Quebec’s new Bill 64 impacts 21 different laws in the province. The 2 data protection and privacy laws impacted the most are:
1) ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR (PPIPS and
2) the ACT RESPECTING ACCESS TO DOCUMENTS HELD BY PUBLIC BODIES AND THE PROTECTION OF PERSONAL INFORMATION (PBPPI)
Like in 1993 when Quebec first introduced the ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR, the law established new standards for organizations operating in Canada.
There are 2 key elements that come into force in September 2022 – less than 9 months from today. The first is a requirement for the highest authority in the organization to be the Privacy Manager, a role which they can delegate but not abdicate. The wording in the law is as follows:
“3.1. Any person carrying on an enterprise is responsible for protecting the personal information held by the person.
Within the enterprise, the person exercising the highest authority shall see to ensuring that this Act is implemented and complied with. That person shall exercise the function of person in charge of the protection of personal information; he may delegate all or part of that function in writing to a personnel member.
The title and contact information of the person in charge of the protection of personal information must be published on the enterprise’s website or, if the enterprise does not have a website, be made available by any other appropriate means.”
The second obligation coming into force in September 2022 is a requirement to document a Confidentality Incident Response and Reporting Plan.
“3.5. Any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
If the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the Commission d’accès à l’information established by section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1). He must also notify any person whose personal information is concerned by the incident, failing which the Commission may order him to do so. He may also notify any person or body that could reduce the risk, by communicating to the person or body only the personal information necessary for that purpose without the consent of the person concerned.
In the latter case, the person in charge of the protection of personal information must record the communication of the information.
Despite the second paragraph, a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.
A government regulation may determine the content and terms of the notices provided for in this section.
3.6. For the purposes of this Act, “confidentiality incident” means
(1) access not authorized by law to personal information;
(2) use not authorized by law of personal information;
(3) communication not authorized by law of personal information; or
(4) loss of personal information or any other breach in the protection of such information.
3.7. In assessing the risk of injury to a person whose personal information is concerned by a confidentiality incident, a person carrying on an enterprise must consider, in particular, the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.
The person must also consult the person in charge of the protection of personal information within the enterprise.
3.8. A person carrying on an enterprise must keep a register of confidentiality incidents. A government regulation may determine the content of the register.
A copy of the register must be sent to the Commission at its request”
So, it is clear what needs to be done by the end of August 2022, but implementing these elements may not be as obvious. We have implemented similar programmes for all types of organizations large and small and can help simplify and implement your obligations as quickly and efficiently as possible. Contact info@newportthomson.com to explore more details.