Bill 64 passed by the National Assembly makes significant amendments to the Act respecting the protection of personal information in the private sector ("the Privacy Act"). These amendments and the obligations they carry will come into force gradually in 2022, 2023 and 2024.
The Commission d'accès à l'information du Québec ("the Commission") is responsible for the application of the Privacy Act.
These new obligations apply to all Québec organizations, whether private or public, whether for-profit or not.
The first provisions of Bill 64 came into force in Quebec in September 2022. In this regard, the government has, by default, designated the highest-ranking individual in each Quebec organization or company as the person responsible for the protection of personal information ("PI") within that organization.
For more information on the nature of this information, see What is personal information.
In addition to meeting your current privacy obligations, as of September 22, 2022, each Quebec organization must:
We will explain below what each of these obligations consists of.
It is the responsibility of the Privacy Officer to ensure that the organization or company complies with the new provisions of the Privacy Act. While these responsibilities are numerous and go beyond the obligations listed above, we will focus here on the provisions that have been in force since September 22, 2022.
Each organization must designate an individual responsible for the protection of personal information (the Privacy Officer). As mentioned earlier, the Government of Quebec has already designated the highest-ranking member of each organization as the Privacy Officer. The organization may, however, formally designate another individual to fill this role. In this case, it is not necessary to notify the Commission.
On the other hand, it is essential to publish the title and contact details of the Privacy Officer on the organization's website or, if it does not have a website, to make them accessible by any other appropriate means.
A privacy incident is an event that could compromise the confidentiality of personal information held by an organization. This definition refers to personal information that identifies a customer, partner or staff member of the organization.
For more information on the nature of this information, see What is personal information.
A privacy incident generally involves the loss or theft of PI concerning one or more individuals. Such an incident can have disastrous consequences both for the organization and for the individuals whose personal information is compromised.
In the event of an incident, the organization has an obligation to take specific measures to mitigate the impact on the individuals concerned. In particular, the organization must:
The amendments to the Privacy Act provide more specifics regarding the nature of personal information that may be collected by organizations and the circumstances under which that information may be collected.
The law also provides, among other things, that the organization must disclose to the individuals concerned each use it intends to make of their personal information, and obtain, in each case, their consent to the use of their PI. However, these provisions do not come into force until 2023.
In some cases, an organization or company may share the personal information it collects or holds with third parties for research purposes. If this is the case within your organization, the Privacy Officer should conduct an analysis to identify the potential risks this practice poses to the protection of the PI concerned.
It is particularly important here to know which partners may have access to personal information held by the organization. For example, a merchant using a cloud-based point-of-sale solution should review the terms of use for that service. Such partners frequently use the personal information collected by their software for research purposes and include a clause to that effect in the Terms of Use. In addition to analyzing the provider's use of PI, you may need to disclose this use to the individuals concerned, whether they are customers, partners or employees of the organization.
This obligation rarely applies to a company's customers, but it may be more common in the case of employees or partners and/or subcontractors of an organization who would, for example, use biometric information to grant access to its premises or equipment.
One of the most important changes made to the Privacy Act by Bill 64 is the designation of a Privacy Officer responsible for the protection of personal information within each Quebec organization or enterprise. This designation carries a number of responsibilities with respect to any personal information collected and held by the organization.
The Privacy Officer must therefore be able to develop internal policies for the use of personal information and ensure that the organization complies with these policies at all times. This requires a solid knowledge of the mechanisms of the organization and the technologies that support them.
If someone in your organization already fulfills this role, the impact of the new regulations will likely be limited. If, on the other hand, you operate a small business on your own, then as of September 2022 you are required to perform these functions yourself, and the impact of the changes to the Privacy Act will be significant for you.
Nexop can help you understand these changes and develop a detailed action plan for you.