What Policies are needed to comply with Quebec Loi 25?


- A practical coup d’œil and common sense approach -

If you are an organization that falls under the scope of this Law, you probably asked yourselves this question a few months ago, but if you are still struggling with the answer, luckily there are a lot of law firms like Fasken, BLG, Gowling and other prestigious ones in Canada who have your back.

If we look at the original requirements (https://www.quebec.ca/nouvelles/actualites/details/loi-25-nouvelles-dispositions-protegeant-la-vie-privee-des-quebecois-certaines-dispositions-entrent-en-vigueur-aujourdhui-43212), we need to separate “what we need to do for compliance” from “what policies we need in our privacy compliance program”. Sure, a policy framework is essential, but not everything in this Law translates into a Policy.

Requirements:

1. (No Policy required) Appoint a Data Privacy Officer – remember that, unlike the GDPR, the Act has no requirement to: a) allocate resources to the Privacy Officer; b) disclose the contact information to the CAI (Commission d’accès à l’information). However, you do need to publish the contact information of the Privacy Officer on the organization’s website (contact doesn’t necessarily mean name!).

2. (More than 1 Policy) Governance over roles and responsibilities throughout the PI lifecycle – this requires more than a policy. You may need an internal Data Privacy Policy for how employees should handle all personal information, as well as an Employee Relationship Privacy Policy where the privacy rights of employees are addressed. In addition, you need to establish a governance structure throughout your organization (privacy by design at the structural level) on how employees meet their obligations for protecting PI at every stage of the lifecycle. And just a note: your typical PIPEDA 10 Principles based policy may not be the best option (it works, but… you will need a few adjustments in your operations and in how you drive your privacy program).

3. Don’t forget the website Privacy Notice, or Online Privacy Policy as some call it: publish detailed information about all your privacy policies and practices on your website, using plain language.

4. (Policy required) General PI collection, use and disclosure principles: this should be in your Data Privacy Policy (internal).

5. (No standalone Policy required) Data retention principle: this should also be addressed in your Data Privacy Policy, but it should be part of the umbrella Records Retention Program and Retention Schedules, where you can specifically address requirements for PI. As a general rule, consult the OPC guidance: https://priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/safeguarding-personal-information/gd_rd_201406

6. (Standard and Policy/Standard) PI destruction and anonymization: you need a PI Destruction Standard, but it should be part of the overall IT Data Destruction Standard (no need to write a brand new document for this), and an Anonymization Standard which should contain two parts: first, what the Law considers anonymized and how your employees can get there, and then the technical details of anonymization. You probably wondered why these two are together: because if you don’t anonymize, you need to delete/destroy.

7. (Policy required) Receiving and processing complaints and requests from individuals wishing to exercise their rights.

8. (Standalone Policy required) Handling Confidentiality Incidents – you definitely need a Privacy Incident/Breach Management Policy and Procedure here. You need this as a standalone document, but you absolutely need to cross-reference it with the Information Security Incident Management Policy or Standard. If theirs is strong enough, you can consider combining the two. You need to build an entire program around this requirement. A policy and a log of incidents is not enough.

9. (No standalone Policy required) Surveillance cameras – you can work with IT to create a policy, or you can use your Acceptable Use of IT Policy and augment it.

10. (Standalone Policy required) Biometric systems – this is where building privacy by design bridges around the use of biometric systems will go a long way.

11. (Standalone Policy and Guidance required) Artificial Intelligence and use of algorithms (and research) – again, build a program with a privacy by design approach in mind and embed this in the PIA (Privacy Impact Assessment).

12. (No Policy required) Privacy Impact Assessment: this is not a Policy. This is a program. Some organizations will invest time to write a Privacy Impact Assessment Policy, but let’s think about this. A PIA is a Risk Assessment. This should already be part of your Risk Management Policy, and if you really want it under a Policy, you need to put it under your Data Privacy Policy.

13. (No Policy required) A training program addressing all 12 requirements above: any organization mindful of compliance will have a compliance training program already in place, which includes more than privacy and security. However, these specific requirements (above) need to be encapsulated into that training.

14. (No Policy required) Privacy by design: organizations must ensure tech products or services have privacy parameters that provide the highest level of confidentiality by default. You need a program, and you need to embed these requirements into your other business processes. If you decide to write a Policy for Privacy by Design, you will now need to not only comply with it but also demonstrate compliance, and there are very mature organizations out there who cannot reach this high bar. You can write a Guideline, and you can expressly state that products and services need to be built following the ISO standard, but you don’t need to be compliant with the ISO standard; you need to embed privacy engineering principles into your SDLC – for this, see NIST 8062. If you want to embed PbD into the SDLC, check out Privacy Code: https://www.privacycode.ai/

15. (Not really) Consent – do you need an internal Policy on Consent? Not necessarily. You can address this Principle in your Data Privacy Policy, followed by specific Guidance for: contacting customers for marketing, collecting information on a call you receive in your Customer Contact center, cookie consent (you can have a cookie policy on your website), any other collection of information (like through a contest), but also – very important – write out your Exceptions from Consent so it is very clear: “exempted from the consent requirement, i.e. use that is: necessary for: - service or delivery of a product/service the individual requested or a transaction; - prevention/detection of fraud; - evaluation and improvement of protection and security measures; - study or research purposes – but do not leave this to broad interpretation and be aware of secondary uses (inventory and justify them); production of statistics with de-identified information” etc. https://www.blg.com/en/insights/2021/11/quebec-privacy-law-reform-a-compliance-guide-for-organizations From the same source – consent – effective September 2023:

- organizations must comply with obligations around: form of consent, which can vary depending on PI sensitivity; criteria to ensure consent validity; and obtaining consent from minors.
- reviewing consent forms and other documents used to obtain consent to ensure: any consent obtained is clear, free and informed, and given for specific purposes, in simple and clear language; written consent requests are presented separately from any other information provided to the individual; and consent for minors:
  - under 14 years old is obtained by the holder of parental authority or tutor.
  - 14 years or older is obtained by the minor, the holder of parental authority, or tutor.
- implementing procedures to assist individuals in understanding the scope of the consent being sought; and updating classification policies to reflect that information.

If you need some inspiration, have another look at the Guidelines on Consent by the OPC: https://priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/ and, if you really want to write a Policy, the BLG guidance and the one above can be very useful. Also – a great “brief” was written by Gowling: https://gowlingwlg.com/en/insights-resources/articles/2023/law-25-user-friendly-approach-to-valid-consent/

16. (No Policy required) Considerations impacting use of tracking and location devices: this is again part of your privacy by design program, awareness, training and documentation within the System Development Lifecycle. What do you need to implement: “transparency and consent/ Recommendations for compliance include: preparing an inventory of technologies that collect PI that can identify, locate or profile customers or employees; for each technology, reviewing privacy policies or notices to ensure they inform individuals in advance of the technology use and means to activate it; determining means of disseminating this PI collection; and implementing procedures to inform individuals of any changes to: collection practices; or applicable privacy notices.” https://www.blg.com/en/insights/2021/11/quebec-privacy-law-reform-a-compliance-guide-for-organizations

17. (Do not need a Policy) Disclosures: I have personally never seen a Policy on Disclosures. It is important, though, to be very clear in the internal guidance (which can sit in business documents) as to with whom information may be shared and under what conditions. Do not forget your Contract terms and conditions with respect to sharing information – a very powerful document in itself. According to BLG: “Exception to consent. As noted in section 3.3, Bill 64 permits the disclosure of personal information to a third party without the consent of the individual, where such disclosure is necessary for the performance of a mandate or the execution of a contract for services (s. 18.3). This exception therefore allows the organization to transmit personal information to its agents and service providers (“service providers”) without the individual’s consent.”

18. (Lots of Policies) Security Safeguards – all the Information Security (IS) Policies apply, and some IT Policies.

19. (No Policy required, but…) Cross-border transfers – you will need a Form called a Transfer Impact Assessment that you will likely want your vendor to fill out, but you also should do your own due diligence. What you need to have on this form was the subject of many a session at the IAPP Canada Symposium this year, and the answer I have is better than “well, it depends”. You need to assess the jurisdiction where the data is going from a legal/enforcement regime perspective, the risk, how sensitive the data is, how well the receiving organization knows how to protect the data (training, awareness, policies) and how good their controls are (effectiveness of controls). Is it just a form? No – not by a long shot. You have to monitor all these risks on an ongoing basis. My suggestion is to take a page from the TIA that US organizations have been doing, and also look at the shiny new Data Privacy Framework from the US – the ex-Privacy Shield with a new shine: https://www.dataprivacyframework.gov/s/us-businesses

20. (No standalone Policy required) Right to be forgotten: if you are the type of organization where consumers or individuals may reach out to ask you to stop using, and even to delete, their information, you have to be prepared. Your Policy regarding Individual Requests and Complaints should address this aspect.

21. (No Policy required) Portability right: while this is not yet in effect, organizations should seriously plan for it. This is as delicate as data destruction because it requires analysis of database and application architectures, and also of how this right applies, to what records, to what fields, etc. As per above, your Individual Requests and Complaints Policy should be revised and this requirement added for this time next year.

22. Demonstrating Readiness and Accountability – you need a lot more than Policies for that.


Every organization is different. If yours is very compliance driven and you write a lot of policies, then you do you. A more common sense approach is to create a solid policies Framework (including security, retention, Vendor/ Outsourcing, Procurement, Acceptable Use, Data Classification etc.) and embed and combine requirements in other policies because your employees are (hopefully) already familiar with those and all you need to do is tell them there is an update and train them on the new requirement (easier said than done but it has to be done).

If you found this guidance useful and you are still not feeling ready – reach out. Given your budget, if a Law firm can help – good for you but if you don’t have that kind of budget there are more than qualified privacy professionals like myself who are in private practice, have been in the trenches and have a lot of practical knowledge because that’s what we do every day with our clients. Email me: [email protected] and I would be happy to talk to you.


Francois Proulx

CRO | CCO | COO | RevOps | Salesforce Certified

11 months

Thanks for your summary. Once completed, either by ourselves or with your help, are we required to have these policies "approved" or "stamped" by a lawyer?

Derek A. Lackey

At the intersection of Marketing & Privacy

1 year

Excellent and PRACTICAL summary Amalia. Thank you.
