27.1. An institution may communicate information contained in a user’s record to any person or body, if that communication is necessary for carrying out any fixed-term mandate or service contract given to that person or body by the institution, except, subject to section 108, a mandate or service contract related to the provision of certain health services or social services.
The mandate or contract must be given in writing and, on pain of nullity, (1) indicate the measures to be taken by the person or body to ensure at all times throughout the mandate or contract that
(a) the confidentiality of the information is respected;
(b) measures are established to ensure the security of the information;
(c) the information is used only for carrying out the mandate or the contract; and
(d) the information is not retained once the mandate is completed or the contract performed; and
(2) set out the following obligations to be complied with by the person or body that carries out the mandate or contract:
(a) before communicating the information, to send the institution a confidentiality agreement completed by every person to whom the information may be communicated in carrying out the mandate or contract;
(b) if the mandate or contract is carried out on the premises of the institution, to refrain from transmitting any information or transporting any document containing such information outside those premises, unless the executive director of the institution permits it;
(c) to immediately notify the executive director of the institution of any violation or attempted violation of an obligation relating to the confidentiality of information communicated under this section; and
(d) to allow the institution to carry out any verification or investigation relating to the confidentiality of the information communicated.
On awarding a mandate or a service contract, the institution must take the necessary measures to ensure that the information communicated in accordance with this section will be protected in a manner equivalent to that prescribed in this Act in cases where the mandate or service contract could be given to a person or body outside Québec or the information could be communicated outside Québec.
A third person retained by a person or body to carry out a mandate or contract is subject to the same obligations as those imposed on the person or body under the second paragraph. However, the third person must send that person or body the confidentiality agreement required under subparagraph a of subparagraph 2 of the second paragraph and the notice required under subparagraph c of that paragraph.