The bulk of the “Law 25” amendments to Québec’s Act Respecting the Protection of Personal Information in the Private Sector (“PPIPS”) take effect on September 22, 2023. In a previous post, we discussed the internal policies and practices these amendments require. This post focusses on four information systems configurations Québec businesses must respect to comply with Law 25. These include ensuring that (i) privacy settings default to “off”, (ii) profiling settings can be easily deactivated, (iii) an accurate mapping of personal information exists, and (iv) the systems can destroy and anonymize personal information that is no longer needed. This post also addresses a fifth requirement – often overlooked but increasingly relevant – concerning biometric data.
Privacy Settings Default to “Off”
As of September 2023, PPIPS’ new sub-section 9.1 requires businesses that collect personal information while offering a technological product or service to “ensure that the parameters of the product or service provide the highest level of confidentiality by default, without the intervention of the person concerned”. This requirement does not apply to cookies used as connection indicators. Concretely, this means that the individual must activate any tracking included in service or product. By default, the business offering such a good or service must set the tracking features at “off”.
Profiling Disclosed
In keeping with the previous point, businesses that use technology to identify, locate or profile an individual will have to disclose, in their privacy policy, not only that they are engaging in such activity but how their profiling technology can be activated (presumably so the individual who does not wish to be profiled can de-activate it). Subsection 8.1 makes clear that this required transparency also applies to monitoring in the workplace. It specifically states that “profiling” “means the collection and use of personal information to assess certain characteristics of a natural person in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour”.
As a result, come September 2023, businesses will have to be fully transparent about all the technology they deploy to monitor individuals, including employees in Québec. Presumably they will also have to ensure that the technology in question is configured to allow for deactivation at the individual’s request.
Knowing Where the Personal Information Is
Although responding to an individual’s request to either access or correct personal information within thirty days is not new, the addition of new individual rights (including the right to data mobility and de-indexation) and the duty to notify all individuals affected by a confidentiality incident requires businesses to know where their personal information is kept and who has access to it. A business’ information systems should be fully integrated and configured to allow for (i) easy access to all personal information required to fulfil a disclosure duty and (ii) complete updating and deletion of information across the organization. While not required by private sector businesses, a data map is an effective tool to acquire and maintain a picture of where personal information is stored.
Destroying and Anonymizing Data
A fourth information systems configuration requirement is the ability to destroy and/or anonymize data (including personal information) when such data is no longer needed. As of September 2023, Law 25 requires personal information be anonymized or destroyed when the purposes for which it is collected or used have been achieved. Although, the question of anonymization is a contentious one – as technologically speaking true anonymization is not possible – and the word “de-identified” would have been a more accurate reflection of what is possible and what the law actually requires, business must now ensure that their information systems are capable of destroying or “anonymizing” personal information they no longer need.
Biometrics
Although not new, this fifth point is a reminder to businesses that are contemplating using biometric information to identify and authenticate individuals. Québec’s Act to establish a legal framework for information technology requires that a business using biometric information to identify or authenticate a person’s identity do so only with the individual’s express consent and after having previously disclosed the practice to the Commission d’accès à l’information (Québec’s privacy commission; “CAI”). A business must also notify the CAI sixty days prior to setting up a biometric data base. In addition, CAI guidelines on the use of biometrics in the workplace state that individuals must be provided with an alternate means of identifying themselves. Employers cannot therefore rely exclusively on biometric identification or authentication of employees.
In addition to policy and procedural steps, the amendments to PPIPS that take effect in September 2023 require configuration adjustments to information systems. Some of these changes may not be negligible. If they have not already done so, businesses should start considering these adjustments now so as to avoid penalties come September.
