Preamble
Law 251 updates the framework applicable to the protection of personal information.
Initially introduced as Bill 64, Law 25 was adopted by the National Assembly of Québec (Canada) in
September 2021 and its new provisions came into effect in September 2022.
Objective
The purpose of this Policy is to ensure the application of a policy related to the rules governing
governance with respect to the protection of personal information under its control.
Legal framework
Air Richelieu collects personal information, including that of students and staff members. It is therefore
subject to the provisions of the Access Act, the Civil Code of Québec and the Charter of Human Rights
and Freedoms. In the event of any discrepancy between the Access Act and this Policy, the Access Act prevails.
This applies to any person who, in the performance of his or her duties, collects, consults, uses,
communicates, holds or retains personal information held by Air Richelieu concerning any natural
person.
Definitions
In this policy, unless the context otherwise requires, the following expressions mean:
Personal Information
Any information that relates to a natural person and that directly or indirectly identifies him, such as:
name, address, telephone number, email address, occupation, social insurance number, date of birth,
photograph and bank details.
Personal information must be protected regardless of the nature of its medium and regardless of its
form: written, graphic, audio, visual, computerized or otherwise.
Sensitive Personal Information
Personal information is sensitive when, by its nature or because of the context in which it was used or
disclosed, it gives rise to a high degree of reasonable expectation of privacy. The following information
is considered sensitive: medical, biometric, genetic or financial information, or information about sexual
life or orientation, religious beliefs or ethnic origin.
Consent
Consent is the authorization of the individual holding the personal information to collect and use his or
her personal information. Consent is not presumed. It must be manifest, free, informed, given for specific
purposes, in simple and clear terms, for the duration necessary to achieve the purposes for which it
was requested.
Minor
Persons under the age of 18.
Major
A person aged 18 and over or a person under the age of 18 emancipated.
Collection of Personal Information
Personal Information That May Be Collected
In order to adequately fulfill its mission, Air Richelieu must collect a number of pieces of personal
information.
The Minister collects only the personal information necessary to carry out his or her duties or to
implement a program under his or her control.
Air Richelieu takes measures to ensure that the personal information it collects is adequate, relevant,
not excessive and used for specific and limited purposes.
Below you will find all the personal information we may collect from our members.
Certain categories of personal information are collected only for specific services. If the member is not
affected by these services, we do not collect the personal information associated with them. For
example, he may be asked for information from one of his bank accounts if he is employed by
AirRichelieu to make direct payments to the specified bank account.
We grouped the personal information we may collect with the member’s consent into 6 categories,
which are set out below.
Each of them contains concrete examples. We collect only the information necessary to serve the
member on a daily basis, to comply with our legal obligations and to ensure the safety of in-flight
activities where necessary.
Identifying Information
- Name and surname
- E-mail address
- Mailing address
- Phone number
- Date and place of birth
- Gender or gender
- Nationality
- Immigration status
Additional information
- Socio-demographic data such as employment, annual income
- Fluently spoken language
- Surname, first name and contact of a resource
person to contact in case of emergency. - Bank account details
- Personal resume
- High school diploma or equivalent
- All pertinent documents required to process an
assessment of an admission request to a
collegial study program. - For employees:
• Dossiers de paye et avantages sociaux
• Rapport de rendement
• Coordonnées bancaires
• Rapports de présences
• Dossiers officiels et non officiels
• Historique de navigation Web
• Courriels
Authentication information to enable Air Richelieu to comply with its legal obligations
Government identifiers:
- Passport
- Photo
- Driver’s licence
- Birth certificate
- An immigrant card or visa
- Aviation Medical Certificate issued by
Transport Canada - Social Insurance Number
- Aviation Document booklet issued by
Transport Canada
Information about communications with us
- Report of appointments
- Record, history, recording and reporting of
communications with us - Written communications by email or chat
(including complaints and dissatisfactions if
applicable) - Responses to surveys or consultations
- Video and audio recording of security cameras
Information about the use of our electronic applications
- Passwords
- Answers to authentication questions
- IP address
- Information about device, operating system or
browser - Minutes of appointments
- Register, history, record and report of
communications using the internal messaging
system - Register, history, record and report of
communications between the memebr and our
text messaging system.
Information about training
- Date, type and time of any activity
- Evaluations and comments on the progress of
trainings. - Results and report of the theoretical and practical
evaluations carried out - Aviation Event Report related to flight activities
- Flight data report
- Aeronautical radio communication reports and
records
Information Disclosed When Personal Information Is Collected
When collecting personal information, Air Richelieu makes sure to inform the person concerned, at the
latest at the time of collection:
- The purposes for which the information is collected;
- The means by which the information is collected;
- The mandatory or optional nature of the request;
- The consequences of refusing to respond to or consent to the request;
- Rights of access and rectification provided for by law;
- The possibility of the personal information being communicated outside Québec, if applicable.
Upon request, the person concerned is also informed of the personal information collected from him,
the categories of persons who have access to it within Air Richelieu, the retention period of this
information and the contact information of the person responsible for the protection of personal
information.
Use of Personal Information
Air Richelieu uses personal information about its student clientele, staff members and other third parties
to carry out its mission and duties. Personal information will not be used for purposes other than those
specified at the time of collection, unless the individual specifically consents or as permitted by the
Access Act.
Consent
In situations that require it, Air Richelieu must send consent to the collection, use or disclosure of
personal information to the individuals concerned. To be valid, consent must be manifest, free,
informed, given for specific purposes, in simple and clear terms and for the duration necessary to
achieve the purposes for which it was requested.
Where an individual has given consent to the collection, use and disclosure of their personal information,
they may withdraw the consent at any time. To withdraw consent, if applicable, they may contact the
person whose name appears on the consent form (for example: by email, fax, telephone, etc.).
Please note that if an individual withdraws consent, Air Richelieu may not be able to provide a particular
service. Like what:
- a candidate who refuses to give consent for the transmission of his or her high school grades
to Air Richelieu may not be admitted; or - a person who refuses to provide a copy of his aviation medical certificate, issued by Transport
Canada, will not be able to fly on AirRichelieu aircraft as pilot-in-command.
Air Richelieu will explain to this person the impact of withdrawing consent to help them make decisions.
Disclosure of Personal Information
Communication with the consent of the data subject
Air Richelieu may disclose certain personal information it holds to a third party if it has obtained the valid
consent of the person concerned.
Air Richelieu may transfer the personal information it collects to service providers and other third parties
who support it. These third parties are contractually obligated to keep personal information confidential,
to use it only for the purposes for which Air Richelieu discloses it and to treat personal information
according to the standards set out in the policy and in compliance with the laws.
Communication without the consent of the data subject
Air Richelieu may disclose certain personal information held to comply with a court order, law or legal
process, including to respond to any governmental or regulatory request, in accordance with applicable
laws, or if it believes disclosure is necessary or appropriate to protect the rights, property or safety of
Air Richelieu or others.
Air Richelieu may disclose certain personal information it holds to an Air Richelieu employee who is
qualified to receive it and when the information is necessary for the performance of its duties.
Air Richelieu may disclose certain personal information for study, research or statistical purposes
subject to the conditions set out in the Access Act, including, in particular, the assessment of privacy
impacts and the transmission of the agreement to the Commission d’accès à l’information thirty (30)
days before its coming into force.
In certain situations, the person responsible for the protection of personal information must record the
disclosure in his or her personal information disclosure log.
Retention and Destruction of Personal Information
Air Richelieu retains the personal information it holds only for the time necessary to fulfill the purposes
for which it collected it and in accordance with its retention schedule, unless authorized or required by
applicable laws or regulations.
As a general rule, when the purposes for which personal information was collected or used are fulfilled,
Air Richelieu must destroy or anonymize it to use it for purposes of public interest.
Information concerning a natural person is anonymized when it is, at all times, reasonable to foresee in
the circumstances that it no longer directly or indirectly identifies that person. It should be noted that the
anonymization process must be irreversible.
However, as an exception to the general rule, in the case of personal information contained in a
document covered by Air Richelieu’s retention schedule, Air Richelieu must comply with the rules set
out therein regarding the retention and destruction of these documents.
When Air Richelieu destroys documents containing personal information, it ensures that it takes the
necessary protective measures to ensure its confidentiality. The method of destruction used must be
determined by reference to the sensitivity of the information, the purpose of its use, its quantity, its
distribution and its medium.
Information held by Air Richelieu is processed and stored in Québec. When a transfer of personal
information outside Québec is necessary in the exercise of Air Richelieu’s functions, such transfer will
take place only if it is assessed that the information would benefit from adequate protection, in particular
by considering the sensitivity of the information, the purpose of its use, the safeguards from which the
information would benefit and the legal regime applicable in the State or province where the information
would be used. communiqué. The transfer will also be subject to appropriate contractual arrangements
to ensure this adequate protection.
Protection of Personal Information
Air Richelieu has implemented appropriate and reasonable physical, organizational, contractual and
technological security measures to protect personal information, regardless of the medium on which it
is stored, against loss or theft, and against unauthorized access, disclosure, copying, use or
modification. Air Richelieu has taken steps to ensure that only those staff members who absolutely must
have access to personal information in the course of their duties are authorized to access it.
Persons working for or on behalf of Air Richelieu must, in particular:
- Make reasonable efforts to minimize the risk of unintentional disclosure of personal information;
- Take special precautions to ensure that personal information is not spied on, heard, accessed
or lost when working on premises other than Air Richelieu’s offices; and - Take reasonable steps to protect personal information as it moves from one location to another.
Subcontractors with access to personal information in Air Richelieu’s custody or control will be informed
of this Privacy Policy and other applicable policies and processes to ensure the security and protection
of personal information. All subcontractors will be required to agree in writing to agree to comply with
applicable policies, processes and laws.
Request for access or rectification
Request for access to personal information
Any person who so requests has the right of access to his or her personal information held by Air
Richelieu, subject to the exceptions provided for in the Access Act.
A request for disclosure may be considered only if it is made in writing by a natural person proving his
identity as the person concerned, as a representative, heir or successor of the latter, as liquidator of the
succession, as beneficiary of life insurance or death benefit, as the holder of parental authority even if
the minor child is deceased, or as the spouse or close relative of a deceased person.
This request must be addressed to Air Richelieu’s person responsible for the protection of personal
information, who can be reached by email at the following address privacy@airrichelieu.com. The
application must provide sufficient precise information to enable Air Richelieu to process it.
The person responsible for the protection of personal information must give the person who made a
written request notice of the date of receipt of the request.
The responsible person must respond no later than twenty (20) days from the date of receipt of a
request. If the processing of the request within the period previously provided for does not seem
possible without interfering with the normal conduct of Air Richelieu’s activities, the person in charge
may, before the expiry of this period, extend it by a period not exceeding ten (10) days by giving notice
to that effect to the applicant before the expiry of the twenty (20) day period.
If the person making the request is not satisfied with Air Richelieu’s response, he or she may refer the
decision to the Commission d’accès à l’information so that it can be reviewed. The request for review
must be made within thirty (30) days after the date of the decision or the expiry of the time limit provided
for in the Access Act to respond to the request.
Request for correction
Any person who receives confirmation of the existence in a bank of personal information concerning
him may, if it is inaccurate, incomplete or ambiguous, or if its collection, communication or retention is
not authorized by the Access Act, require that the file be corrected.
A request for rectification may be considered only if it is made in writing by a natural person proving his
identity as the person concerned, as a representative, heir or successor of the latter, as liquidator of the
succession, as beneficiary of life insurance or death benefit, as the holder of parental authority even if
the minor child is deceased or as a spouse or close relative of a deceased person.
This request must be addressed to Air Richelieu’s person responsible for the protection of personal
information, who can be reached by email at the following address privacy@airrichelieu.com. The
application must provide sufficient precise information to enable Air Richelieu to process it.
Air Richelieu must, when granting a request for rectification of a file, issue to the person who made it a
copy of any modified or added personal information or, as the case may be, an attestation of the
withdrawal of personal information, free of charge.
When Air Richelieu refuses in whole or in part to accede to a request for rectification of a file, the person
concerned may request that this request be registered.
The responsible person must respond no later than twenty (20) days from the date of receipt of a
request. If the processing of the request within the time limit provided for above does not seem possible
without interfering with the normal conduct of Air Richelieu’s activities, the person in charge may, before
the expiry of this period, extend it by a period not exceeding ten (10) days by giving notice to that effect
to the applicant.
If the person making the request is not satisfied with Air Richelieu’s decision, he or she may refer the
decision to the Commission d’accès à l’information so that it can be reviewed. The request for review
must be made within thirty (30) days after the date of the decision or the expiry of the time limit provided
for in the Access Act to respond to the request.
Privacy Incident Management
Definition
For the purposes of this policy, a privacy incident includes:
- Access not authorized by the Access to Personal Information Act. Like what:
• a staff member who accesses personal information not necessary for the performance of
his or her duties by exceeding the access rights granted to him or a hacker who infiltrates
a system;
• a person who interferes with a database containing personal information in order to alter
it;
• a staff member accesses personal information without authorization;
• The organization is the victim of a cyberattack, such as phishing or ransomware. - Use not authorized by the Access to Personal Information Act. Like what:
• A staff member who uses personal information from a database to which he or she has
access in the course of his or her duties for the purpose of impersonating an individual. - Disclosure not authorized by the Access to Personal Information Act. Like what:
• a mistakenly made communication to the wrong person by his employer;
• the communication of personal information contrary to the provisions of the Access Act;
• A staff member is disclosing personal information to the wrong recipient. - The loss of personal information or any other breach of the protection of such information. Like
what:
• a person who loses or has documents containing personal information stolen;
• forgetting to redact personal information in a document;
• sending an email containing personal information.
Handling a Privacy Incident
When Air Richelieu has reason to believe that a confidentiality incident involving personal information
under its control has occurred, it must take reasonable measures to reduce the risk of harm being
caused and prevent future incidents of the same nature from occurring, which may include sanctioning the individuals involved.
Air Richelieu may also notify any person and/or organization likely to reduce this risk by disclosing only
the personal information necessary for this purpose without the consent of the person concerned. In
the latter case, the person responsible for the protection of personal information must record the
communication.
If the confidentiality incident presents a risk of serious harm being caused, the organization must, with
diligence, notify the Commission d’accès à l’information. It must also notify any person whose personal
information is affected by the incident.
In order to assess the risk of harm being caused to a person whose personal information is affected by
a confidentiality incident, Air Richelieu must consider, in particular:
- The sensitivity of the information concerned;
- The apprehended consequences of its use; and
- The likelihood that it will be used for harmful purposes.
Air Richelieu must also consult the person responsible for the protection of personal information.
Confidentiality Incident Registry
Air Richelieu must keep a record of confidentiality incidents. It contains, in particular:
- A description of the personal information involved in the breach;
- The circumstances of the incident;
- The date the incident occurred;
- The date the person responsible for the protection of personal information became aware of
the breach; - The number of persons targeted;
- Assessment of the seriousness of the risk of harm;
- If there is a risk of serious harm to the data subject, the dates of transmission of the notices;
and - The measures taken in response to the incident.
Privacy Complaint Process
Filing a Privacy Complaint
Any person who has reason to believe that a confidentiality incident has occurred and that Air Richelieu
has failed to protect the confidentiality of the personal information in his or her possession may file a
complaint requesting that the situation be corrected.
The complaint must be in writing and include a description of the incident, the date or period when the
incident occurred, the nature of the personal information involved in the incident, and the number of
individuals involved.
The complaint must be directed to the person responsible for the protection of personal information. It
must be made by email to the following address privacy@airrichelieu.com.
In the event that the complaint involves the conduct of the person responsible for the protection of
personal information, it must be addressed to Air Richelieu’s General Management at the
tdugrippe@airrichelieu.com address.
Handling of the complaint
The Privacy Officer or the general direction, if applicable, is responsible for receiving and processing
the complaint within 20 business days.
In the event that it proves to be justified, Air Richelieu takes the necessary measures to correct the
situation as soon as possible in accordance with paragraph 10.2 of this policy and registers the incident
in the register, as indicated in paragraph 10.3.
Video surveillance
The use of video surveillance must be carried out in compliance with the obligations set out in particular
by the Civil Code of Québec, the Charter of Human Rights and Freedoms and the Access Act.
Information system or electronic delivery projects involving personal information
Air Richelieu conducts a Privacy Impact Assessment for any project to acquire, develop or redesign an
information system or electronic service that involves the collection, use, disclosure, retention or
destruction of personal information.
With respect to privacy impact assessments, Air Richelieu consults its Access to Information and
Privacy Committee at the outset of the project.
Roles and Responsibilities
Board of Directors
Members : Thierry DUGRIPPE (tdugrippe@airrichelieu.com), Richard BLACKBURN
(rblackburn@airrichelieu.com)
- Adopts the Privacy Policy and any amendments thereto.
Executive Committee
Members : Thierry DUGRIPPE (tdugrippe@airrichelieu.com), Richard BLACKBURN
(rblackburn@airrichelieu.com)
- Determines measures to promote the application of Air Richelieu’s policy and legal obligations
regarding the protection of personal information; - Determines guidelines and procedures that clarify or support the application of the policy;
- Takes reasonable steps in the event of a confidentiality incident to reduce the risk of harm
being caused and prevent similar incidents from occurring.
Executive management
Members : Thierry DUGRIPPE (tdugrippe@airrichelieu.com), Richard BLACKBURN
(rblackburn@airrichelieu.com)
- Ensures compliance with the Privacy Policy;
- Supervises the person responsible for the protection of personal information in carrying out
his/her mandate; - Delegates certain responsibilities to the General Secretariat for the management of personal
information.
Responsible for access to documents and the protection of personal information
Members : Thierry DUGRIPPE (tdugrippe@airrichelieu.com, privacy@airrichelieu.com)
- Is responsible for access to information and the protection of personal information;
- Is responsible for receiving and handling complaints;
- Is responsible, in certain situations, for recording communications in the personal information
disclosure registry; - Disseminates and updates the policy on the website.
Access to Information and Privacy Committee
Members : Thierry DUGRIPPE (tdugrippe@airrichelieu.com), Richard BLACKBURN
(rblackburn@airrichelieu.com)
- Is responsible for the Privacy Impact Assessment for any project to acquire, develop or
redesign an information system or electronic service delivery that would involve the collection,
use, disclosure, retention or destruction of personal information; - Supports the person responsible for access to information and the protection of personal
information in the exercise of his responsibilities and in the performance of his obligations under
the Access Act; - Approves rules governing the governance of personal information.
Information Technology Directorate
Members : Olivier VUVANT (ovuvant@airricehlieu.com)
- Ensures the support of personal information protection requirements in the operation of
information systems as well as in the realization of development or acquisition projects of
information systems in which it intervenes; - Actively participates in risk analysis, needs and measures to be implemented, and anticipates
any privacy threats involving information technology; - Applies appropriate measures to any privacy threats or incidents;
- Participates in the conduct of investigations relating to actual or apparent contraventions of this
policy and authorized by the Director General.
Human Resources Directorate
Members : Thierry DUGRIPPE (tdugrippe@airrichelieu.com), Richard BLACKBURN
(rblackburn@airrichelieu.com)
- Obtains from any new Air Richelieu employee his commitment to respect the policy;
- Ensures that any new staff member signs the confidentiality agreement form for information
processed in the course of his/her duties; - Ensures the conduct of training and awareness activities on the protection of personal
information; - Determines the applicable sanctions for non-compliance with this policy.
Physical Resources Directorate
Members : Olivier VUVANT (ovuvant@airricehlieu.com)
- Participates, with the person responsible for information security, in the identification of physical
security measures to adequately protect Air Richelieu’s information assets.
Staff members
Responsibility for the protection of personal information rests with any person who uses Air Richelieu’s
information assets. Anyone who accesses, consults or processes personal information is responsible
for the use he or she makes of it and must proceed in such a way as to protect the confidentiality of that
personal information.
To this end, the staff member must:
- Comply with this policy and any other Air Richelieu directive regarding the protection of
personal information; - Access and use personal information that is made available to them only in the course of their
duties and for the purposes for which they are intended; - Participate in training and awareness activities offered by Air Richelieu;
- Report to Air Richelieu’s person responsible for the protection of personal information any
confidentiality incident that may constitute a violation of this policy.
Training
Initial training will be mandatory for all staff with access to personal information. At the end of this
training, a confidentiality agreement will be signed.
The training and privacy awareness activities offered by Air Richelieu to its employees are published
on Air Richelieu’s Intranet site. These trainings will take place at least once a year and will be mandatory.
Penalties for non-compliance with this policy
Failure to comply with this policy may result in administrative and/or disciplinary action up to and
including termination of employment. The nature, seriousness and repetitive nature of the acts
complained of must be considered when determining a sanction.
As part of its contractual relationship with a third party, Air Richelieu may terminate any contract without
notice for non-compliance with this policy. This will be presented to all third party contractors with Air
Richelieu, who must undertake, in writing, to comply with it.
Dissemination and updating of the policy
The person responsible for the protection of personal information, assisted by the Access to Information
and Privacy Committee, ensures that the policy is posted and updated on Air Richelieu’s website.
Responsibility for enforcement and policy review
The general direction is responsible for the implementation of the policy and its revision.
Entry into force
This policy is approved by the Access to Information and Privacy Committee. It shall enter into force on
the day of its adoption by the Board of Directors.