  • Anmol Trehin

(Part 2) Understanding Law 25: New Amendments in Force on September 22, 2023

If you're just joining us, we recommend taking a moment to read Part 1 of our Law 25 (or "Bill 64") series, where we provided an in-depth introduction to privacy law amendments in force since September 22, 2022. It's the foundation upon which today's blog builds, and you'll find essential insights into the changes shaping data privacy in Quebec.


Today, it's all about what's happening right now, on this very day, September 22, 2023. We're diving straight into the second set of amendments. So, if you missed Part One, check it out for the groundwork.


Governance Policies and Practices


For businesses, Law 25 mandates the establishment and implementation of governance policies and practices dedicated to safeguarding personal information. These policies must not only provide a robust framework for information management but also define roles and responsibilities throughout the data lifecycle. Furthermore, they should incorporate a streamlined process for addressing complaints related to data protection.


But that's not all; the law requires these policies to be proportionate to a business’s nature and scope, and receive the approval of the privacy officer. To foster greater transparency, these policies must then be made available in clear and simple language, either on the organization’s website or, if the enterprise does not have one, through other accessible means.


How Your Business Can Prepare

  • Review and amend existing governance policies and practices used to safeguard data.

  • Update or implement policies and procedures to establish the roles and responsibilities of the organization through the personal information life cycle.

  • Develop a training program for employees who will have access to and use of personal information.

  • Have your policies approved by the privacy officer.

  • Publish the policies on your organization’s website.

Privacy Impact Assessment


Law 25 mandates conducting a PIA for any project concerning the acquisition, development, or overhaul of information systems or electronic service delivery systems. This process is collaborative, requiring the consultation of the privacy officer right from the project’s inception.


The sensitivity of the information, its intended use, the quantity and distribution, and the storage medium - all these factors influence the scale of the PIA. And remember, the process must align with the information's level of sensitivity and purpose.


Throughout the lifecycle of a project involving the collection, use, communication, keeping, or destruction of personal information, the privacy officer wields a critical role. At any stage, they can propose vital protection measures tailored to the project's specific needs. These measures might include designating a person to oversee the implementation of personal information safeguards, implementing measures to secure personal information in project-related documents, defining clear responsibilities for project participants concerning personal information protection, and conducting essential training activities for project members on safeguarding personal information. This proactive approach ensures that personal information remains shielded and compliant throughout the project's journey.


In March 2021, the Commission d’accès à l’information (the “CAI”) published a guide for conducting a PIA. According to this guide, the following projects may require the collection, use, or communication of personal information, thus necessitating a PIA:

  1. Develop a new information system or a technique for customizing a product or service.

  2. Seek out new customers, explore new markets.

  3. Use an algorithm or artificial intelligence system.

  4. Install a video surveillance system.

  5. Compare different versions of databases or files.

  6. Acquire or merge organizations.

  7. Use fingerprinting, geolocation, facial recognition, connected recognition, connected objects, smart city sensors, etc.

How Your Business Can Prepare

  • Develop a procedure for conducting a PIA and create a template to use across various projects.

  • Train staff on completing a PIA.

Collection of Personal Information


Transparency is key when it comes to collecting personal information. Law 25 requires that individuals be informed about why, how, and for what purposes their data is collected. Rights of access, rectification, and the option to withdraw consent must be clearly communicated.


Additionally, if technology is used to identify, locate, or profile individuals, they must be informed about this technology's usage and how to activate or deactivate these functions. When utilizing technology for data collection, a clear and simple confidentiality policy must be published on the enterprise's website, and updated as necessary.


How Your Business Can Prepare

  • Prepare an inventory of the technology used to identify, locate, or profile individuals.

  • Create a clear policy to inform individuals about the use of the technology at the time the information is collected and how to activate or deactivate its features.

  • Publish the confidentiality policy on your organization’s website.

Valid Consent


Consent is the linchpin of data collection, and Law 25 emphasizes its clarity, freedom, and specificity. It must be requested separately for each purpose, using clear and simple language. When dealing with minors, those under 14 require consent from a person with parental authority, while those 14 and over can provide their consent.


However, remember that consent is only valid for the time necessary to achieve its intended purposes. Consent not obtained in accordance with the law is null and void.


The CAI’s draft guidelines provide that, to be valid, consent must be clear, free, informed, specific, granular, understood, temporary, and distinct. Let’s take a look at each of these briefly.

  1. Clear: given in a way that demonstrates the intent of the person. In most cases, valid consent is expressly given.

  2. Free: the person concerned must be able to exercise their choice without undue influence or disproportionate harm. Consent given freely implies real choice and control, without coercion or pressure.

  3. Informed: meaning the consent must be precise and based on the appropriate knowledge. The individual giving consent must know what they are consenting to and what it entails.

  4. Specific: the consent must be given for a specific purpose, meaning that it is precise and defined. A person can only consent if they are in a position to understand exactly what is being asked of them.

  5. Granular: requested for each specific purpose.

  6. Understood: meaning that it is presented in simple, clear terms both for the information and for the precise statement of acceptance or refusal.

  7. Distinct: consent requested in writing must be presented distinct from any other information. For example, it must be featured in its own section or interface making it easily accessible to the person whose consent is required.

  8. Temporary: the consent must be valid for a limited period of time, i.e. it is valid only for as long as is necessary for the purposes for which it was requested.

How Your Business Can Prepare

  • Review and amend privacy notices (in particular concerning minors under the age of 14 years) and implement consent forms.

  • Implement a process for obtaining consent, and a process to assist individuals in understanding the scope of the consent requested.

  • Create an inventory of personal information collected.

Communication Without Consent


In certain cases, personal information can be communicated without consent if it's necessary for fulfilling a mandate, performing an enterprise contract, or providing services entrusted by the enterprise. This communication must be governed by a written agreement that outlines protective measures and ensures information confidentiality. Specifically, the agreement must include the measures the outsourced party must take to protect the confidentiality of the personal information communicated, ensure that the information is used only for carrying out the mandate or performing the contract, and ensure the other party does not need the information after the expiry of the agreement. Any violations or attempted violations must be reported promptly to the privacy officer.


How Your Business Can Prepare

  • Review and amend existing agreement templates to ensure compliance with the provisions of the Act.

Privacy by Default


For enterprises offering technological products or services that involve personal information collection, parameters must be set to ensure the highest level of confidentiality by default, without requiring action from individuals. However, this does not apply to privacy settings for browser cookies.


How Your Business Can Prepare

  • Implement any necessary design changes to ensure the default setting is set to provide the highest level of confidentiality.

Automated Decisions


When personal information is used for making automated decisions, individuals must be informed about this usage and provided with details about the decision-making process.


If the individual requests, the organization must also inform them of the personal information used to render the decision, the reasons, principal factors, and parameters that led to the decision, and the right of the individual concerned to have the personal information corrected. They should have the opportunity to submit observations and request corrections to their personal information used in such decisions.


How Your Business Can Prepare

  • Train staff to understand and be able to explain the reasons, principal factors, and parameters that lead to these automatic decisions.

  • Implement a process for handling requests to correct personal information used in automated decisions.

Transferring Information Outside Quebec


Before sharing personal information outside Quebec, a PIA is mandatory. This includes considering the information's sensitivity, intended use, protection measures, including the contractual ones that would apply to it, and the legal framework in the destination state. The information can only be shared if it's deemed to receive protection equivalent to Quebec's standards, in particular in light of generally recognized principles regarding the protection of personal information. Finally, the communication of the information must be subject to a written agreement that takes into account the results of the PIA, and the terms agreed on to mitigate any identified risk.


How Your Business Can Prepare

  • Map out data flows to identify where the personal information will be located.

  • Implement risk mitigation measures.

  • Update template agreements to incorporate the PIA results.

Destruction or Anonymization of Personal Information


Once the purposes for which personal information was collected or used are fulfilled, it must be either destroyed or anonymized. However, it may only be anonymized for use for a serious and legitimate purpose. Information is anonymized when it irreversibly no longer allows the person to be identified, directly or indirectly; anonymization must be carried out in accordance with generally accepted best practices and according to the criteria and terms established by regulation.


How Your Business Can Prepare

  • Create an inventory of personal information.

  • Establish retention periods for personal information.

  • Create a protocol for deleting personal information.

  • For information that may be anonymized, establish processes for de-identification.

Right to Be Forgotten


Individuals have the right to request the cessation of information dissemination, or the de-indexing of hyperlinks that provide access to their information by technological means, if the dissemination of the information contravenes the law or a court order.


Where certain conditions are met, the person may also require that the hyperlink providing access to the information be re-indexed. These conditions are: the dissemination of the information causes serious injury in relation to the right to the respect of reputation or privacy; the injury is clearly greater than the interest of the public in knowing the information or the interest of another person in expressing themselves freely; and the cessation of dissemination, re-indexation, or de-indexation requested does not exceed what is necessary to prevent the perpetuation of the injury.


To assess these criteria, the following must be taken into account: whether the person is a public figure; the fact that the information concerns a minor; whether the information is up to date and accurate; the sensitivity of the information; the context in which the information is disseminated; the time elapsed between the dissemination of the information and the request made under this section; and, where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of court records.


These requests are evaluated based on several criteria, including the injury caused to the individual's reputation or privacy and the context of information dissemination.


How Your Business Can Prepare

  • Implement a process for the cessation of information dissemination or de-indexing hyperlinks.

  • Create a checklist of the criteria to take into account for a right to be forgotten request.

  • Ensure the organization is able to verify the identity of the individual making the request.

  • Create a system that allows the organization to provide proof the information is no longer being disseminated, has been de-indexed, or re-indexed.

Introduction of Monetary Administrative Penalties


The CAI, or a designated person, may impose monetary administrative penalties on organizations that contravene the law. These penalties can go up to $10,000,000 or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.


Conclusion


As we delve deeper into the labyrinth of Law 25, remember that compliance is not just a legal obligation; it's a commitment to safeguarding the privacy and rights of individuals. Stay tuned for more insights on how to navigate the ever-evolving landscape of data privacy in Quebec.


This blog post is not legal advice and is for general informational purposes only. Always speak with a lawyer before acting on any of the information contained herein.
