Data privacy has long been a major concern for corporate leaders. It is even more so since Quebec’s Law 25 came into effect, redefining and setting out the obligations of businesses and what is required to comply with them. In force since September 2022, the reform aims to modernize legislation protecting personal information so that it better reflects today’s digital reality.
What is data privacy and personal information?
When we refer to data privacy, we’re talking about protecting and preserving sensitive and/or personal information. This includes implementing measures to prevent unauthorized access to and the improper use or disclosure of this data. The goal is to maintain trust in how data is used and shared.
In the context of Law 25, personal information is information that concerns a physical person and allows them, directly or indirectly, to be identified. For instance, this includes identification details (name, address, phone number), financial information (income, credit card number) and several other sorts of data. The Government of Quebec’s website provides a comprehensive list of different types of information (in French).
Law 25: Humans before technology
Even if you set up the best security and monitoring devices for your corporate data, your efforts will be in vain if you neglect to consider what is often the weakest link for most companies: the human factor. This aspect is central to Law 25.
The first step when ensuring compliance with Law 25 is to appoint a privacy officer responsible for protecting data at your company. The law dictates that this role must be performed by the person with the highest authority in the company, although that person may not necessarily have the skills required to do so.
If you do not have the capacity to handle this function yourself, you must clearly identify the roles and responsibilities involved so that the right person can be appointed to the task. Keep in mind that you must have had a designated person responsible for protecting personal information in place since September 2022, and that their name and contact information must be posted on your website.
The second aspect concerns establishing your policies and practices for protecting personal information. This aims to define:
These elements can have several legal implications. Be sure to consult with a professional to help you write and validate your policies before posting them on your website.
Once you have established your regulations, you must train your staff to ensure they apply these policies correctly. The law also requires you to implement a training program on how to protect personal information, and each new employee must receive this training.
Your obligations in the event of a data breach
Law 25 requires you to implement and maintain a record of the confidentiality incidents that occur. You must also define your notification process for such incidents, as you are obliged to advise anyone potentially affected as well as the Commission d’accès à l’information du Québec (CAI). Reporting an incident triggers a process in which the event is catalogued and your practices are investigated to determine whether you were non-compliant at the time the incident occurred.
A company that fails to report a confidentiality incident may be fined up to $25 million for penal offences and/or up to $10 million in administrative monetary penalties.
What about technology?
Up to now, we’ve mostly touched on obligations, policies and processes. However, technology remains central because it is what allows you to meet all of these requirements. All of your corporate data is important and must be adequately protected; neglecting this aspect can have the disastrous consequences we’ve just outlined.
Your first task is to conduct an inventory of the personal information you hold. Who has access to this data, and in what context and for what reason? You must compile this information and your privacy officer must ensure this record is up to date and that your data protection policies are strictly enforced.
To help further your considerations, we recommend you read our article about protecting information and data governance. You’ll see that not all data is equally critical, and you need to know your data well to apply the right levels of protection.
Everything we’ve discussed up to now concerns what you need to have implemented by September 2022. But your work isn’t yet finished, as by September 2023 you must have set up:
- Policies to archive, destroy and anonymize personal information
- A process to handle complaints
- A process to assess privacy factors for protecting personal information
- A consent process to collect, hold, use and share personal information
- A process to de-index data
And keep in mind that you must implement measures to facilitate personal data portability by September 2024, so there’s still a lot to do.
The final article in our series will explore data traceability. Despite its somewhat esoteric nature, you’ll see that it’s a very down-to-earth concept that is enormously valuable to your information security governance.