Policies and Procedures – C3 Application (Cardiogenic Shock)

Date: April 4, 2025

1. Privacy Policy

Objective: Ensure the protection of personal and clinical information handled via the C3 application.

Guiding Principles:

  • No clinical or identifiable personal data from the Montreal Heart Institute (ICM) is transmitted to the C3 application.
  • Any data collected via the C3 application will only be used for the specific purposes of coordinating care in the context of cardiogenic shock and within the context of research approved by an ethics board.
  • No data is shared with entities outside of Canada without written agreements that comply with applicable laws.
  • The application does not allow for any automatic data transfer between C3 and other platforms.

Data Collection:

  • Data is manually entered by external users and includes:
    • SCAI stage of cardiogenic shock
    • Phone numbers (CHOC line, referral hospitals)
    • Generation of a de-identified PDF summary regarding the shock stage of a patient (no patient-identifying data included)
    • Static MS Teams link to a pre-established MSSS care team

Data Hosting:

  • All data is hosted on secure servers located in Canada.
  • No data is transferred outside Canada without explicit consent and proper security safeguards.

Security Measures:

  • Technical protections include: data encryption, access logging, and role-based access control.
  • Ongoing monitoring of access logs and periodic audits of system events.

Privacy Officer Contact:

  • Robert Avram (robert-calin.avram.med@ssss.gouv.qc.ca)

2. Privacy Incident Policy

Objective: Define the response protocol in the event of unauthorized access, loss, theft, or disclosure of data related to the C3 application.

Incident Response Procedure:

  • Immediate notification to the Information Security Officer
  • Incident analysis within 24 hours of detection
  • Notification to impacted stakeholders, in accordance with Quebec’s access to information law (LAI)
  • Documentation of the incident in a secure register
  • Implementation of corrective actions (e.g., access suspension, software updates)
  • Incident report submitted to the appropriate authorities, if required

3. Data Retention and Destruction Policy

Objective: Define the retention duration for clinical data entered in C3 and the secure destruction process.

Retention:

  • Clinical data is temporary and local — not stored on a central server of the application.
  • PDF summaries are exported by users and not retained by the application.

Destruction:

  • No long-term storage mechanisms are integrated into the application.
  • Technical logs (if generated for maintenance or security) are anonymized and deleted automatically after 30 days.

4. Respecting Data Subject Rights – C3 Application (LAI Compliance)

4.1 Right to Access Information (Article 65 LAI)

Objective: Enable any individual to obtain personal information concerning them, if held by the C3 application.

Measures in Place:

  • The application does not store personal data in a centralized way; thus, no nominative records are held by the platform.
  • De-identified PDF summaries (no fields allow the entry of identifying patient information) are generated and stored locally by external users, who are responsible for their management.

4.2 Right to Data in a Structured Technological Format (Article 65.1 LAI)

Objective: Provide access to personal data in a structured and commonly used digital format.

Measures in Place:

  • The application allows the export of clinical data entered (e.g., SCAI stage, phone contacts) in structured PDF format, easily shareable among clinicians.
  • No centralized database stores this information; healthcare institutions can provide patient documentation upon request.

4.3 Right to Rectify or Delete Information (Article 89 LAI)

Objective: Allow individuals to correct or delete incorrect or inaccurate information about them.

Measures in Place:

  • Any changes or deletions must be made directly by the external user who originally entered the data.
  • As the application does not store data persistently, no durable copies exist within C3.
  • Users (e.g., physicians or coordinators) are responsible for data accuracy and can generate corrected summaries as needed.

5. Additional Information

Definitions:

  • Personal Information: Any information relating to an identifiable individual, excluding anonymized data.
  • Usage Data: Technical data automatically collected related to platform use (e.g., frequency of use, login count), which does not identify any individual.
  • Service Providers: External entities contracted with the C3 application to provide technical or security services under strict confidentiality agreements.

Automated Decision-Making:

  • No legally or clinically significant decisions are made without human oversight.
  • The AI in C3 is solely used to generate structured PDF summaries from manually entered data.

Policy Updates:

  • This policy may be updated to reflect legal or operational changes.
  • In case of significant updates, a notice will be posted in the application interface.
  • The latest version is always available via the project coordination team.

Contact:

  • Email: robert-calin.avram.med@ssss.gouv.qc.ca
  • Responsible: Dr. Robert Avram, Montreal Heart Institute