Quebec’s Bill 64, also known as Law 25, is an act to modernise legislative provisions regarding the protection of personal information. It was officially adopted on September 22, 2021, and represents a significant shift in modernising Canada’s wider privacy landscape.
Under Law 25, businesses operating in Quebec will need to be aware of new obligations that relate to the protection of personal information. These include the appointment of a Data Protection Officer (DPO) and conducting privacy impact assessments (PIAs), among other things. The new provisions will become effective gradually over three years, with the majority taking effect in September 2023.
So, what do medical practices need to know about Law 25? The short answer is that medical practices are not exempt from these regulations: if you are treating any Quebec residents, even if your practice is located outside of Quebec, you need to adhere to Law 25.
The timeline for Law 25’s key provisions becoming effective includes:
Under Law 25, organisations must report a breach as soon as possible after an incident occurs, as well as maintain a record of all security incidents.
Businesses are required to designate an employee responsible for compliance with Law 25. Although any individual can be designated as a privacy officer, Law 25 assigns the responsibility of overseeing compliance by default to the most senior employee (e.g., the CEO). If a privacy officer other than the CEO is assigned, organisations must publish the name, title, and contact information of the individual responsible on their website.
Law 25 adds a requirement for organisations to conduct a Privacy Impact Assessment (PIA) in certain circumstances, such as when acquiring, developing, or overhauling an information system or electronic service delivery system that involves the collection, use, release, keeping, or destruction of personal information.
The majority of new subject rights will be effective by September 2023, with the right to data portability becoming effective in September 2024.
Subject rights in Quebec now include:
Privacy officers should respond to requests within 30 days of receipt, with the possibility of an extension.
The act defines certain enhanced rules relating to individuals’ consent required before the collection, use, or distribution of personal information. A public body or organisation that requests consent in writing must do so independently from any other information provided to the individual. Consent for some uses or disclosures of sensitive personal information must be given expressly. Furthermore, the consent of the person with parental authority or the tutor must be obtained before collecting, using, or disclosing personal information about a minor under the age of 14.
For consent to be considered valid under Law 25, it must be:
Additionally, individuals must be made aware of:
In conclusion, Quebec’s Law 25 represents a significant modernisation of privacy legislation and should not be overlooked by businesses operating in Quebec or dealing with Quebec residents' personal information. Companies must take steps to understand Law 25 requirements and work towards compliance as the effective dates gradually approach.
This article is intended to serve as a guideline and represents the writer's understanding of the subject. It is important to note that it does not constitute legal advice.