Bill 25 in effect: new obligations to protect data in Quebec
Since September 22, 2024, the latest regulations of Bill 25 have come into force. Following on from our last article on the first steps to compliance, we present the new general obligations that every company should have in place.
This text is a summary of the main new obligations with which a company must comply, without claiming to offer an exhaustive review of the legal regulations. For further information, please do not hesitate to contact our team.
Internal policies and practices
Your company must now implement clear internal policies and practices concerning the governance of personal information. Bill 25 explicitly requires that these policies frame practices for the retention and destruction of personal information, as well as the roles and responsibilities of employees throughout the life cycle of personal information.
These aspects include determining appropriate retention periods for each type of information, setting up a retention schedule, and developing destruction procedures adapted to different media (paper, digital, etc.). Each department must have specific responsibilities in this process.
Of course, it is strongly recommended that your internal policies go beyond these elements and include procedures for your customers to exercise their rights (access, rectification, etc.), as well as specific policies for dealing with privacy incidents, as discussed below.
Privacy policy
Probably the best-known obligation, the privacy policy must be easily accessible to your customers, particularly on your website.
This policy is a showcase for your internal practices. It informs your customers about how their personal information is collected, used, stored and disclosed. It is also an essential tool for obtaining valid consent for the collection of personal information.
Updating means of collection
Although the law does not explicitly require it, an organization should review its means of collecting personal information. With the introduction of the new principles governing consent, each organization must review the consent statements present in its various means of collection, as well as the manner in which consent is obtained.
Whether consent is express or implied, an organization must reassess each collection situation to ensure compliance.
Register of privacy incidents
From now on, all organizations must set up a confidentiality incident register. The Confidentiality Incident Regulation covers the content of this register.
While setting up such a register may seem straightforward, it is also essential to be able to identify an incident and assess the potential harm that could result. Depending on this assessment, it may be necessary to notify the persons concerned, as well as the Commission d’accès à l’information.
Privacy Impact Assessment
Added to these obligations are Privacy Impact Assessments (PIAs). In short, the purpose of these assessments is to determine the potential impact of the use of personal information on the privacy of the person concerned, by weighing the risks and benefits.
Such assessments are required in three situations:
- Disclosure of personal information outside Quebec.
- The acquisition, development or redesign of an information or electronic service delivery system involving personal information.
- The communication of personal information, without the consent of the individuals concerned, as part of an agreement for study, research or statistical production purposes.
In the vast majority of cases, companies are affected by the communication of personal information outside Quebec, particularly when the data is hosted on servers located outside the province.
Since the other two situations do not directly affect all organizations, we recommend that you include a statement in your personal information management policy identifying cases requiring a PIA. This will enable you to identify these specific situations and, if necessary, carry out the appropriate assessment, without having to immediately implement a PIA protocol.
Data subject rights
Individuals who provide their personal information to companies have a number of rights. Among them, two important new rights have been introduced: the right to de-index and the right to portability.
The right to portability enables an individual to obtain certain personal information in a structured and commonly used technological format. For more details, please consult our article from last February.
The right to de-index allows an individual to ask an organization to stop disseminating his or her personal information. This right is particularly relevant in the context of social networks and search engines.
Appointing a privacy officer
Finally, a company must designate a person responsible for the protection of personal information. Failing this, the law automatically assigns these duties to the person with the highest authority within the organization.
It’s important to delegate these responsibilities in writing, to create an e-mail address dedicated to the protection of personal information, and to publish this person’s contact details on your website, ideally at the end of your privacy policy.
For more information, or for assistance in achieving compliance, please do not hesitate to contact our team.