Our first segment about the protection of personal information in Quebec covered the basic legal concepts applicable in the situation where an enterprise is subject to the Act Respecting the Protection of Personal Information in the Private Sector (hereinafter referred to as the “Privacy Act”).
This second segment details the responsibilities that enterprises owe to individuals under the Privacy Act, and the consequences to which an enterprise is exposed when it fails to meet these responsibilities.
Note that on June 12th, 2020, Bill 64 on the Act to modernize legislative provisions as regards the protection of personal information was introduced to the Quebec National Assembly. This bill proposes significant changes to the protection of personal information as presented below. Once this law comes into effect, a new article about these changes will be posted. To remain ahead of the curve about any change to the laws applicable to your business, you can follow us on our social media platforms.
Responsibilities with respect to personal information in Quebec
In Quebec, an enterprise that is subject to the provisions of the Privacy Act must comply with it. This responsibility is twofold: to ensure the confidentiality of personal information, and to enforce the right to access and rectification.
THE CONFIDENTIALITY OF PERSONAL INFORMATION
The Privacy Act provides three sections of law to ensure the confidentiality of personal information of an individual whose file is established in Quebec.
Section 10 of the Privacy Act provides that every enterprise that collects, uses or communicates personal information must take all the necessary and reasonable security measures to retain or destroy such information. In determining whether or not reasonable measures were taken, the medium on which the information is being displayed, the purpose for which the information is being collected, communicated or used, and its quantity or content are considered.
Section 11 of the Privacy Act requires that every enterprise maintain an up-to-date file when making a decision about the concerned person. This obligation is intended to safeguard the integrity of the information, both in substance and form, and to ensure that the concerned individual does not suffer harm based on inaccurate or outdated personal information. Note that an enterprise must ask for a renewed consent of the concerned person to update his or her file. The corollary of this requirement is the right of access and rectification that a person has with respect to his or her file. The second section of this article details these rights.
Section 12 of the Privacy Act allows every enterprise to use personal information for the purpose for which the file was created. In other words, once the file fulfills its purpose, the enterprise no longer has the right to use it. However, this does not mean that the enterprise has the obligation to destroy the file containing personal information, which is a significant difference from section 4.5.3. of the Personal Information Protection and Electronic Documents Act (hereinafter referred to as “PIPEDA”). When an enterprise wishes to use personal information collected for a purpose other than that for which it was originally collected, a new consent must be sought from the concerned person.
RIGHT TO ACCESS AND RECTIFICATION
Under section 8 of the Privacy Act, any enterprise that holds a file about a person must inform the concerned person of the following:
- The purpose of the file,
- The usage and access granted to the file, and
- The location where the file is being stored, and the right to access or rectify it.
Thus, any person about whom a file containing his or her personal information is created and stored has the right to access and rectify it. To this effect, the person may send a written request to access or rectify the file to the concerned enterprise (sections 27 and 28 of the Privacy Act). It should be noted that the right to access and rectification may be exercised by other persons in addition to the concerned person, including an heir as the liquidator of the estate of the concerned person or the beneficiary of an insurance policy on the concerned person’s life. Note that access to the file must be free of charge at all times; only a reasonable fee for the reproduction, transcription or transmission of information may be charged by an enterprise.
Once a request for access or rectification is received, an enterprise must respond to this request within 30 days. If the enterprise fails to respond, its silence will be deemed a refusal to grant access or rectify the file. In spite of this, the enterprise must keep the file until all the person’s legal recourses expire. In this case, a person may refer the matter to the Commission de l’accès à l’information and request a review of the enterprise’s decision. The Commission, which is a government body responsible for promoting compliance with the Privacy Act, is empowered by the law to intervene and resolve any misunderstanding or conflict in the application of the Privacy Act or removal from a nominative list (Section 42 of the Privacy Act).
EXCEPTIONS TO THE RIGHT TO ACCESS AND RECTIFICATION
There are several exceptions to the right of access and rectification to a file containing personal information. For the purposes of this article, we will discuss the three most common exceptions. However, other exceptions exist, particularly with respect to the medical records of individuals.
The first exception is the public interest exception. Under certain circumstances, an enterprise will be authorized to refuse access and rectification of a file for a public interest reason. A common example is that of a professional privilege. This exception is not set out expressly in the Privacy Act but has been recognized and applied by courts on several occasions. For example, the solicitor-client privilege established in the context of a professional relationship between a lawyer and his or her client benefits from a quasi-constitutional status in the eyes of the law and may preclude the exercise of the right of access or rectification to protect any information that is covered by solicitor-client privilege.
The second exception covers the information related to one or more third parties (section 40 of the Privacy Act). Thus, an enterprise may refuse to grant access or rectify a file when it reveals information about a third party that may be harmful to that party. It is only when the third party consents to access or rectification, or when the life, health or security of an individual is threatened, that an enterprise may overrule this exception.
The third exception allows an enterprise to refuse to disclose personal information when it is likely to affect current or future legal proceedings between the enterprise from which the personal information is requested and the person about whom the information relates (section 39(2) of the Privacy Act). The enterprise will have to prove the prejudicial effect of the disclosure, and the existence or possibility of a recourse between the parties. For example, when one party sends a formal cease and desist letter, it generally indicates the possibility of recourse in the court’s understanding.
This sums up the section on the responsibilities that an enterprise owes to a person with respect to his or her personal information. In the next section, we look at how these responsibilities can arise in the context of a dispute.
Civil liability under the Quebec Privacy Act
When the Quebec National Assembly enacted the Privacy Act, it did not provide for a specific mechanism or special court to implement or provide a remedy to any person who suffers harm as a result of a violation of the Privacy Act. However, this does not mean that enterprises are immune from claims under the Privacy Act. On the contrary, any enterprise may be sued for damages for a breach of the Privacy Act or under common law principles to repair a harm caused to an individual in Quebec.
Therefore, to enforce a right conferred by the Privacy Act, an individual may file a claim with the competent common law court to seek compensation. Thus, an action in damages may be brought before the Court of Quebec when the value of the dispute is less than $85,000, or before the Superior Court of Quebec when the value of the dispute is $85,000 or more. Note that punitive damages may be added to the compensatory damages. These damages are awarded by a court to punish or denounce the reprehensible behaviour of the offending enterprise. With respect to personal information, exemplary damages have been awarded when an enterprise, without reason, has refused to grant access to the personal information of an individual, contrary to section 11 of the Privacy Act.
Thus, enterprises are not immune to sanctions under privacy law. Any enterprise must comply with and enforce the Privacy Act as compensatory and punitive damages may be awarded for any harm caused in violation of the law.
To conclude, remember that:
- The Privacy Act is a fundamental law that any enterprise must respect when collecting, communicating or using the personal information of individuals in Quebec.
- You are not alone; Lex Start is here to help you implement your online terms and conditions without compromising your budget by offering affordable and personalized legal services.
We hope this article has helped you better understand the extent of your responsibilities regarding clients’ personal information, and the importance of having a terms and conditions agreement that complies with the law. For more information on this subject or about how to start your own business, you can contact us.