The mobility, use and protection of government digital data
On May 5, 2021, the Quebec government took another step towards its goal of making public services faster, more intuitive, and powered by digital technology, as envisioned in its 2019-2023 Government Digital Transformation Strategy. To this end, the Minister for Government Digital Transformation tabled Bill 95 (“Bill 95”) amending the Act respecting the governance and management of the information resources of public bodies and government enterprises and other legislative provisions (“GMIR”). After special consultations and a clause-by-clause consideration by the Committee on Public Finance, Bill 95 was adopted on June 9, 2021, and assented to the following day.
The GMIR thus complements the Act to facilitate the public administration’s digital transformation, adopted in October 2019, the purpose of which is to promote “the public administration’s digital transformation by prescribing rules applicable in the context of carrying out information resource projects of government-wide interest” and “the Administration’s efficiency and effectiveness, and the implementation of the tools necessary for the provision of optimum public services” (section 1).
The main changes to the GMIR can be summarized as follows:
1. The purpose of the GMIR is “to establish a framework for the governance and management of information resources applicable to public bodies and government enterprises” (section 1).
This framework, applicable to the majority of government departments and agencies, is intended to, among other things:
- offer individuals and businesses simplified, integrated and quality services based on information technologies, including digital technologies, while ensuring the preservation of the government’s digital heritage;
- optimize the management of information resources and public services by encouraging the pooling of know-how, information, systems, infrastructure and resources;
- ensure proper protection of the information resources of public bodies used to support the delivery of public services or the carrying out of the government’s missions;
- establish optimal governance and management of digital government data to simplify access to public services by individuals and businesses, better support government action, increase the performance and resilience of the public administration and enhance the quality and protection of such data;
- coordinate public bodies’ digital transformation initiatives to offer fully digital public services;
- ensure rigorous and transparent management of the funds allocated to information resources;
- promote the use of best practices in the governance and management of information resources and the development of government expertise in information technologies, including digital technologies; and
- foster the implementation of guidelines and strategies common to all public bodies.
2. The GMIR aims to strengthen information security (new Chapter II.2). It provides that every public body must:
- ensure the security of the information resources and the information that it holds or uses under its obligations governing it, in keeping with the guidelines, strategies, policies, standards, directives, rules and application instructions made under the GMIR;
- take all measures to correct the impacts or reduce the risk when it becomes aware that an information resource or information under its responsibility is or has been the subject of a breach of confidentiality, availability or integrity, or when a risk of such a breach is apprehended.
To ensure information security, the Chair of the Conseil du trésor (Treasury Board) may enter into agreements with any person or organization in Canada or abroad when he or she considers it necessary, in particular, to prevent, detect or reduce the impacts of a breach or the risk of a breach.
3. The GMIR emphasizes the importance of every public body “[establishing] a digital transformation plan and [sending] it to the government chief digital transformation officer” (new Chapter II.3).
4. The GMIR introduces the concepts of “mobility” and “use” of “government digital data” for “administrative or public service purposes,” which are defined as follows:
- “government digital data”: means any information stored on a technological medium, including a digital medium, held by a public body, excluding: (a) information under the control of a court of justice or another public body exercising adjudicative functions; and (b) any information or category of information determined by Government regulation, in particular information that may be covered by a restriction to the right of access under the Act respecting access to documents held by public bodies and the protection of personal information;
- “mobility”: means the communication or transmission of government digital data between public bodies for an administrative or public service purpose;
- “use”: means the development of government digital data within the public administration for an administrative or public service purpose, excluding the sale of that data or any other form of alienation;
- “administrative or public service purposes”: means any of the following purposes: optimizing or simplifying services offered to citizens or businesses; supporting the various missions of the government, the provision of common services by more than one public body or the carrying out of missions common to more than one public body; verifying a person’s eligibility for a program or measure; or research and development.
These concepts are included in the new Chapter II.4 “Government digital data.” It states:
“Government digital data constitute a strategic information asset of the Government’s digital heritage. The data’s mobility and [use] within the Public Administration for administrative or public service purposes, taking into account their nature, characteristics and the access and protection rules which otherwise govern them, are of government-wide interest.” (new section 12.10)
During the detailed study of this provision, it was added that this possibility of mobility and use “shall not be interpreted as having the effect of modifying the obligations of public bodies with respect to personal information held by them or the rights of an individual with respect to such information.”
Section 12.10.1 was also added, which states that “the powers conferred by this chapter shall be exercised in a manner that respects the right to privacy and the principle of transparency and promotes public trust in measures to ensure the security, confidentiality, availability and integrity of government digital data.”
5. The GMIR provides that the government may designate a public body to act as an official source of government digital data (new section 12.13). This body may collect, use or communicate such data, including personal information, where necessary for an administrative or public service purpose. It is the government’s responsibility to:
- specify the relevant governmental digital data;
- specify the administrative or public service purpose; and
- determine the public bodies that must collect and use the data from the official source or that must communicate the data to the source.
If government digital data includes personal information, the new sections 12.14 to 12.17 provide that:
- such data is communicated only for purposes that are in the public interest or for the benefit of the persons concerned;
- when such data may be used or communicated in a form that does not allow direct identification of the person concerned, they must be used or communicated in that form;
- the official source must:
- conduct a privacy impact assessment before collecting, using or communicating such data. This assessment must be sent to the Commission d’accès à l’information (the “CAI”). This provision echoes the new section 63.5 found in section 14 of Bill 64;
- establish and have approved by the CAI rules for its governance of personal information and publish these rules on its website. This provision echoes the new section 63.3 found in section 14 of Bill 64;
- submit a report to the CAI on the personal information collected, used or communicated within 45 days after the end of each fiscal year and publish this report on its website;
- an external audit to ensure compliance with the highest standards and best practices for information security and protection of personal information must be carried out for any person or body to whom personal information is communicated by a body designated as an official source under a mandate or contract that is related to the fulfillment of one of the administrative or public service purposes then specified, and that is so entrusted in accordance with section 67.2 of the Act respecting access to documents held by public bodies and the protection of personal information.
6. The GMIR provides that the government digital data manager may entrust a public body with the mandate to circulate open data or a dataset in an open document format (new sections 12.18 and 12.19). The body entrusted with such a mandate will act as an official source of reference data and must make the data or dataset available on its website or any other designated site.
As with Bill 64, which relates to personal information, the amendments to the GMIR are an integral part of the government’s strategy to modernize the legal framework applicable to data held by public bodies.
Several amendments were made during the detailed clause-by-clause review of Bill 95 to strengthen the rights and obligations inherent in the protection of personal information and privacy.
It is therefore appropriate to consider the amendments to the GMIR in relation to those provided for in Bill 64 in order to allow government departments and public bodies to anticipate the issues that could arise from the application of these two pieces of legislation and to take the necessary measures to ensure the compliance of their practices.