With the adoption of the Act to modernize legislative provisions as regards the protection of personal information (“Bill C-25”), assented to on September 22, 2021, amendments have been made to the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and to the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Access Act”).
The purpose of these changes is to strengthen personal information protection in Québec and to adapt the legislative framework to today’s reality. These legislative changes will be phased in over a three-year period, ending in September 2024.
However, a first set of measures will come into effect as early as September 22, 2022, resulting in significant changes for both public and private sector organizations with respect to personal information protection.
The following is an overview of the key changes that will take effect on September 22, 2022:
1. Accountability for Privacy
First of all, through Bill C-25, the Quebec legislator has given concrete form to the idea that for each organization, an individual must be responsible for the protection of personal information.
Thus, any private company, regardless of its size, must now have a person responsible for the protection of personal information. By default, this person will be the person with the highest authority within the company. However, it is possible to delegate this function in writing, in whole or in part, to any person, i.e. to an individual within the company or to an external party. The title and contact information of the Privacy Officer must be published on the company’s website or, if the company does not have a website, made available by any other appropriate means.
The Access Act (for public bodies) already stipulates that the highest-ranking person in a public body would be the person responsible for access to documents or the person responsible for protecting personal information. The Act also outlines the possibility for this person to delegate, in writing, all or part of his or her functions to a member of the body, a member of its board of directors or a member of its management staff by sending a notice to the Commission d’accès à l’information (the “Commission”).
Bill C-25 specifies that, as of September 22, 2022, this notice must be sent to the Commission “as soon as possible”. It must be in writing and it must contain the title, contact information and effective date of entry into function of the person responsible for access to documents and those of the person responsible for the protection of personal information.
In addition, Bill C-25 provides that, from now on, the person with the highest authority within the public body must facilitate the functions assigned to the person responsible for access to documents and the person responsible for the protection of personal information if he or she does not already exercise these functions. Finally, with Bill C-25, the person with the highest authority within the organization will now be responsible for ensuring compliance with and for implementing the Access Act.
2. The creation of an access to information and privacy committee within a public body
With some exceptions, public bodies will be required to have an Access to Information and Privacy Committee in place by September 22, 2022. The primary responsibility of this committee will be to support the organization in carrying out its responsibilities and obligations under the Access Act. The committee shall report to the highest level of authority within the organization and shall consist of the person responsible for access to records, the privacy officer and any other person whose expertise is required, whether internal or external.
3. Privacy incident reporting and mandatory record keeping
Any organization, whether in the private or public sector, will henceforth have to diligently notify the Commission and the persons concerned of any confidentiality incident involving personal information that it holds and that presents a serious risk of prejudice.
A “privacy incident” is any unauthorized access to personal information, any unauthorized use or disclosure of personal information, and any loss or other breach of personal information.
Jean-Claude, the Human Resources Director at ABC Inc., mistakenly sent an e-mail containing personal information about a number of the company’s employees (social insurance number, bank account number, address, telephone number, etc.). Depending on the context, this situation may require intervention with the Commission and the individuals involved.
The risk assessment of any harm to an individual whose personal information is involved in a privacy incident will have to take into account several factors, including the sensitivity of the information involved, the perceived consequences of its use and the likelihood that it will be used for harmful purposes.
Organizations will also be required to maintain a privacy incident log, including incidents that do not pose a risk of serious harm to individuals, and to provide a copy of the log to the Commission upon request. A draft regulation specifying the content of this register, as well as the content and modalities of the notices concerning confidentiality incidents, has been published by the Government of Quebec and will come into force on September 22, 2022. We will be able to provide you with more details on this subject upon request.
4. New rules governing the communication of personal information without the consent of the person concerned
New rules have been put in place to allow organizations to disclose personal information without the consent of the individual concerned.
Under certain conditions, businesses will now be able to disclose personal information without the consent of the individual concerned:
- in the course of completing a commercial transaction;
- in the course of carrying out a mandate or a contract for services or a business; and
- for study, research or statistical purposes.
With respect to public bodies, Bill C-25 repeals the requirement to obtain the Commission’s authorization in order to receive, for study, research or statistical purposes, communication of personal information without the consent of the individuals concerned. Thus, as of September 22, 2022, public organizations will be able to communicate or receive personal information for study, research or statistical purposes without the consent of the individuals concerned, and without the authorization of the Commission, if certain conditions, including the conclusion of a protection of information agreement, are met.
5. The use of processes that capture biometric characteristics or measurements
The Legal Framework for Information Technology Act (the “Act”) already establishes the requirement to verify or to confirm an individual’s identity by capturing measurements of biological traits. The consent of the individual is required.
As of September 22, 2022, in addition to obtaining the consent of the person concerned to use such a process, prior disclosure of biometric verification to the Commission is required. The creation of a biometric characteristics or measurements bank will also have to be disclosed to the Commission no later than 60 days before it is put into service. Bill C-25 thus provides for a maximum period of time for making this prior disclosure, which was already required under the Act to establish a legal framework for information technology.
Article written by Mrs. Charlotte Côté and Mr. Alexis Paquette-Trudeau
Formerly Bill 64;
RLRQ, c. P-39.1;
RLRQ, c. A-2.1;
The government may, by regulation, exclude a public body from the obligation to form such a committee or modify the obligations of a body according to criteria that it defines;
The committee reports to the deputy minister in the case of a ministry and, in the case of a municipality, a professional order or a school board, to the director general;
See Proposed Privacy Incident Regulations (2022) 26 G.O. II, 3935;
RLRQ, c. C-1.1.