Special Series - Bill 64 and the Modernization of Personal Information Protection Legislation

In response to our numerous publications, our podcast, and the training we provided via the Fasken Institute on December 8 of last year, "Changements à la Loi sur la protection des renseignements personnels : Comment se préparer à 2022, 2023 et 2024?", many of you have had questions for us. We have assembled the questions and prepared our answers in the form of three weekly bulletins:

  1. The first bulletin will cover questions related to the definition, retention of personal information (PI) and the penalties imposed by Act 25 ("Modernization Act") for breach of the obligations.
  2. The second bulletin will cover the more specific obligations governing transparency, consent and communication.
  3. The third and last bulletin will relate to governance within organizations in relation to personal information protection.

Our Resource Centre is still active and contains a series of bulletins and documents devoted to Act 25. So that you don't miss our upcoming bulletins and any other information on this subject, add your name to our distribution list to receive all communications in connection with the new law.

BULLETIN 1 (Definition, Retention, Penalties):

Definition of PI and Sensitive PI

1. In practice, what information is considered to be sensitive personal information (PI)?

Information is sensitive under the new definition if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or release, it entails a high level of reasonable expectation of privacy (Private Sector Act, s. 12).

We might ask whether financial information, in particular due to the context in which it is used or communicated, will be sensitive information, although it is not covered specifically.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

Sensitive Personal Information: Another Concept Borrowed From The GDPR

2. Can we rely on the definition of sensitive data in the GDPR?

Article 9 of the GDPR provides:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

While we might draw on the definition in the GDPR, it reflects a European rather than a North American mindset. We therefore do not believe that definition could serve as a guide, although some items will be considered sensitive under both pieces of legislation.

To learn more:

Sensitive Personal Information: Another Concept Borrowed From The GDPR

Work Contact Information

3. Could an individual's personal telephone number be considered to be personal information concerning the individual's performance of duties within an enterprise? If so, in what circumstances?

The Commission d'accès à l'information has held several times that the expression "telephone number at work" within the meaning of the Act respecting access to documents held by public bodies does not include an individual's personal telephone, since that would no longer be about the telephone at work. The same approach could be followed for the Act respecting the protection of personal information in the private sector.

4. Do these obligations apply to depersonalized personal information collected for statistical purposes by an enterprise that provides software, whether with or without the consent of the entity that uses the software?

The Act applies to personal information. Information that has merely been depersonalized (de-identified), rather than anonymized, is still personal information. The exception to consent for statistical purposes applies to the use and release of information, but not to its collection.

To learn more:

Technological and Legal Overview of the Concepts of "De-identified" and "Anonymized" Information under Bill 64

De-identify, Anonymize and De-index: New Verbs and New Obligations!

Individuals' Rights

5. What right do the persons concerned have in respect of their personal information? Can it be said to be similar to a property right?

Individuals have the following rights: right to information (including where a new technology is used); rights of access and correction; right to withdraw consent to the release of information collected; and a right to ask the enterprise to cease disseminating their personal information or to de-index any hyperlink attached to their name.

In Quebec, there is no recognized property right as such in personal information, but individuals have a right of control.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

Retention of data

6. At what point after the use of services by an individual does the obligation to destroy their personal information arise?

Under section 23 of the Private Sector Act, where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.

Enterprises must adopt a retention schedule by September 22, 2023, to take these considerations into account in a practical way in their organization.

To learn more:

De-identify, Anonymize and De-index: New Verbs and New Obligations!

7. What measures must be taken in relation to the retention of written consents obtained (place and length of retention, etc.)?

It is recommended that consents be retained on a server to which access is limited and that is separate from the server where the personal information is retained. Consents should be retained in accordance with a retention schedule that takes into account the purpose for which they were collected and the statutory prescription period.

To learn more:

Bill 64 – C as in Consent - An oversimplification?

8. In the case of an NPO, how long is it possible to retain donor files?

Act 25 does not provide specific retention rules for personal information collected and held by an NPO, which should follow the requirements set out in the previous answer.

Act 25 did, however, eliminate the possibility of using personal information for philanthropic prospection purposes without obtaining the consent of the person concerned for those purposes. This change will also come into force on September 22, 2023.

Penalties

9. How is the process leading to a penalty set in motion?

Before any penalty is imposed, the Commission d'accès à l'information ("CAI") will conduct an investigation, which may be in response to a complaint by an individual or at the initiative of the CAI.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

The Commission d'accès à l'information could issue penalties of up to $10 million based on administrative decisions

10. When an enterprise is facing a penalty, does it need to show that it has a policy in place?

Before any penalty is imposed, there will be an investigation. The enterprise will then have to show that it has complied with its obligations in respect of the protection of personal information. Those obligations are not limited to adopting a policy; they go much further and may include limited access to personal information, security measures adapted to the sensitivity of the personal information, limited retention periods, and so on.

11. Given that directors are not involved in the day-to-day management of the personal information held by the enterprise, is the provision that makes a director a party to an offence committed by a legal person legally valid?

Although they may delegate their powers, directors are, in principle, responsible for the management of the corporation. Numerous laws assign personal liability to directors and impose penalties if those laws are broken (for example, the Environment Quality Act, CQLR, c. Q-2, the Act respecting labour standards, CQLR, c. N-1.1, or the Business Corporations Act, CQLR, c. S-31.1). We would also note that section 93 is not new: directors are already liable when a legal person commits an offence under the current Act. Nonetheless, the obligations of directors are different from the obligations of the enterprise. A violation by the enterprise does not necessarily result in liability on the part of the directors, for example if they could not have avoided the violation.

12. Are public bodies (e.g., school boards, universities, municipal bodies) subject to the penal rules provided in Act 25?

The penal rules that apply to public bodies are different (new section 158 of the Access Act).

However, public sector employees may incur penal liability (new section 159 of the Access Act).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.