The Quebec government adopted An Act to modernize legislative provisions as regards the protection of personal informationon September 21, 2021. Originally introduced as Bill 64, it is now often referred to as Act 25, Law 25 or Bill 25 in English (Loi 25 in French).
This legislation creates new requirements for businesses operating in Quebec. What are those requirements and how can you meet them?
Why personal data needs to be protected
Why was it necessary to introduce legislation protecting the personal data of customers and business partners?
Personal information is now used for many different purposes. Data such as last names, first names and birthdates can be cross-referenced against a broad range of other private information in order to deliver services of all kinds: banking, transportation, healthcare, etc.
Since that information is considered “sensitive” and confidential, there are some risks involved when businesses use it.
When it comes to personal information, privacy is essential because the data can be used for fraudulent purposes if it falls into the hands of someone with malicious intentions.
Protecting data integrity is also very important so that problems can be avoided at the technology level.
For example, a failure affectingpersonal data in your payroll system could impact your team members. They could be paid the wrong amount, be paid late, have their pay deposited into an account they don't have access to, or simply receive no pay at all.
Overview of Bill 25
The legislation mandates best practices for protecting personal information. The aim is to make businesses accountable by imposing hefty administrative penalties for non-compliance with the requirements.
The legislation’s objective is to ensure the security of all operations where personal information is processed. Critical standards for security logistics are outlined in the Act.
Another goal of the legislation is to ensure that personal information is always processed for specific, justifiable purposes. In other words, there should be a reason for processing the data.
Is the personal data needed for the processing operation? Using as little information as possible and limiting it to what’s necessary reduces the risk of errors. Processing only the applicable data also minimizes the risk of compromising sensitive data if a leak occurs.
All processing must be done only with the consent of the relevant persons.
Requirements starting in 2022
Businesses must comply with certain provisions of Bill 25 as of September 22, 2022.
First, every business must appoint a “person in charge of the protection of personal information” (privacy officer).
If no one else is appointed, the chief executive of the business is deemed to hold that function. There are no specific qualifications indicated in the Act but the role does require a certain level of competency.
Privacy officers must approve a personal data protection policy for their business.
They’re also responsible for assessing which document management and physical infrastructure protection practices and IT security measures need to be implemented to protect customer and partner data.
Effective September 2022, if your business experiences a data breach (which is called a “confidentiality incident” in the legislation), you’re required to notify the Quebec Commission d’accès à l’information (CAI) and the individuals affected.
In the Act, a confidentiality incident is defined as unauthorized access, use or disclosure of personal information, the loss of personal information or any other breach in the protection of that information.
— Bill 25
Another requirement under the legislation is to do an inventory of operations that involve the personal data of customers or partners in order to better define the types of incidents that the business may need to address.
Taking reasonable measures
Under the Act, if a business suspects that a data breach has occurred, they’re required to take “reasonable measures to reduce the risk of injury and to prevent new incidents.”
This requirement means that your business must have security monitoring and network surveillance tools in place to determine whether a breach has actually occurred.
As an example, a reasonable measure could be creating an in-house crisis management team to answer questions from the public within a short timeframe.
Requirements coming in September 2023
Starting in 2023, privacy officers will have to deploy the personal data governance policy for their business, including their framework for data retention and destruction.
The policy must also define the roles and responsibilities of personnel and provide a process for dealing with complaints.
To ensure that the policy is applied effectively within the business, privacy officers are expected to organize suitable training for personnel.
Additionally, the personal data governance policy should be made available to customers through a website.
Privacy impact assessment
As of September 2023, privacy officers must ensure that a privacy impact assessment (PIA) is done for all personal data processed in their business.
The assessment is intended to assign a risk level each time data is processed by the business.
Let’s imagine that your customer relations department keeps personal information for each complaint filed. The data record contains the nature of the complaint and the complainant’s name and contact information, including their email address, phone number and mailing address.
The privacy officer or their team is responsible for assessing whether the procedure complies with the legislation’s key principles:
- Is each type of data collected necessary to properly handle the complaint?
- Did the person filing the complaint consent to having that information recorded?
- Does the person benefit from the highest level of protection for their personal information?
In this scenario, the privacy officer has tomake sure the person filing the complaint is clearly informed that their data is being recorded. Given the nature of the data gathered, the privacy officer should also ensure that only personnel with a legitimate purpose can access the data.
How is non-compliance treated?
Substantial penalties will be applied by the Commission d’accès à l’information if businesses don’t comply with the legislation.
The Commission d’accès à l’information is both an administrative tribunal and an oversight body that monitors the application of the Act respecting Access to documents held by public bodies and the Protection of personal information (Access Act) and the Act respecting the protection of personal information in the private sector (Private Sector Act). It is also responsible for promoting and ensuring compliance with citizens’ rights to access public sector documents as well as protecting their personal information. [Translation]
Administrative penalties and penal sanctions may be imposed on businesses, up to a maximum of $25 million or 4% of their global business volume.
In addition, non-compliant businesses could also expect a negative impact on their reputation.
Most importantly, complying with Bill 25 means your business is ensuring that sensitive data belonging to your customers and partners remains secure.
Bill 25 makes numerous changes affecting how Quebec businesses handle personal data.
Consulting with a privacy expert is a good way to be sure your business complies with all the new legal provisions.