Articles in this section

Conform an Enterprise to the Law on Private Matters

New responsibilities and obligations of companies

Coming into force on September 22, 2022

From September 22, 2022, in addition to the current obligations regarding the protection of personal information, you will also be required to:

  1. Appoint an employee responsible to the clients data protection and publish his or her contact details on the company’s website or by another appropriate means;

Furthermore, in the event of a confidentiality incident, you must:
2.  a. take reasonable steps to reduce the risk of harm to the persons concerned and prevent further incidents of the same nature;
   b. inform the Access to Information Commission and the persons concerned if the incident presents a serious risk;
   c. keep a register of incidents, to be transmitted to the Commission upon request;
3. Comply with the new rules for the communication of personal information without consent for studies, research or statistics, or in the context of commercial transactions;
4. Conduct a Privacy‑Impact Assessment before communicating personal information without consent for these purposes;
5. Inform the Commission in advance of any identity verification using biometric measures.

 

Coming into force on September 22, 2023
From September 22, 2023, as an operator of a company, you must in particular:

  1. Establish personal‑information governance policies and publish clear information about them on the company’s website or by another appropriate means;
  2. Perform a Privacy‑Impact Assessment when required by the Act, particularly before transferring information outside Quebec;
  3. Comply with the new rules concerning consent for collection, use and communication of personal information;
  4. Destroy or anonymize personal information once its purpose has been fulfilled;
  5. Comply with the new obligations of information and transparency toward citizens;
  6. Comply with the new rules for communication of personal information without consent, including in the context of a mandate or a contract;
  7. Follow the new rules for the communication of information outside Quebec;
  8. Adhere to the new rules for the use of personal information;
  9. Ensure by default the highest level of confidentiality for products or services offered to the public;
  10. Comply with the new rules concerning the collection of personal information about minors;
  11. Comply with the right to cessation of dissemination, re‑indexing or de‑indexing (right to be forgotten);
  12. Follow the new rules for communication of personal information to facilitate the bereavement process.

Coming into force on September 22, 2024
From September 22, 2024, as an operator of a company, you will in particular be required to:

  • Respond to requests for portability of personal information.

 

Action‑paths and best practices

By September 22, 2022

  1. If you are the highest authority in the company and do not wish to be the person responsible for privacy protection, designate a competent person with significant decision‑making power for this role;
  2. Support the employee responsible of the clients' data protection with the necessary resources (human, technical and financial) to ensure your compliance project’s success;
  3. Inventory the personal information held by your company and assess its sensitivity;
  4. Put in place measures to prevent or limit the consequences of confidentiality incidents;
  5. Adopt practices to react quickly in the event of a confidentiality incident (for example: incident‑response plan);
  6. Inform yourself about your obligations if you plan to use biometric techniques (for example: fingerprint, facial recognition).

By September 22, 2023
To establish and implement your governance policies regarding personal‑information protection, you will in particular need to:

  1. Inventory the personal information held by your company and assess its sensitivity;
  2. Keep this inventory up to date to reflect changes in the company (for example: new data collection) and plan your actions accordingly;
  3. Specify the roles and responsibilities of personnel involved in personal‑information protection;
    These tasks are essential to comply with your obligations and prioritize your actions. To conduct a Privacy‑Impact Assessment, you must also:
  4. Assess the project’s compliance with privacy‑protection laws;
  5. Identify the risks to the privacy of the persons concerned;
  6. Put in place strategies to avoid or reduce those risks;
  7. Monitor and review the application of these measures.

To comply with the new citizens’ rights and your transparency obligations, you must set up appropriate mechanisms (for example: policies, processes, forms, technological solutions) to:

  1. Obtain a valid, separate consent for each specific purpose, in simple and clear terms;
  2. Present the consent request separately from other information if it is written;
  3. Provide the legal information to the person whose information is being collected;
  4. Inform a person when they are subject to a decision based solely on automated processing;
  5. Inform a person before using technology that allows identifying, locating or profiling them, as well as the means to activate those functions;
  6. Publish detailed information on your policies and practices on the company’s website or make it accessible by another appropriate means;
  7. Publish a privacy policy in simple and clear terms and accessible on the website if you collect information through technological means;
  8. Process citizen requests and complaints concerning your management of personal information.

By September 22, 2024
Inform the team responsible for your IT systems that you have new requirements linked to the right to portability of personal information. Your systems must allow:

  • To communicate, upon request of a person concerned, a computerized personal information in a structured and commonly used format;
  • To transfer such information to a person or an organization authorized by the Act, at the request of the person concerned.

Note: Also ensure you train your staff so they adopt good practices in personal‑information protection.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.