Privacy and Data Protection Policy
The Montreal Clinical Research Institute (the “IRCM”) is a non-profit organization committed to excellence in fundamental and clinical health research. Affiliated with the Université de Montréal and associated with McGill University, the IRCM offers training and academic supervision to graduate students and interns. Our CHUM-affiliated clinic combines care, teaching and research to promote a better understanding of certain diseases, with a view to improving diagnosis and treatment. For these purposes, we process certain personal information relevant to our activities in the areas of care, fundamental and clinical research, academic training, employment and participation in events. The processing of personal information collected by the IRCM, including that obtained through third-party platforms, is governed by the Act respecting the protection of personal information in the private sector.
This Privacy and Data Protection Policy (the “Policy”) sets out our practices for collecting, using, disclosing and retaining personal information. By providing us with your personal information (see hereunder the section entitled “HOW DOES THE IRCM COLLECT YOUR PERSONAL INFORMATION?”), you agree to the processing of this personal information in accordance with this Policy and you authorize the IRCM, its third-party partners and service providers to process your personal information for the purposes set out below in accordance with this Policy.
This Policy does not apply to third-party websites that may be accessed through links on our website. When you click on third-party links on our website, you will be directed to websites with separate and independent privacy policies. We encourage you to carefully review any privacy policy before submitting your personal information.
In addition, please note that our website collects basic technical information related to Internet browsing. For more details, see the "Terms of Use" on our website.
What personal information does the IRCM collect?
We may collect and process different types of personal information when necessary, depending on the nature of the activities (care, research, training, etc.) and the nature of our relationship with the person concerned (patient, employee, student, etc.) in compliance with the law and with the extent of his/her consent, as required by law, including:
- Relevant personal contact information such as first names, last names, addresses, email addresses, dates of birth and telephone numbers;
- Information required for care or clinical or fundamental research projects, such as RAMQ numbers and information on physical and mental health (history, medications, laboratory results, etc.), ethnic origins, sexual practices, family situation, religious, moral or ethical opinions. When presenting research results, research participants cannot be identified, as data is presented in aggregated form or has been de-identified;
- Recruitment information such as social insurance numbers, passport, work permit, driver’s license and registration numbers, curriculum vitae information, educational information such as university ID numbers, diplomas and transcripts information, work history, details of professional affiliations, job titles, names of employers, professional and/or personal background, references, criminal history, credit history, medical follow-up documents, and other information relevant to potential recruitment and employment follow-up by the IRCM;
- Tax and financial information such as billing, payment details or specimen cheques;
- Information relating to participation in IRCM events, as well as related information such as food preferences, photos and video or audio content;
- Comments and answers to surveys;
- Your interest in contributing to our Foundation’s philanthropic efforts and your affiliations with IRCM clinics, if any;
- Proof of consent given to us (date, time, means) for the processing of personal information when required;
- Any other personal information provided.
Please note that if you provide us with personal information about other individuals (such as your clients, employees and applicants), you must ensure that you have duly notified them that you are providing us with their information and confirm that you have obtained their consent to such disclosure.
How does the IRCM collect your personal information?
We collect the personal information you provide during your interactions with us:
- When you open a clinical file and receive care from the healthcare professionals working at our CHUM-affiliated clinic, the collection and communication of certain medical information is subject to specific consents and laws that will be presented and explained to you in due course, if applicable;
- When you consent to participate in a clinical study or in a research biobank/registry and thereafter in accordance with the applicable consent form signed by you, if any;
- When you apply as an employee, student or consultant and, if applicable, when your application is accepted and thereafter to create and update your file;
- When you register and participate in activities we organize;
- When you complete forms on our website;
- When relevant verification processes are required, including for ethical purposes and the declaration and management of conflicts of interest for our employees, students and professionals.
We also collect publicly available information, particularly on public and social media platforms.
How does the IRCM use your personal information?
We may use personal information in any way set out below, with your consent or, if applicable, where permitted by law. In each case, we indicate the purposes for which we use your personal information:
- To provide you with appropriate care and monitor your medical conditions in accordance with applicable laws and standards;
- To carry out, administer or conduct our research projects, clinical studies or research biobanks/registries;
- When recruiting employees, consultants, students or participants for clinical studies or research biobanks/registries – to enable us to assess whether an individual meets the requirements of the IRCM, of one of our academic programs or clinical studies or of the biobank/research registries, including to fulfill our obligations under any agreement with you;
- To share information about IRCM developments, invitations to events, in particular through publishing visual or audio content on third-party sites and social networks such as LinkedIn, or for the purpose of creating your profile as a director, officer, researcher or professional on our website;
- To prevent fraud or conduct other background or conflict-of-interest checks which may, for instance, be required at any time by applicable law, regulation or best practices (if the information provided is false or inaccurate or fraud is detected or suspected, information may be disclosed to fraud prevention agencies and recorded by us or by such agencies);
- To comply with our legal or regulatory obligations, including reporting requirements, or to protect the rights of third parties;
- To facilitate the use of our websites and to ensure that content is relevant and presented in the most effective manner for you and your device.
We will use personal information only to achieve the applicable primary purpose and legitimate purpose for which it was collected or for purposes consistent with that primary purpose. Information collections may also be subject to various approvals or consents, such as the prior approval by the CHUM’s department of professional services, the IRCM’s or CHUM’s research ethics board, or an explicit consent.
With whom does the IRCM share personal information?
The personal information we collect may be shared with certain third-party service providers, research collaborators or IRCM partners to be processed as follows:
- To manage and maintain your medical file and transfer such file between healthcare professionals for the purposes of medical care;
- To conduct clinical studies or research projects, whether or not linked to research biobanks/registries;
- To recruit and hire human resources, and to manage employee files, including payroll, vacations, insurance, leave, pension plans, etc.;
- To enable our Foundation to carry out philanthropic solicitation in accordance with its privacy policy;
- To solicit database and website analysis services, for application development, hosting, maintenance, event organization and related services;
- To enable government authorities or agencies and law enforcement agencies to process information when required by applicable laws. More specifically, we may disclose personal and other information if we are required to do so by laws, including medical or tax laws, or if we believe in good faith that such disclosure is necessary to comply with applicable laws, respond to a court order or subpoena or a government search warrant, or otherwise to cooperate with such government authorities and law enforcement agencies.
We limit the information we so disclose to what is reasonably necessary for such third parties to perform their duties, and all of them are required, under a contract or legal obligation, to protect and maintain the confidentiality of such information. Such third parties shall destroy such information when it is no longer relevant to the services unless there is a legal obligation to retain such information. Sharing of information may also be subject to various approvals or consents, such as the prior approval by the CHUM’s department of professional services, the IRCM’s or CHUM’s research ethics board.
When does the IRCM assess privacy risks?
The IRCM assesses privacy risks and the means to mitigate identified risks before processing or sharing personal information considered more at risk in accordance with the law, including:
- Before undertaking a project to acquire, develop or overhaul an information system or an electronic service delivery system involving personal information;
- Before collecting or disclosing personal information to an organization with which IRCM collaborates to provide services or carry out a joint mission;
- Before disclosing personal information without the consent of the persons concerned, in particular to an individual or organization wishing to use this information for study, research or statistical purposes;
- Before transferring personal information outside the Province of Quebec.
For how long and where does the IRCM retain personal information?
We will retain personal information only as long as necessary for the purposes set out in this Policy and to comply with our statutory and regulatory obligations.
The IRCM stores personal information on its internal network or on the servers of its IT service providers.
Once the purposes for which the personal information was collected have been fulfilled, the information is destroyed or anonymized, in accordance with the retention periods and mechanisms as provided by law.
How does the IRCM protect personal information?
We ensure that our practices are aligned with generally accepted industry standards to fulfill our obligations regarding protection of personal information. We maintain administrative, physical and technological measures to protect the personal information we process and meet our obligations under applicable privacy laws. We also ensure that access to your personal information is restricted to those persons who need your information to fulfill their duties.
Nevertheless, despite our precautions, incidents may occur, and we cannot guarantee the security of the information you knowingly provide to us. Members of our community and third-party partners are required to report any confidentiality incident of which they become aware in accordance with our confidentiality incident management procedure. In the event of a confidentiality incident presenting a risk of serious damage related to your personal information, we will notify you and the Commission d’accès à l’information as soon as possible after becoming aware of the incident, as per the applicable law. We will take reasonable measures to reduce the risk of damage and prevent further incidents of a similar nature. In addition, any person who violates this Policy is subject to sanctions in accordance with the applicable rules.
If you have reason to believe that your personal information has been compromised, please communicate with us as indicated in the section entitled “HOW TO CONTACT US?”.
What rights do individuals have concerning their personal information?
In certain circumstances and under applicable data protection and privacy laws, individuals have the following rights concerning their personal information:
- Right to access their personal information and to receive a written or electronic copy of such information;
- Right to request correction of their personal information where such information is incomplete or inaccurate;
- Right to be informed if a decision is based exclusively on the automated processing of their personal information;
- Right to withdraw consent to the use and disclosure of their personal information.
To exercise any of these rights, please communicate with us as indicated in the section entitled “HOW TO CONTACT US?”.
Finally, you may file a complaint with a data protection supervisory authority in the country, province or state in which you normally reside (in Quebec, the designated authority is the Commission d’accès à l’information) or where we are located or where an alleged breach of data protection laws has occurred.
How do we use cookies and similar technologies?
For detailed information about the cookies we use, please refer to the “Terms of Use” available on our website.
How to contact us?
To submit a request or report under this Policy regarding your personal information, please communicate with our Data Protection Officer: Secretary General, at the following address:
donnees.personnelles@ircm.qc.ca
Updates
This policy may be updated from time to time in order to comply with changes in applicable legislation and practices relating to protection of personal information.
This policy was last updated on September 15, 2023.