We’re in the first year of a three-year implementation period. Here’s what you need to know about this first year!

Given the fluid nature of information, the ease with which it can be shared from one provider to another, and the reputational losses and issues involved, the government (and your author) believe that the protection of personal information deserves strong safeguards.

It is therefore important to have laws and regulations in place to protect this personal information.

Laws have been created in several countries: the RGPD (Règlement Général sur la Protection des Données, the GDPR) is in force in Europe, California has its Consumer Privacy Act, and now Quebec will have its own similar and reinforced law.

Bill 64 was passed on September 21, 2021 and assented to on September 22, 2021.

This bill makes a number of changes to several Quebec statutes, including P-39.1, **An Act respecting the protection of personal information in the private sector** (“LPRPSP”). That’s the law I’m talking about here.

These changes to the law, the LPRPSP, will apply to all companies with a digital presence in Quebec. If they fail to comply with the new rules, they could face fines and corrective action that could damage their business and reputation. For the moment, there are still a number of grey areas surrounding the implementation of the law, and we should expect more precise details by the law’s first anniversary.

Before you start:

When it comes to your employees’ and customers’ personal information, it’s important to start by taking inventory!

  • Do you know where this information is stored?
  • Which information systems process it?
  • Do you have monitoring systems to ensure the security of this data?
  • Who has access to the data?

It’s starting!

Here are the articles of the LPRPSP that will come into force one year after assent, i.e. on September 22, 2022.

Article 3.1 – Appointing a privacy officer

By default, the owner of the company is responsible for the protection of personal information. In concrete terms, the president is responsible for ensuring compliance with the law within the organization. The president would be well advised to delegate this function to a person with knowledge and skills in the field of personal information protection.

  • Delegation must be made in writing to a member of staff.
  • The title and contact details must be posted on the company’s website.

Article 3.5 – Be able to quickly report incidents that may cause harm to the CAI and the persons concerned

Not every incident causes harm, but you still need to take steps to prevent incidents from happening at all. In the event of a potentially damaging incident, notification must take place quickly.

  • You must have an incident management system in place – see the dedicated article on this topic.
  • Do you know on which system your personal information is stored?
  • Would you be able to write to this specific group of customers?
  • Do you have a procedure for contacting the Commission d’accès à l’information?

Here are the links to the Commission d’accès à l’information (CAI) incident declaration form and to its guidance page:

https://www.cai.gouv.qc.ca/documents/CAI_FO_decl_incident_securite.docx

https://www.cai.gouv.qc.ca/incident-de-securite-impliquant-des-renseignements-personnels/reagir-en-cas-dincident-de-securite/

Article 3.6 – Recognizing a confidentiality incident

The law is precise on this point. An incident is:

  • Unauthorized access to personal information;
  • Unauthorized use of personal information;
  • Unauthorized disclosure of personal information;
  • Loss of personal information.

Your incident management procedures should include these definitions to help all team members recognize these incidents.

Article 3.7 – Understanding the challenges of confidentiality incidents

When an incident occurs, it is important to understand the nature of the incident and its potential consequences. Bill 64 encourages the business owner to consult his or her privacy officer to properly document the risk of harm.

The sensitivity of the information, the anticipated consequences and the probability of harm should be documented in the alert.

Article 3.8 – Keeping a register of confidentiality incidents

The company must keep a history of its security incidents, including less serious incidents, i.e. those that do not risk harming the people involved.
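Articles 3.6, 3.7 and 3.8 together describe a small process: recognize the incident by type, assess the risk of harm from sensitivity, anticipated consequences and probability, and keep every incident in a register whether or not it is serious. The following Python sketch is an added example of how that register could be modelled; it is not code from the original post, and the 1-to-3 scales, the multiplicative harm score and the notification threshold of 8 are assumptions chosen for illustration, not values given by the law or the CAI.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List


class IncidentType(Enum):
    """The four kinds of confidentiality incident named in article 3.6."""
    ACCESS = "unauthorized access"
    USE = "unauthorized use"
    DISCLOSURE = "unauthorized disclosure"
    LOSS = "loss"


@dataclass
class Incident:
    occurred: date
    kind: IncidentType
    system: str              # information system holding the data (from your inventory)
    persons_affected: int
    sensitivity: int         # assumed scale: 1 = low .. 3 = high (e.g. financial, health)
    consequences: int        # assumed scale: 1 = minor .. 3 = severe anticipated consequences
    probability: int         # assumed scale: 1 = unlikely .. 3 = likely that harm materialises
    description: str
    notified_cai: bool = False
    notified_persons: bool = False

    def __post_init__(self) -> None:
        # Reject out-of-range ratings so the register cannot hold an unassessed incident.
        for name in ("sensitivity", "consequences", "probability"):
            value = getattr(self, name)
            if value not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def harm_score(self) -> int:
        # Assumed scoring: product of the three article 3.7 factors (1..27).
        return self.sensitivity * self.consequences * self.probability

    def risk_of_serious_harm(self, threshold: int = 8) -> bool:
        # Assumed threshold; a real policy would set this with the privacy officer.
        return self.harm_score() >= threshold


class IncidentRegister:
    """Article 3.8 register: keeps every incident, serious or not."""

    def __init__(self) -> None:
        self._entries: List[Incident] = []

    def record(self, incident: Incident) -> Incident:
        self._entries.append(incident)
        return incident

    def entries(self) -> List[Incident]:
        return list(self._entries)

    def requiring_notification(self) -> List[Incident]:
        # Article 3.5: incidents presenting a risk of serious harm must be reported.
        return [i for i in self._entries if i.risk_of_serious_harm()]

    def overdue_notifications(self) -> List[Incident]:
        # Serious incidents where the CAI or the persons concerned have not yet been told.
        return [i for i in self.requiring_notification()
                if not (i.notified_cai and i.notified_persons)]

    def to_rows(self) -> List[Dict]:
        # Flat rows suitable for exporting the register to a spreadsheet.
        return [{
            "date": i.occurred.isoformat(),
            "type": i.kind.value,
            "system": i.system,
            "persons": i.persons_affected,
            "harm_score": i.harm_score(),
            "serious": i.risk_of_serious_harm(),
            "cai_notified": i.notified_cai,
            "persons_notified": i.notified_persons,
        } for i in self._entries]


def build_sample_register() -> IncidentRegister:
    """Two constructed incidents: one minor, one that must be reported."""
    reg = IncidentRegister()
    reg.record(Incident(date(2022, 10, 3), IncidentType.LOSS, "hr-laptop-fleet", 1,
                        sensitivity=1, consequences=1, probability=1,
                        description="Encrypted laptop lost; one employee's contact details"))
    reg.record(Incident(date(2022, 11, 14), IncidentType.DISCLOSURE, "crm-database", 1200,
                        sensitivity=3, consequences=3, probability=2,
                        description="Customer export e-mailed to the wrong supplier"))
    return reg


if __name__ == "__main__":
    for row in build_sample_register().to_rows():
        print(row)
```

The minor laptop loss stays in the register (score 1) without triggering a report, while the misdirected customer export (score 18) shows up in both `requiring_notification()` and `overdue_notifications()` until the CAI and the affected customers have been contacted.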

Article 18.4 – Have a confidentiality agreement with business partners

This article covers the sale of all or part of a business. Before sharing customer or business information, the confidentiality agreement must include the following items:

  • Undertaking not to use the information other than to complete the transaction;
  • Undertaking not to disclose the information;
  • Undertaking to take the necessary security measures to protect the information;
  • Commitment to destroy the personal information whether or not the transaction is concluded.

Article 21 – Assessing transmission needs for study, research or statistical purposes

During the life of your business, you may be asked to share information about your customers and the personal information under your control. Before sharing, you should evaluate the request against the following points:

  • The objective of the study cannot be achieved in any other way;
  • It is unreasonable to obtain the consent of the persons concerned;
  • The benefits of the study outweigh the need to protect the information;
  • Measures will be taken to protect the information;
  • Only the necessary personal information is requested.

Article 21.0.1 – Validation of sharing requirements with researchers

Pursuant to Article 21, before disclosing information for the purposes of studies, research or the production of statistics, the request received by the company responsible for the data must meet the following criteria:

  • The request must be made in writing;
  • The research protocol must be provided;
  • The reasons and explanations for meeting the criteria of article 21 must be set out;
  • All persons who have received a similar request must be mentioned;
  • The technologies to be used must be described;
  • A documented decision from an ethics committee must be provided.

Article 21.0.2 – Confidentiality agreement with researchers

Just like commercial agreements, the company must sign an agreement with the researchers. This includes commitment, confidentiality and data destruction clauses. In addition, the agreement must be forwarded to CAI, and takes effect 30 days after receipt.


As you can imagine, the job is far from easy, even for this first year. On the other hand, the law is straightforward and doesn’t impose a very precise way of doing things, which means there’s plenty of scope for implementation. Acting with caution and in such a way as to protect personal data: that’s the goal to keep in mind! If you want to go one step further, ISO 27001 certification is recommended.


References:

https://www.caij.qc.ca/dossier/projet-de-loi-n-64-loi-modernisant-des-dispositions-legislatives-en-matiere-de-protection-des-renseignements-personnels

https://www.cai.gouv.qc.ca/espace-evolutif-modernisation-lois/