Are You Ready For Bill 64?

On September 22, 2022, the first set of amendments from Bill 64, specifically those to Quebec’s Act respecting the protection of personal information in the private sector (the Quebec Privacy Act), will come into force. Although most amendments will not come into force until September 2023, we wanted to highlight some key new obligations for all enterprises that do business across Canada and use personal data in the course of doing business.

PRIVACY OFFICER DELEGATION
“3.1. Any person carrying on an enterprise is responsible for protecting the personal information held by the person.

Within the enterprise, the person exercising the highest authority shall see to ensuring that this Act is implemented and complied with. That person shall exercise the function of person in charge of the protection of personal information; he may delegate all or part of that function in writing to a personnel member.

The title and contact information of the person in charge of the protection of personal information must be published on the enterprise’s website or, if the enterprise does not have a website, be made available by any other appropriate means.”

Now, by default, the person exercising the highest authority within the enterprise, for example the Chief Executive Officer, is the “person in charge of the protection of personal information.”

The role and activities of the “person in charge of the protection of personal information” can be delegated to any person, whether in-house or an outside privacy professional. Be sure to put this delegation in writing.

The title and contact information of the person in charge of the protection of personal information must also be published on the organization’s website or, if the organization does not have a website, by any other appropriate means.


MANDATORY REPORTING OF “CONFIDENTIALITY INCIDENTS”
Sections 3.5 through 3.8 include a requirement to document a Confidentiality Incident Reporting Plan and to train all employees in these policies and procedures.

Similar to the obligation under many international privacy and data protection laws, organizations must notify the Commission d’accès à l’information du Québec (CAI) and affected individuals of any “confidentiality incident” involving personal information that presents a risk of serious injury. Notifications must be made as soon as possible.

A “confidentiality incident” is defined to mean:

  1. access not authorized by law to personal information;
  2. use not authorized by law of personal information;
  3. communication not authorized by law of personal information; or
  4. loss of personal information or any other breach of the protection of such information.

In assessing whether a confidentiality incident presents a risk of serious injury, the organization must consider the sensitivity of the information, the anticipated consequences of its use, and the likelihood that such information will be used for injurious purposes.

Organizations must also keep a register of all confidentiality incidents and provide it to the CAI upon request.

DRAFT REGULATIONS

To help private sector enterprises, Quebec has published draft regulations respecting confidentiality incidents that are set to come into force on September 22, 2022.

The draft Regulation standardizes the content of the notices the public will receive when a confidentiality incident has occurred that presents a risk of serious injury. The public will be better informed as to the circumstances surrounding such incidents and the recommended recourses available to those who need to protect their personal information.

These regulations set out content requirements for notifications to the Commission and to individuals.

The regulations also prescribe that registers of confidentiality incidents must be kept for at least five years after the date the organization became aware of the incident.

What should be included in a report to the CAI?
Notices to the Commission d’accès à l’information that a confidentiality incident presents a risk of serious injury, given under the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector (chapter P-39.1), must be in writing and must contain:
(1) the name of the body affected by the confidentiality incident and any Québec business number assigned to such body under the Act respecting the legal publicity of enterprises (chapter P-44.1);
(2) the name and contact information of the person to be contacted in that body with regard to the incident;
(3) a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
(4) a brief description of the circumstances of the incident and what caused it, if known;
(5) the date or time period when the incident occurred or, if that is not known, the approximate time period;
(6) the date or time period when the body became aware of the incident;
(7) the number of persons concerned by the incident and the number of those who reside in Québec or, if that is not known, the approximate numbers;
(8) a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
(9) the measures the body has taken or intends to take to notify the persons whose personal information is concerned by the incident, pursuant to the Protection of personal information or the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector, and the date on which such persons were notified, or the expected time limit for the notification;
(10) the measures the body has taken or intends to take after the incident occurred, including those aimed at reducing the risk of injury or mitigating any such injury and those aimed at preventing new incidents of the same nature, and the date on which the measures were taken or the expected time limit for taking the measures; and
(11) if applicable, an indication that a person or body outside Québec that exercises similar functions to those of the Commission d’accès à l’information with respect to overseeing the protection of personal information has been notified of the incident.

This information must be sent as soon as possible, and any follow-up information should be provided as soon as it is discovered.

What should be included when notifying individuals involved?
Notices to persons whose personal information is concerned by a confidentiality incident presenting a risk of serious injury, given under the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector (chapter P-39.1), must contain:
(1) a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
(2) a brief description of the circumstances of the incident;
(3) the date or time period when the incident occurred or, if that is not known, the approximate time period;
(4) a brief description of the measures the body has taken or intends to take after the incident occurred in order to reduce the risks of injury;
(5) the measures that the body suggests the person concerned take in order to reduce the risk of injury or mitigate any such injury; and
(6) the contact information where the person concerned may obtain more information about the incident.

What should be included in the Register of Confidentiality Incidents?
The registers provided for in section 3.8 of the Act respecting the protection of personal information in the private sector (chapter P-39.1) must contain:
(1) a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
(2) a brief description of the circumstances of the incident;
(3) the date or time period when the incident occurred or, if that is not known, the approximate time period;
(4) the date or time period when the body became aware of the incident;
(5) the number of persons concerned by the incident or, if that is not known, the approximate number;
(6) a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
(7) if the incident presents a risk of serious injury, the transmission dates of the notices to the Commission d’accès à l’information and the persons concerned, pursuant to the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector, as well as an indication of whether the body issued public notices and, if applicable, its reasons for doing so; and
(8) a brief description of the measures the body has taken after the incident occurred in order to reduce the risks of injury.
The information in the Register of Confidentiality Incidents must be kept for at least five years after the enterprise became aware of the incident.

Under what circumstances would an enterprise issue a public notice?
The notices referred to in section 5 of the draft Regulations are sent to the persons concerned by the confidentiality incident.

Despite the first paragraph, the notices referred to in section 5 are given by way of a public notice in any of the following circumstances:
(1) when the fact of sending such notice is likely to cause increased injury to the person concerned;
(2) when the fact of sending such notice is likely to cause undue hardship for the body;
(3) when the body does not have the contact information for the person concerned.

The notices referred to in section 5 of the Regulations may also be given by way of a public notice if there is a need to act rapidly to reduce the risk of a serious injury or to mitigate any such injury. In such cases, the body must still send a notice to the person concerned with proper diligence, unless one of the circumstances listed in the second paragraph applies.
Pursuant to this section, public notices may be made by any method that could be reasonably expected to reach the person concerned.

DISCLOSURE OF PERSONAL INFORMATION NECESSARY FOR COMMERCIAL TRANSACTIONS
Organizations will now be allowed, subject to certain exceptions, to disclose personal information without the consent of the individual when the disclosure of personal information is necessary for the purpose of concluding a commercial transaction. This amendment will bring the Quebec Privacy Act in line with other private sector privacy statutes, including PIPEDA, and means that personal information may be shared in the due-diligence process.

A “commercial transaction” is defined to mean the “alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations.”

A data protection agreement must be in place between the parties. The organization receiving the personal information must agree to only use the information to conclude the transaction and to not communicate it without consent or as otherwise permitted by the Quebec Privacy Act. Receiving organizations must also agree to protect the confidentiality of the personal information and destroy it if it is no longer necessary to complete the transaction, or if the transaction falls apart.


Remember, documenting all of this is a requirement of PPIPS. If we can help, please reach out to info@newportthomson.com
