Law 25 – Does your company comply?


Since September 22, 2022, certain provisions of the Act to modernize legislative provisions as regards the protection of personal information (the “Law 25”) have come into force in Quebec. Other provisions of this act came into force on September 22, 2023, and others will not come into force until September 22, 2024.

The provisions of this legislation amend and modernize the Quebec legal framework applicable to the processing and protection of personal information, in particular by amending the Act respecting the protection of personal information in the private sector (the “Private Sector Act”).

The Private Sector Act applies to the processing of personal information collected, used or processed by a business in Quebec and aims to protect this information held by businesses. “Personal information” is information about an individual that allows that person to be identified.

Consent

Personal information is confidential. As a general rule, such information cannot be disclosed or communicated without the prior consent of the person concerned, except in cases provided for by law.

The exceptions provided for by law include emergency situations that endanger the life, health or safety of a person, or when the purpose of the communication is to prevent an act of violence, such as a suicide, for example.

Another exception provided for by law also concerns situations where access to personal information is requested in writing for the purposes of study, research or the production of statistics or for the conclusion of a commercial transaction.

For each of these exceptions, conditions must be met in order to be able to avail oneself of the exception.

For more information on all the exceptions and the conditions to be met in relation to them, please do not hesitate to contact our legal team.

New obligations under Law 25

As mentioned above, Law 25 amends the Private Sector Act by introducing new obligations that make the legal framework applicable to the processing of personal information collected by companies more stringent.

These new obligations are coming into force gradually in Quebec, with the result that some of them are already in force, while others will come into force in September 2024. This article focuses more specifically on the new obligations that came into force on September 22, 2022. A future article will focus on the new obligations that came into force more recently, on September 22, 2023.

Person responsible for the protection of personal information

One of the main new obligations that came into force in September 2022 is that a company must publish the title and contact details of a Privacy Officer on its website, or by any other appropriate means if it does not have a website. By default, the person with the highest authority within the company will act as the Privacy Officer, unless this function is delegated, in writing, to any other person.

Confidentiality incidents register

Companies must also keep a confidentiality incident register (the “Register”). This Register shall contain a record of all confidentiality incidents involving personal information collected by the company (the “Incident(s)”). A copy of this Register must be sent to the Commission d'accès à l'information du Quebec (the “Commission”), the organization responsible for the implementation and application of Law 25, at the Commission's request.

For the purposes of the law, an Incident constitutes:

  1. unauthorized access to personal information;
  2. unauthorized use of personal information;
  3. unauthorized disclosure of personal information;
  4. loss of personal information or any other breach of the protection of such information.

If the Incident presents a risk of serious harm, the Commission and any person concerned must be notified promptly. The company must also take reasonable measures to reduce the risk of harm to the persons concerned.

In relation to any Incident, the Register must contain the following information:

  • A description of the personal information affected by the Incident;
  • A description of the circumstances of the Incident;
  • The date or period when (i) the Incident took place, and when (ii) the company became aware of the Incident;
  • The number of people affected by the Incident;
  • A description of the elements that lead the company to conclude that there is, or is not, a risk of serious harm to the persons concerned, such as:
    • the sensitivity of the personal information concerned;
    • the potential malicious use of the information;
    • the anticipated consequences of the use of the information and the likelihood of it being used for harmful purposes;
  • The dates on which the notices have been sent to the Commission and to the persons concerned when the Incident presents a risk of serious harm. The company must also specify whether it has issued public notices and the reason for them;
  • A brief description of the measures taken by the company following the Incident, to reduce the risk of harm being caused.

Privacy impact assessment

The new obligations stipulated in Law 25 include the obligation to carry out a privacy impact assessment (“PIA”) in certain situations. By way of example, one of these situations, in relation to which a PIA has been mandatory since September 2022 and which is dealt with more specifically below, concerns the disclosure of personal information without the consent of the concerned person for the purposes of study, research or the production of statistics.

A PIA is an analysis that must be carried out by a company that has been asked by a third party to disclose personal information, and which aims to ensure the protection of personal information and respect for the privacy of individuals. This analysis must consider the positive and negative factors and the consequences for the privacy of the persons concerned if the request for communication is granted, in particular by assessing the risks of invasion of privacy and their consequences and by putting in place measures and strategies to prevent these risks from materializing.

The PIA aims to confirm that the conditions to be met in order to communicate the information without consent are met, namely that:

  1. The objective pursued can only be attained if the personal information is communicated;

If the objective can be achieved by using anonymized information, the communication of personal information will not be justified and therefore not permitted. Anonymized information is information that does not allow a person to be identified directly or indirectly.

Also, if the objective can be achieved by using depersonalized information, then only depersonalized information may be communicated. Depersonalized information is information that does not allow the direct identification of the person concerned.

  2. Requiring the researcher to obtain the consent of the persons concerned would be unreasonable;

For example, it will be considered unreasonable to require a researcher to obtain the consent of thousands of people whose addresses are unknown or out of date, or if the persons concerned are unable to give consent or are deceased.

  3. The objective pursued outweighs the impact of the communication/use of personal information on the privacy of the persons concerned;

This criterion aims to weigh up the objective pursued by the research in the public interest against the consequences of disclosing the personal information requested on the privacy of the persons concerned. The company must therefore consider the objective and its benefits for society, on the one hand, and the impact that disclosing the information may have on the persons concerned, on the other. The more sensitive the information, the greater the consequences of disclosing it will be considered to be.

  4. Personal information is used in such a way as to ensure its confidentiality;

The company must ensure that the intended use of the personal information guarantees its confidentiality, and that this personal information will benefit from protective measures that will safeguard it during communication and at all stages of the research. This analysis must take into account, in particular, the sensitivity and quantity of the personal information in question.

  5. Only the necessary information is provided.

The company must ensure that it only discloses to the researcher the personal information necessary to achieve its objective.

The content of the PIA will have to be proportional to the sensitivity of the information concerned, the purpose for which it is to be used, its quantity, its distribution and its medium. The more sensitive the information concerned (medical data, for example) or the greater the number of people involved, the more thorough the PIA will have to be.

Communication without consent

As mentioned above, it is possible for a company, in certain situations and under certain conditions, to communicate personal information without the consent of the person concerned.

Among these exceptions is the communication of personal information (i) for the purposes of study, research or the production of statistics or (ii) in the context of a commercial transaction. New rules surrounding these exceptions came into effect in September 2022.

Following a written request for access to personal information for the purposes of study, research or the production of statistics, a private company may agree to the request and communicate this information without consent. This is a discretionary power of the company, which may refuse to communicate the personal information requested. The researcher submitting such a request will have to provide reasons justifying the request and explain how the information will be used after it has been communicated. However, the company receiving the request must first carry out a PIA on the communication. If, following the PIA, the company accepts the request, an agreement must be concluded and a copy of it must be sent to the Commission, together with a PIA report containing the analysis carried out as part of the assessment. Thirty (30) days following the Commission's receipt of the agreement and the report, the agreement will come into force and the communication may take place, unless the Commission indicates otherwise.

In the context of a commercial transaction, it may be necessary for the purposes of concluding the said transaction to communicate personal information to the co-contracting party, for example, as part of a due diligence check. In order to be able to make such a communication without consent, the company will have to sign an agreement with the other party in which the latter undertakes to (i) use the information only for the purpose of concluding the commercial transaction, (ii) not communicate the information without the consent of the person concerned, (iii) take the necessary measures to ensure the protection of the confidentiality of the information, and (iv) destroy the information if the commercial transaction is not concluded or if its use is no longer necessary for the purposes of its conclusion.

Biometrics

If a company intends to use biometrics to verify or confirm the identity of individuals or to create a database of biometric characteristics or measurements, it must first notify the Commission.

Biometrics refers to the features that enable a person to be identified on the basis of their specific physical characteristics, such as fingerprints, voice, DNA, blood, saliva, urine, etc.

This information, which makes it possible to identify a person, is considered personal information and is therefore protected by law.

A company may not verify or confirm a person's identity by means of a process that captures biometric characteristics or measurements without having first disclosed this process to the Commission and without the express consent of the person concerned.

In the event that the company wishes to create a bank of biometric characteristics or measurements, disclosure to the Commission must be made at least sixty (60) days before the commissioning of such a bank of biometric characteristics or measurements.

Do you comply?

As mentioned above, these obligations have already been in force in Quebec for over a year! Are you in compliance with them?

If you need assistance in analyzing your compliance, the members of our legal team are available to assist and support you in your analysis and to answer your questions.