Bill 64 seems bold given its numerous provisions that indicate a clear intention to focus on the principle of accountability. While the current Act respecting the protection of personal information in the private sector ("Quebec Private Sector Act")1 never addresses the principle of accountability or transparency (note that the terms "accountable," "accountability" and "transparency" do not appear in any provision in the current Act), Bill 64 provides a major upgrade by instantly adding a whole section based on the accountability principle.2

This section on accountability provides numerous new obligations, such as the obligation to: implement governance policies and practices for the protection of personal information, establish a framework for the keeping and destruction of the information, establish a process for dealing with complaints, assess privacy-related factors, report security incidents in certain circumstances and keep a register of confidentiality incidents. All of these will of course be under the control, supervision and responsibility of a new position that will have to be created in all businesses: the person in charge of the protection of personal information, also known as a "privacy officer."

How will this actually affect Quebec businesses?

Until now, contrary to what is currently in force in British Columbia,3 Alberta4 and under the federal PIPEDA,5 the Quebec Private Sector Act does not require the appointment of a privacy officer.6

As such, Bill 64 corrects this disparity in section 95. It expressly provides that any person carrying on an enterprise is responsible for protecting the personal information held by the person, and goes further by requiring (as is currently in effect in the Act respecting access7) that the person exercising the highest authority exercise the function of the person in charge of the protection of personal information.

All or part of this function may be delegated in writing to a member of the personnel. Moreover, the title and contact information of the privacy officer must be published on the company's website or, if the company does not have a website, made available by any other appropriate means.

What will the privacy officer have to do?

The privacy officer will have to ensure that the business complies with the applicable principles under the Quebec Private Sector Act regarding the protection of personal information. Moreover, the following are a few examples of the duties that the privacy officer must oversee:

  • establish and implement policies and practices governing the enterprise and the protection of personal information;
  • ensure the implementation of policies/practices in respect of keeping and destroying personal information;
  • define the roles and responsibilities of the members of its personnel;
  • establish a process for handling complaints regarding the protection of personal information;
  • assess the privacy-related factors of any information system project or electronic service delivery project;
  • at any stage of such a project, suggest personal information protection measures as well as the framework of such measures as provided under the Quebec Private Sector Act;
  • be involved in managing a confidentiality incident, for example by establishing policies in this regard, such as a security incident response plan.

The tone has been set: Bill 64 aims to greatly expand the accountability principle and to combine it with the power to impose heavy monetary penalties against a business in breach. Moreover, the position of privacy officer will be automatically assigned to the person with the highest authority in the enterprise. This person must then duly carry out the related duties or delegate this task to a member of the personnel, who must clearly have the necessary skills and abilities to be able to properly carry out the duties, given the serious consequences to the business's reputation and the monetary penalties that could be imposed against the business in the event of a breach.

Footnotes

1 Chapter P-39.1

2 Bill 64, s 95.

3 See the book by Mtres Antoine Guilmain and Éloïse Gratton, The Protection of Personal Information in the Private Sector in Québec. Looking Back and Thinking Forward, Éditions Yvon Blais, Thomson Reuters Canada, 2020, pp. 26-31.

4 Id.

5 Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

6 Comparative table on privacy laws drafted by Mtres Antoine Guilmain, Antoine Aylwin and Karl Delwaide.

7 Act respecting access to documents held by public bodies and the protection of personal information, CQLR, c A-2.1.

Originally published by FASKEN, July 2020
