Modernization of the Act respecting the protection of personal information in the private sector: what employers need to know
Employers are subject to a number of new obligations as a result of the modernization of the Act respecting the protection of personal information in the private sector (the “Act”), the new provisions of which will come into force over a three-year period (from September 2022 to September 2024). Below are some of the amendments that may require employers to adapt their processes and practices to comply with the new requirements of the Act.
Employers subject to the Act are now required to appoint a privacy officer to oversee compliance with and implementation of the Act. Employers may assign this role to whomever they wish. If no one is appointed, the Act stipulates that the privacy officer is, by default, the highest-ranking individual within the organization.
Additionally, the title and contact information of the privacy officer must be published on the employer’s website or, if no website exists, made available by other appropriate means.
In the event of (i) unauthorized access, use or disclosure of personal information, (ii) loss of personal information, or (iii) any other compromise of personal information (a “confidentiality incident”), employers are now required to:
- take reasonable measures to reduce the risk of harm and prevent similar incidents from occurring in the future; and
- determine whether the confidentiality incident poses a risk of serious harm. If it does, the employer must promptly notify the persons concerned as well as the Commission d’accès à l’information.
The following are some of the factors that employers must consider when determining whether a confidentiality incident poses a risk of serious harm:
- The sensitivity of the information concerned;
- The anticipated consequences of its use; and
- The likelihood that the information will be used for malicious purposes.
Additionally, employers are now required to keep a register of confidentiality incidents, a copy of which must be sent to the Commission d’accès à l’information upon request. The register must include the following information: the circumstances of the incident, the number of people affected, an assessment of the severity of the risk of harm and the measures taken in response to the incident. It should also include relevant dates: when the incident occurred, when it was detected by the organization, when notification took place (if applicable), etc. [1]
Going forward, employers must be diligent about identifying confidentiality incidents within their organization, assessing their severity and keeping a register. For example, if an employee emails personal employee data to a third party, it is no longer sufficient to simply tell recipients to delete the email. As outlined above, the new provisions of the Act require employers to do much more.
Consent and information to be provided when collecting personal information
Starting in fall 2023, employers will have to be very transparent in their collection and use of data and will have to obtain prior consent from the applicants or employees concerned.
To be valid, consent must be clear, free and informed and given for specific purposes. Consent must be requested in plain language and, when the request is made in writing, it must be presented separately from any other information provided.
It should also be noted that consent will be valid only for the time necessary to achieve the purposes for which it was requested.
Additionally, employers must notify any applicants or employees of:
- the purposes for which the information is collected;
- the means by which the information is collected;
- their rights of access and rectification under the Act;
- their right to withdraw consent to the disclosure or use of the information collected; and
- if applicable, the name of the third party for whom the information is being collected and the name of the third parties or categories of third parties to whom it is necessary to disclose the information.
These legislative changes will have a significant impact on the consent and notification requirements for the collection of personal information during hiring processes and, subsequently, on the collection of employee data.
For example, consent clauses in the context of hiring processes, such as background checks, will need to be reviewed to ensure that employers inform applicants that their information will be disclosed to an outside firm, if applicable, and that consent will only be valid for the duration of the hiring process.
Additionally, the practice of including requests for consent to the collection of personal information in an employee handbook or in an employment contract, where these requests are often buried in a paragraph dealing with various other matters, is no longer advisable, as the consent obtained will not be valid under the new legislation. We therefore encourage employers to present requests for consent separately from other information and to inform the applicant or employee that the employer can assist them in understanding the scope of the consent if necessary.
As of September 22, 2023, employers who intend to use technology that identifies, locates or profiles employees will need to inform the employees concerned.
Employers will also need to review their practices in this regard, particularly if they use employee monitoring software, such as user activity monitoring programs on work computers or geolocation software. Employers will need to ensure that the use of such software is necessary and that employees are informed of the means by which these monitoring functions can be activated.
When an employer makes a decision based on personal information—for example, terminating an employee based on information obtained through monitoring technology—the data in question must be kept for at least one year.
Governance policies and practices
As of September 22, 2023, employers will be required to establish and implement policies and practices to protect personal information and publish detailed information in plain language about these policies and practices.
In particular, employers will have to establish (i) rules for storing and destroying personal information, (ii) the roles and responsibilities of employees and (iii) a complaint-handling process.
For many employers, this will be a new task, while others will simply need to update their policies and ensure they are easily accessible to employees. Once the policies are in place, employers must inform their employees. This may be done through a memo and/or training.
While this is only an overview of some of the many changes to come for businesses, these amendments to the Act require employers operating in Québec to adapt their practices, both to reduce the increased risk of confidentiality incidents and to avoid administrative and criminal penalties, for which fines have increased substantially.
Contact our Labour and Employment Law group to learn more or obtain advice on these new obligations.
[1] See: Registre des incidents de confidentialité | Commission d’accès à l’information du Québec (in French only). See also: https://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=1&file=105822.pdf.