Part 2 | Privacy 101 – Obligations Under Québec’s New Act 25: Why you must now record and report privacy violations

Transcript

Marie-Eve Jean: Hello, and welcome to the second episode of Privacy 101 – Obligations under Act 25, a series of podcasts designed to assist you in preparing to comply with Québec’s new privacy legislation regarding the protection of personal information.

Candice Hévin: I am Candice Hévin.

Marie-Eve Jean: And I am Marie-Eve Jean.

Candice Hévin: We’re both lawyers at McMillan LLP and we work together as a team to help businesses operating in Québec achieve compliance with Québec’s privacy legislation.

Marie-Eve Jean: To give you some context, Québec adopted a new law on September 22, 2021. Bill 64 aims to modernize the privacy framework for both private and public sector regimes. This series focuses on the changes to the private sector regime, namely the amendments to the Act respecting the protection of personal information in the private sector, we will refer to it as Act 25. Act 25 introduces new obligations for organizations doing business in Québec.

Candice Hévin: As we explained in the previous episode, this means any organization collecting, using or disclosing personal information of individuals located within Québec. The Act likely applies to the organization’s handling of personal information, even if the organization does not have an office, facilities or installations in Québec.

In terms of timing, requirements will come into effect in three phases throughout the next three years. Although the majority of the new requirements will take effect as of September 22, 2023, some key requirements will take effect this month on September 22, 2022. A few requirements will also take effect as of September 22, 2024.

Marie-Eve Jean: In our first episode last week, we talked about enforcement mechanisms and your obligation to appoint a Privacy Officer before September 22nd. In this episode, we’ll dive into your obligations surrounding breach reporting, which is another requirement that will take effect as of September 22nd a couple days away now.

Candice Hévin: Under Act 25, as soon as you have a reason to believe that a confidentiality incident involving personal information in your custody has occurred, you immediately have to take reasonable measures to reduce any risk of harm and to prevent similar incidents from occurring. A Confidentiality incident is defined as access to, use, or communication of personal information not authorized by law, as well as the loss or any infringement of the protection of such information.

Marie-Eve Jean: So this definition is actually stricter and attracts broader obligations than what we know as data breaches in other Canadian jurisdictions. You also have further obligations if the Confidentiality incident presents a risk of serious injury. In that case, you have to notify the Commission d’Accès à l’information and any person whose personal information is concerned by the incident as soon as possible.

Candice Hévin: You can also notify any third party that is likely to reduce the risk of harm, unless this would be likely to obstruct a law enforcement or regulatory investigation. Note that any notification to third parties can be done without the concerned person’s consent, but you have to limit disclosure to necessary personal information.

Marie-Eve Jean: Alright, so we’ve established that you have additional obligations if the confidentiality incident presents a risk of serious injury, but you’re probably asking yourself at this point how you can determine if there is a risk of serious injury. The factors that you have to consider to assess whether there is a “risk of serious injury” are actually similar to those considered when determining whether there is a “real risk of significant harm” under PIPEDA. Namely, you have to consider first, the sensitivity of information concerned, the anticipated consequences of its use; and the likelihood that information will be used for injurious purposes.

Candice Hévin: Another very important requirement under Act 25 is that organizations have to implement and maintain a register of confidentiality incidents. In other words, every confidentiality incident has to be logged in a register, and this register has to be provided to the CAI upon request. On the business side, you might want to consider if, practically speaking, it makes more sense to have separate registers of confidentiality incidents under PIPEDA and Act 25. You would only ask yourself this question if your business operates in Québec as well as in other provinces. If your business only operates in Québec, this isn’t an issue.

Marie-Eve Jean: If your business operates in various provinces, including Québec, we recommend maintaining two separate registers – one under PIPEDA and one under Act 25 as Candice mentioned. The reason for this is simple. If you only have one register that includes details of all breaches and incidents across Canada and Québec, you risk disclosing all of this information, particularly any information regarding breaches that occurred outside of Québec, to the Québec regulator. That isn’t necessary. It’s best to avoid this type of situation by maintaining two separate registers.

Candice Hévin: The Québec legislator has finally taken its first steps to delineate organizations’ obligations under Act 25 when it recently published and adopted its Regulation respecting confidentiality incidents. The Regulation will come into force, with its corollary obligations, on September 22nd.

Marie-Eve Jean: The Regulation specifies many things but we will go over a few for now:

i) The contents of the notice that must be sent to the Commission when reporting a confidentiality incident that presents a risk of serious injury;
ii) The contents of the notice that must be sent to concerned persons when reporting a confidentiality incident that presents a risk of serious injury;
iii) The circumstances in which the company must notify concerned individuals through a public notice;
iv) The contents of your register of confidentiality incidents; and,
v) The time period for which you must retain and update the information in the registry, being a minimum period of five years following the date on which the organization became aware of the incident.

Candice Hévin: As Marie-Eve mentioned, providing more detail would take too much time, but be sure to check out our bulletin entitled “First Draft Regulation, On Your Marks, Get Set, Go!” which contain all the details or contact us to obtain more information on the Regulation and confidentiality incidents as a whole.

So that’s conclude our second episode. We have several other tips and tricks relating to confidentiality incidents so don’t hesitate to reach out. We also have significant experience in developing and tailoring registers of confidentiality incidents to fit companies’ needs, so we would certainly be pleased to assist your business in developing yours.

Marie-Eve Jean: Make sure to tune in for the next episode, where we’ll dive into your obligations surrounding biometric data. This is Marie-Eve Jean.

Candice Hévin: And Candice Hévin of McMillan LLP.

Marie-Eve Jean: It’s been a pleasure recording for you!