The C-25 Law in Quebec, formally known as the Law on the Protection of Personal Information in the Private Sector, applies to businesses that handle personal information. Due to the nature of its activities, the Clinique Vétérinaire de L’Outaouais collects and uses personal information such as clients’ names, addresses, and email addresses. Therefore, it is essential to ensure the judicious and secure use of this data.
I. Personal Information Protection Officer
This person will be responsible for overseeing the management of personal data and ensuring compliance with privacy laws.
II. Evaluation of Data Collection Processes
Personal data is mainly collected when opening an animal file. Thus, the client’s name, address, phone numbers, and email address are associated with the animal’s file, which contains the patient’s name, description, weight, and date of birth.
Discretion must be observed when collecting data at the reception desk.
The Clinic uses personal data for its internal records. The data is also used when a third party is involved in the animal’s health. The data is used, among other things, for external laboratories, radiology interpretations, ultrasound requests, the visit of a specialist to the animal clinic, animal referral, or transfer of its file to another veterinary establishment, enrollment in an insurance trial, insurance claims, and writing an external prescription.
The Clinic sometimes uses a client’s credit card number to make a purchase or take a deposit over the phone.
The data is stored in the LOGIVET software.
III. Obtaining Consent
Until now, consent to obtain and use personal data was given verbally. The client who accepted veterinary services at our Clinic also agreed to the use of the transmitted personal data. Following the entry into force of Law C-25, a consent form will be signed by the client during their next clinic service provision and added to the file as evidence.
IV. Limits of Use and Disclosure
We use the personal information that the client provides us for various reasons:
1. Provide quality veterinary care tailored to the animal
2. Plan and manage appointments and treatments
3. Communicate with the client regarding animal care
4. Bill for services and process payments
5. Respond to client questions and concerns
6. Refer the animal for specialized care in the clinic or another facility
7. Make a request related to medical insurance for the animal
Personal information will not be sold to third parties or posted online.
We only disclose personal information with explicit consent (verbal or written), except where required by law, such as in the case of reporting a contagious disease or legal proceedings.
V. Data Security
Data is stored in the Logivet software. Backups in the CLOUD are periodically performed, only owners have access to administrative functions, the server is isolated from the rest of the network, and it is protected by a firewall to reduce the risk of ransomware. The operating systems are always up to date with the latest Microsoft updates, antivirus software is kept up to date, and staff are trained on cyber risks. Printed documents containing personal information are securely destroyed internally. Physical documents that need to be retained, according to OMVQ standards, are stored at the Clinic, in a non-publicly accessible location, until their destruction.
VI. Privacy Policy
The privacy policy of the Clinique Vétérinaire de L’Outaouais is accessible on the company’s website www.veterinairecvo.com
Privacy Policy at Clinique Vétérinaire de L’Outaouais.
The protection of our clients’ personal information is of the utmost importance to us. We are committed to ensuring the confidentiality and security of all the information you entrust to us. This document aims to explain how we collect, use, disclose, and protect your personal information.
Collection of Personal Information:
When you use our services, we may need to collect personal information about you and your pet. This information may include, but is not limited to:
1. Your contact details (name, address, phone number, email address)
2. Information about your pet (name, species, breed, age, medical history)
3. Details about medical treatments and appointments
4. Payment information for the services you have received
Use of Personal Information:
We use the personal information you provide us for the following reasons:
1. Providing quality veterinary care tailored to your pet
2. Planning and managing appointments and treatments
3. Communicating with you regarding your pet’s care
4. Billing for services and processing payments
5. Responding to questions and concerns
6. Referring your pet for specialized care in the clinic or another facility
7. Making a request related to medical insurance for your pet
Personal information will not be sold to third parties or posted online.
Disclosure of Personal Information:
We only disclose your personal information with your explicit consent, except where required by law, such as in the case of reporting a contagious disease or legal proceedings.
Retention of Personal Information:
The information collected and recorded in the medical record will be kept, as required by the Ordre des Médecins Vétérinaires du Québec, for a minimum of 5 years after the last professional service provided. Subsequently, the client’s personal information and the animal’s medical record may be securely destroyed.
Protection of Personal Information:
We take appropriate security measures to protect your personal information against unauthorized access, loss, disclosure, or alteration. Our employees are trained in confidentiality and only have access to your information as part of their work to provide care for your pet.
Access and Correction:
You have the right to access your personal information held by us and to correct it if inaccurate. To exercise these rights, please contact us at 819-663-5522 or by email at hvb2005@yahoo.ca.
We are committed to respecting the confidentiality of your personal information. If you have any questions or concerns about our privacy policy, please feel free to contact us. We are here to help and ensure the best care for your pet.
Date of last policy update: December 18, 2023
VII. Staff Training
The staff adheres to the privacy policy of Clinique Vétérinaire de L’Outaouais by signing the Employee Manual at each renewal of mandate. The signed section reads as follows:
Employee Commitment
I hereby commit to respecting the Code of Ethics and Professional Conduct of Clinique Vétérinaire de L’Outaouais, which includes the following main provisions:
Confidentiality
Every employee of the Clinic undertakes to respect the confidentiality of all information concerning the internal and external management of the company. The employee acknowledges that information and documents relating to the Clinic, its clients, and its suppliers to which they have access in the course of their duties are confidential and belong to them.
The employee must therefore:
• Respect the confidential nature of any information and document concerning the Clinic, its clients, and its suppliers;
• Not use for personal gain, or for any purpose other than the mandates entrusted to them, confidential information concerning the Clinic, its clients, and its suppliers without obtaining the prior written authorization of the Clinic.
• Not discuss or disclose any confidential information about the Clinic, its clients, and its suppliers that could harm them. Remain bound by this confidentiality commitment, even after the end of my employment at the Clinique Vétérinaire de L’Outaouais.
VIII. Access and Rectification
Individuals have the right to access their personal data held by the company and to request corrections if necessary. Requests should be addressed to the personal information protection officer via email at hvb2005@yahoo.ca.
IX. Complaints Management
See Appendix for the Personal Information Complaints Management Process
X. Data Breach Preparedness
See Appendix for the Data Breach Response Plan
Personal Information Complaints Management Process
Step 1: Complaint Receipt
• Complaints should be addressed to the email address: hvb2005@yahoo.ca
• Received complaints should be documented and recorded in the Clinique Vétérinaire de L’Outaouais complaint register: details of the complainant, nature of the complaint, and date of receipt.
Step 2: Acknowledgment
• Send an acknowledgment to the complainant to confirm that their complaint has been received and is being processed.
• Inform the complainant of the estimated timeframe for resolving the complaint.
Step 3: Complaint Evaluation
• Evaluate the complaint to determine its validity and urgency.
• Assign the complaint to a competent staff member (e.g., the personal data protection officer).
Step 4: Investigation
• Gather all necessary information to understand the complaint, including relevant documents and testimonies.
• Analyze the information to identify the causes of the complaint and determine if a violation of company policies or laws has occurred.
Step 5: Resolution
• Develop an action plan to resolve the complaint. This may include corrective measures, formal apologies, or other appropriate responses.
• Inform the complainant of the investigation results and actions taken.
Step 6: Follow-up
• Ensure follow-up with the complainant to ensure that the resolution is satisfactory.
• If necessary, revise company policies and practices to prevent future similar complaints.
Step 7: Documentation and Reporting
• Document the complaint handling process and its outcome and keep the document in the company’s complaint register.
• Prepare an annual report on received complaints, their management, and lessons learned for company management.
Data Breach Response Plan
The team responsible for personal information management at Clinique Vétérinaire de L’Outaouais consists of the two partners, Daniel Leduc and Marie-Claude Lussier, the Logivet IT manager, and the Clinic’s personal information protection officer, Nadia Poulin. The team ensures that the personal information protection policy is understood and followed by employees. It also ensures that tools and resources are provided to detect, analyze, and contain data breaches.
1. Detection and Analysis
Incident Detection: Implement monitoring systems to quickly detect potential data breaches.
Initial Assessment: Once a breach is detected, quickly assess the extent and nature of the incident.
2. Containment, Eradication, and Recovery
Containment: Take immediate steps to limit the extent of the breach.
Eradication: Identify and eliminate the cause of the breach to prevent recurrence.
Recovery: Restore affected systems and data to their normal operational state.
3. Notification
Internal Notification: Immediately inform management and the incident response team.
Notification to Authorities: If the breach presents a serious risk of harm, notify the relevant regulatory authorities in accordance with the requirements of Law C-25.
Notification to Affected Parties: Clearly and promptly inform affected individuals of the nature of the breach, actions taken, and ways to minimize impacts.
4. Post-Incident
Post-Incident Analysis: Conduct a comprehensive analysis of the breach to identify gaps in security policies and procedures.
Improvements: Implement changes to strengthen security and prevent future breaches.
Follow-up Report: Prepare a detailed report on the incident, its management, lessons learned, and actions taken.
Communication: Maintain transparent communication with all stakeholders throughout the process.