Protecting Personal Information

• Address
• Personal e-mail address
• National or ethnic origin
• Religion
• Age
• Marital status
• Level of education
• Medical records
• Legal records
• Employment history
• Financial transactions in which a person participated
• Orders or transactions on behalf of a person
• Number or symbol or any other personal identification of a person
• Name, when mentioned with other personal information about the person or when simply disclosing the name would reveal information about them

Protecting personal information is an essential part of the right to privacy. The main concepts are:

• All people are entitled to privacy.
• When a person creates a file on another person, they must have a legitimate and serious interest for doing so.
• Only personal information related to the purpose of the file may be collected for the file.
• Personal information may not be communicated to third parties without the person’s consent, unless otherwise authorized by law.

Firms, dealers, independent partnerships, and independent representatives (advisors) must, while conducting their business, collect a variety of personal information on the clients, and occasionally send it to third parties, such as insurers. This personal information must be protected. Establishments must therefore establish measures to ensure this protection. Also, given that a large portion of client information is originally collected by the advisor who is in a direct relationship with them, this advisor must also ensure it is protected.

Protecting clients’ personal information relies on simple basic principles that advisors must apply to their practice, such as:

1. Establish a clear purpose for each collection, use, or communication of a client’s personal information.
2. Limit the collection, use, and communication of a client’s personal information to what is necessary for the fulfilment of this purpose.
3. Obtain the client’s consent to collect or process information about them under all circumstances.
4. In concrete terms, the advisor must ensure that the client’s consent for collection, communication, or use of personal information is clear, obvious, and given for specific purposes. 
5. Ensure that information on a client is correct and up-to-date. This is especially important when the information is used to make a decision about this client.
6. Ensure the security of personal information held on a client. In concrete terms, the advisor must take the necessary measures to protect the confidentiality of this information, whether it’s during its collection, use, communication, storage, or disposal.
7. Allow the client to view and correct their file as needed.
8. Establish specific policies to implement these concepts.

Firms, dealers, independent partnerships, and independent representatives are subject to the Act respecting the protection of personal information in the private sector (Private Sector Act) as enterprises. The requirements set forth by this act are of interest to an advisor no matter the manner in which they pursue their activities because they must comply with the rules implemented by their firm.

Naming a person in charge of the protection of personal information (Privacy Officer)

The enterprise must name a Person in charge of the protection of personal information (Privacy Officer).

By default, this responsibility goes to the person exercising the highest authority in the enterprise, usually the Chief Executive Officer (CEO), who must implement and carry out their obligations as per the law. However, this role can also be delegated to anyone, even an external party.

The title and contact information of the Privacy Officer must be listed on the website of the enterprise. If this is not possible, this information must be made accessible in another suitable way. For instance, the information could appear in the notice of file preparation provided to the client; in a brochure detailing the policies and practices of the enterprise regarding the protection of personal information; or in another manner.

Confidentiality incidents

Any situation that involves personal information entails the risk of a confidentiality incident.

A confidentiality incident may occur in the following situations:

• Access, use, or release not authorized by law to or of personal information
• Loss of personal information
• Any other breach of the protection of such information

The enterprise must consider three factors to assess the risk of serious injury presented by a confidentiality incident:

• The sensitivity of the information concerned
• The anticipated consequences of the use of such information
• The likelihood that such information will be used for injurious purposes

Register of confidentiality incidents

The enterprise must maintain a register of confidentiality incidents that logs every confidentiality incident no matter how small or big the risk of injury is. A copy of this log must be sent to the Commission d’accès à l’information (CAI) upon request.

Every confidentiality incident, no matter how small or big the risk of injury is, must be logged in the register of incidents. Here are a few examples of confidentiality incidents:

• The loss of a cellphone containing the personal information of clients
• The theft of a laptop protected by a strong, encrypted password
• A massive data leak caused by a malicious individual

These events will not all be treated in the same way and will not all have to be disclosed to the CAI. However, they should all be logged in the register.

Please note that some distribution contracts set forth an obligation for the advisor, firm, independent partnership, or independent representative to disclose any confidentiality incidents to the concerned general agent and insurer.

The advisor must consult their contracts in the case of incidents to understand their contractual obligations to these partners and, if needed, contact the Privacy Officer of these partners for assistance.

If the advisor becomes aware of a confidentiality incident that could lead to a risk of serious injury, they must notify the Privacy Officer. If the incident involves a risk of serious injury to clients’ personal information, these clients must be notified. The advisor will then have to make themselves available to clients and act in a diligent way in order to reassure them.

Policies and practices

Enterprises must establish and implement policies and practices that govern how they manage and protect personal information. These policies and practices must:

• Provide a framework for the keeping and destruction of personal information
• Describe the roles and responsibilities of employees throughout the life cycle of the information
• Provide a process for dealing with complaints regarding the protection of personal information

Enterprises must publish detailed information about these policies and practices on their website.

Privacy Impact Assessment (PIA)

Enterprises must conduct a privacy impact assessment (PIA) for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.

A PIA must be “proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.”

Automated processing of personal information

Enterprises must notify a person when they are the subject of a decision based exclusively on the automated processing of their information.

Enterprises must also, upon request of the person in question, notify them of:

• The personal information used to render the decision
• The reasons and the principal factors and parameters that led to the decision
• The right of the person concerned to have the personal information used to render the decision corrected

The person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.

Communicating information outside Quebec

Before communicating personal information outside Quebec, enterprises must conduct a PIA to determine if the information will benefit from an “adequate” level of protection, specifically through “generally accepted principles for the protection of personal information.”

The PIA must take into account:

• The sensitivity of the information
• The purposes for which the information is to be used
• Protection measures, including contractual measures, that would apply to it
• The legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State

The communication of the information must be the subject of a written agreement that takes into account the results of the PIA and, if applicable, the terms agreed on to mitigate the risks identified in the PIA.

Outsourcing

Enterprises that communicate personal information to a service provider must conclude a written agreement with the provider. It must outline:

• A description of the measures taken by the service provider to maintain the confidentiality of the personal information communicated (ex.: a description of the security measures in place)
• An obligation on the part of the service provider to only use the information for the purposes of providing the services and a provision that states the information will not be retained after the contract has expired
• An obligation on the part of the service provider to immediately notify the Privacy Officer of any breach or attempt to breach an obligation pertaining to the confidentiality of the information and to allow the Privacy Officer to carry out verifications to ensure the privacy requirements are met

Transparency

Enterprises have an obligation to provide the following information to persons when collecting their personal information:

• The purposes for which the information is collected
• The means by which the information is collected
• The rights of access and rectification
• The right to withdraw consent to the communication or use of the information collected

When applicable, the following information must also be provided to clients:

• Name of the third party for whom the information is collected
• Categories of the third parties to whom it is necessary to communicate information to accomplish the purposes for which the collection has been made (ex.: service providers)
• Possibility that the information will be released outside Quebec

Enterprises that collect personal information through technological means must publish on their website a confidentiality policy drafted in clear and simple language.

Transparency – Identification, location, and profiling technological tools

Enterprises that collect personal information using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person of the use of this technology.

Enterprises must also notify this person of the means available to activate these functions.

“Profiling” is defined as the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests, or behavior.

Consent

Any person who provides their personal information after having been informed of an appropriate privacy confidentiality consents to their personal information being used and communicated for the purposes set forth in that policy.

• Consent must be express, freely given and informed, solicited for specific purposes. It must be requested for each purpose, in simple and clear terms and separate from any other information communicated to the client.
• Enterprises must obtain consent formulated in a manner that is express when the secondary use of personal information involves sensitive personal information.
• Personal information is deemed sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy.
• For a minor under the age of 14, the consent must be provided by the person having parental authority or by the tutor.

Protecting privacy by default

Enterprises that collect personal information by providing a technological product or service which includes privacy settings must make sure they are set to the highest and most restrictive privacy settings by default.

This requirement does not apply to cookies.

Keeping and destruction

Personal information must be destroyed once the purposes for which it was collected or used have been fulfilled.

Enterprises may also anonymize personal information in accordance with best practices and thereafter use this information for serious and legitimate purposes.

Right to de-indexation

Persons have the right to require that their personal information cease to be disseminated or that any hyperlink attached to the person’s name providing access to the information by a technological means be de-indexed if the dissemination contravenes the law or a court order.

Portability of personal information

The right to portability of personal information allows natural persons (i.e., employees or clients) who have provided their personal information in a digital format (via an online form, website, portal, application, etc.) to obtain this information or transfer it to a person or organization.

Private companies and organizations must comply with requests pertaining to the right to portability of personal information.

Requests from natural persons (such as clients) should be directed to the firm’s Data Protection Officer. However, odds are that the client’s representative will be the one to receive this type of request from a client since they act as the intermediary between them and the firm. In this case, the representative must contact the Data Protection Officer and follow any instructions to comply with the request.

Any personal information collected in paper format is excluded from the right to portability. The same goes for information inferred by the organization from data provided by the person concerned by the personal information.

The information must be transmitted in a structured, commonly used technological format.

Possibility of opting out

Serious practical difficulties would have to be raised to opt out of this right. The organization will therefore have to implement adequate procedures and IT systems that allow it to safely communicate the data in a structured, commonly used technological format.

For more information, please consult the aide-mémoire sur les nouvelles responsabilités des entreprises, les pistes d’action et les bonnes pratiques (available in French only) issued by the Commission d’accès à l’information.

New penalties introduced by the Private Sector Act

The Private Sector Act will now include three mechanisms to ensure compliance of enterprises:

1. Administrative monetary penalties (AMP) imposed by the Commission d’accès à l’information (CAI)
2. New penal offences associated with steep fines.
3. A private right of action allowing individuals to sue an enterprise for damages.

Here is a table outlining the main offences that could be penalized as part of this new regulation that will come into force on September 22, 2024:

The advisor’s responsibility to ensure the protection of their clients’ personal information applies during their collection, use, and communication.

This responsibility applies to all advisors, regardless of their type of practice, and includes:

• secrecy regarding all of a client’s personal information
• use of this information exclusively for the purposes for which it was collected
• non-disclosure of a client’s personal information to a third party

In the last two cases, the client’s consent, an applicable law, or a court may allow use or communication of this information.

The section access to the client file access to the client file provides more details on the authorized people and exceptions to access rights.

Attached Advisor

An advisor who works for a firm, independent partnership, or dealer must send all the information they collect on clients to the establishment to which they are attached.

Advisor Running A Company

An advisor who runs a company may, without the client’s consent and under certain conditions, communicate personal information contained in a client file, for example:

• to their lawyer
• to the Director of Criminal and Penal Prosecutions
• to an organization tasked with preventing, detecting, or controlling crime or breaches of the law
• to a person tasked with applying a law or collective agreement
• to a public organization under the Access Act for performing its duties or the implementation of a program
• to a person or organization with the power to force its communication
• to a person who must be informed due to an emergency situation threatening the life, health, or safety of the person in question
• to a person authorized by the Commission d’accès à l’information to receive communication of personal information for purposes of study, research, or statistics
• to a person who can recover a debt under the law
• to a person for the purpose of creating a list of names
• to a person or organization with the aim of preventing an act of violence, including suicide, when there is reason to believe that a serious risk or death or serious injury is threatening a person or group

Using Information Technology

Due to the increasingly frequent use of information technology (IT) in the advisor’s activities, protecting personal information has become an especially significant compliance challenge.
When an advisor uses IT to send or keep information on a client, they must be careful and take necessary protection measures.

The section Using information technology (provides more details on this topic.