agreements;
• Payment of invoices; and
• Management of procurement files and government-related obligations.

HOW DO WE COLLECT YOUR PERSONAL INFORMATION?

The IRSST collects personal information in the following ways:

• When an individual provides such information voluntarily, for example, by completing a form, placing an order or registering for an account;
• When it collects personal information automatically from a client or visitor, for example, through the use of cookies, analytical tools or other similar technologies;
• When a contractual agreement is executed between you and the IRSST;
• When we receive biometric samples as part of requests for analysis transmitted via our portals that are accessible to our different clienteles;
• When a request for analysis is transmitted to us via our portals, and during the processing of samples that include biometric data; and
• When the IRSST receives personal information from a third party, for example, from public sources or partners.

The information you provide us with comes from:

• contractual agreements;
• the management of insurance files;
• surveys, and
• requests for services.

Our Web site uses cookies, tags, Web beacons and other tools to improve site performance and your navigation experience, or to learn more about you.

Cookies

The cookies we use on our Web site expire automatically at the end of a visitor’s session. These cookies allow us, for example, to track the way in which visitors use our Web site and to compile usage statistics in order to improve the site’s efficiency or make it easier for our visitors to use;

You can either accept cookies or refuse them to ensure that your visit to our Web site is not tracked and that no information is collected. Most Web browsers accept cookies automatically, but if you wish, you can modify your browser settings to deactivate them and refuse their access to your computer. If you opt to do so, however, you risk not being able to make full use of the functionalities of the IRSST Web site or of other Web sites you visit.

Web beacons

Used on our Web site, Web beacons do not give access to personal information. They collect only a limited set of data, notably a cookie number, the time and date on which the page was displayed and a description of the page on which the beacon was placed. The Web site may also include beacons placed by IRSST service providers to help the Institute evaluate and analyze the efficiency of various features of the site.

Web analytics

This refers to the collection, analysis and measurement of data concerning traffic and visits to a Web site for the purposes of understanding and optimizing use. Certain types of data are therefore tracked during visits to the IRSST Web site, and these are treated as personal information.

Web forms

These forms are used to collect your contact information in order to provide you with the services you have requested.

Log file data

The IRSST may perform log analysis for internal purposes. The information is not disclosed to any external third-party service provider, with the exception of our Web hosting provider.

When processing requests for service

The IRSST uses computerized tools to process requests for service, and the information received is used solely to process these requests.

We work in close collaboration with third parties (e.g. university partners, technical services and payroll subcontractors, data and data analysis providers) and may receive information about you from them.

Individual/worker data

Data received specifically for conducting analyses.

Student data

Data needed for the execution of contractual agreements between the IRSST and collaborating students/trainees.

HOW DO WE OBTAIN YOUR CONSENT?

When we collect your personal information, we inform you at that time of the reasons why we are collecting it, of our legal authority for doing so and of the way in which your information will be used. We will ask for your consent when required by the applicable laws, notably for any additional uses or disclosures of your data.

If the data comes from a third party, the IRSST also verifies that you have given your consent.

Subject to legal and contractual requirements, you are free at any time to withdraw your consent to the collection, use or disclosure of your personal information. However, withdrawing your consent could limit the IRSST’s ability to offer you certain services. Moreover, even in the case of consent withdrawal, the IRSST may have the right or obligation to continue retaining, using or disclosing your personal information, where allowed or required by law.

Consent is obtained via the following means:

Web site

Through a proactive opt-in consent banner.

Contractual agreement

Through the execution of various contractual agreements between you and the IRSST.

Consent forms

Through mandatory consent forms signed by participants in our research activities as required by our ethical standards.

HOW DO WE RETAIN YOUR PERSONAL INFORMATION AND FOR HOW LONG?

The IRSST complies with the applicable statutes to determine how long it will retain your personal information, and refers to best data-safety practices to protect this information. When you grant us your consent for us to use your personal information for defined purposes, the IRSST will stop retaining this information as soon it is no longer needed to fulfill the identified purposes.

Your personal information will then be destroyed, deleted or anonymized in accordance with best practices.

We have put measures in place to protect your personal information against the risks of loss, theft and unauthorized access or disclosure. Below are examples of these measures.

The IRSST uses robust encryption measures to protect personal information from the risk of being compromised during transmission and on our Web site.

The IRSST uses technological solutions to monitor its computer networks and detect any unauthorized attempts to upload, modify or destroy data.

The IRSST has introduced internal rules to control access to data; these rules are based on employees’ or third parties’ functions, as well as data criticality. We also use computerized tools to reinforce access-authentication and network-protection procedures.

Our employees who have access to personal information may only use it in accordance with the principles set forth in our policies, and in the applicable laws and regulations.

Access is limited to our storage servers (whether those maintained by the IRSST or by our service providers) containing personal information. These servers are located in secure and closely monitored facilities.

The IRSST offers its entire staff periodic activities to raise awareness of best practices, notably with regard to the processing of personal information. Our internal policies and procedures are communicated to users of personal information, as well as periodically reinforced.

The IRSST informs its staff members of their obligation to respect the confidentiality of personal information.

When we share or communicate personal information, we adhere to protection measures such as the following:

• Including strict confidentiality and security clauses in our contracts with third parties and partners in the context of information-sharing agreements;
• Using protection measures such as data encryption and anonymization, as well as secure data exchange tools; and
• Verifying compliance with our internal processes related to the sharing and communication of data.

DO WE SHARE YOUR PERSONAL INFORMATION?

You may rest assured that the IRSST only shares or communicates your personal information if it is done in accordance with its obligations under the applicable laws.

We share and communicate your personal information that we have in our possession to:

• individuals who are the owners of this information or their authorized representatives, in the context of our activities;
• employees, service providers, agents or partners, when needed to carry out our activity functions and on a “need-to-know” basis. It is understood that these persons or entities must comply with the strict contractual conditions that oblige them to maintain the confidentiality of all personal information and to use it only for the purposes defined; and
• government entities (federal, provincial, territorial) and law enforcement agencies.

The IRSST will only communicate your personal information to third parties in the following cases:

• You have consented that we may communicate your personal information to a third party for a specific purpose;
• When the IRSST is legally bound to provide personal information in response to a formal court order, a subpoena to produce documents or an investigation conducted by the authorities, or when otherwise required to do by law;
• When the IRSST is obligated to notify law enforcement agencies of any activity that it believes, in good faith, is unlawful or might threaten safety.

HOW DO WE HANDLE INCIDENTS INVOLVING BREACHES OF CONFIDENTIALITY?

Our employees are obligated to signal any unauthorized access to or disclosure of information, any breach or fraud detected or suspected, as well as any process that might put the personal information at risk. We take very seriously, and conduct in-depth investigations of, any allegations or suspicions regarding:

• the manipulation and/or inappropriate or unauthorized disclosure of the personal information under our control, by one of our employees or by a third party, including external threats; and
• external incidents that directly affect the personal information or interactions of any of our contributors.

If an incident is confirmed, we take prompt action to address it. As required by the laws in force, we notify the persons concerned and the appropriate government authorities. We undertake to reduce all risks in order to prevent the occurrence of compromising incidents. If a criminal activity is suspected, we cooperate fully with the law enforcement authorities.

HOW CAN YOU EXERCISE YOUR RIGHTS REGARDING YOUR PERSONAL INFORMATION THAT WE USE?

The IRSST is legally bound to comply with federal and provincial legislation regarding the protection of personal information, and thus to respond to requests you are entitled to make regarding your personal information.

Third parties may also exercise certain rights regarding your personal information, in a limited number of exceptional circumstances, such as:

• when the person who makes the request has the written consent of the individual whom the information concerns;
• when the author of the request is the legal representative of a minor or an estate;
• when the request concerns a public interest (e.g. government legislation).

Your rights regarding your personal information concern:

• access (consultation) and portability (transferability);
• withdrawal of your consent to its collection and/or use and/or disclosure;
• removal/destruction;
• modification/correction;
• issuing a complaint or signalling a breach of confidentiality.

The IRSST undertakes to respond to such requests within thirty (30) working days.

The IRSST may refuse a request in writing on serious grounds such as legislative reasons.

The IRSST reserves the right to charge fees for transcribing, reproducing or transmitting personal information, subject to giving you prior notice.

• By contacting us using the contact information provided in the “Who to Contact” section below;
• By using certain Web browsers and exclusion options discussed above to limit the personal information you provide to us or to our third-party partners;
• By sending us an email to the address indicated in the “Who to Contact” section below; or
• By following the Unsubscribe instructions included in our newsletters.

HOW DO YOU FIND OUT WHICH AMENDMENTS DOCUMENTED IN THIS NOTICE HAVE TAKEN EFFECT?

From time to time, we update this Privacy Notice. In this case, we also revise the “last updated” date appearing at the top of the page. We encourage you to consult the Privacy Notice on a regular basis to keep informed about the ways in which we help you to protect the personal information we collect.

WHO TO CONTACT?

Please submit any questions, concerns or requests you may have regarding this Privacy Notice with respect to your personal information, to:

Lise Toupin, Data Protection Officer (DPO)

505 De Maisonneuve Blvd. West

Montréal, QC H3A 3C2

Tel.: 514-288-1551, ext. 390

 lise.toupinIRSST@IRSSTirsst.qc.ca