Personal data breaches are becoming more and more common. They now occur in government agencies, credit agencies, and even private companies.
On September 21, 2021, the National Assembly of Québec voted to pass the Act to modernize legislative provisions as regards the protection of personal information, also known as Bill 64.
The Act’s requirements will progressively take effect on September 22 in 2022, 2023, and 2024.
Bill 64 in brief
Bill 64 amends the Act respecting the protection of personal information in the private sector in Quebec. This Act applies to personal information of any kind, whether written, graphic, audible, visual, digital, or other. Any person operating a company governed by this Act must ensure that the documents it holds remain confidential.
Furthermore, subject to the exceptions provided for in the Act, personal information may never be communicated to other parties. When a company holds a file on a person, it must confirm the existence of that file upon the person's request. The person may then ask that inaccurate information be rectified, or that information be deleted if it is obsolete or its collection is not justified. In this respect, the law is similar to the federal Personal Information Protection and Electronic Documents Act. [2]
What exactly is personal information?
Personal data, or personally identifiable information, can be used to confirm an individual’s identity. Generally, it is information pertaining to a person’s:
- Race, nationality, ethnicity, religion
- Age or marital status
- Medical, academic, professional background
- Financial transactions and other identifying numbers
- Perspectives and opinion as an employee
The following is generally not considered personal information:
- Information not pertaining to an individual, either because the association is too vague or removed
- Information about an organization such as a company
- Some information about public officials, such as their name and professional title
- A person’s professional contact information that a company collects, uses, or communicates solely to enter into contact with them as part of their employment, their company, or their profession
- Government information
What actions should company executives take?
1. Appoint a Privacy Officer
Starting on September 22, 2022, your company will have to appoint a Privacy Officer in writing.
The Privacy Officer's main task is to make sure the company complies with and implements Bill 64. This person's title and contact information must appear on your website by September 22, 2022. Here are a few examples of their duties:
- Implementing the policies and practices surrounding the protection of personal information in your company, including:
  - Carrying out Privacy Impact Assessments
  - Managing incidents and the reporting process
  - Communicating with members of the team to make sure they are aware of the issue and have the appropriate training to protect personal information
  - Implementing measures to simplify data storage
These tasks do not all have to be handled by one single person; the Privacy Officer can rely on a team for these matters. However, they require in-depth knowledge of your company and of the processes currently in place to protect personal data.
It is worth noting that if no Privacy Officer is appointed, the highest-ranking person in the company automatically inherits this role.
2. Report confidentiality incidents
The second obligation that comes into effect on September 22, 2022, is the duty to report confidentiality incidents. Bill 64 states that companies must notify the Commission d'accès à l'information (CAI) [3], as well as any person concerned, of confidentiality incidents involving personal information if the incident presents a serious risk of harm.
A confidentiality incident occurs when there has been unauthorized access to, use of, or communication of your clients' personal information, the loss of that information, or any other breach of its protection.
To determine whether the incident presents a serious risk, the following must be considered: the sensitivity of the information, the anticipated consequences of its use, and the probability that it will be used in a harmful way. This assessment can be made together with your Privacy Officer and attorney.
Moreover, companies must keep a register of confidentiality incidents which must be sent to the CAI upon request. Bill 64 also means you must:
- Implement adequate security measures to prevent confidentiality incidents from occurring and to detect them quickly. To this effect, your company must keep a register of the personal data it collects.
- Define an incident management process to document each incident, determine whether personal data is involved, and implement effective corrective measures to minimize harm.
- Define the roles and responsibilities of your staff when an incident occurs.
- Make sure the register is updated after every incident involving personal data.
- Establish the process to follow when an incident presents a serious risk of harm and must be reported to the Commission d'accès à l'information and/or the persons concerned, including the remediation measures that will be recommended to them in that situation.
All of this needs to be planned before a confidentiality incident occurs. Several practical tools are available, such as a guide [4] prepared by the CAI that covers what to consider when personal information is lost or stolen.
What you need to remember
Bill 64 pertains to personal information of every kind that is held by companies and organizations operating in Quebec.
Company CEOs might believe they have plenty of time to implement new processes to comply with Bill 64. Unfortunately, this is not the case.
Even though most obligations only enter into force on September 22, 2023, business owners should not wait until September 2023 to take action.