Privacy policy

The Gouvernement du Québec has established and implemented internal policies and procedures designed to adequately protect personal or health information in its possession. It regularly reviews these policies and procedures.

The purpose of this privacy policy is to inform users of the Primary Care Access Point (hereinafter, the “Platform”) about the following:

• Collection of personal or health information
• Use of the collected personal or health information
• Access to the collected personal or health information
• Conservation of the collected personal or health information
• The rights of platform users with respect to the personal or health information collected

This policy complies with the rules set out in the Personal Information Protection and Electronic Documents Act, S.C. 2000, chapter 5, the Act respecting access to documents held by public bodies and the protection of personal information, RLRQ, chapter A-2.1, the Act respecting health information and social services, RLRQ, chapter R-22.1, and the Act respecting the protection of personal information in the private sector, RLRQ, chapter P-39.1 (collectively, the “Acts”). In the event of any discrepancy between this policy and the Acts, the latter shall prevail.

Subject to the exceptions and requirements of the Acts, no personal or health information is communicated or disclosed without the manifest, free, informed, and explicit consent of the user.

For minors under the age of 14, consent must be given by a parent or guardian.

Minors aged 14 and over may give their consent to the terms and conditions of the platform's privacy policy unless the law requires consent to be given by a parent or guardian.

Users agree that by using the platform, they consent to the following:

• To the conditions set out in this privacy policy
• To the collection, use and retention of the information listed in this policy

Users may withdraw their consent at any time by writing to msss_prp@msss.gouv.qc.ca, subject to certain applicable legal restrictions. The user may withdraw their consent so that their information is not made available in any way to:

• Their spouse, direct ascendant or direct descendant, if the information concerns the cause of death of the user
• a researcher, if the intended access is for the purpose of soliciting their participation in a research project
• a researcher who is not affiliated with a public institution in the health and social services network or with a private institution operating a hospital

In exceptional circumstances, it is possible to collect, use or disclose personal or health information without the user's consent. Such circumstances arise when, for legal, medical or security reasons, it is impossible or unlikely to obtain the user's consent, or when the information is required to apply the law.

Any factual or subjective information that directly or indirectly identifies a person is considered personal or health information. For example, such information may include, but is not limited to, a user's first and last name, address, telephone numbers, gender, e-mail address, marital status, lifestyle, or health information.

Information Collected Automatically by the Platform
When a user visits and uses the platform, the following information may be collected and stored automatically:

• IP address
• Location
• Details of the equipment and software used
• The content that the user consults on the platform

Information Not collected Automatically by the Platform
The personal or health information collected may vary depending on the functionalities of the platform used. It may include information from the following categories:

• Identification: last name, first name, postal address, e-mail address, telephone number
• Technological or numerical information: truncated IP address, pages visited, actions taken, connection details
• Demographic information: place of residence (via IP address), age category
• Medical information: health insurance number, care history, nature and number of procedures, drugs or health products, maternity status, disability status, information relating to a workplace accident or occupational disease

This information may be collected from forms or when using one of the platform's functions. Only information that helps provide services is collected. No other information is collected without the prior knowledge of the user.

Personal or health information collected on the platform will be used only for the purposes specified in this policy or to provide the services offered on the platform.

The information collected automatically is used to:

• Provide, perform and maintain the services
• Send transactional messages, including notifications, responses to questions, requests and comments
• Provide customer services and support
• Send technical notices, updates, security alerts, support and administrative messages
• Monitor and analyze trends, usage and activities related to the platform and services provided

The information collected when the user performs certain actions on the platform may be used to:

• Provide personalized services based on the user's health needs
• Communicate directly with health professionals and transmit the user's personal or health information
• Respond to user requests for information
• Enhance the platform's service offering
• Comply with legal requirements

The collection, use and disclosure of a user's personal or health information is limited to the purposes identified above. The user's personal or health information may only be consulted by certain authorized persons and only in the context of the tasks assigned to them. For example, when filling in a form for a callback request, the postal code may be asked to direct the request to the resource in the region responsible.

Employees
Users' personal or health information may be disclosed to any professional who needs it to achieve the objectives set out in this policy.

Third Parties
Users' personal or health information may be shared with third parties who provide the infrastructure to enable the services provided by the platform, such as, but not limited to, the web server and the tools used to maintain the platform. The government also reserves the right to share the user's personal or health information with public or para-public organizations for the purpose of providing services to the user. Third parties will only have access to the information necessary to achieve the objectives set out in this policy.

The user's personal or health information will not be sold or shared with a third party, except in the following cases:

• If the user's consent has been obtained in accordance with the law
• If required by the law
• If required for any judicial procedure

Users' personal or health information is not retained beyond what is necessary to fulfill the purposes for which it is collected. When the information is destroyed, the necessary measures are taken to maintain users’ confidentiality and ensure that no unauthorized person can access the information during and after the destruction process, in accordance with the government's records retention policy.

The government is committed to protecting users’ personal or health information. To prevent unauthorized access or disclosure of personal or health information, technical and organizational measures are in place to protect and ensure its security. To guarantee the security of personal or health information, the platform has been built using industry-standard encryption and authentication tools. Confidentiality of information is ensured by encryption at all times. A range of technical protection measures such as firewalls, antivirus and intrusion detection systems are in place to prevent abuse of the platform. While every precaution is taken to ensure that information is secure and users are protected, there are always risks. Cyberspace can be vulnerable, so it is not possible to guarantee the security of user information beyond what is reasonable.

To help protect users' personal or health information, we recommend that users avoid using the platform from a public Wi-Fi network and remain vigilant to phishing attempts.

Users' personal or health information may only be accessed, processed, or collected in Canada.

Users have rights regarding their personal or health information. These rights may vary depending on geographic location and applicable laws governing the processing of personal or health information. To the extent prescribed by applicable law, with 20 business days' notice and subject to any regulatory restrictions, a user has the right to:

• Access and obtain a copy of all personal or health information collected about them
• Request to update or rectify personal or health information held, or to correct inaccurate or incomplete personal or health information
• Request information on how personal or health information is handled
• Demand rectification of personal or health information if its collection, communication or retention is not authorized by the Act
• Choose to withdraw or modify consent to the collection and use of information

Requests should be sent to the Person In Charge of Access to Information.

The information requested by the user will be provided within the legal time limit in force from the date of receipt of the written request. However, a fee may be charged for processing the request.

Any request for modification will be processed in accordance with applicable laws. In exceptional circumstances, the information requested may not be disclosed (for example, for legal or security reasons). These limitations are described in the Laws.

If a user wishes to have their personal or health information deleted or modified in any way, they must send their request to the Person In Charge of Access to Information.

Every effort is made to ensure that the user's personal or health information is accurate and complete for the purposes for which it was collected, used or disclosed.

The government is responsible for personal or health information in its possession, including information transmitted to third parties for the purpose of providing the requested service. It requires such third parties to store such information in accordance with strict confidentiality and security standards.

Notwithstanding the foregoing, the government is not responsible for personal or health information that it has not expressly collected, but that the user has shared, intentionally or unintentionally, for example by uploading a photo to the application. In any case, such information is not targeted by intelligence-gathering software. The government has no intention of collecting, sharing or using such information.

The privacy policies and guidelines put in place by the government to protect the privacy of users comply with the principles set out in the Acts.

This Privacy Policy may be amended to comply with Laws and to reflect any changes to the information collection process. If changes are made that require the user's consent within the meaning of the Laws, the user will be informed and given the opportunity to refuse to continue using the platform before the change takes effect.

For any questions concerning this confidentiality policy, contact the Person In Charge of Access to Information.