The Commission d'accès à l'information ("CAI") has confirmed that it will not be publishing an English version of its "Lignes directrices 2023-1 – Consentement: critères de validité". Considering the interest of organizations and individuals throughout Canada for Québec's amendments to its private sector act, BLG has made available this unofficial translation to facilitate understanding of these guidelines. Readers should refer to this translation with care and review the original French version published by the CAI. In the event of a discrepancy between the original French version and this unofficial translation to English, the French version shall take precedence.

Summary of the guidelines

Who are these guidelines for?

These guidelines are intended for public and private organizations that need to obtain consent from individuals to use or disclose their personal information.

The objectives of these guidelines

  • Facilitate understanding of the criteria to be met in order to obtain valid consent;
  • Clarify the obligations of organizations in obtaining valid consent;
  • Identify good practices that promote respect for individuals' right to privacy.

What is excluded from these guidelines

  • Consent to the disclosure of non-personal information, such as technical and financial information or trade secrets;
  • Detailed explanation of when organizations must obtain consent;
  • Exceptions allowing the use or disclosure of personal information without consent. In this case, the validity criteria are irrelevant.

What do the guidelines contain?

  • A glossary of key concepts
  • An introduction to consent and the obligations of organizations
  • A detailed explanation of the 8 criteria for valid consent
  • Examples to help understand the criteria

Laws and regulations take precedence over these guidelines

In case of doubt or conflict with these guidelines, laws and regulations always take precedence.

Consent gives individuals control over their personal information

By default, personal information is confidential in order to protect the privacy of individuals. Consent gives individuals control over the use and disclosure of their personal information. This implies that they agree to what is done with their information.

For their part, organizations must comply with their legal obligations to protect personal information. This includes the obligation to obtain valid consent from the persons concerned. Organizations should document this consent and the elements that support its validity.

The 8 criteria for valid consent

To obtain valid consent, organizations must ensure that it complies with 8 criteria listed in the law. The 8 criteria are interrelated and all important. If a criterion is not met, consent is not valid.

1. Consent must be clear, i.e. obvious, and provided in a way that demonstrates the true will of the person concerned. In most cases, consent should be express, i.e. given by a positive statement or gesture whose sole meaning is to indicate consent, though it may be implicit in certain circumstances.

2. Consent must be free, that is, it must involve real choice and control, and it must be given without coercion or pressure. It must be as easy to provide one's consent as it is to decline providing it. The person concerned must also be able to withdraw consent at any time.

3. Consent must be informed. The person concerned must understand what he or she is consenting to and what this entails. The organization requesting consent must provide precise information. Among other things, it should mention the purpose for which the information is being collected, what information is being collected, and who will have access to it. Lastly, the person giving consent must have the capacity to do so (e.g. not be an incapacitated person or a person under the age of 14).

4. Consent must be given for specific purposes. In other words, the purposes for which personal information is used or disclosed must be as specific as possible.

5. Consent must be granular, that is, it must be requested for each purpose described. If there is more than one purpose, consent must be requested separately for each of them. This granularity allows the person concerned to express his or her wishes clearly, as he or she can accept or refuse each specific purpose.

6. The request for consent must be comprehensible (or understandable), i.e. presented in clear and simple terms, both in the information provided and in the explicit statement of acceptance or refusal. The information presented should be concise, that is to say, expressed in as few words as possible. An organization should avoid unnecessary and complex words (legal jargon). Terms should be as direct as possible.

7. Consent must be temporary, i.e., it must be valid for a limited period of time. It shall be valid only for the period which is necessary to achieve the purposes for which it was requested. The duration limit can be linked with a time limit (e.g. 6 months or 3 years) or an event (e.g. as soon as a payment is made).

8. If a request for consent is made in writing, it must be made separately from the provision of any other information. It must therefore be separate from the terms of use, privacy policies, signatures, etc. The request for consent must be featured in its own section or on its own interface and be easily accessible to the persons concerned.

Warning

Personal information must be necessary

By law, personal information must be necessary for the fulfillment of an organization's purposes. This is true at every stage of the personal information life cycle: collection, use, disclosure, retention and destruction. The consent of an individual does not authorize an operation to be carried out on personal information that is not necessary.

Personal information must be protected

After obtaining valid consent, organizations are responsible for protecting the personal information they hold.

Introduction

A. These guidelines aim to clarify the criteria for valid consent

A.1. Purpose of the guidelines

These guidelines address the criteria for valid consent that organizations must obtain from the individuals whose personal information is concerned.

These criteria are set out in:

  1. Section 53.1 of the Act respecting access to documents held by public bodies and the protection of personal information (the "Access Act");
  2. Section 14 of the Act respecting the protection of personal information in the private sector (the "Private Sector Act").

Unless other provisions are explicitly mentioned in this document, in which case they will be referenced at the bottom of the page, the guidelines are exclusively aimed at the interpretation of these two provisions.

A.2. Intent and significance of the guidelines

The Commission d'accès à l'information (the "CAI") is disseminating these guidelines in order to facilitate the application of the Access Act and the Private Sector Act, the laws for which it is responsible [1]. The purpose of this document is to clarify the obligations of organizations with regard to obtaining valid consent, taking into account the legislation as a whole and case law.

The guidelines do not have the force of law. Laws and regulations take precedence at all times.

A.3. Obligations and good practices

These guidelines also identify good practices that promote respect for individuals' right to privacy. The CAI distinguishes these from obligations throughout the text:

  1. When referring to obligations, it mainly uses the verb "must" in the present tense ("must", "shall");
  2. When it urges the adoption of good practices, it uses the conditional tense or terms related to recommendation or possibility ("should", "could").

A.4. Exclusions

These guidelines do not address consent to the disclosure of non-personal information, such as technical or financial information, or trade secrets [2].

Nor are they intended to provide specific guidance on the situations in which consent is or is not required, apart from the general information in Section B, which focuses on the criteria that must be met when consent is required by law.

A.5. Examples

Examples are given in the second part of this document to illustrate the content of these guidelines. The examples are fictitious but may be based on actual practice. They are simplified to highlight specific consent issues and thus illustrate a specific aspect of the text (for example, a single validity criterion). In practice, every situation requires its own specific analysis. These examples are therefore tools. When a potentially non-compliant situation is described, the CAI suggests a course of action, but this should not be regarded as the only possible solution.

Although the examples are generally associated with a sector, public or private, they may inspire organizations in the other sector. In the original document, icons and colours are used to classify the examples by sector.

A.6. Other laws

Organizations are responsible for knowing and complying with their consent obligations under other legislation, whether sectoral (such as the Act respecting health services and social services) or general (such as the Civil Code of Québec). In addition, obtaining valid consent does not relieve organizations of their other legal obligations to protect personal information.


Footnotes

[1] Access Act, section 123.

[2] Access Act, sections 23, 25 and 49.
