30.3. The Institut shall establish governance rules regarding designated personal information it holds for the purpose of communicating it to researchers attached to a public body and have them approved by the Commission d’accès à l’information. The rules must, in particular, provide a framework for the protection, retention and destruction of the information and provide for the roles and responsibilities of the members of the personnel of the Institut throughout the life cycle of such information.
The rules must be submitted again to the Commission for approval every three years.
The Institut shall publish the rules on its website, except those that could hinder the protection measures applied to ensure the confidentiality and integrity of the information.
2021, c. 152021, c. 15, s. 731.