The Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c. 25, amending the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 [Act], among others, was proclaimed in force on September 22, 2021. Several provisions came into force on September 22, 2022. The bulk of the amendments, however, will come into force only on September 22, 2023.

As employers will face new obligations on that date, it is important to bear in mind both existing and upcoming rules.

The following is a brief overview of the new obligations that will apply to many private sector employers. Although not the focus of this discussion, several similar amendments have also been made to the corresponding statute that applies in the public sector, the Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c A-2.1.

Appointment of a Person in Charge of the Protection of Personal Information

As of September 22, 2022, a "person carrying on an enterprise" [Enterprise] must designate a person in charge of the protection of personal information [Person in Charge]. That person is responsible for receiving requests for access to or for correction of personal information. The person's title and contact information must be published on the Enterprise's website or made available by other appropriate means.

Obligation to Adopt a Policy Regarding the Management of Personal Information

As of September 22, 2023, the Enterprise will also be required to adopt and implement policies and practices regarding the management of personal information.

Detailed information regarding these policies and practices must be published on the Enterprise's website or made available by some other appropriate means. That information must include the following:

  • The framework for the keeping and destruction of personal information;
  • The roles and responsibilities of the personnel involved;
  • The complaints process.

Obligation to Report Confidentiality Incidents

Since September 22, 2022, the Enterprise must disclose any confidentiality incident likely to cause serious prejudice both to the Commission d'accès à l'information [Commission] and to any person, including its employees, whose personal information is involved. Such breaches must also be noted in a register.

Unauthorized access, disclosure, or use of personal information as well as the loss of personal information are all situations that constitute confidentiality incidents.

New Provisions on the Collection of Employees' Personal Information, and on Work Performance Monitoring Technology

As part of the management and control of employees' work performance, employers may use technology to evaluate, analyze, or calculate work performance. Often called "remote monitoring" or "cyber surveillance", such technology may take various forms: checking unauthorized Internet use, tracking e-mails, monitoring phone calls and movements, and a variety of digital surveillance means to determine when an employee is or is not working.[1]

In addition to respecting the privacy obligations imposed by the Civil Code of Québec, Quebec's Charter of Human Rights and Freedoms and the Canadian Charter of Rights and Freedoms, where applicable, as of September 22, 2023, employers will have to inform their employees when using surveillance technology that allows employers to monitor, identify, locate, or profile them for purposes of analyzing work performance. They will also have to inform employees of the means used to activate the functionalities that monitor work performance.

Employers will also have to inform employees of:

  • The purposes for which the information is collected;
  • How it is collected;
  • The rights allowed by the Act to access and rectify the information;
  • The employees' right to withdraw their consent to the communication or use of the information collected;
  • If applicable, the name of the third party for whom the information is collected or to whom it will be communicated.

If requested, the employer will also have to inform the employee of the following:

  • The personal information that is collected;
  • The categories of people within the company who will have access to it;
  • The period of time during which the information will be kept;
  • The contact information of the person in charge.

As of September 22, 2023, an enterprise that collects personal information regarding its employees for a serious and legitimate reason will have to stipulate the purposes for collecting the information before doing so. The information collected may only be used for the purposes identified before being collected, save exceptionally, and may not be used for other purposes without the employee's consent.

Note that the Act is now clear: since September 22, 2022, the position and title of persons within an Enterprise as well as the coordinates of their workplace constitute personal information that is not protected.

Securing the Employee's Consent: New Formal Requirements

Presently, an employee's consent is required before her or his personal information can be communicated to a third person, save exceptionally.

As of September 22, 2023, the employee's consent will be required prior to using her or his personal information for purposes other than those for which it has been collected or to communicate such personal information to a third party.

The Act will also require the employee's written consent to be registered in a separate and distinct document. Concretely, this means that employers will no longer be allowed to simply insert a consent clause within the original employment contract.

The Obligation to Disclose Use of an Automatic Application Processing System for Hiring or Promoting

As of September 22, 2023, an employer using automated processing, often based on artificial intelligence, to screen applications received as part of a recruitment process will have to inform the candidates that such a process was used, and allow them to submit observations.

On request, the employer must also inform the applicant concerned of:

  • The personal information that was used to render the decision;
  • The reasons and principal factors and parameters having led to the decision;
  • Their right to have the personal information corrected.

Recourse, Remedies and Sanctions

Since September 22, 2022, it is prohibited to demote, suspend, dismiss, transfer, or impose any other disciplinary measure on an employee for having filed a complaint with the Commission.

As of September 22, 2023, employees will be allowed to file a complaint anonymously on any matter relating to the processing of personal information by their employer and the employer's practice in this regard.

An enterprise that does not abide by the law, notably when collecting, using, communicating, storing, or destroying personal information in contravention of the statute, is liable to an administrative sanction of up to the greater of $10 million or 2% of worldwide turnover for the preceding fiscal year.

The Enterprise is also liable to fines of an amount of $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.

Bear in mind that fines, as penal sanctions, are different from administrative penalties. Administrative penalties, by exception, allow the Enterprise, upon written undertaking, to take the measures deemed necessary by the Commission to remedy the failures noted in the notice of non-compliance issued by the Commission. If the undertaking is accepted by the Commission and is complied with, no monetary administrative penalty will be imposed.

Monetary administrative penalties, when applied, can be reviewed and re-examined by the Commission, and then be contested before the Court of Québec as needed.

The Commission cannot impose a monetary administrative penalty on a person when a statement of offence has already been served on the person for a failure to comply with the same provision on the same day, based on the same facts.

Footnote

1. Catherine Massé-Lacoste and Camille G. Grenon, « Télésurveillance : le contrôle de la prestation de travail à l'ère du télétravail et ses limites », in SFCBQ, vol. 511, Développements récents en droit du travail, Cowansville, Éditions Yvon Blais, 2022, p. 8.
