105. A body must adopt a governance policy for the information it holds that implements the information governance rules referred to in section 90.
The policy must set out, among other things,(1) the roles and responsibilities of the members of the body’s personnel and the professionals practising their profession within the body, including students and trainees, with regard to the information;
(2) the categories of persons who may use the information in the exercise of their functions;
(3) the logging mechanisms and the security measures for ensuring the protection of the information that the body puts in place;
(4) the terms and conditions on which the information may be communicated under sections 74 to 76;
(5) an update schedule for the technological products or services the body uses;
(6) a procedure for processing confidentiality incidents;
(7) a procedure for processing complaints regarding the protection of the information; and
(8) a description of the training and awareness activities offered by the body to its personnel members and the professionals practising their profession within the body, including students and trainees, regarding the protection of the information.
In the case of a body referred to in subparagraph 4 of the first paragraph of section 4, the policy of the body with which it has entered into an agreement applies to both bodies, unless they agree otherwise.
The body must make the policy known to the members of its personnel and the professionals practising their profession within the body, including students and trainees. It must also publish the policy on its website or, failing that, make it available to the public by any other appropriate means.
2023, c. 52023, c. 5, s. 105.