There have been two new developments in Quebec privacy legislation. The first is the publication of a new guideline document that outlines the requirements for a privacy notice by the Commission d’accès à l’information (or “CAI”).
The second is a draft regulation governing the practice of anonymizing personal information. ). Any business wanting to be compliant with Law 25 would do well to comply with the recommended practices and requirements in the guidance document and with the draft legislation.
Privacy Notice Requirement: An Overview
It must be noted that these are absolute requirements for public sector bodies, but are not yet absolute requirements for the private sector. Nevertheless, the Guidance Document has persuasive effect, as it may be used to provide a baseline for equivalent data protection for private sector entities.
The CAI’s Guidance Document states that all privacy notices must be presented and made available in a way that allows an individual to make an informed decision concerning the collection, use, and disclosure of their personal data. The most logical places to post a notice are:
- For online orders: before the purchase is made, when personal information is required to process the transaction
- For mobile apps: a message affixed or designed to appear when a person first uses the app
- For connected devices: a booklet that is included with packaging for the product
- For physical premises: a notice to the public stating that there is on-site surveillance, and the purpose for doing so.
The Guidance Document also lists three types of privacy notices, which should not be confused with one another:
- Terms & Conditions: the privacy notice should be buried within this document, as the T&C refer only to the usage of the site and any issues with them. However, the privacy notice / consent can be linked through the T&C. This is to ensure that the notice at collection is not buried into T&C.
As with other legislation (such as California, for example), the Guidance Document recommends that an entity indicate any other parties to whom they share personal data while doing business including:
- IT security / related services providers (e.g. cloud hosts)
- Service providers (e.g. payment processor, marketing / advertising firms)
- A consultant who is offering services to a client on behalf of a business
If you intend to conduct any profiling using personal data, the privacy notice must contain the following:
- How the profiling is to be done
- What personal information is involved
- Ways to not participate in profiling
- Set the notice to “opt-in” by default, where the person(s) to whom the data must actively provide opt-in consent to the profiling (and not use an “opt-out” as the default setting)
As a matter of best practice, when outlining the third parties to whom personal information is being shared, an entity should also include the categories of personal information that are disclosed. Examples include the following:
- Identifiers: name, contact information
- Technical information: IP address, date / time of connections, site visit history
- Financial information: banking details, salary / wage rate, financial holdings, debt
- Health information: preexisting conditions, gender assigned at birth, medication
- Demographic information: age, date of birth, ethnicity, city of residence
- Biometric data: voice imprint, facial recognition, biometric scans
Additionally, an entity must mention the goals or objectives for disclosing the personal data in question, as well as effects of not providing the data. In other words, an entity must justify the necessity and purpose of collection and what happens if the PI is not disclosed.
Other types of information that should be included in a privacy notice, according to the Guidance Document, including the following:
- Categories of person(s) or internal staff who will receive the data and why they need access thereto
- The technical and organizational measures to secure and safeguard data (such as SOC2, ISO, or other certifications)
- The person’s rights under Law 25 to exercise their privacy rights, including
- Access to personal information
- Right to rectify factually incorrect personal data
- Where to make a complaint
- Technological means to access or modify one’s personal information
- Name and contact information of the entity’s privacy officer
- The CAI / privacy regulator office contact information
From a stylistic standpoint, the CAI recommends that a privacy notice be clear, simple, concise, and unambiguous. Any notice should be written in plain language, tailored according to the audience, and customized so that the notice accurately reflects how personal information is to be collected, used, or disclosed. A robust privacy notice must be able to succinctly convey the key points of information collection, and communicate the sensitivity and magnitude of the data involved to ensure that a person can make an informed decision about how their personal information is to be processed. From an aesthetic standpoint, the Guidance Document recommends using headers, sub-headings, simple phrasing, appropriate layout (such as tables, charts, or flow diagrams as needed), and other ways to display information clearly. Visual aids can be a great help if it makes sense to use them in a notice.
As with any document, it is recommended that the document be tested with an internal audience to obtain feedback, and the privacy notice must be reviewed and updated regularly to ensure ongoing compliance.
Draft Anonymization Regulation for Law 25
In addition to the Guidance Document, the Quebecois Parliament has put together a draft regulation governing how an entity should anonymize, de-identify, and / or pseudonymize personal information.
It should be noted that because the regulation is still in draft form, these recommendations are considered to be best practices that can be implemented in anticipation of conforming with the draft regulation.
Establish circumstances under which anonymized data is to be used (s. 3)
Pseudonymisation Policy (Governance)
Create a policy governing when and how anonymization is to be handled by your organization
Suitably qualified person must be responsible for this (s. 4)
Decision tree and organizational chart
Assign / delegate responsibility for overall governance
Remove all personal identifiers at outset and conduct risk assessment to determine the likelihood / risk of re-identification (s. 5)
Standard Operating Procedure and Privacy Impact and / or Security Risk Assessment Document
Entity may have to develop questionnaire for internal completion. If a project is massive and involves sensitive data, a PIA may need to be completed.
Once risks assessed, anonymization techniques to be established (s. 6)
Standard Operating Procedure
Formalize workflow document. Conduct audits as needed to ensure compliance with the SOP
Demonstrate low risk:
Review document showing that the risk is low, using these key metrics
This requirement has yet to be finalized, as the criteria has not yet been established.
The risk should be reviewed periodically to ensure ongoing compliance. The risk must be reviewed if there are any changes to the way personal data is to be processed or anonymized.
Regularly assess to determine if the risk remains low (s. 8)
Audit and review
Schedule and execute periodic audits and reviews to ensure ongoing compliance
Maintain the risk register and modify / update if there are any significant changes to the risks.
Review the risk with your executive, privacy officer, and CIO / CISO to ensure that the record is correct and up to date.
How can Kobalt.io help?
At Kobalt.io, we have built a team to provide full stack security and privacy services to our clients. If you have any questions regarding data protection or cybersecurity, rewatch our webinar on cybersecurity and data privacy challenges, or book a time to talk to our Privacy Lead.
Ritchie Po holds both Canadian (CIPP/C) and European (CIPP/E) privacy officer designations from the International Association of Privacy Professionals. Additionally, he is a lawyer called to the British Columbia bar, and often acts as a legislative consultant.