Law 25 – compliance and control data privacy questions for the enterprise operating in Quebec.

As of September 22nd, 2023, the new Quebec privacy law will enforce article 63.5, which reads as follows:

A public body must carry out a privacy impact assessment of any project to acquire, develop or overhaul an information system or electronic service delivery involving the collection, use, disclosure, retention or destruction of personal information.

Are you prepared and ready?

 

There is a new guideline/decision tree published on the government site; unfortunately, it is only in French. I have listed the important steps and added my understanding of how to interpret these steps in line with the specific articles of the law.

 

Protect user data - Personally Identifiable Information

Collection of private information

The main question is: Is it really necessary to collect the data? Remember, it is costly to protect, process, store and secure the data, so it might well be easier to change your business processes and workflows in such a way that the minimum amount of data is collected. And if data is collected, at least try not to collect highly sensitive information that is even costlier to protect, such as social security numbers, driver's license IDs, health card IDs and passport numbers.

 

Supposing you have reviewed your data collection practices and you really MUST collect that data, then ask the following questions internally and check what the requirements of the new privacy laws in Quebec are.

 

1. Which program is applicable at collection?

‐ Does the project offer the person concerned a technological product or service having confidentiality parameters (article 63.7)? If yes, the highest level of confidentiality for personal data MUST be activated for the user, without the user being required to perform any particular action in order to activate this highest level of confidentiality. This requirement does not apply to cookies used as connection indicators.

2. Do you need to collect personal information?

‐ Does this information concern a minor (sections 53.1 and 64.1)? If yes, remember that consent for a person 14 years old (or less) can be given only by an adult/tutor, and it is valid only for a limited time period aligned with the reason for which the consent has been requested.

3. Have you checked the possibility:

- to use personal information already collected, if the Law allows it, when it is used for another end with or without consent (article 65.1)? This article is a little bit contradictory because the law says the personal information collected can be used ONLY for the purpose for which it has been collected. However, article 65.1 supersedes this requirement in the following cases:

“1. when its use is for purposes compatible with those for which it was collected;

2. when its use is clearly for the benefit of the person concerned;
3. when its use is necessary for the application of a law in Québec, whether or not such use is expressly provided for by law;
4. when its use is necessary for the purposes of study, research or the production of statistics and it is depersonalized.”

 

In the same article 65.1 we can find a definition for depersonalization of the personal information:

“For the purposes of this Act, personal information is depersonalized when this information no longer allows the person concerned to be directly identified.

A public body that uses depersonalized information must take reasonable measures to limit the risks that anyone will identify a natural person from depersonalized information.”

The definition of depersonalization is vague enough to allow companies to use techniques like truncating dates of birth or Social Insurance Numbers as a low-cost, quick solution that ensures compliance with the Law 25 requirements.

 

‐ to carry out a collection in collaboration with another public body (article 64)? Article 64 has been modified. There is a bypass of the collection requirements if you obtain a written agreement with the Commission; see below the conditions of the agreement.

“The collection referred to in the second paragraph must be preceded by an assessment of the factors relating to privacy and is carried out within the framework of a written agreement transmitted to the Commission. The agreement comes into force 30 days after it is received by the Commission.

This agreement must provide:

(1) the identification of the public body collecting the information and that of the public body for which the collection is carried out;

(2) the purposes for which the information is collected;

(3) the nature or type of information collected;

(4) the means by which the information is collected;

(5) the specific measures to ensure the protection of personal information;

(6) the periodicity of the collection;

(7) the duration of the agreement.”

 

- to collect less specific information, like an age group? That is, instead of collecting THE personal information, like the age of the person, consider collecting the age group for authentication purposes. The age group is not considered personal information.
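An added example, not part of the original article or of any government guidance: one way to apply the truncation (article 65.1) and age-group ideas above, with a small-group check as one possible "reasonable measure" against re-identification. The field names, age bands, sample records and threshold `k` are assumptions.

```python
from collections import Counter
from datetime import date

# Age bands are an assumption for this example; align them with your own assessment.
AGE_BANDS = [(0, 13, "0-13"), (14, 17, "14-17"), (18, 34, "18-34"),
             (35, 64, "35-64"), (65, 130, "65+")]

def age_group(birth: date, today: date) -> str:
    """Map a date of birth to a coarse age band."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    age = today.year - birth.year - (0 if had_birthday else 1)
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    raise ValueError(f"implausible age: {age}")

def depersonalize(record: dict, today: date) -> dict:
    """Build a new record from an allow-list; name and full SIN never pass through."""
    birth = date.fromisoformat(record["date_of_birth"])
    digits = "".join(c for c in record["sin"] if c.isdigit())
    if len(digits) != 9:
        raise ValueError("a SIN has 9 digits")
    return {
        "birth_year": birth.year,                  # truncated date of birth
        "age_group": age_group(birth, today),
        "sin_last3": digits[-3:],                  # truncated SIN
        "postal_area": record["postal_code"].replace(" ", "")[:3].upper(),
        "service": record["service"],
    }

def small_groups(rows: list, keys: tuple, k: int) -> dict:
    """Return attribute combinations shared by fewer than k rows (re-identification risk)."""
    counts = Counter(tuple(row[key] for key in keys) for row in rows)
    return {combo: n for combo, n in counts.items() if n < k}

# Constructed sample records; the names and SINs are fake.
SAMPLE = [
    {"name": "Person A", "date_of_birth": "2011-06-15", "sin": "000 000 001", "postal_code": "H2X 1Y4", "service": "library"},
    {"name": "Person B", "date_of_birth": "2008-01-01", "sin": "000-000-002", "postal_code": "g1r 4p5", "service": "transit"},
    {"name": "Person C", "date_of_birth": "1990-03-09", "sin": "000000003", "postal_code": "H2X 3K2", "service": "library"},
    {"name": "Person D", "date_of_birth": "1992-11-30", "sin": "000 000 004", "postal_code": "H2X 2T7", "service": "transit"},
]

if __name__ == "__main__":
    rows = [depersonalize(r, date(2024, 1, 1)) for r in SAMPLE]
    for combo, n in small_groups(rows, ("age_group", "postal_area"), k=2).items():
        print("review before release:", combo, "shared by", n, "row(s)")
```

Rows flagged by `small_groups` are candidates for further generalization or suppression before the depersonalized set is used.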

 

4. What medium is used? The channel used for the data collection (voice, SMS, chat, social networks, web, paper, fax, etc.) will have an impact on the way the data is secured and treated. The medium used can impact the solution required to address issues like:

- Data Masking,

- Encryption,

- Authentication,

- Disposal or Destruction of Old Media with Old Data,

- Secure and remote access.

5. Will the collection be done by a third party (section 67.2)? The private information can be freely exchanged between government entities, even without the acceptance of the concerned citizen.

‐ Is this third party outside of Quebec (section 70.1)? If yes, you must refuse to communicate the data to the outside entity if the information is not protected as per the Quebec privacy act.

 

“Before disclosing personal information outside Québec or entrusting a person or organization outside Québec with the task of holding, using or disclosing such information on its behalf, the public body must ensure that they will benefit from protection equivalent to that provided for in this Act.”

 

Limitation of use

If the information has been collected, that doesn’t mean everyone in your enterprise should have access to it. The access to the data should be modulated by the business process workflows and aligned to the business roles and rights of access.

A. Are the use and purposes of the data in line with those that had been planned at collection (see article 65.1)?

B. Is the personal information used of good quality? What is the authoritative source of this data? What controls are in place to ensure data integrity?

C. Have you identified other types of use (see section 65.1)?

D. Is consent required (sections 53.1 and 64.1)? Articles 53.1 and 64.1 detail the requirements for the consent of a minor; there are different requirements for minors of less than 14 years old vs 14 to 18 years old. The IT system needs to be designed in such a way that it follows the person through age advancement (minor less than 14, minor less than 18 and then adult) and keeps the historical private personal data, depending on the age of the person, aligned with the requirements of the law.

E. Is the depersonalization of information required or possible? The depersonalization of the data will lower the total overall cost of your IT solution and minimize risks for the enterprise in case of data loss.

F. Is the implementation decision exclusively based on an automated treatment of the data (section 65.2)? If yes, the person targeted by the data collection MUST be informed ON DEMAND, of the following:
“(1) personal information used to render the decision;
(2) the reasons, as well as the main factors and parameters, which led to the decision;
(3) his right to have the personal information used to make the decision corrected.”

G. Is the use of technology for identification, localization or profiling necessary (article 65.0.1)? If yes, profiling needs to be disclosed to the concerned person. The disclosure should detail in particular:

(1) the use of such technology;
(2) the means offered to activate the functions making it possible to identify, locate or perform profiling.

H. Will the use be made by a third party (section 67.2)?
‐ Is this third party outside of Quebec (section 70.1)?
Same implications as in the case of the collection of data by 3rd party. You should have in place controls on who has access to the data from the 3rd party employees or systems.

Communication (Data exchange)

A. Is communication of personal information necessary:
‐ with consent (articles 53, 53.1 and 64.1)? Again, note the reference to minors.
- without consent (article 59)? There are some exception cases when the personal data can be shared without consent, especially in line with the legal system and law enforcement.

B. Is the exercise of a mandate or a contract required (section 67.2)? If yes, again the personal data can be shared without consent.

C. Is the communication done outside Quebec (section 70.1)? Notice should be given that the data is communicated and stored outside Quebec.

D. What personal information is necessary for communication?

F. What medium is used?

 

 

Retention period

A. Will personal information be retained to serve the purposes for which it was collected or used (section 72)? “A public body must ensure that the personal information it keeps is up-to-date, accurate and complete to serve the purposes for which it was collected or used.”
‐ What are the measures to keep personal information up to date, accurate and complete?
- What is the retention period to respect? Article 73 states the responsibility for the data destruction, but the analysis of the exact retention timelines, depending on the applicable laws for archiving, stays with the enterprise: “When the purposes for which personal information was collected or used have been accomplished, the public body must destroy it.”

Means of destruction

B. Is personal information planned to be destroyed (article 73)? One way of destroying the data is by hashing it (anonymization).
‐ Can the personal information be anonymized for use for purposes of public interest?
- What is the personal information to anonymize?

C. Is personal information planned to be destroyed in accordance with the deadline listed in the retention schedule? The retention schedule needs to be confirmed with the business units, involving legal and finance departments. Here is a list of retention periods recommended by the government of Quebec: Retention Period | Gouvernement du Québec (quebec.ca)

Security and governance

These are the usual review points for the architecture and functionality of your IT systems, mapped to the new privacy Law 25 of Quebec:
• implement reasonable security measures to ensure the protection of information during design, during production and during the evolution period of the system (article 63.1), including access profiles, logging, incident alerts, confidentiality breaches, etc.;
• plan and provide a solution for the right of access to the data and the right of portability of the data;
• plan training activities for the staff members concerned so they can carry out their duties in respect of the privacy law;
• continuously update the assessment of the privacy factors and their definition;
• plan the administrative frameworks and the rules for the governance of the data (section 63.3); The rules supporting the governance of the data should be listed on the web site of the enterprise.
• plan and execute audits and intrusion tests, particularly in order to prevent confidentiality incidents and enhance the protection and security based on advanced technologies.
