Privacy Policy

1. Policy statement

OCTANT AVIATION and its entities (hereinafter the “Company”) are committed to ensuring the protection, confidentiality and security of personal information, in accordance with applicable data protection laws.

• Objectives

The purpose of this policy is to ensure that all personal information is collected, used, stored and disclosed in accordance with the Privacy Act and other applicable laws (Civil Code, art. 3; Charter of Rights and Freedoms, art.5; Act respecting the legal framework for information technology) as well as with best practices in data confidentiality.

• Range

This policy applies to all employees, officers, consultants, subcontractors and suppliers who handle personal information in the course of their duties at our Company.

• Definitions

Personal information (PI): Personal information is information about a natural person that allows that person to be identified. It is confidential. With certain exceptions, it may not be communicated without the consent of the person concerned.

Privacy Officer: Every company is responsible for protecting the personal information it holds. The person with the highest authority is responsible for ensuring compliance with and implementation of the Act respecting the protection of personal information in the private sector (Private Sector Act). This person is responsible for the protection of personal information, and may delegate this function in writing, in whole or in part, to any person with the required skills and significant decision-making authority.

Commission d’accès à l’information du Québec (CAI): The Commission is both an administrative tribunal and an oversight body that oversees the application of the Access Act and the Privacy Act. It also sees to the promotion and respect of citizens’ rights to access documents held by public bodies, and to the protection of their PI.

Confidentiality incident: a confidentiality incident is any unauthorized access, use or disclosure of a PR, as well as the loss of a PR or any other breach of its protection. For example, a confidentiality incident could occur when :

• a member of staff consults a PR without authorization;
• a member of staff sends PR to the wrong recipient;
• the organization is the victim of a cyber attack: phishing, ransomware, etc.

Consent : Giving consent means agreeing to something. It is a thoughtful act that must meet all these characteristics:

• Consent must be manifest, i.e. obvious, certain and indisputable;
• Consent must be free, i.e. given without coercion;
• Consent must be informed, i.e. it must be precise, rigorous and specific. The Company must indicate what information will be communicated, to whom, why and how, and what the consequences will be. The person giving consent must be sufficiently informed about the communications that will be made to enable him or her to make an informed judgment about the scope of the consent;
• Consent is also given for specific purposes and for the duration necessary to achieve the purposes for which it was requested. The duration will not necessarily be related to a number of days, months or years, but may refer to a specific event or situation.
• Roles and responsibilities

Person responsible for PR in the company

The person’s title and contact details can be found on the Company’s website. Within the Company, the person in charge is Nathalie Tousignant, President and CEO.

By law, it has specific roles to play. In the event of a confidentiality incident involving personal information, she must :

• record communications made to any person or organization likely to reduce the risk to the person concerned following the incident;
• take part in assessing the damage caused by the incident;

It must also conduct a Privacy Impact Assessment (PIA) when required by law, for example, before disclosing PII outside Quebec, or during any project involving the acquisition, development or redesign of an information system, or the electronic delivery of services involving PII. Companion Guide – PIA

Anyone involved in a confidentiality incident involving a PR :

The law assigns him specific roles. In the event of a confidentiality incident involving personal information, he must :

• record communications made to any person or organization likely to reduce the risk to the person concerned following the incident;
• take reasonable steps to reduce the risk of harm being caused to those concerned, and to prevent similar incidents from occurring in the future;
• notify the Commission and the person concerned if the incident presents a risk of serious harm;
• keep an incident register, a copy of which must be sent to the Commission at its request
• Protection of personal information

Companies that collect, use, communicate to third parties, retain or destroy personal information have a number of obligations under the Act respecting the protection of personal information in the private sector.

PR life cycle

Collection

The first stage in the personal information life cycle, collection is the point at which personal information is :

• collected (e.g. subscription form, survey, Web analytics tools);
• created (e.g. membership or driver’s license number);
• inferred (e.g. consumer profile), i.e. deduced from other information.

Viewing personal information, such as that contained on a piece of identification, also constitutes collection, even if it is not subsequently retained.

Collection is carried out by the Company or a third party, such as an agent or service provider.

At this stage, the following obligations must be met in order to protect personal information:

• Determining the purpose of the data collection: a serious and legitimate interest must justify the creation of a file on an individual;
• Limiting collection of personal information: The collection of personal information shall be limited to that which is necessary for the purposes identified. When in doubt, personal information is deemed unnecessary;
• Collect personal information by lawful and legitimate means: with few exceptions, personal information must be collected from the person concerned;
• Inform the person concerned before compiling a file:
  • the subject of the file;
  • how personal information will be used;
  • the categories of people who will have access to it within the Company;
  • where they will be held;
  • access and rectification rights.
• Obtain the consent of the persons concerned before collecting their personal information from a third party, unless an exception is provided for by law (see exceptions in section 18 – Act respecting the protection of personal information in the private sector).

The Company shall not refuse to provide a good, service or employment to a person who refuses to provide personal information, except as provided by law.

Use

Use is the period during which personal information is used by authorized persons within the Company.

At this stage, the Company must comply with the following obligations:

• Limit access to personal information to only those persons entitled to receive it within the Company when such information is necessary for the performance of their duties;
• Limiting the use of personal information: unless an exception is provided for by law, the Company must obtain the consent of the person concerned to use his or her information once the purpose of the file has been fulfilled.

Communication

Disclosure is the period during which personal information is communicated, for example in an electronic service delivery system, by e-mail, to customer service, through Web sites or to a third party.

At this stage, the Company must comply with the following obligations:

• Obtain the consent of the persons concerned to communicate their information to a third party (e.g. insurer or service provider), unless an exception is provided for by law;
• Comply with legal obligations when disclosing personal information without the consent of the person concerned;
• Respect specific obligations applicable to the communication of personal information outside Quebec.

Conservation

Retention is the period during which the Company keeps personal information in any form, regardless of whether the information is actively used.

At this stage, the Company must comply with the following obligations:

• Ensuring the quality of personal information by ensuring that the personal information it holds is up-to-date and accurate at the time it is used to make a decision about the individual concerned;
• Take security measures to ensure the safety of personal information.

Destruction

The life cycle of personal information ends when it is destroyed.

At this stage, the Company must :

• Destroy personal information in a secure manner as soon as the purpose for which it was collected has been fulfilled, subject to the time limit stipulated by law or by a retention schedule established by government regulation (e.g. for tax purposes).

Other obligations: security, access and rectification

• Implement security measures to ensure the protection of personal information that is collected, used, disclosed, retained or destroyed.
  • These measures are reasonable in light of, among other things, the sensitivity, purpose, amount, distribution and medium of the personal information.
• Enable the exercise of rights of access and rectification and respond promptly, within 30 days, to requests for access to personal information and for rectification submitted by the persons concerned.
  • Failure to reply within this time limit is equivalent to a refusal. A person may contest a refusal or a response deemed unsatisfactory by exercising his or her right of recourse before the Commission d’accès à l’information.

Destruction of RPs containing RPs

As a private company, the Company is responsible for ensuring the confidential management of personal information, from collection to destruction. Once the purpose for which the Company collected the personal information has been fulfilled, it is immediately obliged to destroy it in a secure manner. The only restriction on this obligation to destroy is the time limit stipulated by law, or by a retention schedule established by government regulation (e.g., for tax purposes).

As of September 22, 2023, applicable laws provide for an alternative to the destruction of personal information. Depending on whether the purpose for which the information was collected has been fulfilled, it may be possible to keep it, while anonymizing it so that it can be used for serious, legitimate purposes:

• Information concerning a natural person is anonymized when it is, at all times, reasonable to foresee in the circumstances that it will no longer make it possible, in an irreversible manner, to identify that person directly or indirectly.

Caution and vigilance are required when anonymizing personal information in this context. This is a complex process designed to ensure that a natural person cannot be re-identified by any technological means.

The destruction procedure

Personal information has a life cycle of its own: from collection to destruction, it passes through phases of use and retention, and sometimes through communication to third parties.

The Company has an obligation to protect personal information. Applicable laws set out rules for security and destruction.

The Company takes security measures to ensure the protection of personal information that is collected, used, disclosed, retained or destroyed. Such measures shall be reasonable in light of the sensitivity of the information, the purpose for which it is to be used, its quantity, distribution and medium.

Once the purposes for which personal information was collected or used have been fulfilled, the organization must destroy or anonymize it.

The Commission recommends that a document management procedure be put in place and that those responsible for ensuring that it is properly applied be identified.

It is important to make this procedure known to all staff. In particular, this procedure should aim to :

• Inventory the types of documents containing personal information (human resources files, customer databases, etc.);
• Define document confidentiality levels (e.g. protected, confidential and secret) according to criteria of sensitivity, purpose, quantity, distribution and medium.

Applicable laws oblige the Company to protect personal information contained in all types of physical or digital documents, in the broadest sense, whether in written, graphic, sound, visual, computerized or other form. Note that a database, for example, is considered a document:

• Distinguish between different types of media and associate appropriate storage and disposal methods (e.g. paper, digital);
• Determine a retention schedule that complies with legal requirements.

The method of destruction must be adapted to the medium and level of confidentiality of the documents, and must ensure that the personal information they contain is destroyed once and for all.

A number of techniques are available for definitive destruction:

Media used	Example of destruction methods
Paper (original and all copies)	Shredder, preferably cross-cut.   For highly confidential documents: shredder + incinerator.
Digital media to be reused or recycled e.g. flash memory cards (SD, XD cards, etc.) USB sticks, computer hard drives	Formatting, rewriting, digital shredding (software that performs a secure deletion and writes random information to the location of the deleted file).
Non-reusable digital media e.g. certain CDs, DVDs, flash memory cards, USB sticks and hard drives that will no longer be used	Physical destruction (shredding, crushing, surface grinding, disintegration, drilling, incineration, etc.).   Most shredders can destroy CDs and DVDs.   Demagnetizers for hard disks.
Machines containing hard disks e.g. photocopiers, fax machines, scanners, printers, etc.	Overwriting of information on the hard disk, or hard disk removed and destroyed when machines are replaced.

Internal destruction or destruction by a third party

The Company has the option of destroying documents containing personal information itself. If your equipment does not allow you to do this securely, the Company can also enter into a contract with an external service provider. For example, the final destruction of data contained on a hard disk may require recourse to an external firm.

When a third party (service provider) is involved, a written contract must be drawn up specifying, among other things:

• The destruction process;
• That the service provider recognizes the confidentiality of the information processed and that it may not retain it for its own purposes;
• That the service provider will inform his customer if he uses a subcontractor for the destruction;
• That a confidentiality agreement will be signed by the service provider’s employees;
• Safe storage of documents to be destroyed;
• That it is possible for the customer to access the service provider’s premises during the term of the contract;
• That the service provider is obliged to report regularly to the customer on the destruction of documents;
• That the provider must notify the customer without delay in the event of a breach or attempted breach of obligations relating to the security or confidentiality of information.

The Company secures the documents to be destroyed until the document destruction provider arrives! Finally, if the service provider fails to meet its commitments, the Company will terminate the contract and request the return of personal information.

• Obligations in the event of a confidentiality incident

1. Taking steps to reduce risks

If the Company has reason to believe that a confidentiality incident involving personal information held by it has occurred, it must take reasonable steps to reduce the risk of harm being caused and to prevent similar incidents from occurring in the future.

The following questions are useful to quickly assess the situation:

• Who: Who is affected by the incident? Are they employees, customers or business partners? Who may have had access to the personal information?
• How many: how many people are affected by the incident?
• What: What is the nature of the personal information involved in the incident? Is it sensitive information? What are the risks for the individuals concerned?
• When: when did the incident take place? When was it discovered?
• Where: where did the incident take place? Within the organization? If so, in which sector? Did the incident take place at the premises of a third party holding personal information on behalf of the organization (e.g.: an agent, a supplier)?
• Why: what were the causes? What safety measures were in place at the time of the incident? Why weren’t they effective?

The reasonable measures to be put in place depend on this state of affairs. Every situation is different. Even if all the relevant information is not known at the outset, it is important to react quickly. If necessary, the organization continues to adapt its measures or adopt new ones as the circumstances and impact of the incident become clearer.

• Assess whether the incident presents a risk of serious harm

For any confidentiality incident, the Company must assess the seriousness of the risk of harm to the individuals concerned. To do this, it must consider, in particular:

• the sensitivity of the information concerned;
• the apprehended consequences of their use;
• the likelihood of them being used for harmful purposes.

The organization should consult its privacy officer. It may also involve other players, such as the information security officer or external experts.

If the analysis reveals a risk of serious harm, the organization must notify the Commission and the persons concerned of the incident.

If this is not the case, the company must continue its work to reduce the risks and prevent a similar incident from occurring in the future.

• Notify the Commission and the persons concerned

When the incident poses a risk of serious harm to the individuals whose information is involved, the Company must promptly notify the Commission. All persons whose personal information is affected by the incident must also be informed by the organization. If the organization fails to inform the persons concerned, the Commission may order it to do so.

However, the organization does not have to notify the individuals whose personal information is concerned, if such notification is likely to hinder an investigation carried out under the law to prevent, detect or repress crime or breaches of the law.

The Regulation respecting confidentiality incidents determines the content and terms of the notices that must be sent to the Commission and to the persons concerned.

NOTICE TO THE COMMISSION D’ACCÈS À L’INFORMATION (CAI)

When a confidentiality incident presents the risk of serious harm, the organization must notify the Commission in writing. The CAI notification form specifies all the information to be provided. Once the notification form has been sent, the organization that becomes aware of new information must promptly communicate it to the Commission.

NOTICE TO INTERESTED PARTIES

The notice to the person concerned must inform him or her of the scope and consequences of the incident presenting the risk of serious harm.

This notice must contain :

• A description of the personal information involved in the incident. If this information is not available, the organization must provide the reason why this description cannot be provided;
• A brief description of the circumstances surrounding the incident;
• The date or period when the incident took place, or an approximation of this period if not known;
• A brief description of the measures taken or envisaged to reduce the risk of damage being caused as a result of the incident;
• Measures proposed to the person concerned to reduce the risk of harm being caused or to mitigate it;
• Contact details of a person or department that the person concerned can contact to obtain further information about the incident.

In addition, an organization may give public notice in order to act quickly to reduce the risk of serious harm being caused, or to mitigate it. However, the organization is still required to notify the person concerned as soon as possible.

There are only three situations in which a public notice can be issued without sending a notice to the person concerned:

• Giving notice may cause greater harm to the person concerned;
• The transmission of the notice represents an excessive difficulty for the organization;
• The organization does not have the contact details of the person concerned.

This notice may be given by any reasonable means enabling the person concerned to be contacted.

Notify persons likely to prevent or reduce the risk of serious harm

The organization may notify any person or organization likely to reduce the risk of serious harm. Only the necessary personal information may then be disclosed, without the consent of the person concerned. The organization’s privacy officer must record this communication.

• Keep a confidentiality incident register (confidentiality incident register template – Government of Quebec).

Every organization must keep a register in which it records all confidentiality incidents involving personal information. Even incidents that do not present a risk of serious harm must be recorded. At the request of the Commission, the organization must provide a copy of its register.

The confidentiality incident register must contain the following information:

• A description of the personal information involved in the incident. If this information is not available, the organization must indicate the reason why this description cannot be provided;
• a brief description of the circumstances surrounding the incident;
• The date or period when the incident took place, or an approximation of this period if not known;
• The date or period during which the organization became aware of the incident;
• The number of people affected by the incident or, if not known, an approximate figure;
• A description of the factors that lead the organization to conclude that there is, or is not, a risk of serious harm to the persons concerned, such as :
  • the sensitivity of the personal information concerned;
  • possible misuse of information;
  • the apprehended consequences of using the information and the likelihood of it being used for harmful purposes;
• The dates on which notices were sent to the Commission and to the persons concerned, when the incident presents the risk of serious harm. The organization must also specify whether it has given public notices and the reason for them;
• A brief description of the measures taken by the organization following the incident, to reduce the risk of harm being caused.

The information in the register must be updated and kept for a minimum period of five years, after the date or period when the organization becomes aware of the incident.

• Commission’s power to order

The Commission may order any person, after giving him the opportunity to present his observations, to apply any measure designed to protect the rights of the persons concerned. In particular, it may order that the personal information in question be returned to the organization or destroyed. A person who is the subject of an order without prior notice because, in the opinion of the Commission, there is urgency or danger of causing irreparable harm, may, within the time specified in the order, make representations to allow the Commission to reconsider the order.

If the incident presents a risk of serious harm, the Commission may also order the organization to notify the persons concerned if it has failed to do so when required to do so.

• Responsibility for PR stored by a third party

In various contexts, organizations entrust personal information to third parties, who are responsible for its safekeeping. Even so, organizations remain responsible for all their obligations in the event of a confidentiality incident: measures to be taken, registers to be kept and updated, notices to be given, etc.

• Handling complaints

If you have any questions, complaints or concerns about the security or confidentiality of personal information, please contact Nathalie Tousignant, Privacy Officer, at dataprivacy@octantaviation.ca.

The Company undertakes to treat all complaints received confidentially. Within 30 days following receipt of the complaint or following receipt of all additional information deemed necessary and required by the Company’s Privacy Officer in order to process the complaint, the Privacy Officer shall evaluate the complaint and provide a reasoned written response by e-mail to the complainant. The purpose of this assessment will be to determine whether the Company’s handling of personal information complies with this policy, any other policies and practices in place within the organization, and applicable legislation or regulations.

If the complaint cannot be processed within this timeframe, the complainant must be informed of the reasons for the extension, the progress made in processing the complaint and the reasonable time required to provide a definitive response.

The Company must keep a separate file for each complaint it receives. Each file contains the complaint, the analysis and documentation supporting its assessment, as well as the response sent to the person who initiated the complaint.

It is also possible to file a complaint with the Commission de l’accès à l’information du Québec or any other privacy oversight body responsible for the application of the law concerned by the subject of the complaint.

However, the Company invites any interested party to first contact its Privacy Officer and wait until the Company has completed its processing.

• Effective date

This policy takes effect on January 26, 2024.

1. Date of last update

This policy may be updated at any time by Company management to meet the needs of the organization.

Sources :

Summary of obligations – CIA website

https://www.cai.gouv.qc.ca/documents/CAI_Guide_obligations_entreprises_vf.pdf

Full obligations – CIA website

Private Sector PR Protection Act

https://www.legisquebec.gouv.qc.ca/fr/document/lc/P-39.1 –