LPCR has drafted this confidentiality policy to ensure the management and protection of personal information/confidential information within the LPCR organization. This policy therefore establishes the importance of ensuring the confidentiality of information and information available internally from LPCR with regard to information related to the activities of the organization, to customers, members of the Board of Directors , staff members, individual members as well as interns and volunteers or others.

This policy applies on a relational basis between all persons subject to cooperating and/or working with the LPCR organization such as employees, managers, directors, administrators, donors, volunteers/trainees, customers, external partners as well as to all other people likely to be present in the various LPCR premises.


This policy is put in place so that LPCR can ensure the following objectives:

  • Ensure respect for the privacy of individuals and the security of personal information held by LPCR.
  • Give guidelines regarding the sharing of information both internally and externally to the organization’s premises.
  • Ensure the implementation of this policy in order to respect the data included in this document and therefore be able to have legal decision-making follow-up on any violations concerning this policy.


  • Discretion:
    • The ability to keep confidences and private information obtained outside the work environment secret in order to preserve respect, friendship and trust.
  • Confidentiality :
    • Limiting or prohibiting others from accessing private information or personal information obtained in the course of their duties.
  • Personal information :
    • Refers to any information which concerns an individual and which could enable them to be identified. For example, this includes the name, date of birth, residential address and email address, health information, social insurance number or health insurance card of children, parents, employees, interns or any other person.
  • Sensitive personal information:
    • Refers to any information which, by its nature, gives rise to a high level of reasonable expectation of privacy.
    • Certain categories of personal information will generally be considered sensitive, including information about health, finances, ethnic and racial origins, political opinions, sex life or sexual orientation and religious or philosophical beliefs, as well as information genetic and biometric.
  • Confidential information:
    • Refers to any information which is not personal information or sensitive personal information and which is not publicly known.


LPCR commitments

LPCR undertakes to:

  • Ensure the security and confidentiality of information obtained within internal functions regarding employee, family and partner files.
  • Put in place mechanisms to protect confidential information.
  • Ensure confidential handling of complaints.
  • Collect only the information necessary or useful according to LPCR operations or the standards required by the
  • Ministry and/or the Municipality.
  • Apply the confidentiality policy in compliance with LPCR values.
  • Act with diligence and transparency when applying this policy in order to comply with the obligation of the laws in force.


Responsible for the protection of personal information

LPCR designates the General Management as the person responsible for ensuring compliance and implementation of applicable personal information protection laws (“PRP manager”). The person responsible for the PRP has the following responsibilities and may be assisted by the Human Resources Department in his tasks:

  • Sensitization
    • Ensure that employees and consultants are aware of their duties, roles and responsibilities when handling personal information for or on behalf of LPCR. This may include privacy training to foster a privacy-respecting culture within LPCR and ensure that employees comply with this policy.
  • Management of individual rights and complaints
    • Management of individual rights and related requests as well as complaints regarding the processing or protection of personal information by LPCR.
  • Breach of security measures
    • In the context of a security incident affecting personal information, participate in the assessment of potential harm to affected individuals.


Standards on the collection and use of personal information

Policies. LPCR has published a Policy on the protection of personal information available on its website https://lepetitchaperonrouge.ca/ which describes how the organization processes the personal information of clients (including children), external stakeholders or any person applying for a job.

Before or at the time of collecting personal information, LPCR must provide notice to individuals to inform them of the nature, purposes and consequences of the collection and any subsequent processing of personal information. LPCR may provide a copy or link to the applicable policy as a notice prior to the collection of personal information, provided that the information is sufficiently brought to the attention of individuals at the time of collection. In certain circumstances, LPCR must provide ad hoc notice to obtain valid consent or otherwise process certain types of activities or transactions, such as for the publication of photos of parents and children.

Collection of personal information. LPCR generally must obtain explicit or implied consent, depending on the context, and collect personal information directly from individuals (or from children’s parents, guardians or guardians). LPCR only collects personal information when necessary for the following purposes:

  • Manage LPCR’s commercial activities (registration, file opening, communications, etc.)
  • Provide services
  • Establishing, administering and terminating employment relationship
  • Comply with applicable legal and contractual obligations
  • Any other reasonable purpose with the valid consent of the individual or as otherwise permitted or required by law.

However, in certain limited circumstances permitted by law, LPCR may, without obtaining the consent of individuals, collect personal information from sources other than these and/or use personal information for purposes other than those mentioned. above, in particular:

  • When the collection or use is clearly for the benefit of the person concerned and consent cannot be obtained in due time;
  • When it is reasonable to expect that the collection with the knowledge and consent of the data subject could compromise the availability or accuracy of the personal information, and the collection is reasonable for the purposes of an investigation into breach of an agreement or contravention of any applicable law; And
  • When required or permitted by law.


Use and disclosure of personal information. LPCR may use or communicate personal information, without obtaining the consent of the persons concerned, in the following situations and in accordance with the standards on the exchange of information, record keeping and security measures below:

  • When shared with a service provider, in accordance with section 9. Providers
  • Services;
  • To obtain legal advice from LPCR lawyers;
  • To recover a debt owed to LPCR;
  • In accordance with legal requirements;
  • To respond to an emergency situation (danger to the life, health or safety of a person), provided that LPCR informs the person concerned as soon as possible when required by law;
  • To investigate a violation of an agreement or violation of an applicable law if use or consent with the individual’s knowledge or consent would compromise the investigation;
  • To detect or suppress fraud or prevent fraud that may be committed, if it is reasonable to expect that the communication made with the knowledge or consent of the individual would compromise the ability to prevent fraud, to detect it or put an end to it;
  • When required or permitted by law.

It is important to contact the PRP manager if one of the above situations occurs before any use, communication or transmission of personal information.


Standards of discretion

LPCR prioritizes with the development of this policy that everyone within the organization takes responsibility for discreet and respectful communication by ensuring established confidentiality measures so that exchanges related or not to the exercise of their functions are in the appropriate scales. Therefore, this person must:

  • Respect people’s privacy.
  • Do not disclose any confidential information or personal information obtained within the organization.
  • Know how to keep sensitive information from people who confide in them.
  • Act according to the organization’s values


Service Providers

LPCR may retain the services of a third party service provider, contractor or consultant (collectively, the “Service Provider”) to collect, use, retain, destroy or disclose or otherwise process personal and confidential information on behalf of LPCR. LPCR uses different means, notably contractual, to ensure that the information shared benefits from an adequate level of protection. Any service provider retained by LPCR must comply with legal and contractual obligations, including:

  • Compliance with privacy laws
    • The service provider must undertake to comply with applicable laws, including applicable Personal Information Protection Laws;
  • Limitation of use
    • The Service Provider must process personal and confidential information only as directed by LPCR and solely for the purpose of providing the requested services;
  • Transfers to third parties
    • The service provider must be prohibited from transferring personal or confidential information to a third party without the prior authorization of LPCR; and if authorized to do so, the service provider must ensure that the third party is bound by a written agreement which ensures personal information a level of protection equivalent to that granted by the agreement between LPCR and the service provider. services ;
  • Individual rights
    • If the Service Provider receives a request for access or rectification or any other similar request regarding personal information processed on behalf of LPCR, the Service Provider must forward the request to LPCR and cooperate with the company in responding to this request. request ;
  • Information security
    • The service provider must protect personal and confidential information using adequate physical, technical and organizational safeguards, appropriate to the volume and sensitivity of the information;
  • Breach of security measures
    • The Service Provider must immediately and promptly notify LPCR of any reasonably suspected or actual loss of personal or confidential information, any unauthorized access, use or disclosure, or any other violation or attempted violation, by any person, of any obligation concerning the confidentiality of the information communicated;
  • Security review and verification
    • The service provider must allow LPCR to carry out any verification relating to the confidentiality and security requirements of personal and confidential information;
  • Secure storage and destruction
    • The service provider must return or securely destroy all personal information processed on behalf of LPCR at the end of the service contract or at the request of LPCR;
  • Cross-border transfers
    • At the request of LPCR, the Service Provider must process personal information only in Canada, unless otherwise authorized in writing by LPCR.


Information Security – Standards for information sharing, record keeping and security measures

LPCR implements appropriate security measures to protect the confidentiality, integrity and availability of the personal and confidential information it holds. Security measures must protect against unauthorized use of and access to personal and confidential information, as well as accidental loss or alteration of this information. LPCR employees must comply at all times with the security measures listed below and with the Policy on Electronic Devices and Uses.

  • Privacy incident. LPCR employees must remain vigilant for security breaches involving personal information and must immediately report any actual or suspected breach to the PRP Manager so that LPCR can promptly investigate and take appropriate action. A breach includes in particular:
    • Accident: Personal information is communicated to the wrong recipient by accident. Ex. (i) an email or letter containing customer information is sent to the wrong address due to mechanical or human error; (ii) personal information is made public on the LPCR website following a technical problem;
    • Loss: personal information disappears. E.g. an employee’s laptop, mobile device or briefcase containing personal information is lost.
    • Unauthorized access, use or disclosure: Personal information is accessed, used or disclosed by an unauthorized person, or in an unauthorized manner, or for an unauthorized purpose, including in violation of any of LPCR’s policies or applicable law. Ex. (i) an LPCR employee’s laptop, mobile device or briefcase containing personal information is stolen; (ii) an LPCR employee accesses the personal information of another employee or customer for an unauthorized purpose (e.g., personal curiosity); or (iii) LPCR’s computer systems that house customers’ personal information are hacked or accessed by cybercriminals.
  • External exchanges of information from Le Petit Chaperon Rouge. It is stipulated that members of the Board of Directors, Directorates/Managers as well as employees are not authorized to discuss files, people or decisions specific to the LPCR organization with external or unrelated people, unless This is necessary for the development of an intervention related to the internal management of LPCR. In such a situation, they must:
    • Ensure the identity of the person requesting the information if this is not known
    • Limit exchanges of information to the minimum required.
  • Exchange of information within the organization Le Petit Chaperon Rouge. During internal exchanges, you must:
    • Limit the exchange of information between relevant stakeholders during a team meeting or in a secure location (e.g.: office with closed door).
    • Avoid discussing files, people or decisions outside of these times. If this is impossible, make sure not to identify the person concerned and communicate in a place conducive to confidentiality.
    • Ensure that telephone conversations dealing with confidential information are not overheard by other people.
  • Rules to follow regarding record keeping. LPCR staff must:
    • Only enter true, relevant and necessary information in the file.
    • Avoid noting personal comments, thoughts or perceptions and stick to the facts reported by the person concerned or observed by the professional himself.
    • Make sure to keep the information in a secure location with limited access.
  • Directorate offices and administrative office. The staff of the management offices and the administrative office must:
    • Close office doors at lunchtime, at the end of the day or when absent. Access must be prioritized only for authorized persons.
    • Make sure to lock up all confidential documents concerning the families/employees of the LPCR community.
    • It is prohibited to enter the office of an absent person without their consent.
  • Binders/data on computing devices. It is necessary to close the filing cabinets containing member, customer and employee files as well as those containing personal information at all times, outside office hours or in the absence of the responsible persons.
    • It is also essential that all computer devices belonging to the Management/Management/Financial team holding confidential information are provided with a security code in order to limit access to this data.
    • The password for computer devices must, wherever possible, be changed regularly to ensure optimal protection, in accordance with the Policy on electronic devices and uses.
  • Procedures for retention and destruction of confidential files. LPCR staff must:
    • Keep closed files in a secure place in compliance with LPCR standards.
    • Ensure that closed files are shredded by a member of management at the end of the retention period.
    • Destroy all other confidential documents in the same manner.
    • Retain personal information about customers, employees, partners and confirmed or potential donors for as long as required by law or the purposes for which it was collected. When there is no longer a need, LPCR will take reasonable steps to delete them.
  • Standards for LPCR’s external exchange of information for members of the Board of Directors. In order to ensure the confidentiality of information within the LPCR organization, members of the Board of Directors are not authorized to discuss or exchange information concerning a file or decisions specific to LPCR with people at the LPCR organization. external to the organization or not concerned. This procedure makes members responsible for being in possession of confidential information that cannot be shared with anyone who is not authorized to obtain this data. Members of the Board of Directors must follow the code of ethics with regard to the obligations to be respected as a person administratively involved in the organization.
  • Exchange of information within the LPCR organization during a meeting of the Board of Directors. At board meetings, directors must:
    • Limit the exchange of information on files, people or decisions during meetings of the Board of Directors, the
    • Executive Committee or any other committees related to the Board of Directors. The names of the people involved in the situations to be reported must remain confidential.
    • Confidential discussions should be shared wherever possible during these meetings to avoid sharing confidential information in any other unsuitable locations.
    • Ensure that telephone conversations between members of the Board of Directors and the Directors of the organization dealing with confidential information are not overheard by other people.
    • Information shared during board meetings and in the minutes must remain confidential and accessible only to authorized persons. These official documents must be kept in a secure file.
    • Resolutions adopted at meetings of the Board of Directors must remain confidential within the LPCR organization and in a location suitable for this purpose.
  • Standards for volunteers/interns. It is recommended to limit the exchange of information in order to avoid the sharing of non-essential information to be obtained for the exercise of the functions assigned to these persons. All volunteers/interns are also required to follow the standards of confidentiality/discretion established in this policy to ensure compliance with the guidelines indicated in this document.
  • Standards for donors/partners. The LPCR organization attaches paramount importance to the trust of donors/partners deciding to collaborate with LPCR. Consequently, LPCR will ensure, to the extent possible and in accordance with the partnership’s agreements, to limit the collection and use of the personal information of its donors/partners in order to protect its confidentiality.
    • All personal information collected by LPCR General Management on a donor/partner (whether confirmed or potential) will remain confidential.
    • LPCR will not use any personal information collected from another organization, a third party, an individual concerned, etc., for any purpose whatsoever, without the knowledge and consent of the individual concerned. .
    • LPCR will not disclose any personal information about a donor/partner to anyone externally or to any of its affiliated entities without the knowledge and consent of the donor/partner, except to the following individuals:
      • A verifier linked to an LPCR audit assigned by its verifier or by a verifier designated by the donor/partner.
      • An organization or individual providing services to LPCR if the personal information is reasonably necessary to provide those services. In this case, the organization or individual must act in accordance with this policy, and use said personal information only for the purposes of providing services to LPCR.
      • A law firm that represents LPCR in a matter that affects personal information.
      • Anyone who presents a subpoena, warrant or obligation arising from a court order.
      • A government institution which requests this information, which presents its authorization of request, in connection with the administration of any law in force.
      • In any other circumstance where disclosure is explicitly permitted in accordance with laws applying to the protection of personal information.


In the situation where the donor/partner who, previously, had accepted that LPCR transmit certain personal information to other organizations, decides to no longer consent, he or she must inform LPCR in writing.

An employee, customer or any other person concerned may request in writing to have access to the personal information that LPCR holds about them. The leaders of the LPCR organization will respond within a reasonable time by giving access to this data.

*It is however possible that LPCR refuses to share certain documents/information if circumstances require it or give it the right to refuse this access or when permitted or required by law.

An employee, customer or any other person concerned who believes that one or more of their personal information is inaccurate or incomplete may request in writing an LPCR Manager to modify it. LPCR will make the appropriate corrections promptly. However, if it is reasonably of the opinion that the modification is inaccurate or incomplete, the LPCR may refuse it and will enter the modification request in its files.


Management of government requests and access and rectification requests personal information

  • Government requests. If an employee receives a request for information or any other form of communication from a government agency, the employee must immediately notify the PRP manager, who will be responsible for processing and responding to the request.
  • Requests from individuals. Individuals may, subject to certain conditions, request to view the personal information that LPCR holds about them and request that appropriate corrections be made. If an employee receives a request from a third party, the employee must notify the PRP Manager, who will be responsible for processing and responding to the request. An employee must contact the Human Resources Department to access their personal information or have it corrected.
  • Request for access relating to video surveillance images. Any request for access relating to video surveillance images held by LPCR must be addressed to the PRP manager by submitting a written request. The PRP manager is responsible for processing this request.


Application rules

  • The PRP manager is responsible for the implementation and application of the confidentiality policy.
  • Administrators, management, employees and volunteers/interns must complete, as soon as this policy comes into effect, a commitment form to respect it.

It should be noted that if an administrator, employee, intern, volunteer or any other person concerned discloses confidential information, LPCR could establish disciplinary measures which could result in dismissal in accordance with the policies/regulations established internally by the LPCR organization. or in certain cases legal measures.