MEET THE PROVISIONS OF ACT 25 WITH DATA GOVERNANCE
September 22, 2022 marks the coming into force of certain provisions of the Act to modernize legislative provisions as regards the protection of personal information, commonly known as Act 25. This reform modernizes the rules protecting personal information in Quebec so that they are better adapted to the challenges posed by today's digital and technological environment.
The amendments resulting from Act 25 promote transparency, particularly among public organizations, businesses and provincial political parties, and give citizens better control over their personal information. Other measures ensure better protection of privacy while taking into account today's technological reality.
OUR PLAN OF ATTACK TO MEET THE REQUIREMENTS OF ACT 25
In order to establish a new culture of privacy protection, organizations need to implement measures that mitigate the risks of infringing on citizens’ right to privacy.
Necando Solutions has developed a compliance and governance program that enhances the processes, systems and governance framework for managing and protecting personal information, in line with best practices and the requirements of Act 25. Whatever your challenge, we can guide you.
Our plan of attack is based on a simple, pragmatic 3-phase approach. Each phase consists of a series of activities carried out with members of your organization.
Our approach:
- Diagnosis and quick wins
- Enhanced compliance
- Continuity and evolution
Act 25 and your organization
The Act respecting the protection of personal information in the private sector has been amended in Quebec. Its entry into force brings new responsibilities and obligations, as well as challenges that organizations must face. Here is a brief overview.
Since September 22, 2022, you must, among other things:
- Designate a Privacy Officer
- In the event of a confidentiality incident involving personal information:
a. take reasonable measures to reduce the risk of harm to the persons concerned and to prevent new incidents of the same nature from occurring;
b. notify the Commission d'accès à l'information (the Commission) and the persons concerned if the incident presents a risk of serious harm;
c. keep a register of confidentiality incidents, a copy of which must be sent to the Commission at its request.
- Respect the new framework for the communication of personal information without the consent of the person concerned for the purposes of study, research or the production of statistics, and in the context of a commercial transaction;
- Carry out a privacy impact assessment (PIA) before communicating personal information without the consent of the persons concerned for the purposes of study, research or the production of statistics;
- Disclose to the Commission in advance any verification or confirmation of identity performed by means of biometric characteristics or measurements.
From September 22, 2023, you must, among other things:
- Have established policies and practices for the governance of personal information
- Respect the new rules surrounding consent to the collection, communication or use of personal information
- Destroy personal information when the purpose of its collection is accomplished, or anonymize it to use it for serious and legitimate purposes, subject to the conditions and retention period provided for by law
- Respect the right to cease dissemination, re-indexing or de-indexing (or right to be forgotten)
Why is the protection of personal information important?
- Improve public confidence in the company
- Meet customer expectations and develop a competitive advantage
- Listen to employee concerns
- Reduce the risk of a privacy incident
- Meet legal obligations
- Be an exemplary corporate citizen
Examples of challenges to meet Act 25 requirements
Every day, organizations generate and manage vast amounts of data about clients, suppliers, employees and others. To avoid penal sanctions and administrative monetary penalties, companies must become compliant with Act 25. Adopting the right data governance program is crucial to ensuring that the right processes are in place.
The following are five common challenges organizations face in taking the actions needed to comply with Act 25.
- Data and procedures subject to Act 25 have not been identified
- Lack of visibility into all data and personal information held
- No data classification
- Few structured frameworks and formal controls
- Lack of mechanisms to detect and manage a data leak