NEW OBLIGATIONS FOR BUSINESSES TO PROTECT PERSONAL INFORMATION

On September 21, 2021, the Act to modernize legislative provisions as regards the protection of personal information, named Law 25, was assented to. This expertise provides a general overview of the changes made to the Act respecting the protection of personal information in the private sector, as well as the effective date of these new obligations.

SEPTEMBER 22, 2022

Appointment of a Privacy Officer

All Quebec businesses are responsible for protecting the personal information they hold. By default, the person with the highest authority within the enterprise is automatically given the title of Privacy Officer. However, this role may be delegated, in writing, to a member of staff or a third party. The Act does not specify the qualifications required of the person in charge.

To comply with this requirement, one must:

  • Determine whether the company has the necessary expertise in-house, whether it needs to recruit a person for this function, or whether it needs to deal with a third party.
  • Establish the role and responsibilities of the person in charge:
    • Approve protection practices and policies;
    • Participate in Privacy Impact Assessments (PIAs);
    • Take part in assessing the harm caused by a privacy incident;
  • Designate the person in charge and publish his/her title and contact details on the website.

Mandatory reporting of confidentiality incidents

An enterprise that has reason to believe that a confidentiality incident involving personal information in its possession has occurred must take reasonable measures to reduce the risk of harm being caused and to prevent similar incidents from occurring in the future. If the incident presents a risk of serious prejudice, the company must, with due diligence, notify the Commission d’accès à l’information as well as any person whose personal information is affected by the incident.

To comply with this requirement, one must:

  • Define an organizational structure with roles and responsibilities for incident prevention, management and response;
  • Develop or update the enterprise’s incident management policy to include the new obligations;
  • Revise contracts with service providers to include the new incident notification obligations;
  • Maintain a corporate register of all confidentiality incidents.

Communication and use of personal information without the consent of the person concerned for study, research or statistical purposes and for commercial transactions

Enterprises may now disclose personal information, without the consent of the individuals concerned, to a person or organization wishing to use this data for study, research, or statistical purposes. Before disclosing the information, the company is subject to certain requirements: complete a privacy impact assessment (PIA), make a detailed presentation of the research activities, agree to a written data-sharing agreement, and forward the agreement to the Commission d’accès à l’information for notification.

In addition, the company may use, internally and without formality, personal information for studies, research or the production of statistics if this is done for purposes compatible with the original purpose of collection or if the information is depersonalized.

It should also be noted that the communication of personal information as part of a commercial transaction is also an exception to the consent requirement. Indeed, an enterprise may communicate personal information that is necessary for the conclusion of a commercial transaction, without the consent of the person concerned, to the other party to the transaction.

To comply with this requirement, one must:

  • Revise privacy policies and consent forms to include these exceptions.
  • Implement procedures for research projects and commercial transactions that incorporate the new obligations.

Prior disclosure of biometric identity verification to the Commission d’accès à l’information

Before putting a bank of biometric characteristics or measurements into service, the enterprise must disclose its intention to the Commission d’accès à l’information no later than 60 days before putting it into service. It is also mandatory to notify the Commission before using identity verification or confirmation techniques based on biometric measurements or characteristics. These data are considered sensitive personal information. Thus, without such a declaration to the Commission d’accès à l’information and the express consent of the individuals concerned, no one may use biometric technologies.

To comply with this requirement, one must:

  • Put in place a directive on the use of biometric systems that includes the above-mentioned obligations.
  • Carry out a privacy impact assessment prior to any project involving biometric data.

SEPTEMBER 22, 2023

Establishment and implementation of privacy policies and practices

Since companies are responsible for protecting the personal information they hold, they must establish and implement policies and practices governing personal information. These must be proportionate to the nature and importance of the company’s activities, and they must be approved by the Privacy Officer.

To comply with this requirement, one must:

  • Update or establish policies and practices governing corporate governance of personal information, which must include:
    • Rules applicable to the retention and destruction of personal information;
    • The roles and responsibilities of personnel throughout the personal information life cycle;
    • A process for handling privacy complaints;
  • Publish detailed information in simple, clear terms about policies and practices on the company website;
  • Create a training program for employees who manage and/or have access to personal information;
  • Provide for the destruction of personal information once the purpose for which it was collected has been fulfilled, or anonymize it so that it can be used for serious, legitimate purposes.

Compliance with new transparency requirements

From now on, when collecting personal information, enterprises must inform the person concerned of the purposes for which the information is collected, the means of obtaining it, and the rights of access, rectification and withdrawal of consent. In addition, if the situation applies, the enterprise must inform the person concerned of the name of the third party on whose behalf the information is being collected, the category of third parties to whom the information is to be transmitted, or the possibility that the personal information may be communicated outside Quebec. Upon request, the enterprise must also inform the person concerned of the personal information collected, the category of employees who have access to the information, how long the information will be kept and the contact information of the person responsible for protecting personal information. All this information must be conveyed in clear, simple terms.

It should be noted that a business that collects personal information from an individual using a technology that includes functions for identifying, locating, or profiling that individual has additional information obligations. It must inform the person concerned of the use of such technology, and of the means available to activate the functions enabling identification, location, or profiling. Personal information collected by technological means is also subject to a specific rule: in such cases, a privacy policy must be published on the company’s website. Finally, if the collection of personal information leads to a decision based exclusively on automated processing, the person concerned must be informed, on request, of the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request a review of the decision.

To comply with this requirement, one must:

  • Establish and publish the following privacy policies and procedures:
    • A policy and procedure concerning the information that must be transmitted when personal information is collected;
    • A policy and procedure regarding information that must be provided upon request;
    • A policy and procedure concerning the collection of information that can be used to identify, locate or profile individuals;
    • A policy and procedure concerning the collection of personal information by technological means;
    • A policy and procedure concerning the disclosure of information when a company makes decisions based solely on the automated processing of personal information.

Conducting a privacy impact assessment

It is now mandatory to carry out a Privacy Impact Assessment (PIA) prior to any project involving the acquisition, development or redesign of information systems or the electronic delivery of services involving the processing of personal information. It should be noted that this requirement is not retroactive, i.e., it applies only to new projects. Finally, the scope of the PIA must be adapted to the project’s impact on individual privacy.

To comply with this requirement, one must:

  • Design a PIA procedure that:
    • Defines the criteria triggering the obligation to carry out the assessment;
    • Defines the process for ensuring that projects requiring assessment are identified at the beginning of the project;
  • Develop an easy-to-use template for conducting PIAs;
  • Communicate the procedure within the company.

Application of new consent rules

Companies must comply with the rules on the form and validity of consent. As for the form of consent, it may be implicit if personal information is used for purposes set out in the company’s privacy policy. There are also certain exceptions specifically provided for in Law 25.

However, if the company wishes to use the personal information for a new purpose or communicate it to a third party, the person concerned must consent. Express consent is required for sensitive personal information. As for the validity of consent, it must be manifest, unrestricted, informed and given for specific purposes. It must be requested in clear and simple terms. Furthermore, if it is requested in writing, the request for consent must be presented separately from any other information presented to the person concerned.

For minors under 14, consent is given by the parent or guardian. In the case of minors aged 14 and over, consent may also be given by the minor him/herself.

In the case of information concerning a deceased person, the company may disclose it if the purpose is to help a loved one in the grieving process.

To comply with this requirement, one must:

  • Make an inventory of the personal information collected, used and shared by the company.
  • Update the company’s classification or categorization policy.
  • Create consent forms.
  • Implement a process to assist and help individuals understand the scope of their consent.

Exceptions to the consent requirement

In certain situations, the company may make an exception to the requirement for consent to use an individual’s personal information. Firstly, consent is not required for personal data concerning an individual’s performance of a function within a company. This type of data, also known as business contact information, includes a person’s name, title, position, street address, e-mail address and workplace telephone number. In addition, certain circumstances allow the company to use personal information for purposes other than those for which it was originally collected without consent. This exception applies when the use of the data is necessary for business purposes, or when the use is clearly in the interest of the person concerned. Finally, the company does not need the consent of the person concerned when personal information is communicated following the exercise of a mandate or the performance of a service or business contract.

Setting the highest confidentiality level by default

Companies that collect personal information by offering the public a technological product or service with privacy settings must ensure that they offer the highest level of privacy by default, without any additional intervention on the part of the individual. This requirement does not apply to cookies or to products and services intended solely for employees.

To comply with this requirement, one must:

  • Identify the company’s publicly available technology products or services that collect personal information and include privacy settings.
  • Determine whether these privacy settings need to be adjusted to comply with default requirements.

Compliance with new rules governing the disclosure of personal information outside Quebec

Companies must conduct a Privacy Impact Assessment (PIA) before disclosing personal information outside of Quebec. Disclosure may take place if the assessment demonstrates that the information would receive adequate protection. Disclosure is subject to a written agreement with the third party that takes into consideration, among other things, the results of the assessment and, where applicable, the terms and conditions agreed to in order to mitigate the risks identified during the assessment.

To comply with the requirement, one must:

  • Revise the company’s privacy policy to specify that personal information may be disclosed outside Quebec.
  • Complete the PIA template to assess the risks associated with disclosing personal information outside Quebec.

The right to be “forgotten”

The person concerned by personal information may demand that an enterprise cease disclosing this information, or de-index any hyperlink attached to his or her name that allows access to this information by a technological means, if the disclosure of the information contravenes Law 25 or a court order.

SEPTEMBER 22, 2024

Responses to requests for the portability of personal information

At the request of the person concerned, companies are obliged to communicate to him or her, in a structured and commonly used technological format, computerized personal information collected from him or her. Such communication may also be made to a person or organization authorized to collect the information, at the request of the person concerned. The aim of this new provision is to encourage the re-use of data in a competitive environment.

The Bernier Fournier team is available to advise and guide you through the various steps required to ensure your company complies with the new requirements of Law 25.