There are 98 Sections of the ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR that were impacted by the passing of Bill 64 in September of 2021. Some are similar to obligations within PIPEDA, but these obligations will be strongly enforced by the CAI in Quebec. As it was written back in 1999, PIPEDA does not have a method for strong enforcement within the Act, which is one of the many reasons the Privacy Commissioner of Canada has been begging for updates to Canada’s privacy legislation. Yet again, the Federal government has ignored, or at best paid lip service to, these pleas, leaving Quebec to step up with tough new legislation to protect its citizens’ personal information. With this development, we can expect revisions to PIPEDA this year. It remains to be seen if PIPEDA will provide the same protection for all Canadians as Bill 64 does for Quebec citizens.
It is easy to take the position that your organization is not located in Quebec so PPIPS does not apply, but the scope includes any organization that collects, uses, shares or stores personal data of Quebec citizens. According to Canada Population, Quebec accounts for 22.5% of the country’s population.
Any organization that operates in Canada knows that 20-25% of the data it collects belongs to a resident of Quebec, so any organization that operates in Canada must comply with PPIPS.
This new law comes into force in 3 distinct stages, the first one coming in September 2022. Most of these first 25 Corporate Obligations will come into force this year. The team here at Newport Thomson is scouring the 98 Sections of PPIPS to determine all of the new obligations for organizations who deal with personal data, but for starters, here are the first 25:
1. Protect personal data the organization captures, stores, shares or uses (Sec 3.1). Every investigation the CAI conducts will include their assessment of your organization’s effort to protect the personal information in your care. RECOMMENDATION: Do a detailed inventory of all PI held, or planned to be collected, by your organization. Delete any fields you are not using. While data is considered an asset by most, these new data protection and privacy laws may transform this personal data into a liability. Be sure you are using what you collect and that you are only collecting what you intend to use. We also recommend centralizing and securing this data. Too many copies in a variety of formats can dramatically increase the chance of a Confidentiality Incident (a data or privacy breach) while making it extremely difficult for your security team to protect the data effectively.
2. CEO must appoint a Privacy Manager (Sec 3.1). Quebec holds the “highest authority” in the organization accountable to see that this “Act is implemented and complied with”. It is clear they intend to hold the CEO accountable for all personal information that is collected, used, shared or stored, and for the security of that data. Should we brace ourselves for some stiff personal fines to CEOs next Fall and in the Spring of 2023? RECOMMENDATION: CEOs must understand what PI is being collected, used, shared and stored by the organization at all times. Appointing a capable Privacy Manager and setting up a reporting process with operational detail should be done as soon as possible.
3. Publicly display the Privacy Manager’s contact info on the corporate website(s). The new privacy standard in Canada includes a requirement to publicly post your Privacy Manager’s name and contact information so they are easily reached. It is suggested this be placed on the corporate website in an obvious spot (the footer?).
4. Establish Privacy Policies and Procedures (Sec 3.2). This is no longer a “nice to have”. This is now a “must have”. Organizations that do not have a Privacy & Security Policies and Procedures Manual will likely receive a fine if investigated by the CAI.
5. Publish those policies and procedures on corporate website(s). Your Privacy Manager must arrange the publishing of your Privacy Policies and Procedures. We have an excellent structure here at Newport Thomson, including templates that we are currently automating so an organization of any size can log in, set up their Manual and allow their staff (and the public) to view the details.
6. Conduct DPIAs for every new “information system project or electronic service delivery project involving PI” (Sec 3.3). Any time a significant change is made to your system or new software is added to your network, a Data Protection Impact Assessment (DPIA) must be completed. For those not familiar with DPIAs: they help an organization fully understand the data it is collecting, using, storing, sharing and deleting. A DPIA forces the organization to thoroughly think its data governance through, understanding the potential impact on the individuals whose personal data it holds.
7. The Privacy Manager must be involved in the DPIA process (Sec 3.2). This must be led by the Privacy Manager, not simply delegated to a convenient staffer or contractor. Many consultants are very familiar with this process and can be a key part of it, but the Privacy Manager is in the lead.
8. All data must be kept in a “structured, commonly used technical format” (Sec 3.3). In the past, organizations have used formats that make it far more difficult, even impossible, to transfer a person’s personal data to a competitor at the request of the individual. That stops now. This is something we expect to see a lot of fines for under Bill 64. As it is the final issue to come into force, organizations do have some time to figure this out, but Privacy Managers would do well to start planning how to do this now. It is a key part of the compliance journey.
9. Take reasonable measures to “reduce the risk of injury” from Confidentiality Incidents (Sec 3.5). As soon as a Confidentiality Incident that has the potential for “serious risk of injury” to the individuals involved is reported, the organization should communicate to all individuals involved how they might mitigate any serious injury.
10. Incidents that could result in a “risk of serious injury” must be reported to the Commission d’accès à l’information (CAI). These types of Confidentiality Incidents must be reported to the CAI immediately. The GDPR says within 72 hours. Bill 64 and PIPEDA say within a “reasonable timeframe”.
11. If an incident involves the possibility of a risk of serious injury, the Data Subjects must be informed and told what they can do to minimize the risks, unless doing so could hamper an investigation (Sec 3.5). If revealing the incident to the public could potentially worsen the situation, the “reasonable timeframe” can be moved out until it is safe to do so.
12. All communication documents (to the CAI or Data Subjects) must be retained and stored (Sec 3.5). As there has been no enforced requirement to communicate, most organizations do not have a process in place to do so. We recommend the Privacy Manager create this process and write policies & procedures that would be included in the Privacy & Security Manual. These procedures should include a simple method of logging this information in a manner that makes it easy to retrieve when required.
13. Must evaluate every Confidentiality Incident to ensure the protection of the personal data (Sec 3.7). The Privacy Manager and the CEO (highest authority) are always accountable for the protection of personal data within the organization, so every Confidentiality Incident should be assessed to ensure the data subject is protected.
14. The Privacy Manager must inform the CEO in writing (Sec 3.7). As the highest authority is accountable, there must be clear policies & procedures for communicating key points to the CEO.
15. Build and maintain a registry (log) of all Confidentiality Incidents (Sec 3.8). The CAI can request a log of all Confidentiality Incidents the organization has experienced. Once again, with no enforced law requiring this, most organizations do not have a process in place. We are in the process of automating a Confidentiality Incident Reporting Portal that will allow anyone on your team (staff or third-party suppliers) to report a Confidentiality Incident, including the critical detail the CAI may require. While the organization is not required to report every little incident, it does have to create a registry so these details can be easily retrieved on request. Organizations that do not create and maintain an accurate log will in all likelihood be fined.
16. Provide a copy of the registry to the CAI upon demand (Sec 3.8). See the requirement above.
17. Determine the purpose for collecting PI prior to collecting it (Sec 4). This is one of the primary purposes of completing a DPIA (mentioned in #6 and #7 above). In the past, when collecting personal data we often collected it first and then figured out what to do with it. Under Bill 64 (and most other data protection and privacy laws), an organization must know what it intends to do with the information and communicate it in a clear statement when collecting that data (at the point of collection). Stretching that purpose limitation too far will likely result in fines and orders to change your processes to come into compliance. Should an organization wish to use that data for another, unrelated purpose, it must seek consent from each individual to do so.
18. Seek parental consent for minors under the age of 14 (Sec 4.1). Pretty straightforward. Quebec has set its age of minority at 14. The GDPR sets it between 13 and 16, with some flexibility for each EU country. In Canada, parental consent is required for anyone under the age of 14 if you wish to process their personal data in any manner.
19. Information must be collected by lawful means and ONLY for the purposes for which it was collected (Sec 5). Even how an organization originally collects personal data is subject to new rules. At the point of collection, what you are collecting and why you are collecting it must be revealed in plain language. The CAI will likely treat this similarly to the EU DPAs: if the consumer does not know what they signed up for, they did not provide meaningful consent. Should the organization wish to use this data for another purpose, consent must be sought such that the data subject knows at all times what is being done with their data.
20. Limit the collection of PI to the person involved unless they consent to third-party sharing; some exceptions apply under certain circumstances (Sec 6). With a few exceptions, collection of the data should be managed by the organization that controls what is or is not done with it. Collecting for third parties is allowed when those parties are listed at the point of collection. As you can see, TRANSPARENCY is critical under most of these new data protection & privacy laws.
21. Reveal the source of the information, with some exceptions (Sec 7). As above, if you are a third party entitled to use a person’s personal data, when doing so you must be transparent with the data subject about how you came by their PI and who your business partner is (the organization that collected it in the first place).
22. At the time of collection, the data subject must be informed of (Sec 8):
   - the purpose for collection,
   - the means by which the information is collected,
   - the rights to access or rectify, and
   - their right to withdraw consent to use this information.
   All forms that are used to collect personal data must include these 4 elements in plain language. It is OK to create a standard paragraph that includes all 4 elements. This same paragraph can be used for all online and offline forms.
23. If this data is to be shared, the data subject must be given the name of the organization with whom the data will be shared, including whether they are located outside Quebec (Sec 8). Should any of the third parties you will share the data with be located outside of Quebec, it is the organization’s responsibility to ensure that the laws of the jurisdiction it is transferred to provide data protection equivalent to Quebec’s.
24. All language used in the collection of PI must be “clear and simple” (Sec 8). In the past, most organizations have used “legalese” to describe Privacy Policies and opt-in language. Most new data protection & privacy laws require that the language used to communicate a person’s rights when they are providing consent must be “plain language”. We recommend your marketing department write the language and your legal counsel vet it to ensure corporate risk is well managed.
25. When profiling an individual, they must be informed of (Sec 8.1):
   - the use of the profiling technology, and
   - how to easily opt out of being profiled.
   If your organization profiles an individual, they must be notified of the technologies being used and they must be offered a simple opt-out mechanism that ensures they will not be profiled. In the past we have simply done what’s in the best interest of the organization. Bill 64 requires you to do what’s in the best interest of the individual.
Organizations that operate across Canada now have a lot more obligations due to Quebec’s Bill 64. We will publish an article with additional obligations shortly. If you wish to understand the entire scope of how this new law impacts your organization, you are welcome to reach out to info@newportthomson.com to request an online meeting.