Privacy Policy

Policy statement

OCTANT AVIATION and its entities (hereinafter the “Company”) are committed to ensuring the protection, confidentiality and security of personal information, in accordance with applicable data protection laws.

The purpose of this policy is to ensure that all personal information is collected, used, stored and disclosed in accordance with the Privacy Act and other applicable laws (Civil Code, art. 3; Charter of Rights and Freedoms, art. 5; Act respecting the legal framework for information technology), as well as with best practices in data confidentiality.

This policy applies to all employees, officers, consultants, subcontractors and suppliers who handle personal information in the course of their duties at our Company.

Personal information (PI): Personal information is information about a natural person that allows that person to be identified. It is confidential. With certain exceptions, it may not be communicated without the consent of the person concerned.

Privacy Officer: Every company is responsible for protecting the personal information it holds. The person with the highest authority is responsible for ensuring compliance with and implementation of the Act respecting the protection of personal information in the private sector (Private Sector Act). This person is responsible for the protection of personal information, and may delegate this function in writing, in whole or in part, to any person with the required skills and significant decision-making authority.

Commission d'accès à l'information du Québec (CAI): The Commission is both an administrative tribunal and an oversight body that oversees the application of the Access Act and the Privacy Act. It also sees to the promotion and respect of citizens' rights to access documents held by public bodies, and to the protection of their PI.

Confidentiality incident: a confidentiality incident is any unauthorized access, use or disclosure of PI, as well as the loss of PI or any other breach of its protection. For example, a confidentiality incident could occur when:

Consent: Giving consent means agreeing to something. It is a deliberate act that must have all of the following characteristics:

Person responsible for PI in the Company

The person’s title and contact details can be found on the Company’s website. Within the Company, the person in charge is Nathalie Tousignant, President and CEO.

By law, she has specific roles to play. In the event of a confidentiality incident involving personal information, she must:

She must also conduct a Privacy Impact Assessment (PIA) when required by law, for example before disclosing PI outside Quebec, or for any project involving the acquisition, development or redesign of an information system, or the electronic delivery of services involving PI (see the Companion Guide – PIA).

Anyone involved in a confidentiality incident involving PI:

The law assigns them specific roles. In the event of a confidentiality incident involving personal information, they must:

Companies that collect, use, communicate to third parties, retain or destroy personal information have a number of obligations under the Act respecting the protection of personal information in the private sector.

PI life cycle

Collection

The first stage in the personal information life cycle, collection is the point at which personal information is:

Viewing personal information, such as that contained on a piece of identification, also constitutes collection, even if it is not subsequently retained.

Collection is carried out by the Company or a third party, such as an agent or service provider.

At this stage, the following obligations must be met in order to protect personal information:

The Company shall not refuse to provide a good, service or employment to a person who refuses to provide personal information, except as provided by law.

Use

Use is the period during which personal information is used by authorized persons within the Company.

At this stage, the Company must comply with the following obligations:

Communication

Communication (disclosure) is the period during which personal information is communicated, for example in an electronic service delivery system, by e-mail, to customer service, through Web sites or to a third party.

At this stage, the Company must comply with the following obligations:

Retention

Retention is the period during which the Company keeps personal information in any form, regardless of whether the information is actively used.

At this stage, the Company must comply with the following obligations:

Destruction

The life cycle of personal information ends when it is destroyed.

At this stage, the Company must:

Other obligations: security, access and rectification

Destruction of documents containing PI

As a private company, the Company is responsible for ensuring the confidential management of personal information, from collection to destruction. Once the purpose for which the Company collected the personal information has been fulfilled, it is immediately obliged to destroy it in a secure manner. The only restriction on this obligation to destroy is the time limit stipulated by law, or by a retention schedule established by government regulation (e.g., for tax purposes).

As of September 22, 2023, applicable laws provide for an alternative to the destruction of personal information. Even where the purpose for which the information was collected has been fulfilled, it may be kept, provided it is anonymized so that it can be used for serious and legitimate purposes:

Caution and vigilance are required when anonymizing personal information in this context. This is a complex process designed to ensure that a natural person cannot be re-identified by any technological means.

The destruction procedure

Personal information has a life cycle of its own: from collection to destruction, it passes through phases of use and retention, and sometimes through communication to third parties.

The Company has an obligation to protect personal information. Applicable laws set out rules for security and destruction.

The Company takes security measures to ensure the protection of personal information that is collected, used, disclosed, retained or destroyed. Such measures shall be reasonable in light of the sensitivity of the information, the purpose for which it is to be used, its quantity, distribution and medium.

Once the purposes for which personal information was collected or used have been fulfilled, the organization must destroy or anonymize it.

The Commission recommends that a document management procedure be put in place and that those responsible for ensuring that it is properly applied be identified.

It is important to make this procedure known to all staff. In particular, this procedure should aim to:

Applicable laws oblige the Company to protect personal information contained in all types of physical or digital documents, in the broadest sense, whether in written, graphic, sound, visual, computerized or other form. Note that a database, for example, is considered a document:

The method of destruction must be adapted to the medium and level of confidentiality of the documents, and must ensure that the personal information they contain is destroyed once and for all.

A number of techniques are available for definitive destruction:

Media used / Example of destruction methods

Paper (original and all copies): shredder, preferably cross-cut. For highly confidential documents: shredder followed by incinerator.

Digital media to be reused or recycled (e.g. flash memory cards such as SD and XD cards, USB sticks, computer hard drives): formatting, overwriting, digital shredding (software that performs a secure deletion and writes random data to the location of the deleted file).

Non-reusable digital media (e.g. certain CDs, DVDs, flash memory cards, USB sticks and hard drives that will no longer be used): physical destruction (shredding, crushing, surface grinding, disintegration, drilling, incineration, etc.). Most shredders can destroy CDs and DVDs. Degaussers for hard disks.

Machines containing hard disks (e.g. photocopiers, fax machines, scanners, printers): overwriting of the information on the hard disk, or removal and destruction of the hard disk when the machine is replaced.

Internal destruction or destruction by a third party

The Company has the option of destroying documents containing personal information itself. If its equipment does not allow it to do so securely, the Company can also enter into a contract with an external service provider. For example, the final destruction of data contained on a hard disk may require recourse to an external firm.

When a third party (service provider) is involved, a written contract must be drawn up specifying, among other things:

The Company secures the documents to be destroyed until the document destruction provider arrives. Finally, if the service provider fails to meet its commitments, the Company will terminate the contract and request the return of the personal information.

Taking steps to reduce risks

If the Company has reason to believe that a confidentiality incident involving personal information held by it has occurred, it must take reasonable steps to reduce the risk of harm being caused and to prevent similar incidents from occurring in the future.

The following questions are useful to quickly assess the situation:

The reasonable measures to be put in place depend on this state of affairs. Every situation is different. Even if all the relevant information is not known at the outset, it is important to react quickly. If necessary, the organization continues to adapt its measures or adopt new ones as the circumstances and impact of the incident become clearer.

For any confidentiality incident, the Company must assess the seriousness of the risk of harm to the individuals concerned. To do this, it must consider, in particular:

The organization should consult its privacy officer. It may also involve other players, such as the information security officer or external experts.

If the analysis reveals a risk of serious harm, the organization must notify the Commission and the persons concerned of the incident.

If this is not the case, the company must continue its work to reduce the risks and prevent a similar incident from occurring in the future.

When the incident poses a risk of serious harm to the individuals whose information is involved, the Company must promptly notify the Commission. All persons whose personal information is affected by the incident must also be informed by the organization. If the organization fails to inform the persons concerned, the Commission may order it to do so.

However, the organization does not have to notify the individuals whose personal information is concerned, if such notification is likely to hinder an investigation carried out under the law to prevent, detect or repress crime or breaches of the law.

The Regulation respecting confidentiality incidents determines the content and terms of the notices that must be sent to the Commission and to the persons concerned.

NOTICE TO THE COMMISSION D’ACCÈS À L’INFORMATION (CAI)

When a confidentiality incident presents the risk of serious harm, the organization must notify the Commission in writing. The CAI notification form specifies all the information to be provided. Once the notification form has been sent, the organization that becomes aware of new information must promptly communicate it to the Commission.

NOTICE TO INTERESTED PARTIES

The notice to the person concerned must inform him or her of the scope and consequences of the incident presenting the risk of serious harm.

This notice must contain:

In addition, an organization may give public notice in order to act quickly to reduce the risk of serious harm being caused, or to mitigate it. However, the organization is still required to notify the person concerned as soon as possible.

There are only three situations in which a public notice can be issued without sending a notice to the person concerned:

This notice may be given by any reasonable means enabling the person concerned to be contacted.

Notify persons likely to prevent or reduce the risk of serious harm

The organization may notify any person or organization likely to reduce the risk of serious harm. Only the necessary personal information may then be disclosed, without the consent of the person concerned. The organization’s privacy officer must record this communication.

Every organization must keep a register in which it records all confidentiality incidents involving personal information. Even incidents that do not present a risk of serious harm must be recorded. At the request of the Commission, the organization must provide a copy of its register.

The confidentiality incident register must contain the following information:

The information in the register must be updated and kept for a minimum period of five years, after the date or period when the organization becomes aware of the incident.

The Commission may order any person, after giving them the opportunity to present their observations, to apply any measure designed to protect the rights of the persons concerned. In particular, it may order that the personal information in question be returned to the organization or destroyed. A person who is the subject of an order issued without prior notice because, in the opinion of the Commission, there is urgency or a danger of irreparable harm may, within the time specified in the order, make representations so that the Commission can reconsider the order.

If the incident presents a risk of serious harm, the Commission may also order the organization to notify the persons concerned if it has failed to do so when required to do so.

In various contexts, organizations entrust personal information to third parties, who are responsible for its safekeeping. Even so, organizations remain responsible for all their obligations in the event of a confidentiality incident: measures to be taken, registers to be kept and updated, notices to be given, etc.

If you have any questions, complaints or concerns about the security or confidentiality of personal information, please contact Nathalie Tousignant, Privacy Officer, at dataprivacy@octantaviation.ca.

The Company undertakes to treat all complaints received confidentially. Within 30 days following receipt of the complaint or following receipt of all additional information deemed necessary and required by the Company’s Privacy Officer in order to process the complaint, the Privacy Officer shall evaluate the complaint and provide a reasoned written response by e-mail to the complainant. The purpose of this assessment will be to determine whether the Company’s handling of personal information complies with this policy, any other policies and practices in place within the organization, and applicable legislation or regulations.

If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons for the extension, the progress made in processing the complaint and the reasonable time required to provide a definitive response.

The Company must keep a separate file for each complaint it receives. Each file contains the complaint, the analysis and documentation supporting its assessment, as well as the response sent to the person who initiated the complaint.

It is also possible to file a complaint with the Commission d'accès à l'information du Québec or any other privacy oversight body responsible for the application of the law concerned by the subject of the complaint.

However, the Company invites any interested party to first contact its Privacy Officer and wait until the Company has completed its processing.

This policy takes effect on January 26, 2024.

Date of last update

This policy may be updated at any time by Company management to meet the needs of the organization.

Sources:

Summary of obligations – CAI website

https://www.cai.gouv.qc.ca/documents/CAI_Guide_obligations_entreprises_vf.pdf

Full obligations – CAI website

Act respecting the protection of personal information in the private sector (Private Sector Act)

https://www.legisquebec.gouv.qc.ca/fr/document/lc/P-39.1