The protection of personal information has become a major concern in the digital age, as our data and personal information have become a precious and vulnerable resource. The adoption in September 2022 of the Act to modernize legislative provisions respecting the protection of personal information ("Bill 25") represents a remarkable step forward in the protection of personal information. Bill 25 introduces important changes for private and public sector businesses in Quebec.
Among its objectives: to give individuals greater control over their personal information and to strengthen corporate obligations regarding consent, collection, disclosure and retention of personal information.
Here you'll find a brief overview of the main changes brought about by Bill 25 and the main obligations to which private companies operating in Quebec are now subject.
Obligation to adopt personal information governance policies/practices
Since September 2022, companies have been required to adopt internal governance policies and practices aimed at protecting personal information. To effectively build an internal information governance program and privacy policy, it is essential to identify the nature of the information your company collects, the purposes for which that information is used, and who within your organization needs access to it.
Any privacy policy must enable individuals to identify a company's practices regarding the collection, use, disclosure and retention of personal information, and must include:
- a description of the nature of the personal information and the means by which it is collected;
- the purposes for which personal information is collected, the retention period and the means of destruction;
- the measures put in place to ensure the protection of personal information collected;
- the establishment of an information management and access process; and
- the establishment of a process for handling complaints concerning the protection of personal information.
Requirement to obtain consent
Bill 25 requires manifest, free and informed consent to the collection, use and disclosure of personal information. Consent must be given for specific purposes. The specific purposes for which personal information is collected, used and disclosed must be disclosed to any person concerned in clear terms.
Obligation to designate a privacy officer
As of September 2023, all companies must designate a Privacy Officer within their organization, and define the tasks assigned to him or her. Although this role is assigned by default to the person with the highest authority within a company, any person can be designated and hold this position. The name and contact details of the person in charge must be publicly accessible and can usually be found in the privacy policy published on a company's website.
Obligation to report and keep a register of confidentiality incidents
In the event of a confidentiality incident (as this term is defined in the Act respecting access to documents held by public bodies and the protection of personal information), an assessment process must be set in motion to determine whether there is a risk of serious harm to the individuals concerned. Should this be the case, the company affected by the confidentiality incident will have to notify the Commission d'accès à l'information ("CAI") and any person concerned by such an incident.
At the same time, since September 2023, all companies are required to set up and maintain a confidentiality incident register, and to establish a procedure and response plan in the event of such an incident. All confidentiality incidents, whether or not they involve a risk of serious harm, must be recorded in an internal register set up for this purpose.
Sanctions
In closing, it should be noted that as of September 2023, the CAI, the body responsible for monitoring and enforcing compliance with privacy legislation, will have the power to impose penal and administrative sanctions. In the event of non-compliance with the obligations set out in Law 25, the penalties to be imposed on companies include:
- a criminal penalty of up to $25,000,000 or 4% of worldwide sales, whichever is greater;
- an administrative fine of up to $10,000,000 or 2% of worldwide sales, whichever is greater.
It's not always easy to keep abreast of the changes in legislation governing the protection of personal information, especially as other provisions of Bill 25 will come into force in 2024. Our team of lawyers is at your disposal to help you comply with current legislation and review your privacy practices and processes.