Protection of personal information: Public bodies must also be prepared to meet new requirements
The Act to modernize legislative provisions as regards the protection of personal information, adopted on September 21 by the National Assembly of Quebec and assented to the following day (“Act 25”), amends the legal framework applicable not only to businesses but also to public bodies that are subject to the Act respecting access to documents held by public bodies and the protection of personal information (“Access Act”).
Several of the provisions that modernize the Access Act are consistent with the amendments to the Act respecting the protection of personal information in the private sector. These include:
- the definition of personal information (s. 54) and what constitutes sensitive personal information (s. 59(3)), de-identified information (s. 65.1) or anonymized information (s. 73);
- consent (s. 53.1) and the information that a public body must provide with respect to:
  - third parties who collect personal information on its behalf, and the names or categories of third parties to whom it is necessary to disclose the personal information collected (s. 65);
  - the possibility that the personal information collected could be disclosed outside Quebec (s. 65);
  - functions allowing the person concerned to be identified, located or profiled (s. 65.0.1);
  - the fact that a decision made with respect to the person concerned is based exclusively on automated processing of his or her personal information (s. 65.2);
- the requirement to ensure that when a public body collects personal information by offering to the public a technological product or service with privacy settings, those settings provide the highest level of privacy without any intervention by the person concerned (s. 63.6.1);
- the requirement to report privacy incidents involving personal information held by a public body that present a risk of serious harm (s. 63.7);
- the right to portability (s. 84);
- disclosure to assist an applicant in the grieving process (s. 88.0.1);
- the awarding of punitive damages of at least $1,000 where an unlawful infringement of a right causes harm and the infringement is intentional or results from gross negligence (s. 167).
However, certain provisions of Act 25 are specific to public bodies or modify existing mechanisms under the Access Act. The following is an overview of those elements to which public bodies should pay particular attention:
The Privacy Officer and the committee on access to information and the protection of personal information
The Act provides that a public body is responsible for protecting the personal information it holds (s. 52.2).
The person exercising the highest authority within a public body is hereafter designated as the person in charge of access to documents as well as (and not instead of) the Privacy Officer. These functions may still be delegated in writing, in whole or in part, to a member of the public body or its board of directors, or to a member of the management personnel. Act 25 provides that the person must be able to perform his or her duties independently. The public body must, as soon as possible, notify the Commission d’accès à l’information (“CAI”) in writing of the title, contact information and starting date of the person who exercises the function of person in charge of access to documents and of the person who exercises the function of Privacy Officer.
In addition to the aforementioned officers, a committee on access to information and the protection of personal information (“CAIPPI”) must be established. This requirement was previously set out in section 2 of the Regulation respecting the distribution of information and the protection of personal information. It is now provided for in section 8.1 of the Access Act.
The committee reports to the person exercising the highest authority within the public body or, in the case of a government department, to the deputy minister and, in the case of a municipality, a professional body or a school board, to the director general (s. 8.1 (2)).
Organizations that previously were not required to establish such a committee will be required to do so. Nevertheless, the Act provides that a government regulation may exempt a public body from the obligation to establish such a committee or modify a public body’s obligations according to criteria it defines (s. 8.1 (3)).
This committee will be responsible for supporting the public body in the exercise of its responsibilities and the performance of its obligations. Among other things, the committee must
- approve the governance rules regarding personal information that the public body must adopt (s. 63.3);
- be consulted at the outset of any planned information system acquisition, development, or redesign or any electronic service delivery project involving the life cycle of personal information. The committee may suggest personal information protection measures applicable to the project (s. 63.5 and 63.6).
The Act provides that a public body must publish on its website governance rules regarding the personal information it holds (s. 63.3). These rules may be in the form of a policy, directive or guide. In particular, they must include:
- the roles and responsibilities of the members of its personnel throughout the life cycle of personal information;
- a process for dealing with complaints regarding the protection of personal information;
- a description of the training and awareness activities offered by the public body to its personnel regarding the protection of personal information;
- the protective measures to be taken in respect of the personal information collected or used as part of a survey.
Like businesses, public bodies must conduct a PIA for any planned information system acquisition, development, or redesign or any planned electronic service delivery system involving the collection, use, disclosure, retention or destruction of personal information (s. 63.5), as well as before disclosing personal information outside Quebec or entrusting a person or body outside Quebec with the task of collecting, using, disclosing or keeping such information on its behalf (s. 70.1).
Public bodies will also be required to conduct such an assessment in the event of:
- collection of information necessary for the performance of their duties or for the implementation of a program of a public body with which they cooperate to provide services or to pursue a common mission (s. 64);
- disclosure of personal information without the consent of the persons concerned to a person or public body wishing to use the information for study or research purposes or to produce statistics (s. 67.2.1 to 67.2.3);
- disclosure of personal information without the consent of the person concerned under section 68 of the Access Act.
In these three cases, in addition to having to conduct a PIA, public bodies will have to enter into a written agreement and send it to the CAI. It should be noted that Act 25 now specifies the content of these agreements. The Act also provides that these agreements will come into force 30 days after their receipt by the CAI.
In the case of disclosure for study, research or statistical purposes, as well as disclosure made under section 68 of the Access Act, the conduct of a PIA and the agreement should take into account that sections 125 and 70 of the Access Act are repealed by Act 25.
In both of these cases, the PIA will need to conclude that:
- the objective can only be achieved if the information is disclosed in a form that allows the persons concerned to be identified;
- it is unreasonable to require the consent of the persons concerned;
- in terms of the public interest, the objective outweighs the impact of disclosing and using the information on the privacy of the persons concerned;
- the personal information is used in a manner that ensures its confidentiality; and,
- in the case of disclosure for study, research or statistical purposes, only the necessary information is disclosed.
Act 25 also increases the fines provided for in sections 158 and 159 of the Access Act and no longer refers to the concept of “knowingly” in section 159 of that Act. It also specifies that in the case of a subsequent offence, the fines are doubled (s. 164.1). Finally, it provides that criminal proceedings must be instituted within five (5) years of the commission of the offence (s. 164.2).
Act 25 provides for two distinct levels of fines, depending on the type of offence. Thus:
- under section 158 of the Access Act, anyone who does any of the following will be liable to a fine of $1,000 to $10,000 in the case of a natural person and of $3,000 to $30,000 in all other cases:
  - denies or impedes access to a document or information that is accessible by law, in particular by destroying, modifying or concealing the document or by unduly delaying its disclosure;
  - grants access to a document to which the law does not allow access or to which a public body refuses access in accordance with the law;
  - informs a person of the existence of information he or she does not have the legal right to be informed of;
  - hinders the person in charge of access to documents or the protection of personal information;
  - collects, uses, keeps or destroys personal information in contravention of the law;
  - fails to report, where required to do so, a confidentiality incident to the CAI or to the persons concerned;
  - fails to comply with the terms of an agreement entered into under section 67.2.3 for the disclosure of personal information to a person or public body wishing to use the information for study or research purposes or to produce statistics.
- under section 159 of the Access Act, anyone who does any of the following will be liable to a fine of $5,000 to $100,000 in the case of a natural person and of $15,000 to $150,000 in all other cases:
  - discloses personal information in contravention of the law;
  - identifies or attempts to identify a natural person using de-identified information without the authorization of the public body holding the information, or using anonymized information;
  - impedes the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise;
  - refuses or neglects to comply, within the prescribed time, with a demand sent under section 127.1 to provide information or documents to verify compliance with this Act or the regulations;
  - fails to comply with an order of the CAI;
  - fails to take the security measures necessary to ensure the protection of personal information in accordance with section 63.1.
It should be noted that during the clause-by-clause consideration of Act 25, section 160 was added to the Access Act to provide for the factors that a judge must take into account in sentencing.
Finally, it is anticipated that the new provisions of the Access Act will come into force within two (2) years of Act 25 receiving Royal Assent, i.e., September 22, 2023, with the following exceptions:
- Effective September 22, 2022:
  - the person in charge of access to documents and the Privacy Officer;
  - the responsibility of public bodies;
  - privacy incidents;
  - disclosure for study, research or statistical purposes.
- Effective September 22, 2024:
  - the right to portability.
While there is a transition period before the provisions of Act 25 come into force, one should not underestimate the amount of work that needs to be done to ensure that public bodies are compliant with these new requirements. Public bodies would therefore be well advised to immediately begin a review of their processes, policies and practices to ensure they are adequately prepared.