Protection of Personal Information: Three years to adjust

Plainly speaking, CSF members have not been holding their breath for Bill 64 to start protecting their clients’ data. Articles 26 and 27 of the Code of Ethics and Section III of the Regulation respecting the rules of ethics in the securities sector already govern the protection and disclosure of such information.

Furthermore, under the Act respecting the protection of personal information in the private sector (Private Sector Act), all representatives who are members of the CSF are required to safeguard the confidentiality of the PI they collect as independent representatives or on behalf of their firm, broker or independent partnership. “The new legislation completes and clarifies these obligations and, above all, increases the requirements,” summarizes Geneviève Beauvais, lawyer in charge of professional development and quality of practice at the CSF.

Appointing a designated officer

CSF members are affected by reforms to the Private Sector Act, which will come into effect in three stages between 2022 and 2024.

The first two requirements will become mandatory in September 2022: the appointment of a designated privacy officer (DPO) responsible for following the PSA and the reporting of privacy incidents. By default, the CEO of a company will assume this role but may delegate it in writing to any person, including an external party. Firms must publish the name and contact information of the DPO on their website.

Organizations must also notify the Commission d’accès à l’information (CAI) and the individuals involved of any confidentiality incident that presents a “risk of serious injury” and keep a register of these events. An incident denotes an access, a use or disclosure of PI not authorized by law, a loss, or any other breach of such information.

“In every case, we will have to assess whether there is a risk of serious harm,” explains Beauvais. We will have to analyze the sensitivity of the information, the consequences of the incident and the probability that the information will be used for harmful purposes.

Crunch time in two years

A more imposing set of new requirements will come into effect in September 2023. Organizations will have to set up and implement policies and practices governing their use of PI and are expected to publish and explain the content of these policies in plain language on their websites by that date.

In addition, organizations will have to inform their customers of the means and methods used to collect their data and define the purposes for which it will be used. The information must be destroyed or anonymized once these purposes are met.

The default privacy settings for the technology product or service used to collect PI must be configured to the highest level of confidentiality without any intervention by the individual concerned. Clients will have to undergo steps to share their information; not protect it. They must also be informed about the use of profiling, location, and identification features and how to explicitly opt for them. Activation of these features cannot be agreed upon by default.

“Members of the Chambre are particularly concerned by these changes, since they are on the front line with clients,” cautions Beauvais. It will be their responsibility to explain the reasons for the collection of information and the policies that will govern the use and protection of this data.

In 2019, the high-profile Capital One data breach compromised the personal information of six million Canadians and exposed one million social insurance numbers.

In June 2019, 4.2 million individual Desjardins members had their data stolen by an employee..

They will also need to obtain free and informed consent for each purpose. A client cannot give blanket consent to use their information for multiple purposes. In the case of sensitive data, such as medical or biometric data, consent must be provided in writing. It should be noted that clients keep the right to withdraw their consent, access their PI and have it corrected at any time.

Beware of outsourcing

If an organization transfers PI to a third party, for example a cloud services provider, it will need to obtain a written agreement with the other party. The agreement should outline the measures the provider will use to protect the data. They must stipulate that the information will not be used for any purpose other than the provision of the services entrusted to them, nor will the information be kept after the expiry of the mandate or contract. The provider must inform their client at once in case of a privacy incident. Organizations are also responsible for ensuring adequate privacy protection when transferring PI outside of Quebec.

In September 2024, a final requirement will be added: the right of portability. An individual will be able to request to receive their PI in a commonly used technological format. “However, this excludes data that the organization creates from its own analysis of the individual’s PI,” notes Beauvais.

The CAI may impose administrative penalties directly for violations of the law’s requirements, with fines amounting up to $10 million or 2% of the organisation’s worldwide revenue.

Certain violations will also be subject to criminal penalties of up to $25 million or 4% of global revenue. Finally, clients themselves are given permission to sue organizations for damages.

Corrections in progress

Adrien Legault, a lawyer with IDC Worldsource Insurance Network Inc. believes that PL 64 is an interesting and justified overhaul of PI protection. He recognizes that the timeframe for compliance makes it more realistic. “I am also pleased that the definitive version shows that the industry has been heard,” he adds.

The original draft needed, for example, that organizations publish their entire privacy policies and practices. This is now limited to “detailed information.” In the first draft of PL 64, the function of DPO could only be delegated to a staff member. It will now be possible to transfer it to “any person,” even externally.

Yvan Morin, vice-president of legal affairs at MICA Cabinets de services financiers, believes that it is normal for the government to strengthen the protection of PI. “Technological tools make it possible to collect and retain a lot of information, which is often sensitive,” he says.

MICA will not be going back to the drawing board, as the firm already has PI management policies in place. It also started boosting its protective measures in the wake of the Desjardins data theft. “These policies and practices will be fine-tuned to meet the new requirements,” affirms Morin. The firm had a person responsible but will now have to create an internal committee. It also intends to support advisors, who do not necessarily have legal services available to bring themselves up to speed.

Karine Lessard, co-president and general manager of Lessard Gilbert Brui, a financial services firm in the Saguenay-Lac-Saint-Jean region, says her company was ahead of the curve in deploying measures to properly protect its clients’ PI. “We have an informal committee, which we will formalize, and we also have policies, which we will adjust to the new requirements,” she says.

However, she recognizes yet another reform comes on top of the many regulatory changes in the past few years, which puts some pressure on independent advisors. “We’re a fighting and creative breed, so we’ll be able to rise to this new challenge,” she assures.

For more information

Loi 64: la marche est haute pour les PME (in French)

Encadrement numérique : le projet de loi 64 est adopté (in French)