Quebec's Health And Social Services Information Privacy Law: What You Need To Know

This article is the first in a series of two publications on the theme of Quebec's new Health and Social Services Information Privacy Law.

July 1, 2024 has passed, which means that in Quebec, most of the provisions from the Act respecting health and social services information and amending various legislative provisions¹ (the « Act ») are now in force. Along with this Act, several additional regulations have also come into force. This Act follows Quebec's recent updates to its privacy regime (« Law 25 ») which have been inspired by the European Union's General Data Protection Regulation.

Health and social services providers will now have to respect new rules regarding the collection, use, transmission and collection of Health and Social Services Information (« HSSI »). Its purpose is to improve the quality of services offered by Health and Social Service Bodies (« HSSB ») by streamlining information transmission. What constitutes a HSSB includes institutions such as the Ministère de la Santé et des Services sociaux, public health facilities, private health institutions, laboratories, palliative care hospices and private seniors' residences, amongst others.²

Note that this Act exempts HSSI being held by HSSB from being subject to Quebec's Act respecting the protection of personal information in the private sector³ or the Act respecting Access to documents held by public bodies and the Protection of personal information⁴ (applicable to private sector organizations and public sector organizations, respectively).

What constitutes HSSI?

HSSI issensitive information that allows, even indirectly, the identification of an individual who meets one of the following characteristics: (i) it relates to the physical or mental health of that person and its determining factors, including the person's medical or family history; (ii) it relates to any material taken from that person as part of an assessment or treatment; (iii) it relates to the health or social services offered to that person; (iv) it was obtained in the performance of a function provided for in the Public Health Act⁵; or (v) any other characteristic determined by government regulation.⁶

In addition, information allowing the identification of a person is HSSI when it is combined with information covered by the present definition or when it is collected for the purpose of registering, enrolling or admitting the person concerned in an institution or for the purpose of taking charge of the person by another HSSB.⁷

New obligations for HSSI in Quebec⁸

The new privacy law obligations under this Act applies to :

• When HSSI is communicated to a person or a service provider: The HSSI must be necessary for the exercise of the mandate or the performance of the contract. The company receiving this information should assess its need to receive this information. An HSSB can only collect information which is necessary to fulfil its mission or purpose, exercise its function, carry on its activities or implement a program under its management.⁹ If a third party is involved, they are subject to the same obligations and the HSSB must be notified in writing before the third party is contacted.

In order to be valid, a contract must be in writing and include measures to be taken by the company to preserve the confidentiality of the HSSI and comply with appropriate rules.

If HSSI may be communicated to a person or group, they must sign confidentiality agreements, only use HSSB-authorized technology and notify the HSSB Privacy Officer if there has been any breach or attempted breach in privacy.

• When HSSI is being transferred/communicated outside of Quebec: A HSSB wishing to entrust a mandate or enter into a contract involving the communication of HSSI outside Quebec must carry out a privacy impact assessment (PIA). The mandate may only be entrusted or the contract concluded if the PIA demonstrates that the information would benefit from adequate protection, particularly with regard to generally recognized privacy principles. The agreement between the company and the HSSB must take into account the results of the PIA and, where applicable, the terms and conditions agreed to in order to mitigate the risks identified in the PIA. The same applies when the HSSB entrusts a company outside Quebec with the task of collecting, using, communicating or storing information on its behalf.

• When information held by the HSSB is going to be used or communicated: All information held by a HSSB is confidential and, subject to the express consent of the person concerned by the information. This consent must be clear, free and informed and be given for specific purposes.

• When the HSSB collects information from a person: The HSSB must, upon request, and in clear simple language, inform the person of the name of the body or on whose behalf the information has been collected, as well as the length of time the information will be kept, its purpose, and means of the collection. The person must also be informed of their right to access, rectify, restrict and refuse access to the information and the terms on which they can express these rights.

• When the HSSB holds data, it must ensure that this information remains up to date, accurate and complete so that it can be used for the purpose for which it was collected or used.

• When the HSSB holds HSSI, it must log all access to this information and protect it through safeguards and security measures. When offering a technological product or service, the privacy settings must be set to the highest level of confidentiality by default.

• When the HSSB has cause to believe that there has been a confidentiality incident involving HSSI it holds: It must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. If the incident presents a risk of serious injury, the body must promptly notify the Minister and the Commission d'accès à l'information. It must also notify any person whose information is concerned by the incident, failing which the Commission d'accès à l'information may order it to do so.

• When the HSSB uses information it holds to render a decision based exclusively on the automatic processing of the information, the person concerned must be notified of the factors and information used to come to this decision.

• When holding HSSI, a HSSB must adopt a governance policy for this information that it holds.

As this Act has been so recently implemented, it remains to be seen how it will apply in practice. We will be following developments on this law closely.

Footnotes

1 R-22.1 – Act respecting health and social services information (gouv.qc.ca)

2 R-22.1 – Loi sur les renseignements de santé et de services sociaux (gouv.qc.ca), Section 4.

3 p-39.1 – Act respecting the protection of personal information in the private sector (gouv.qc.ca)

4 p-39.1 – Act respecting the protection of personal information in the private sector (gouv.qc.ca)

5 https://www.legisquebec.gouv.qc.ca/en/document/cs/S-2.2.

6 R-22.1 – Act respecting health and social services information (gouv.qc.ca), Section 2.

7 R-22.1 – Act respecting health and social services information (gouv.qc.ca), Section 2.

8 R-22.1 – Act respecting health and social services information (gouv.qc.ca)

9 R-22.1 – Act respecting health and social services information (gouv.qc.ca), Section 13.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.