On December 18, 2023, Quebec's privacy regulator, the Commission d'accès à l'information (CAI), published a crucial guide for organizations seeking clarity in drafting and revising their privacy policies. You can access Gowling WLG's unofficial translation of the Guide here (official version only available in French).
1. Understanding the dual nature of privacy policies
The CAI's Guide makes a pivotal distinction between two different types of policies: the confidentiality (or online) policy, and other privacy policies.
The former, as required by section 8.2 of the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1, the Quebec Privacy Act), is necessary for organizations that collect personal information through technological means, typically on websites or digital platforms.
In contrast, the latter, required by section 3.2 of the same act, covers broader aspects of personal information protection within an organization. These policies will generally outline how an organization manages all personal information, not just the information collected online, and includes practices related to data storage, access and protection measures. Understanding this distinction is crucial for compliance and effective privacy management.
2. Clarity is key: Tips for simplified language
The CAI's Guide emphasizes the importance of clear and simple language in drafting privacy policies. It offers practical tips on writing policies that are easily understandable by a wide audience. While these are not strict requirements, they present best practices for all privacy professionals wanting to ensure their policies are accessible to all.
3. Notification of policy modifications
Unfortunately, the CAI's Guide does not provide any clarification regarding the obligation for organizations to inform individuals about modifications to their confidentiality policy. As it stands under the Quebec Privacy Act, organizations are obligated to notify individuals of any amendments to their policy.
This requirement can become burdensome, leading to unexpected scenarios where organizations must notify individuals even for minor adjustments, such as correcting a typo in their policy.
The CAI's Guide is a valuable tool for organizations drafting or revising their privacy policies. It aids in understanding legal requirements, encourages clear communication, highlights areas needing further attention and provides tools to "test" the policy prior to publication.
If you have additional questions regarding your organization's privacy policies, or any other privacy-related topics, do not hesitate to contact us.