An Interview with Hitachi Systems Security’s own Mathilde Canque, Data Protection Officer, Risk & Compliance Expert

We had the great pleasure of interviewing our own Data Privacy and Compliance expert Mathilde Canque on the impact of Law 25 which started to take effect late last month. The legislation was passed last year and will be rolled out in three phases, the first of which started just a few weeks ago in late September. Three main themes emerge from these changes: (i) a strengthening of the rights of individuals, (ii) adaptations to the reality of small and medium-sized businesses and (iii) the easing of measures allowing personal information to be released outside Quebec.

 

Before we get into the interview with Ms. Canque, we wanted to lay the groundwork with a quick summary discussing the major components of Bill 64, now Law 25 and the phases in which the law will take effect on private organizations in Quebec. In general terms, Law 25, Quebec's privacy law brings the province's privacy laws up to date with the latest global trends and best practices. For example, the law is similar to Europe's General Data Protection Regulation (GDPR).

Law 25 and GDPR Comparison – Immediate PDF Download

Here are some of the most significant impacts Bill 64 will have on the Private Sector Act and when to expect them to come into effect.

Phase 1 of 3 of Law 25’s Rollout Sequence – Privacy Officer and Breach Reporting

Phase 1, NOW –Privacy Officer & Breach Reporting - Beginning in September 2022, firms will be required to name a designated employee responsible for complying with Law 25. By default, the amended law designates the CEO of every enterprise with compliance oversight, however, organizations can assign any individual the role. In both cases, the organization must publish the name, title, and contact information of the individual, for example on the organization’s website.

Organizations must begin notifying CAI or Commission d’accès à l’information and individuals regarding any breaches to compromised personal information that present a “risk of serious injury” to the affected individuals. The determination of a risk of serious injury can be assessed under the “real risk of significant harm” factors outlined in PIPEDA, which generally evaluates the sensitivity of the personal information involved in the breach and the probability that the personal information is subject to misuse. Organizations must keep a register of all breaches, but the contents and details of the registries are expected to be promulgated by CAI in the coming months.

To be clear, the following other provisions in Phase 1 are now in effect:

1. The obligation to designate a person in charge – plainly, this is the Privacy Officer in the Private sector
2. Confidentiality incidents – or more plainly, breaches when personal information is exposed
3. The release of personal information for study or research purposes
4. The release of personal information as part of a commercial transaction
5. The release of information relating to the disposition of a complaint by an educational institution at the request of the person making the complaint

Phase 2 of 3 of Law 25’s Rollout Sequence – Compliance and Privacy Controls

Phase 2, 2023 – This phase of implementation is far more comprehensive than Phase 1 concerning how organizations collect, handle, and protect Personal Information. Further, Phase 2 provides the consumer for more transparency concerning how organizations handle and protect their Personal Information including:

1. Right to be forgotten
   1. From 22 September 2023, in the spirit of the “right to be forgotten” first created under the GDPR, consumers will now be entitled to ask companies to cease distributing their personal information.
2. Governance policies and practices regarding personal information
3. Privacy impact assessments
4. Transparency and privacy notices
5. Identification, geolocation tracking, and profiling technologies
6. New consent requirements
7. New consent exceptions
8. Privacy by default
9. Automated decision-making
10. Transfers of personal information outside Québec
11. Outsourcing personal information
12. Retention and destruction of personal information
13. New enforcement mechanisms

Phase 3 of 3 of Law 25’s Rollout Sequence – The Right to Data Portability

Phase 3, 2024– The Right to data portability

This comes straight from article 20 of GDPR and allows individuals, in some circumstances, to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance.

Hitachi Systems Security’s own Data Privacy and Compliance expert Mathilde Canque’s Perspective

Question: Is it mandatory for all organizations in Québec who are handling the Personal Information of their customers to have a privacy officer under the new Québec law?

Answer: Yes

Any organization in Québec - regardless of its size, resources, or industry - that handles Personal Information is obligated to have a privacy officer. The person exercising the highest authority in the organization, the CEO for example, is the privacy officer by default, however, they may appoint another employee or 3^rd party to the position in writing.

Question: Is there a certification or training requirement to become a privacy officer under the new Québec law?

Answer: No

Somewhat surprisingly, the law does not require that the Privacy Officer have specific privacy or compliance knowledge to perform their role or even have knowledge of the French language. In my opinion however, the many tasks and responsibilities that a Privacy Officer will have are quite technical; so it is preferable that the privacy officer have a minimum level of compliance and privacy knowledge particularly pertaining to Law 25.

Question: Is it possible to outsource the privacy officer role outside the province of Québec under the new Québec law?

Answer: Yes since the legislation does not state otherwise. However, and this goes back to the previous question, the firm chosen to act as the Privacy Officer should have a minimum of knowledge and understanding of the requirements of Law 25. Also, it is important to keep in mind that the Privacy Officer is the contact person for all questions related to Privacy compliance and may be contacted by Québec residents and the CAI. In this regard, we can reasonably expect that the Privacy Officer must be able to answer diligently and in the province language. So, while it is possible, having its Privacy Officer designated outside of Québec may not be the best practice for an organization subject to Law 25. In any case, the organization should be able to justify its decision.

Question: Is it a requirement to notify the Commission d'accès à l'information du Québec (CAI) of the title and contact information of the DPO under the new Québec law?

Answer: Yes, upon request – and this should be the first order of business for organizations concerning Law 25’s requirements.

The title and contact information of the Privacy Officer must be made available, for example on the company's website. An organization is therefore not required to proactively communicate the contact information of the privacy officer to the Commission d'accès à l'information du Québec; however, it will have to provide it in a reactive manner if the Commission requests it.

Question: Are duties and responsibilities of the privacy officer prescribed by the new Québec law?

Answer: Yes, but the organization must rely on the law and further detail the job description and responsibilities. Here at Hitachi Systems Security, the Privacy officer role is delegated to the DPO, who is supported by Privacy and Data Protection experts. In this regard, my responsibilities include for example:

1. Assessing, informing, and advising Hitachi Systems Security in obligations pursuant to the Québec Act,
2. Developing, implementing and maintaining privacy and data protection procedures and policies,
3. Providing advice as regards to privacy impact assessments, and monitoring its performance,
4. Participating in assessing damage caused by a data breach or “confidentiality incident”

However, it is also up to the organization to establish a more specific job description and responsibilities that are specifically tailored to the organization and its internal structure.

Conclusion of Part 1 - An Organization’s Responsibilities Under Law 25

Law 25 is obviously comprehensive in terms of the different compliance initiatives it requires from organizations, and we want to make sure that the law is covered appropriately in this article. Our goal with Ms. Canque is to provide the readers of this article a blueprint for handling all the responsibilities inherent in Law 25.

With that in mind, we’ll end part 1 of this two-part interview here. We listed and defined the three-phase rollout of the legislation, discussed the major components of Law 25, and provided you an expert’s perspective on handling the Privacy Officer’s responsibilities and those of the organization in general. In part two of the series, we’ll continue our interview with Ms. Canque to discuss the rest of Law 25 as well as her perspective on penalties associated with the legislation and how organizations should prioritize the compliance mandates of the legislation.