Towards Compliance with the Private Sector Privacy Act

The Commissioner for Access to Information in Quebec (CAI) published this Guidance document (French only), so we asked ChatGPT to translate the text to English. This is a very good description of the changes most Canadian businesses have to make regarding the capture, use and management of personal information.

Let’s consider scope first. Does this law apply to your organization? A few questions:

Does your organization operate in the Private Sector? This document focuses on the Private Sector Act, but there is a Public Sector version that is quite similar.

Do you maintain a National database? Chances are good 20-25% of that list resides in Quebec – so Law 25 applies.

Many organizations say “But we do not have offices in Quebec.” That makes no difference. It is all about where the individual lives: the individual whose personal information you are processing.

We will add comments using [ ] to distinguish our comments from the Commissioner’s.

Now let’s hear from the Commissioner:

Towards Compliance with the Private Sector Privacy Act

The Act modernizing legislative provisions on the protection of personal information brings significant changes to the Private Sector Personal Information Protection Act (Private Sector Privacy Act). These must be implemented starting September 2022!

This tool aims to familiarize you with some of your new responsibilities and obligations (pages 1 and 2), which will come into effect gradually in September 2022, 2023, and 2024. While not exhaustive, action points and best practices are also suggested on pages 3 and 4 to assist you in planning your compliance efforts with the law.

This document presents generic content. It does not account for the specificities of each business. Laws and regulations take precedence at all times. Feel free to consult a privacy law specialist and an information security expert to guide you.

New Responsibilities and Obligations for Businesses Effective September 22, 2022

In addition to complying with current obligations regarding the protection of personal information, as of September 22, 2022, you must:

  1. Designate a person responsible for personal information protection and publish their title and contact information on the company’s website or, if no website exists, make it accessible through other appropriate means;
  2. In case of a confidentiality incident involving personal information:
  • Take reasonable measures to reduce the risks of harm to the affected individuals and prevent similar incidents from recurring;
  • Notify the Commission and the affected individual if the incident poses a risk of serious harm;
  • Maintain a record of incidents, a copy of which must be provided to the Commission upon request.

You must also, among other things:

[all content from the Commissioner – bold type is ours]

MEMO – New Business Responsibilities, Action Points, and Best Practices

Access to Information Commission – February 8, 2023 1

  1. Adhere to the new framework for disclosing personal information without consent for study, research, statistical production purposes, and in commercial transactions;
  2. Conduct a Privacy Impact Assessment (PIA) before disclosing personal information without consent for study, research, or statistical production purposes;
  3. Disclose to the Commission in advance any verification or confirmation of identity using biometric characteristics or measures.

Effective September 22, 2023

In addition to current obligations regarding the protection of personal information, as of September 22, 2023, as a business operator, you must:

  1. Have established policies and practices for the governance of personal information and publish detailed information about them in clear and simple terms on the company’s website or, if no website exists, through other appropriate means;
  2. Conduct a Privacy Impact Assessment (PIA) when required by law, e.g., before disclosing personal information outside of Quebec;
  3. Adhere to new rules regarding consent for the collection, disclosure, or use of personal information;
  4. Destroy personal information once its collection purpose is fulfilled, or anonymize it for serious and legitimate purposes, subject to conditions and retention periods as prescribed by law;
  5. Adhere to new obligations of information and transparency towards citizens;
  6. Adhere to new rules for disclosing personal information without consent (exercise of a mandate or execution of a service or business contract);
  7. Adhere to new rules for disclosing personal information outside Quebec;
  8. Adhere to new rules for the use of personal information;
  9. By default, incorporate settings ensuring the highest level of confidentiality of the product or technological service offered to the public;
  10. Adhere to new rules regarding the collection of personal information about minors;
  11. Respect the right to cease dissemination, reindexing, or delisting (right to be forgotten);
  12. Adhere to new rules for disclosing personal information facilitating the grieving process.

Effective September 22, 2024

Starting September 22, 2024, as a business operator, you must:

  • Respond to requests for personal information portability.


Action Points and Best Practices

By September 22, 2022

  1. If you are the highest authority in the company and do not wish to fulfill the role of the person responsible for personal information protection, designate someone capable of effectively assuming this role. For example, this person should have the required skills and significant decision-making power;
  2. Support the person responsible for personal information protection with the necessary resources (human, technical, and financial) to ensure the success of your compliance efforts;
  3. Inventory the personal information held by your company (or on its behalf by a third party) and assess its sensitivity;
  4. Implement measures to prevent or limit the consequences of a confidentiality incident involving personal information;
  5. Establish practices that will enable you to respond appropriately and swiftly in the event of a confidentiality incident involving personal information (e.g., incident response plan and staff directive);
  6. If you plan to use biometric technology (e.g., fingerprint, facial or voice recognition), familiarize yourself beforehand with your obligations in this regard.

By September 22, 2023

To establish and implement governance policies regarding the protection of personal information, you will need to, among other things:

  1. Inventory the personal information held by your company (or on its behalf by a third party) and assess its sensitivity;
  2. Since the inventory of personal information is dynamic, it is important to keep it up to date to reflect changes that may have occurred within your company (e.g., new collection of personal information for a project) and to ensure adequate planning of your actions and compliance with all obligations;
  3. Specify the roles and responsibilities of staff members involved in the protection of personal information throughout its lifecycle.

Completion of these tasks is essential for fulfilling your obligations and prioritizing certain actions thereafter. To conduct a Privacy Impact Assessment, you will need to have completed the aforementioned tasks, but you will also need to, among other things:

  1. Assess the project’s compliance with personal information protection laws;
  2. Identify project risks to the privacy of affected individuals;
  3. Implement strategies and measures to avoid or effectively reduce these risks;
  4. Monitor the implementation of these measures and revise them as necessary.


To comply with citizens’ new rights and your new transparency obligations towards them, you must implement mechanisms (e.g., directives, processes, forms, or appropriate technological solutions) that will enable you to:

  1. Obtain valid separate consent for each specific purpose in clear and simple terms;
  2. Clearly present the consent request separately from other provided information if in writing;
  3. Provide the information required by law to the person from whom the information is collected;
  4. Inform an individual when they are subject to a decision based solely on automated processing;
  5. Inform an individual before using technology to identify, locate, or profile them, and of the means available to activate these functions;
  6. Publish detailed information about your policies and practices on the company’s website or, if no website exists, make this information accessible through other appropriate means;
  7. Publish a privacy policy written in clear and simple terms on your company’s website and distribute it through any means capable of reaching the affected individuals if you collect personal information using a technological means such as a website;
  8. Handle citizens’ requests and complaints regarding your management of personal information.

By September 22, 2024

  1. Inform the team responsible for maintaining, updating, or developing your IT systems that you have new business needs related to the right to personal information portability, namely:
  • That your systems allow, upon request of an affected person, for computerized personal information collected from them to be communicated in a structured, commonly used technological format;
  • That this communication can also be made to a person or organization authorized by law to collect the information, at the request of the affected person.

Note: Ensure that your staff is trained to develop proper reflexes regarding the protection of personal information.
