With the coming into force of several provisions of Law 25, which modernized the framework for the protection of personal information in Québec, the province's Access to Information Commission has expressed reservations about anonymization standards and the use of this practice. The Commission notes that the government will have to adopt regulations to define the criteria and procedures for anonymization. Pending such a regulation, the Commission stated that it is not possible for public bodies and enterprises to anonymize personal information. The Commission's position could have an impact on the management of personal information by public bodies and enterprises.

What you need to know

  • Law 25 brought anonymization into Québec's legislative regime. Law 25 allows public bodies and private companies, in certain situations, to manipulate personal information in order to remove any identifier that allows for direct or indirect identification, so as to retain the information instead of destroying it once the purposes have been achieved.
  • The Commission raised concerns about anonymization, creating some uncertainty. Despite the introduction of anonymization in Law 25, the Commission's statements about the absence of a regulation specifying the standards needed to achieve complete anonymization leave organizations uncertain whether, and how, to implement this process.
  • Uncertainty could have industry impact. Uncertainty in the market could have an impact on industry practices, including the implementation of various processes and policies dealing with personal information, as well as contractual clauses negotiated as part of an agreement involving data sharing.
  • The government needs to set anonymization standards. The government will have to adopt regulations to set industry standards for anonymization.
  • Organizations should update their procedures. Pending new regulatory guidance from the government, public bodies and enterprises should update their procedures on the retention and destruction of personal information and consider avoiding reliance on anonymization processes to justify the use, disclosure or retention of data at this time.

Retention and destruction of personal information

In Québec, privacy laws[1] provide that public bodies and enterprises in possession of personal information need to protect it from the time it is collected until it is destroyed[2].

Once the personal information has been used for its desired purpose, organizations are required to destroy that information[3]. However, personal information may be retained if a time limit is prescribed by law or if a retention schedule is established by government regulation[4]. For instance, tax laws provide for extended retention periods.

Alternative to the destruction of personal information: anonymization

Law 25

Law 25 provides an alternative to destroying personal information: anonymization[5]. Once the personal information has been used for its desired or required purpose, companies could, in theory, retain anonymized personal information and use it for serious and legitimate purposes, while public bodies could retain and use it for public interest purposes.

Difference between de-identification and anonymization

Law 25 differentiates de-identification from anonymization: personal information is de-identified if it no longer allows the person concerned to be directly identified[6]; it is anonymized if it no longer allows the person to be identified directly or indirectly, and the anonymization is irreversible[7].

Consequently, even though Law 25 broadens the possibility of retaining personal information by allowing anonymization instead of destruction in certain cases, it still sets high standards to achieve complete anonymization of that information.

The Commission's position on anonymization

In a recent notice[8], the Commission, the body responsible for overseeing and enforcing Québec's privacy laws, stated that anonymization of personal information must be carried out in accordance with generally accepted best practices and methods to be determined by government regulation. The Commission also has doubts about the standards required to ensure that any personal information no longer allows a person to be identified (and that this is irreversibly so).

Therefore, while Law 25 defines anonymization, the Commission believes that a government regulation will need to be adopted to clarify the situation and define how public bodies and enterprises can effectively anonymize personal information. Pending indications from the government to this effect, the Commission's position is that personal information cannot be effectively anonymized.

Existing anonymization and de-identification processes in the industry

While some studies suggest that it is not practically possible to render personal information completely anonymous, several standards are currently recognized and used in the market to anonymize or de-identify personal information. Adding further complication, these terms are not defined consistently across such standards, which can make them difficult to apply to the framework of anonymization under Law 25.

In the United States, the Office for Civil Rights has developed guidance for de-identifying protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The HIPAA standard involves one of two methods: the "safe harbour" method and the "expert determination" method. In the first method, the organization must remove 17 specific identifiers from the dataset. In the second, the organization must obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from the dataset is very small. The methodology used by the expert to make that determination must be documented and made available to regulatory authorities on request.

A framework for de-identification of health information has also been published in Canada. The Ontario Information and Privacy Commissioner has issued De-identification Guidelines for Structured Data presenting a methodology for de-identifying structured data. The measures presented include the removal of direct identifiers and a detailed assessment of re-identification risks.

Other examples come from international independent organizations and associations. In particular, the National Institute of Standards and Technology (NIST) offers a range of technical tools to assist organizations in their anonymization process. The International Organization for Standardization (ISO) proposes a governance framework for organizations seeking to de-identify or anonymize data by suggesting a protocol that includes an assessment of the context in which altered information will be made available, the external information that a third party could access and the ways in which it could be used to discover or reveal personal information.

A number of organizations follow these standards so that they can utilize the data in their business operations. These standards, while recognized by some, do not provide a consensus on the methodology to be used or the criteria for determining whether information is anonymized.
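The following is an added illustration, not code from the article or from any of the standards it cites, of why the Law 25 distinction between de-identification and anonymization matters in practice and what a re-identification risk assessment of the kind the Ontario guidelines and HIPAA expert determination call for can look like at its simplest: stripping direct identifiers leaves quasi-identifiers (postal code, birth year, sex) that still single out individuals, and only generalizing those reduces the measured risk. The records, the identifier lists and the k-anonymity style check are constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample records (fictitious people, fictitious addresses).
RECORDS = [
    {"name": "A. Tremblay", "email": "a.t@example.test", "postal": "H2X 1Y4",
     "birth_year": 1984, "sex": "F", "dx": "asthma"},
    {"name": "B. Gagnon", "email": "b.g@example.test", "postal": "H2X 2Z9",
     "birth_year": 1984, "sex": "F", "dx": "flu"},
    {"name": "C. Roy", "email": "c.r@example.test", "postal": "G1R 3V2",
     "birth_year": 1951, "sex": "M", "dx": "diabetes"},
    {"name": "D. Côté", "email": "d.c@example.test", "postal": "G1R 5K1",
     "birth_year": 1953, "sex": "M", "dx": "asthma"},
]

# Assumed, illustrative identifier lists; not the HIPAA or Ontario lists.
DIRECT_IDENTIFIERS = {"name", "email"}
QUASI_IDENTIFIERS = ("postal", "birth_year", "sex")


def deidentify(records):
    """Remove direct identifiers only: 'de-identified' in Law 25 terms, not 'anonymized'."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def generalize(record):
    """Coarsen quasi-identifiers: first three postal characters, 10-year birth band, drop sex."""
    return {
        "postal": record["postal"][:3],
        "birth_decade": record["birth_year"] // 10 * 10,
        "dx": record["dx"],
    }


def min_equivalence_class(records, keys):
    """Size of the smallest group of records sharing the same quasi-identifier values (k)."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values())


def reidentification_risk(records, keys):
    """Worst-case chance a record is linked to exactly one person, assuming an attacker
    knows the quasi-identifiers: 1/k. A value of 1.0 means at least one record is unique."""
    return 1 / min_equivalence_class(records, keys)


if __name__ == "__main__":
    stripped = deidentify(RECORDS)
    print("direct identifiers removed, risk:", reidentification_risk(stripped, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in stripped]
    print("quasi-identifiers generalized, risk:", reidentification_risk(coarse, ("postal", "birth_decade")))
```

Even the generalized table only lowers the measured risk to a stated level; it does not by itself show the irreversibility Law 25 requires for anonymization, which is exactly the gap the Commission says a regulation must fill.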

Impact on business activities

The Commission's position may have implications for various aspects of activities at public bodies and enterprises alike. In fact, despite the existence of national and international standards already in use, the Commission's position creates legal uncertainty around anonymization. This in turn creates doubt about the possibility of using or disclosing anonymized information.

Public bodies and enterprises should be vigilant. Special attention should be paid to established data retention processes and calendars, to ensure data is destroyed where possible. Organizations should also review the contractual limits of their agreements to reconsider and, where appropriate, restrict the use or disclosure of anonymized personal information, since it could be at best considered de-identified personal information by the Commission.

Organizations that use anonymization (or whose service providers rely on it) to use data for additional purposes should document the processes and techniques used to anonymize the information, as well as any assessment of re-identification risks. These processes should ideally be supported by established market standards that have been tested to reduce any privacy risk to individuals. These measures could help reduce the risk of significant sanctions for organizations.

Footnotes

1. Act respecting the protection of personal information in the private sector (Private Sector Act) and Act respecting Access to documents held by public bodies and the Protection of personal information (Access Act).

2. Private Sector Act, s. 10; Access Act, s. 63.1.

3. Private Sector Act, s. 12; Access Act, s. 73.

4. Id.

5. Law 25, s. 111.

6. Law 25, s. 19-102.

7. Law 25, s. 28-119.

8. https://www.cai.gouv.qc.ca/entreprises/destruction-et-anonymisation/.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.