In response to the questions you sent us about our publications, podcast, and the training we provided via the Fasken Institute last December 8 titled "Changements à la Loi sur la protection des renseignements personnels : Comment se préparer à 2022, 2023 et 2024?", we've summarized our answers in three weekly bulletins:

  1. The first bulletin will cover questions relating to the definition and retention of personal information and the penalties imposed by the Modernization Act for breaches of its obligations.
  2. The second bulletin will cover the more specific obligations governing transparency, consent, and communication.
  3. The last bulletin will deal with governance in organizations in relation to personal information protection.

Our Resource Centre is still active and contains a series of bulletins and documents devoted to the Modernization Act. Please add your name to our distribution list to receive upcoming bulletins and other communications on this subject.

BULLETIN 3 (Governance: Person in Charge; PIA; Incident Management)

1. Person in charge

Can the role of the person in charge of personal information protection be outsourced?

It is now possible to delegate the duties of the person in charge of personal information protection to anyone, not only to a staff member.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

Who is in the best position to perform this role: the person in charge of information systems security or the legal team?

This function falls within the enterprise's compliance operations and is therefore generally handled by the legal department. In all cases, a portion of the tasks will have to be performed in conjunction with the person in charge of information security.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

Bill 64 – Chief Privacy Officer will be mandatory in private organizations

To whom does the obligation to have a person in charge of personal information protection apply?

The obligation applies to all types of enterprises, regardless of size.

In what situations must an enterprise or public body conduct a PIA?

The main situations that call for a PIA are:

  • before undertaking any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release or keeping of personal information (including outsourcing projects);
  • before communicating personal information without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics;
  • before releasing personal information outside Quebec or entrusting a person or a body outside Quebec with the task of holding, using or releasing such information on its behalf; and
  • where a public body wishes to collect personal information that is necessary for the exercise of the rights and powers or for the implementation of a program of a public body with which it cooperates to provide services or to pursue a common mission.

Is a PIA necessary if depersonalized personal information is collected for statistical purposes?

Yes, under new section 21, because depersonalized information is still personal information.

To learn more:

Technological and Legal Overview of the Concepts of "De-identified" and "Anonymized" Information under Bill 64

De-identify, Anonymize and De-index: New Verbs and New Obligations!

2. Incident management

How long should an organization keep its register of confidentiality incidents?

The Modernization Act does not specify how long the register must be kept. This may be specified by regulation.

In the meantime, PIPEDA can serve as a guide: it requires the record of an incident to be kept for two years after the incident.

To learn more:

Bill 64 Introduces New Confidentiality Incident Reporting Obligations Amid Increased Cyber Security Risks

How is the risk of serious injury assessed?

The Modernization Act defines a "confidentiality incident" as access to or use or release of confidential information not authorized by law, or loss of personal information, or any other breach of the protection of such information. An incident may therefore take several forms: intrusions into an organization's information system by a third party, a ransomware attack, a data loss caused by a virus or by a software flaw, extraction of data by an employee or unauthorized person, and so on.

Where an incident presents a risk of serious injury, the enterprise must notify the Commission d'accès à l'information and the persons concerned. In assessing that risk, the factors to be considered are (i) the sensitivity of the information concerned; (ii) the anticipated consequences of its use, such as identity theft, financial fraud or serious injury to privacy; and (iii) the likelihood that the information will be used for injurious purposes.

To learn more:

Bill 64 Introduces New Confidentiality Incident Reporting Obligations Amid Increased Cyber Security Risks

3. Profiling

Do the obligations relating to the use of technologies that include profiling functions apply to cookies on a website?

Yes, they do, if the cookies allow individuals to be profiled or allow for their location to be determined.

To learn more:

Cookies, a bite out of cybernauts' privacy? A Canadian-European overview

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.