When Law 5, the Act respecting health and social services information, and its regulations (Regulation respecting the application of certain provisions of the Act respecting health and social services information, and Regulation respecting the governance of health and social services information) came into force, we outlined the scope of Law 5 in our first article. In this second article, we will examine:
- The similarities between Law 5 and the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Access Act”) (collectively, “Law 25”);
- The new requirements introduced by Law 5.
1. Common principles and obligations
While Law 25 and Law 5 establish distinct legal frameworks, they share similar principles and obligations regarding the protection of health and social services information (“health information”):
- Person in charge of the protection of personal information: The person exercising the highest authority within a health and social services body subject to Law 5 (a “health body”) is, by default, the person in charge of the protection of health information. This function may be delegated in writing.
- Governance policies: Health bodies must adopt and implement policies and governance rules for health information and publish them on their website.
- Necessity and purpose test: A health body must collect only the information necessary to achieve the objectives determined prior to the collection of health information.
- Criteria for valid consent: The consent of the persons concerned must be clear, free, and informed, and given for specific purposes. It must be requested for each such purpose in clear and simple language, and it is valid only for the time necessary to achieve the purposes for which it was requested.
- Default privacy settings: If a health body collects health information by offering technological products or services with privacy settings, it must ensure that the privacy settings provide the highest level of confidentiality by default, without any intervention by the person concerned.
- Technologies with identification, localization, and profiling functions: When a health body collects health information using technology with functions that identify, locate, or profile an individual, it must first inform the individual of the use of this technology and the means available to activate these functions.
- Security measures: It is the health body’s duty to implement security measures that ensure the protection of health information and that are reasonable in light of the sensitivity of the information, the purpose for which it is to be used, the quantity and distribution of the information, and the medium on which it is stored.
- Destruction and anonymization: Once the purposes for which the health information was collected have been achieved, the preservation period is exhausted and the information must be destroyed or anonymized.
- Contractual terms for outsourcing: A health body may disclose information to an agent or supplier (other than for a mandate or contract for the provision of health and social services) when the mandate is given in writing and includes specific terms and conditions in compliance with Law 5.
- Privacy incident: A health body that has cause to believe that a confidentiality incident involving information it holds has occurred, or that there is a risk of such an incident occurring, must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. When the incident presents a risk of serious injury, the health body must notify the Minister of Health and Social Services, the Commission d’accès à l’information, the persons concerned, and the persons or groups that could reduce this risk. It must also keep a register of confidentiality incidents.
- Rights of persons concerned: Law 5 grants users of the health and social services system a right of access, a right of rectification, a right to portability, and a right to withdraw consent.
- Privacy Impact Assessment (PIA): Health bodies will also have to carry out a PIA:
  - For any project involving the acquisition, development, or overhaul of technological products or services or electronic service delivery systems involving health information;
  - Before the communication of information outside Quebec.
2. Review of new requirements
In addition to the rights and obligations mentioned above, Law 5 and its regulations confer specific rights on users and impose particular obligations on health bodies, including the following:
- Personnel training: A health body must ensure that the members of its personnel and the professionals practising their profession within the body, including students and trainees, receive training regarding the protection of information recognized by the Minister as soon as they begin working or practising their profession within the body.
- Express consent for the use and communication of information: Health information may only be used or disclosed in accordance with Law 5, subject to the express consent of the person concerned. Express consent by default is a requirement specific to Law 5 that has no equivalent in Law 25.
- Use and disclosure of de-identified information by default: When it is possible to use or communicate health information in a form that does not directly identify the person concerned, the use or communication must be in that form.
- Proof of consent: A health body must keep proof of any consent it receives.
- Collection: When collecting health information, the health body must provide the persons concerned with certain information that is not required under Law 25, namely:
  - The possibility of restricting or refusing access to health information, and how to exercise this right;
  - The period of time the health information will be kept.
Moreover, unlike Law 25, there is no requirement for a health body to inform the persons concerned of the possibility that the information may be communicated outside Quebec or to third parties or categories of third parties.
- Certification of a technological product or service: The government may, by regulation, determine the cases and circumstances under which health bodies are required to use only certified technological products or services. When a regulation requires certification, a health body cannot acquire or use an uncertified technological product. It is also obliged to enter any technological products or services used in a register, which it must publish on its website or make available to the public by any other appropriate means. It is also responsible for regularly updating this register to account for any changes made to technological products or services.
- Access logging: A health body must be able to identify who has accessed, used, or disclosed health information, as well as the date and time it was accessed, used, or communicated. A logging report must be submitted annually to the Minister of Health and Social Services. Note that at the date of publication of this article, this provision has not yet come into force.
- Restriction of access by the person concerned: A person concerned may restrict access to one or more pieces of health information about them held by a health body. That person can restrict access to a service provider or category of service providers.
- Rights of access to health information granted to various categories of persons: Law 5 grants rights of access to health information in certain circumstances, notably to persons related to a minor, a person of full age, or a deceased person; researchers; and service providers (professional or non-professional).
Conclusion
Law 5 establishes a comprehensive and exclusive legal framework regarding health information. This complex system can apply not only to public sector health and social services bodies and health care facilities, but also to certain private sector organizations (to find out more, read our first article on the subject). However, for personal information that is not “health information” within the meaning of Law 5, organizations remain subject to the Private Sector Act or the Access Act, as the case may be. Organizations likely to be subject to Law 5 should obtain legal advice on how to implement the various obligations relating to the personal information they hold.