As an NPO, where do you stand in relation to the Act to modernize legislative provisions as regards the protection of personal information in the private sector, also known as Law 25?
- a) It scares me: it seems monstrously big and complicated…
- b) I think we’ve taken the necessary steps to comply with it.
- c) Law 25… what is it?
If you answered a), don’t worry, your feelings are understandable. Law 25 is broad in scope, and its provisions require changes, some small and some significant, in the way organizations manage personal information.
If you answered b), your confidence is admirable, but it would be surprising if you had thought of everything, especially if you haven’t been able to rely on the services of an expert or a lawyer specialized in this field. The implications of Law 25 are more numerous and harder to grasp than you might think!
If you answered c), it’s time to remedy the situation. You need to get started now, both for the sake of your NPO’s practices and for its long-term survival.
As part of our ongoing efforts to help NPOs, Engagés spoke to two specialized resources to demystify Law 25 and help you comply without getting in over your head!
Definitions
Before going into the broad outlines of Law 25, let’s take a moment to understand some useful definitions.
- Personal information: any data that makes it possible to identify a natural person, directly or indirectly. First and last name, facial image, telephone number and a recording of a person’s voice are all examples of personal information.
- Sensitive information: the broad category of personal information includes sensitive information. Information is considered sensitive when, “by its nature or the context in which it is used or communicated, [it] entails a high level of reasonable expectation of privacy*”. Examples include social insurance numbers, biometric data, banking information, medical data and a person’s orientation (sexual, political, etc.).
Law 25: an overview
In a nutshell, this is a provincial law, phased in over three years, that sets out basic obligations for organizations to protect the personal information and sensitive information of all individuals.
Phase 1, effective September 22, 2022
All organizations must:
- appoint a person in charge of the protection of personal information (Privacy Officer)*;
- carry out a privacy impact assessment (under certain conditions, for example before a project involving the collection or communication of personal information);
- set up a register of confidentiality incidents involving personal information;
- report to the Commission d’accès à l’information (CAI) du Québec any confidentiality incident that presents a risk of serious harm to the individuals concerned.
* Unless someone else is designated, this will be the person with the highest authority within the organization.
Phase 2, effective September 22, 2023
Every organization must ensure that it obtains the consent of each individual whose personal information it wishes to hold and use.
This consent may be implied. For example, an NPO must specify, in its privacy policy, the type of information it collects and what it does with it, and then invite people to read this policy. From that point on, anyone who continues to allow the NPO in question to collect his or her personal information is deemed to consent to the privacy policy and to the use of his or her data.
Please note! This implicit consent is not sufficient in the case of sensitive information. In such cases, you must:
- ensure that consent is explicit and unequivocal;
- specify the purposes for which the sensitive information may be used (e.g., for the personnel insurance program, payroll management, invoicing for services, direct mail, etc.);
- clearly indicate how long sensitive information will be kept.
Phase 3, effective September 22, 2024
New obligations relating to the right to portability of personal information are added, as explained by the CAI: “if the person concerned so requests, [the organization must] communicate to him or her, in a structured and commonly used technological format, computerized personal information collected from him or her*”.
The CAI urges organizations to prepare for this third phase as soon as possible, since it may involve more structural changes (for instance, being able to export the personal information held about a person in a usable format on request).
Truths…
1 – “Does Law 25 concern only the confidential information of an organization’s personnel?”
No. Law 25 protects the personal information of any individual, regardless of their relationship with the organization that collects and uses it: employee, client, volunteer, donor, etc. The only notable exclusion is information of a professional nature, such as a person’s work e-mail address or job title.
2 – “Is personal information obtained before September 22, 2023 affected by Law 25?”
Yes: explicit consent is required for any sensitive information held, whether it was collected in the past or is collected now. Yes, even though it can be difficult for an NPO to obtain explicit consent from its entire list of donors, for example. That said, Law 25 contains certain provisions that are open to interpretation, and the authorities’ guidelines on consent have yet to be published.
One thing’s for sure: we need to show that we’re serious about complying with Law 25, and that protecting personal information is a priority.
3 – “My organization has a privacy policy in place to ensure that personal information is protected. I don’t think we can do any better.”
Not only can we do better, we must do better. To start with, you need to make sure that everyone in your organization is aware of your policy and applies it – a policy that’s just sitting in a drawer is no good in practice. You therefore need to raise staff awareness and keep track of the awareness-raising measures employed.
What’s more, as an organization, you need to display this policy prominently on your website (usually in the footer) and at all your information gathering points. Oh, and the Act specifies that it must be written in clear language, so no more legalese!
Designating someone on your team to be responsible for protecting personal information, and putting in place a clear and visible policy, is the bare minimum. What happens next depends largely on the type of information you collect and what you do with it.
Jacques Lussier, privacy expert at Atypic, advises organizations to start by mapping the personal information they hold in order to define:
- the type of personal information they use;
- the context in which it was collected;
- how it is used;
- how long it is kept;
- the people in the organization who have access to it.
Marc-André Nadeau, an expert on Law 25 and founder of Exact RH, agrees: we need to analyze each organization’s needs in terms of personal information protection, and then know which solutions to apply in accordance with Law 25.
4 – “So, if we’re talking about ‘how long we use personal information’, it means there comes a time when we need to get rid of it?”
Exactly. The general idea is to retain only the personal information you use, and only to the extent permitted by current legislation, including Law 25. This means that you must effectively anonymize or destroy personal information after a certain period of time, and keep a record of these procedures.
Speaking of records, you’ll also need one to keep track of incidents relating to the security of personal information, noting for each situation what happened, the remedial measures put in place and the steps taken to mitigate harm to the individuals concerned.
5 – “Our organization deals with third parties for certain services. I imagine that they are responsible for ensuring the protection of personal information exchanged as part of these services?”
The responsibility is shared. Yes, service providers must comply with Law 25, but you must check their compliance before you decide to use them, otherwise your organization is equally liable for any failure to comply. To avoid such a situation, check in advance that their privacy policy is adequate, and provide them with clear written instructions for the use of the personal information you will be exchanging.
… and consequences
6 – “What happens if my organization doesn’t comply with Law 25?”
Ah, that’s THE big question.
It’s important to understand that legal obligations regarding the protection of personal information are not new, and neither are the consequences of non-compliance. Law 25 does, however, add consequences of its own. A court can award punitive damages of at least $1,000 in cases of gross negligence or intentional misconduct. The CAI can also impose an administrative monetary penalty of up to $10 million or 2% of the organization’s worldwide turnover, whichever is greater. And that’s not all: the CAI can also initiate penal proceedings, which can result in a fine of between $15,000 and $25 million, or 4% of the organization’s worldwide turnover, whichever is greater.
That said, there is no case law specifically relating to Law 25, so the next few years will be decisive.
How do you comply?
As a general rule, NPOs have limited resources at their disposal, even though they pursue important missions. In this frugal context, their finances dictate the choice to neglect certain files… and the work to be done to comply with Law 25 can be overlooked.
Some NPOs are taking risks without even knowing it, in that they’ve taken a good look at Law 25, but haven’t deciphered all its ins and outs. “People have good intentions and work hard, but it’s complicated and so time-consuming… In my experience, most organizations that are convinced they’ve done their homework when it comes to protecting personal information only achieve 25% compliance at most – maybe that’s why they call it Law 25,” jokes Mr. Nadeau.
All in all, in light of this information, Engagés takes the liberty of issuing a reminder and a word of advice: the personal information your organization uses does not belong to it, so be careful how you handle it. To determine the level of legal compliance appropriate to your situation and achieve it, don’t hesitate to call on expert external resources to analyze your file and help you put in place the required mechanisms or corrective measures.
Thanks to our expert collaborators:
Jacques Lussier
Consulting Director – Data, Business Intelligence and CRM at Atypic
jacques@atypic.ca
Marc-André Nadeau
Founder of Exact RH
mnadeau@exactrh.ca
___________________________________________________________________________________
*Source : https://www.quebec.ca/gouvernement/travailler-gouvernement/travailler-fonction-publique/services-employes-etat/conformite/protection-des-renseignements-personnels/definitions-concepts/lexique#:~:text=Un%20renseignement%20personnel%20est%20considéré,respect%20de%20la%20vie%20privée.
*Source : https://www.cai.gouv.qc.ca/espace-evolutif-modernisation-lois/thematiques/droit-portabilite/#:~:text=À%20compter%20du%2022%20septembre,informatisé%20recueilli%20auprès%20d%27elle.