Clinique Omicron Inc. attaches the utmost importance to protecting the personal information it holds. We have implemented rigorous physical, administrative and technological security measures to prevent unauthorized access, loss, theft, disclosure, modification or destruction of data.
10.1 Physical, administrative and technological measures
To ensure the security of personal information, Clinique Omicron applies a comprehensive security framework, including:
- Physical measures
  - Secure access control to facilities (electronic keys, access cards, video surveillance)
  - Secure workspaces for managing sensitive files
  - Lockable filing cabinets for confidential paper documents
- Administrative measures
  - Internal information security and data management policies
  - Employee awareness and ongoing training on the protection of personal information
  - Confidentiality agreements signed by all personnel, including employees, consultants and subcontractors
  - Regular security risk assessments of personal information
- Technological measures
  - Encryption of sensitive data, both in transit and at rest, particularly in electronic medical records
  - Firewalls, antivirus and intrusion detection solutions to protect IT systems
  - Regular data backups with secure restoration mechanisms
  - Use of two-factor authentication (2FA) to access critical systems
10.2 Access management and system protection
Access to personal information is limited to authorized persons who need it to perform their duties. Clinique Omicron implements strict procedures to manage access rights:
- Logical access control
  - Assignment of individual user accounts with complex logins and passwords
  - Management of access privileges according to employee roles and responsibilities (principle of least privilege)
  - Prompt deactivation of access for employees or partners who are no longer associated with the clinic
- Securing systems and networks
  - Continuous monitoring of system activity to detect any suspicious activity
  - Regular software and operating system updates to correct vulnerabilities
  - Securing of mobile devices and remote connections via virtual private networks (VPNs)
10.3 Managing confidentiality incidents
Despite the security measures in place, confidentiality incidents can occur. Clinique Omicron has established an incident management process to respond quickly and effectively:
- Detecting and reporting incidents
  - Obligation for all employees to immediately report any suspicious incident (unauthorized access, loss of data, theft of equipment, etc.)
  - Designated point of contact: the Privacy Officer is responsible for incident management
- Risk assessment
  - Incident analysis to determine the nature and extent of the data breach
  - Assessment of the risk of harm to those concerned
- Corrective measures
  - Containment of the incident to limit its impact (disabling compromised accounts, restoring data from backups)
  - Implementation of patches to prevent recurrence of the incident
- Incident notification
  - Notification of those concerned when an incident presents a serious risk of harm, with recommendations for mitigating the impact
  - Declaration of the incident to the Commission d'accès à l'information du Québec (CAI) if required by law
- Post-incident follow-up
  - Full documentation of the incident and actions taken
  - Revision of security policies and procedures as necessary
This security framework reflects Clinique Omicron's commitment to proactively protect personal information and respond appropriately to any threats to data confidentiality.