Privacy Policy

Context

This Information Security Policy is a set of rules and guidelines that our institution implements to ensure the confidentiality, integrity, and availability of its information and systems. This policy helps protect against cyber threats such as hacking, malware and data breaches, and also helps our organization comply with relevant laws and regulations, including the Act respecting the governance and management of information resources of public bodies and government enterprises (LRQ, chapter G-1.03) and the Directive on Information Security, which create obligations for college institutions in their capacity as public bodies.

The specific content of the information security policy will vary depending on the specific risks it faces. It is used to protect a wide range of sensitive information, including:

  • Students’ and staff’s personal information, such as names, addresses, phone numbers, and social security numbers
  • Medical records and other medical information
  • School records and transcripts
  • Financial information, such as payment and billing information
  • Intellectual property data
  • Passwords and login credentials
  • Network and system configurations
  • Data retention and destruction
  • Incident response and reporting.

In addition to protecting this sensitive information, the college’s technology information security policy also covers topics such as acceptable use of college-provided technology, including guidelines for Internet, email, and social media use. It also covers physical security measures for technology equipment and data centers, as well as procedures for responding to security incidents and violations.

At our college, we are committed to protecting your privacy. This privacy policy explains how we collect, use and share information about you when you visit our website or use our online services.

Stakeholders

Stakeholders affected by the information security policy include:

  • Students: The information security policy can affect students in many ways, including how they can access and use college resources such as computers, networks, and online services.
  • Professors: The information security policy can also impact professors by establishing guidelines for how they can use and access college resources, as well as how they can store and share sensitive information.
  • Staff: staff members may be affected by the information security policy in the same way as faculty, including how they may access and use college resources and how they may handle sensitive information.
  • Administrators: college administrators are responsible for implementing and enforcing the information security policy, as well as educating the college community about the policy.
  • IT Staff: Information Technology (IT) staff members are responsible for maintaining the security of the college’s information systems and networks, and for responding to security incidents.

 

Overall, the information security policy also includes other groups of individuals or entities, such as vendors, partners, and consultants who use information assets.

Legal and administrative framework

The security policy is mainly part of a context governed by:

  • The Charter of Human Rights and Freedoms (LRQ, chapter C-12);
  • The Civil Code of Quebec (LQ, 1991, chapter 64);
  • The Policy Framework on the Governance and Management of Information Resources of Public Bodies;
  • The Act respecting the governance and management of the information resources of public bodies and government enterprises (R.S.Q., chapter G-1.03);
  • The Act to establish a legal framework for information technology (R.S.Q., chapter C-1.1);
  • The Act respecting access to documents held by public bodies and the protection of personal information (R.S.Q., chapter A-2.1);
  • The Archives Act (R.S.Q., chapter A-21.1);
  • The Criminal Code (R.S.C., 1985, chapter C-46);
  • The Regulation respecting the distribution of information and the protection of personal information (chapter A-2.1, r. 2);
  • The Directive on the Security of Government Information;
  • The Copyright Act (R.S.C., 1985, chapter C-42).

Protection of Information

We take reasonable steps to protect the security of students’, professors’, and staff members’ personal information through the implementation of the Information Security Policy, including:

A. Access Control: limit access to sensitive information to only those who need it to perform their job duties. This is done through the use of user accounts and passwords, as well as stronger methods such as two-factor authentication.

B. Data Encryption: encrypt sensitive data, both in storage and in transit, to prevent unauthorized access or interception. This includes email encryption, as well as encryption of data stored on laptops and other mobile devices.

C. Network Security: protect the college network from external threats such as hackers and malware. This is accomplished through the use of firewalls, intrusion detection and prevention systems, and other security tools.

D. Physical Security: protect physical assets such as servers and data centers from unauthorized access or tampering. This includes locked doors, security cameras and badge access systems.

E. Training and Awareness: educate students, professors and staff on information security best practices and the importance of protecting sensitive data. This includes regular reminders about the importance of strong passwords and the dangers of phishing scams, as well as more formal training programs.

Collection of Information

We collect information about you in several ways:

  • Information you provide to us: we collect information you provide to us, such as your name, email address, phone number and other contact information.
  • Information we collect automatically: when you visit our website, we automatically collect certain information about your device and your visit, such as your IP address, browser type and device type.

Use of Information

We use the information we collect about you for a few different purposes:

  • To provide and improve our services: we use your information to provide and improve the services we offer, such as responding to your inquiries and registering you for language courses.
  • To communicate with you: we use your information to communicate with you, for example by sending you emails or text messages about your account or upcoming courses.
  • For analysis and research: We use your information to better understand how our website and services are used, and to improve them over time.

Information Sharing

We do not share your personal information with third parties except under the following circumstances:

  • With your consent: we may share your information with third parties if you have given us your explicit consent to do so.
  • For legal reasons: we may share your information if we are required to do so by law or in response to a legal request.

Acceptable Risks

In this Information Security Policy, there will be some level of risk considered acceptable, such as:

  • Low impact data breaches: a data breach that involves the exposure of low impact data, such as a publicly available directory of faculty and staff names and contact information, may be considered an acceptable risk.
  • Limited data loss: a security incident that results in the loss of a small amount of data, or data that can be easily recovered or replaced may be considered an acceptable risk.
  • Minor system downtime: a security incident that results in a brief period of system unavailability, as long as the unavailability does not significantly impact the operation of the organization, may be considered an acceptable risk.
  • Low probability events: a security incident that has a low probability of occurring, such as a cyber attack by a nation-state, can be considered an acceptable risk.

 

It is important to note that the level of acceptable risk varies depending on the specific needs and goals of our organization. What may be considered an acceptable risk for our organization may not be for another.

Roles and responsibilities

The implementation of the information security policy includes different parties with the following responsibilities:

  • Management: the institution’s managers are responsible for setting the overall direction and priorities for information security, as well as ensuring that sufficient resources are dedicated to this purpose.
  • IT Department: The IT department is responsible for implementing and maintaining the technical controls and systems that support the information security policy. This includes managing network security, implementing and enforcing access controls, and monitoring security incidents.
  • Information Security Officer: The ISO reports to the Executive Director and is responsible for overseeing the institution’s information security efforts. The Information Security Officer is also responsible for identifying the security needs of information assets, developing and implementing information security policy, and coordinating with other departments to ensure compliance. In addition, he assists in the execution of investigations of actual or apparent violations of this policy as authorized by the Executive Director.
  • Users: all members of the college community, including students, professors, and staff, are expected to comply with the information security policy and to use the institution’s computing resources in a responsible and secure manner. This includes using strong passwords, protecting sensitive data, and reporting any security incidents or issues.
  • External partners: our external partners are also subject to the college’s information security policy. It is important that our partners understand and follow the policy to help protect the institution’s data and systems.

Sanctions

A breach of security or policy can damage the college’s reputation, which can have long-term consequences. This can result in loss of trust from students, professors, and other stakeholders, and even financial loss.

Sanctions are consequences that can be imposed on individuals or groups that violate the information security policy. They depend on the nature of the policy violation and the severity of the violation. The sanctions that will be applied for violations of the college’s information security policy are as follows:

  • Disciplinary actions: depending on the nature of the policy violation, an individual who violates the information security policy may be subject to disciplinary action. This may include a warning, reprimand or more serious consequences such as suspension or termination.
  • Loss of access: an individual who violates the information security policy may be denied access to certain systems or resources. For example, they may be denied access to certain networks or databases.
  • Legal Action: in cases where the policy violation involves illegal activity, such as hacking or theft of sensitive data, the College may decide to take legal action against the individual.

Dissemination and Updating of the Policy

The ISR, assisted by the Information Technology (IT) Department Head, is responsible for the dissemination and updating of the policy. The Information Security Policy will be reviewed no later than four years after its adoption.

Entry into force

This policy shall become effective on the date of its adoption by the Board of Directors on June 20, 2022.