ARTICLE
21 April 2025

Tips On Implementing Effective Security Measures

Fasken


In 2021, Québec adopted major advances in the protection of personal information,1 triggered by serious confidentiality breaches that continue to multiply. These legislative changes created new obligations, reinforced those introduced in 1993, and are now all backed by significant penalties.2

No one is immune to a confidentiality incident (a "privacy breach"). The new sanctions regime is not intended to punish organizations that have been victims of a confidentiality incident, but rather those that took no steps to prevent it.

An incident can reveal organizational flaws and situations of non-compliance and also draw the attention of affected individuals and the Commission d'accès à l'information du Québec (or its counterparts). Some common shortcomings include:

  • failing to collect only that personal information which is necessary for the specified purpose(s);
  • failing to retain personal information only for the period necessary for the specified purpose(s);
  • failing to use appropriate security measures to protect the personal information.

With this in mind, here are some tips to reduce the risk of a confidentiality incident as well as its impact.

Damage Control—By Limiting Collection

What does not exist cannot be accessed, disclosed or used without authorization. It is therefore essential to limit the amount of personal information collected. Any collection of personal information must respect the principle of necessity, which has been entrenched in Québec law for more than 30 years,3 as well as in the Personal Information Protection and Electronic Documents Act4 and other similar legislation.

When it comes time to assess the "risk of serious injury"5 associated with a confidentiality incident, many organizations are relieved to have collected only a postal code instead of an address, or a year of birth instead of the full date.

Before deciding to collect any personal information, apply the rule of thumb: do you really need it?6 If the collection is part of a project to acquire, develop or redesign a computer system or to provide electronic services,7 a "privacy impact assessment" should be conducted to determine how the project will affect individuals' privacy. Nothing in the legislation prevents conducting such an assessment on existing systems.

Damage Control—By Cleaning the Clutter

Limiting the initial collection also makes the next principle, properly managing the information that is retained, easier to apply. What does not exist requires neither reassessment nor periodic deletion.

Following the collection of any personal information, that information may only be retained for a limited period of time.8 Keeping in mind the rule of thumb from the previous principle, make a point of periodically asking yourself—do you still need it?9

Many organizations struggle to explain to individuals and the Commission d'accès à l'information du Québec why outdated information that should already have been destroyed is circulating on the Dark Web, while others appreciate the benefits of automatically archiving email after 12 months.

The best way to respect this principle is to implement a retention and destruction schedule for personal information. This is a tedious preliminary step, but it significantly reduces the risk of costly penalties for private businesses.10
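To make the retention and destruction schedule concrete, here is an added example (not from the article, and not a schedule prescribed by the Private Sector Act) showing how such a schedule can be enforced mechanically over a record inventory. The categories, retention periods, trigger events and sample records are constructed assumptions; an organization would substitute the periods justified by its own purposes and legal obligations.

```python
"""Retention-and-destruction schedule applied to a record inventory.

Added example, not from the article. Categories, retention periods and the
sample records below are constructed assumptions, not statutory figures.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed schedule: category -> (retention period in days, trigger event).
# "collection" starts the clock at the collection date; "end_of_relationship"
# starts it when the relationship with the individual ends.
SCHEDULE = {
    "job_application": (365, "collection"),
    "customer_account": (3 * 365, "end_of_relationship"),
    "newsletter_signup": (0, "end_of_relationship"),  # delete on unsubscribe
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    relationship_ended_on: Optional[date] = None
    legal_hold: bool = False  # a litigation hold overrides the schedule


def destruction_date(rec: Record) -> Optional[date]:
    """Date on which the record becomes due for destruction, or None when the
    trigger event has not happened yet (the retention clock has not started)."""
    if rec.category not in SCHEDULE:
        # An uncategorized record is itself a compliance gap: fail loudly.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    days, trigger = SCHEDULE[rec.category]
    if trigger == "collection":
        start = rec.collected_on
    else:
        start = rec.relationship_ended_on
        if start is None:
            return None
    return start + timedelta(days=days)


def due_for_destruction(records, as_of: date) -> list:
    """IDs of records whose destruction date has passed as of `as_of`,
    skipping any under legal hold (those go to counsel, not to auto-deletion)."""
    due = []
    for rec in records:
        if rec.legal_hold:
            continue
        d = destruction_date(rec)
        if d is not None and d <= as_of:
            due.append(rec.record_id)
    return due


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("app-1", "job_application", date(2023, 1, 10)),
    Record("app-2", "job_application", date(2024, 11, 1)),
    Record("cust-1", "customer_account", date(2019, 5, 2),
           relationship_ended_on=date(2021, 3, 1)),
    Record("cust-2", "customer_account", date(2019, 5, 2)),  # still a customer
    Record("cust-3", "customer_account", date(2018, 1, 1),
           relationship_ended_on=date(2020, 1, 1), legal_hold=True),
    Record("news-1", "newsletter_signup", date(2022, 6, 1),
           relationship_ended_on=date(2025, 4, 1)),
]


def run_demo() -> list:
    """Evaluate the sample inventory as of the article's publication date."""
    return due_for_destruction(SAMPLE_RECORDS, date(2025, 4, 21))


if __name__ == "__main__":
    print(run_demo())  # ['app-1', 'cust-1', 'news-1']
```

The two design points worth keeping in a real implementation are that the clock for relationship-bound records does not start until the triggering event is recorded (so a missing end date is a data-quality problem to surface, not a reason to keep the record forever), and that a legal hold suppresses automatic destruction rather than silently extending the period.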

Limiting Risk—By Taking Appropriate Steps

Security measures used to protect personal information must be adapted to the sensitivity of the information, the purpose of its use, the quantity collected, its distribution and the storage medium.11 Not all risks can be eliminated and there is no silver bullet, but some universal measures include:

  • Providing staff training and awareness activities. These activities help staff members recognize intrusion attempts, such as phishing emails and other social engineering tactics. Employees are the first line of defence.
  • Using multi-factor authentication (MFA). This additional barrier requires more than one method of verifying the user's identity and plays a key role in preventing unauthorized intrusions. It is not a panacea (SMS codes and push notifications can still be phished or approved by a fatigued user, whereas FIDO2 security keys and passkeys resist phishing), but most incidents occur, or are made worse, when the compromised account was not protected by MFA.
  • Using strong passwords. Weak passwords are often the result of outdated password practices, such as character-complexity requirements or periodic forced resets. These practices encourage predictable passwords (a dictionary word with a capital letter, a digit and a symbol appended) and other dangerous habits, such as saving passwords in readable (plain-text) form in a document named "passwords." Current guidance favours length, screening new passwords against lists of known-breached passwords, and changing a password only when there is evidence of compromise.
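The contrast between the outdated and the current password practice is easier to see in code. The following is an added example, not from the article or from any product it refers to: a legacy composition-rule check placed beside a length-and-breach-screening check of the kind the passage recommends. The minimum length, the short block list and the sample passwords are constructed assumptions; a real deployment screens against a large breached-password corpus (for instance the Have I Been Pwned range API) rather than a hard-coded set.

```python
"""Legacy complexity rule versus a length-and-screening password check.

Added example, not from the article. MIN_LENGTH, BLOCKLIST and the sample
passwords are constructed assumptions.
"""
import re
import unicodedata

MIN_LENGTH = 12   # assumed policy: length is the primary strength control
MAX_LENGTH = 128  # allow long passphrases; the password hash handles the rest

# Constructed stand-in for a breached/common-password list (lowercase).
BLOCKLIST = {
    "password", "password1", "password1!", "qwerty123", "letmein",
    "welcome1", "summer2024", "123456789012",
}


def legacy_policy(pw: str) -> bool:
    """The outdated rule the article criticises: at least 8 characters with
    upper case, lower case, a digit and a symbol. It accepts "Password1!" and
    rejects a long passphrase that happens to contain no symbol."""
    return bool(len(pw) >= 8
                and re.search(r"[A-Z]", pw)
                and re.search(r"[a-z]", pw)
                and re.search(r"\d", pw)
                and re.search(r"[^A-Za-z0-9]", pw))


def _candidates(pw: str) -> set:
    """Variants compared against the block list: lowercased, with the trailing
    run of digits/symbols removed (the "2024!" people append to satisfy
    complexity rules), and with common substitutions folded (P@ssw0rd)."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    fold = str.maketrans("@$0!3", "asoie")
    return {low, stripped, low.translate(fold), stripped.translate(fold)}


def check_password(pw: str, user_terms=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    user_terms: username, e-mail local part, etc., which must not appear.
    Deliberately absent: character-class requirements and an expiry date."""
    pw = unicodedata.normalize("NFKC", pw)  # same-looking input compares equal
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if any(c in BLOCKLIST for c in _candidates(pw)):
        reasons.append("appears in breached/common password list")
    low = pw.lower()
    for term in user_terms:
        if len(term) >= 4 and term.lower() in low:
            reasons.append(f"contains user-specific term {term!r}")
    return reasons


if __name__ == "__main__":
    for sample in ("Password1!", "P@ssw0rd2024!", "correct horse battery staple"):
        print(f"{sample!r}: legacy={legacy_policy(sample)} "
              f"current={check_password(sample) or 'accepted'}")
```

The legacy rule and the current check disagree on exactly the cases that matter: "Password1!" satisfies every composition requirement yet is on every breached list, and a four-word passphrase fails the legacy rule while passing the current one. Folding trailing digits and common substitutions before the list lookup is what catches the predictable variants that rotation policies produce.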

Don't forget that these same risks also apply to any subcontractors you do business with. Such risks can be managed by including all of these principles in a written contract that (i) limits the transmission of personal information to only those who need it; (ii) ensures its destruction at the end of the contract; and (iii) requires the implementation of security measures.12 Note that the business should also ensure that it is able to verify whether its subcontractor is complying with the terms of the contract, for example through audit rights or periodic security attestations.

Footnotes

1 The passage in 2021 of An Act to modernize legislative provisions as regards the protection of personal information, which amended the Act respecting the protection of personal information in the private sector (the "Private Sector Act").

2 An Act respecting the protection of personal information in the private sector, CQLR, c P-39.1, s 10, and Division VII, Part 4.1 and following.

3 Ibid, at note 2, s 5.

4 Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

5 Ibid, at note 2, s 3.5.

6 Pierre-Yves MCSWEEN, En as-tu vraiment besoin?, Laval, Guy Saint-Jean Éditeur, 2016, 228 pages.

7 Ibid, at note 2, ss 3.3 and 17.

8 Ibid, at note 2, s 23.

9 Ibid, at note 2, s 6.

10 Ibid, at note 2.

11 Ibid, at note 2.

12 Ibid, at note 2, s 18.3.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
