Clinique Omicron Inc. takes the management of privacy incidents very seriously in order to protect the personal information it holds. A rigorous framework is in place to detect, report, assess and promptly deal with any incident so as to limit its impact and comply with legal obligations.

12.1. Definition of a confidentiality incident

A confidentiality incident is any event involving:
- Unauthorized access to personal information, whether intentional or accidental.
- Unauthorized use of personal information for unintended or unconsented purposes.
- Unauthorized disclosure of personal information to third parties without the required consent or in violation of applicable laws.
- Loss of personal information, including accidental deletion, theft, or temporary or permanent inaccessibility.

Examples of confidentiality incidents:
- Sending medical information to the wrong recipient.
- Hacking into computer systems containing sensitive data.
- Loss of an unsecured laptop containing confidential files.
- Access to files by an unauthorized employee.

12.2. Incident reporting and management procedures

Clinique Omicron has implemented a confidentiality incident management procedure to ensure a rapid and effective response in the event of an incident. This procedure includes the following steps:

- Incident detection and reporting
  - Any employee, service provider or partner of the Clinic must immediately report any suspected or confirmed confidentiality incident.
  - Reports can be made directly to the Privacy Officer (RPRP) by e-mail at protectionrenseignements@cliniqueomicron.ca.
  - The incident report must contain a detailed description of the event, including the date, time, nature of the information involved, and the circumstances of the incident.

- Incident assessment
  - The RPRP carries out an in-depth analysis to determine the nature of the incident, the causes, the extent of the impact, and the potential risk to those involved.
  - Risk assessment takes into account the sensitivity of the compromised information, the likelihood of malicious use, and the possible consequences for individual privacy.

- Immediate corrective measures
  - Take measures to contain the incident (e.g. suspend unauthorized access, restore data, secure compromised systems).
  - Implement solutions to correct identified vulnerabilities and prevent recurrence of the incident.
  - Fully document the incident, the measures taken and the results of the risk assessment.

12.3. Obligation to notify data subjects and authorities

When a confidentiality incident presents a serious risk of harm to the persons concerned, Clinique Omicron is obliged to inform them and the competent authorities.

- Notification to the persons concerned
  - Notification is sent as soon as possible after the incident is discovered.
  - It includes:
    - A description of the incident and the personal information involved.
    - Possible risks for the person concerned.
    - Measures taken to mitigate the effects of the incident.
    - Measures the data subject can take to protect themselves (e.g. credit monitoring, changing passwords).
    - Contact information for the Privacy Officer, should the data subject have any questions.

- Notification to the competent authorities
  - The Commission d'accès à l'information du Québec (CAI) must be informed when the incident presents a serious risk of harm.
  - The notification includes details of the nature of the incident, the type of information affected, the action taken, and the number of people involved.

- Keeping an incident register
  - Clinique Omicron maintains a confidentiality incident register, documenting each reported incident, whether or not it required formal notification.
  - This register may be required during an audit or investigation by the CAI.

The rigorous management of confidentiality incidents reflects Clinique Omicron's commitment to protecting the privacy of those concerned and to reacting proactively in the event of a security breach.