In follow-up to our recent quiz, our Cyber Security and Data Protection Law Group has provided answers to critical questions on Law 25.
Question: Is it mandatory for all organizations carrying on an enterprise in Québec and handling personal information to have a privacy officer (aka the person in charge of the protection of personal information) under the new Québec law?
Any organization carrying on an enterprise in Québec - regardless of its size, resources or industry - that handles any personal information is obliged to have a privacy officer. The person exercising the highest authority in the organization is the privacy officer by default or may delegate this function in writing to another person. In contrast, under the European Regulation (GDPR), only organizations that process sensitive personal information and/or on a large scale are required to appoint a Data Protection Officer (DPO).
Question: Is there a certification or training requirement to become a privacy officer under the new Québec law?
The new Québec law does not explicitly require that the privacy officer must have specific knowledge to perform their role or have knowledge of the French language. In practice, given the many tasks and responsibilities that can be quite technical, as well as the general liability obligation of businesses, it is preferable that the privacy officer have a minimum level of knowledge and undertake continuous training on the subject.
Question: Is it possible to outsource the privacy officer role outside the province of Québec under the new Québec law?
Answer: Yes, the privacy officer can be based anywhere in the world
The privacy officer function may be delegated in writing, in whole or in part, to any individual, whether internal or third party, with no geographic restriction. The organization will nevertheless have to consider and comply with other requirements, particularly when entering a contract for services that involve the processing of personal information by the service provider or when disclosing personal information outside of the province of Québec.
Question: Is it a requirement to notify the Commission d'accès à l'information du Québec of the title and contact information of the privacy officer under the new Québec law?
Answer: Yes, upon request
The title and contact information of the privacy officer must be published on the organization's website or, if it does not have a website, made accessible by any other appropriate means. An organization is therefore not required to proactively communicate the contact information of the privacy officer to the Commission d'accès à l'information du Québec; however, it will have to provide it in a reactive manner if the Commission requests it.
Quesion: Are duties and responsibilities of the privacy officer prescribed by the new Québec law?
Answer: Yes, but the organization must rely on the law and further detail the job description and responsibilities
The new Québec law explicitly sets out a number of duties and responsibilities of the privacy officer, including approving privacy policies and practices, participating in privacy impact assessments, and participating in assessing harm caused by a confidentiality incident. However, it is also up to the organization to establish a more specific job description and responsibilities that are specifically tailored to the organization and its internal structure.
Question: Is the definition of "confidentiality incident" under the new Québec law the same as the definition of "breach of security safeguards" in the current federal legislation?
Answer: It is similar, but there are some key variations
The new Québec law defines "confidentiality incident" as the unauthorized access, use or disclosure of personal information, the loss of personal information or any other breach of personal information. It should be noted that this definition includes unauthorized use of personal information, which makes it significantly broader than the definition of "breach of security safeguards" in the current federal legislation, and includes any form of "use" without consent, which raises questions of interpretation and application.
Question: If an organization has reason to believe a confidentiality incident has occurred, does the obligation to take reasonable measures to reduce the risk of injury and prevent future incidents of the same nature arise solely from the new Québec law?
Answer: No, not only
The new Québec law requires organizations that have "reason to believe" that a confidentiality incident has occurred to take "reasonable steps to reduce the risk of harm being caused and to prevent similar incidents from occurring in the future," but this obligation also arises from the general liability regime imposed by the Québec Civil Code.
Question: Under the new Québec law, must all confidentiality incidents be notified to the affected individuals and the Commission d'accès à l'information du Québec?
Answer: No, only incidents presenting a "risk of serious injury" must be notified
Organizations must notify the Commission d'accès à l'information du Québec and the affected individuals of any confidentiality incident involving personal information that presents a "risk of serious injury." However, unlike the current federal legislation, there is no mention of the word "real" in the phrase "risk of serious injury," which may indicate that the notification requirements in Québec are potentially more stringent than at the federal level.
Question: Do organizations need to start keeping a register of all breaches under the new Québec law?
Answer: Yes, for a possible five-year period
Organizations must keep a register of all incidents, a copy of which must be transmitted to the Commission d'accès à l'information du Québec upon request. The draft regulation on confidentiality incidents proposes a retention period of five years after the incident is known, while the federal government has set a retention period of 24 months.
Question: When do organizations have to declare the creation of a biometric database to the Commission d'accès à l'information du Québec under the new Québec law?
Answer: 60 days before the database's implementation
Organizations must declare any creation of biometric databases to the Commission d'accès à l'information du Québec no later than 60 days before they are implemented. The new Québec law thus specifies a maximum period for this prior disclosure that did not exist before.