AAPI Privacy and Information Security Policy
The Association of Access to Information and Privacy Professionals (AAPI) collects, uses, and retains certain personal information to fulfill its mission of developing access to information and privacy professionals.
The collection and use of personal information is restricted to individuals who need it in the performance of their duties. Exceptionally, and after an assessment, personal information may be disclosed to third parties. Among other purposes, personal information may be used for educational and administrative purposes or to enable access to the services offered by AAPI.
AAPI implements reasonable measures to ensure the security of the personal information it collects, uses, and retains.
Principles underlying our commitments
This Policy is based on legal obligations and generally accepted privacy principles. Its primary objective is to limit the collection of personal information to what is necessary and to use it for specific purposes.
Therefore, the AAPI is committed to:
A. Limiting the collection of personal information to what is necessary and useful for specific purposes;
B. Obtaining your consent when required;
C. Respecting your rights regarding your personal information;
D. Ensuring the security and confidentiality of your information;
E. Demonstrating transparency in the processing of your information.
A. Limiting the collection of personal information to what is necessary and useful for specific purposes
Information is collected only to fulfill the purposes for which it was collected, or for compatible purposes, as mentioned in the "obtaining your consent" section; and
directly from you or from a person you have designated, such as your manager, or from a third party with whom we have established a service contract.
The AAPI collects your information through various means:
• Through a secure web form or a secure third-party application;
• Through unsecured email (in which case, we encourage you not to provide any personal information);
• By telephone, by an authorized staff member, or when you leave a message.
In accordance with Section 8 of the Act Respecting the Protection of Personal Information in the Private Sector, your information will be treated confidentially and will only be used by the AAPI for administrative and educational purposes. Staff members, whether salaried, contract, or volunteer, have access only to the information necessary to perform their duties. Access profiles based on purpose and need have been established. These profiles cover functions relevant to member services, marketing and communications, finance and accounting, and legal, legal, and corporate activities.
The AAPI collects personal information categorized as follows:
| Categories | Exemples |
| Identity information | Name, correspondance adress, telephone, email adress, membership number, person designated on the account. |
| School or training information | Courses taken at AAPI, course schedule, absence or presence in class, results of the professional certification exam, training needs and professional objectives. |
| Work or employment information |
For members : position held/function, organization, company, number of years of employment experience, membership in a professional association, etc. For job applicants or salaried ofr volunterr staff members : application content or resume, social security number, start date, emplyment status, salary and social security contributions, vacation dates, reasons for absences, sick leave database, and word performance appraisal. |
| Information on products and services held | History of activities followed, membership and renewal, authorized access to tools and platforms, appreciation form if signed, participation in surveys or consultations, etc. |
| Financial information |
For members : membership pricing, billing address, credit cadr number, bank details, invoice number, etc. For job applications or salaried or volunteer staff members: Income, tax paid, tax deductions, bank account number, government benefits - social assistance, annuity, employment insurance. |
| Authentication and navigation information | "Cookies" are pieces of data stored by an HTTP server on your computer's hard drive. They are used to identify you, but without disclosing any personnal information. These cookies only store your AAPI ID, which allows us to offer you content tailored to your interests and improve your user experience. Most Web browsers automatically allow these cookies, but it is possible to configure certain settings to refuse or limit their use. It is possible to refuse cookies by changing your browser settings in the "Your Preferences" section. You will still be able to access the content of ou website and make purchases, but some features may not function properly. |
B. Obtaining your consent when required
The AAPI will ask for your consent before using your information for purposes other than those intended or sharing it with a third party.
C. Respecting your rights regarding your information
You may access the personal information that the AAPI holds about you.
You may request that it be corrected if it contains an error, is inaccurate, or incomplete (for example, if you have changed your address).
You may give or withdraw your consent to certain uses by the AAPI and to communications with third parties under certain circumstances. For example, the AAPI website's terms of use allow for the simple activation of non-essential cookies; only connection status cookies remain activated to ensure the stability of electronic communication during your web browsing session.
To exercise your rights of access and rectification regarding your information, submit a written request by email to [email protected] or by traditional mail. Please note that email is not a secure means of communication and should not be used to send us personal information; only disclose essential information.
If you are dissatisfied with our handling of your information, you can submit a request to the General Management by mail at the following address: 750 Côte de la Pente-Douce, Suite 205, Québec City, Québec G1N 2M1. Please include your name and contact information, your request and the context of it, and any other relevant information. Your request will be processed within 30 business days.
D. Ensuring the security and confidentiality of your information
Retention, destruction, depersonalization
Your digital information is hosted in Quebec. We carefully store it until the purposes for which it was collected are fulfilled, while allowing a semi-active retention period of three years to allow you to easily contact us again. It is then destroyed. Some information is depersonalized and archived for statistical purposes.
• Identity information: retained for three years after the last interaction with us or unsubscription, then destroyed.
• Academic or training information: retained for three years after the development or training activity, then destroyed, with the exception of assessment forms and exam results, which are depersonalized for training program evaluation purposes.
Work or employment information: Retained for three years after the last interaction with us or unsubscription, then destroyed, with the exception of positions held and membership in a professional order, which are depersonalized for the purpose of assessing the training needs of members and non-members.
• Information on products and services held: Retained for three years after the last interaction with us or unsubscription, then destroyed, with the exception of depersonalized participation and evaluation reports.
• Financial information: Retained for seven years, then destroyed.
• Authentication and browsing information: Subject to the terms of use specific to each platform and site; consult the terms of use.
Communication to third parties or outside Quebec
• Communication with a third party is possible to complete membership or registration for one of our professional development activities or to access one of our tools. For example, to access the training platform hosted by a third party, we may share the name and email address of the person authorized to create an account with that third party to access AAPI services. The privacy and confidentiality policies of these third parties are available on their websites.
• We sign confidentiality agreements with our partners; this is important for us, for you, and for them. No information is sold.
• No information is shared outside Quebec without your consent.
Physical Security Measures
• Access to our premises and printed documents is limited to authorized individuals
• Secure storage of printed documents
• Retention and destruction of information on physical media in accordance with the retention schedule and applicable best practices
Technological Security Measures
• Secure directories
• Dual-identification passwords
• Technological access management mechanisms
• Monitoring to detect suspicious activity
• Retention, backup, and destruction of information on digital media in accordance with the retention schedule and applicable best practices
Administrative and Organizational Security Measures
• Collection limited to only the information necessary for our mission and periodic review of this collection
• Access limited to the information required for the performance of our salaried or volunteer staff's duties
• Signature of a confidentiality agreement by our staff
• Training and awareness of our staff on PRP and IS practices
• Up-to-date retention schedule, rigorously applied, and secure destruction
Privacy Incident Management
No organization is immune to a privacy incident, intentional or not. We ensure that this does not happen and take steps to reduce the risk.
If a privacy incident occurs, our Privacy Officer will quickly implement reasonable and necessary measures to contain the incident and prevent similar incidents.
E. Demonstrating transparency in the processing of your information
We may periodically make changes to our Policy or the website's terms of use. In such cases, a notice is posted on our website to inform you of these changes and their effective date.
The website's terms of use are available online here.
Privacy Officer
The Executive Director is the officer responsible for the protection of personal information for the AAPI.
Privacy Officer: Mr. Bruno Brochu Email address: [email protected]
An updated version of the Policy can be downloaded here.