Skip to content

First obligations in effect since September 2022

Bill 64 passed by the National Assembly makes significant amendments to the Act respecting the protection of personal information in the private sector ("the Privacy Act"). These amendments and the obligations they carry will come into force gradually in 2022, 2023 and 2024.

The Commission d'accès à l'information du Québec ("the Commission") is responsible for the application of the Privacy Act.

These new obligations apply to all Québec organizations, whether private or public, whether for-profit or not.

The Privacy Officer

The first provisions of Bill 64 came into force in Quebec in September 2022. To this end, the government has de facto designated the highest ranked individual in each Quebec organization or company as being responsible for the protection of personal information ("PI") within that organization.

For more information on the nature of this information, see What is personal information.

 

Provisions entered into force on 22 September 2022

In addition to meeting your current privacy obligations, as of September 22, 2022, each Quebec organization must :

  1. Designate a person responsible for the protection of PI within the organization;
  2. Take specific measures in the event of a privacy incident;
  3. Comply with the new framework for the use of PI;
  4. Conduct a risk assessment prior to sharing PI for research purposes;
  5. Disclose the use of biometric measures to the Commission in advance.

We will explain below what each of these obligations consists of.

The obligations of the Privacy Officer

It is the responsibility of the privacy officer to ensure that the organization or company complies with the new provisions of the Privacy Act. While these responsibilities are numerous and go beyond the scope of the obligations listed above, we will focus here on the provisions that came into force since September 22, 2022.

Designate a person responsible for protecting PI in your organization

Each organization must designate an individual responsible for the protection of personal information (the Privacy Officer). As mentioned earlier, the Government of Quebec has already designated the highest ranking member of each organization as the Privacy officer. The organization may, however, formally designate another individual to fill this role. In this case, it is not necessary to notify the Commission.

On the other hand, it is essential to publish the title and contact details of the Privacy officer on the organisation's website or, if it does not have a website, to make them accessible by any other appropriate means.

Take specific measures in the event of a privacy incident

A privacy incident is an event that could compromise the confidentiality of personal information held by an organization. This definition refers to personal information that identifies a customer, partner or staff member of the organization.

For more information on the nature of this information, see What is personal information.

 

A privacy incident generally involves the loss or theft of PI regarding one or more individual(s). Such an incident can have disastrous consequences for both the organization and the individuals whose personal information would be compromised.

In the event of an incident, the organization has an obligation to take specific measures to mitigate the impact on the individuals concerned. In particular, the organization must:

  1. Disclose the incident to the Commission;
  2. Notify, if necessary, the individuals whose PI may have been compromised;
  3. Analyze the circumstances that led to the incident and identify the measures to be taken to mitigate the impact of the incident and to prevent such an incident from recurring.

Comply with the new framework governing the use of PI

The amendments to the Privacy Act provide more specifics regarding the nature of personal information that may be collected by organizations and the circumstances under which that information may be collected.

The law also provides, among other things, that the organization must disclose to the individuals concerned each use it intends to make of their personal information, and obtain, in each case, their consent to the use of their PI. However, these provisions do not come into force until 2023.

Conduct a risk assessment before sharing PI for research purposes

In some cases, an organization or company may share the personal information it collects or holds with third parties for research purposes. If this is the case within your organization, the Privacy Officer should conduct an analysis to identify the potential risks associated with this practice, with respect to the protection of the PI concerned.

It is particularly important here to be familiar with the partners who may have access to personal information held by the organization. For example, a merchant using a cloud-based point-of-sale solution should review the terms of use for that service. Such partners frequently use the personal information collected by their software for research purposes, and include a clause to that effect in the Terms of Use. In addition to analyzing the provider's use of PI, you may need to disclose this use to the individuals involved, whether they are customers, partners or employees of the organization.

Disclose the use of biometric measures to the Commission in advance

This obligation rarely applies to a company's customers, but it may be more common in the case of employees or partners and/or subcontractors of an organization who would, for example, use biometric information to grant access to its premises or equipment.

In short

One of the most important changes made to the Privacy Act by Bill 64 is the designation of a Privacy Officer responsible for the protection of personal information within each Quebec organization or enterprise. This designation carries a number of responsibilities with respect to any personal information collected and held by the organization.

The Privacy Officer must therefore be able to develop internal policies for the use of personal information and ensure that the organization complies with these policies at all times. This requires a solid knowledge of the mechanisms of the organization and the technologies that support them.

If someone in your organization already fulfills this role, the impact of the new regulations will likely be limited. If, on the other hand, you operate a small business on your own, as of September 2022, you are now required to perform these functions, and the impact of the changes Privacy Act will be significant for you.

Nexop can help you understand these changes and develop a detailed action plan for you.

 

CLICK BELOW TO BOOK A FREE CONSULTATION WITH OUR EXPERTS

ContactButtonImg_EN