The province of Quebec was one of the first to develop a legislative framework around access to information and protection of individual privacy rights. The legislation developed in Quebec has been used as an important resource for the federal Privacy Commissioner, as well as in the development of laws in other provinces.
Background: Information Access Commissioner
As early as 1971, with the passing of Quebec’s Consumer Protection Act, all individuals were guaranteed right of access to their credit records. Later, the Professional Code and other laws governing professions were developed. Quebec’s Information Access Commissioner (Commission d’accèss à l’information du Québec, or CAI) was created on June 22, 1982 in response to increased public concern over privacy protection issues as well as enabling access to information. The CAI prides itself as a leader in developing an innovative privacy framework.
The CAI is responsible for overseeing two major privacy laws:
- the Act Respecting Access to Documents held by Public Bodies and the Protection of Public Information (referred to as the Public Sector Act)
- the Act Respecting the Protection of Personal Information in the Private Sector (referred to as the Private Sector Act)
There are three main functions of the CAI:
- The CAI functions as an administrative tribunal.
- Reviews decisions of public authorities who refuse individuals access to personal files or administrative documents.
- Resolves misunderstandings regarding the Private Sector Act.
- Goes through the processes of: mediation, hearings with both parties, decisions, appeals at the Court of Quebec.
- The CAI oversees compliance regarding the collection, storage, use and communication of personal data in the private and public sectors.
- The CAI may authorize the transfer of personal information, give opinions on agreements, carry out investigations or verify compliance with privacy legislation.
- The CAI facilitates implementation strategies for ensuring compliance with provincial privacy legislation.
- The advisory function of the CAI is preventative and educational.
- Some examples of this function include: telephone information service; publishing guidelines and information documents; assessing pilot projects; attending conferences and conventions.
Consent According to the CAI
The concept of consent is central to the Private Sector Act and Public Sector Acts. The CAI defines consent as the agreement to collect personal information. Consent is a deliberate act on the part of the individual that must meet all of the following characteristics:
- Manifest: This means that consent must be clear, certain and indisputable.
- Free: This means that the individual was not compelled to give his/her consent.
- Enlightened: this means that consent must be precise, rigorous and specific. The individual giving the consent must be made well aware to make an informed decision on the scope of the consent. The organization collecting the information must indicate:
- the information that will be communicated
- to whom the information will be communicated
- why and how the information will be communicated
- the consequences of collecting and communicating the information
- Specific: The consent must be given for a specific purpose and a pre-defined length of time in order to meet the purposes the organization indicated.
Public Sector Privacy in Quebec
The Public Sector Act, enacted in 1982, regulates documents held by public bodies and the protection of personal information. There are two main components of the Act. The first gives individuals right of access to their documents held by public bodies. The second component gives maximum protection to personal data held by public bodies. It recognizes right of access as well as right of correction of personal data.
The Public Sector Act applies to the following organizations:
- Government departments and agencies
- Municipalities, metropolitan communities, regional county municipalities
- School boards, subsidized private educational institutions, colleges, universities
- Health and social services networks
- Youth centers, shelters
- Clinics and hospitals
Requests for access or correction to personal data files must be responded to within twenty calendar days of receipt. Individuals encountering difficulties with this application, or individuals being denied access or correction may seek redress through the CAI.
Private Sector Privacy in Quebec
In 1994, Quebec was the first Canadian jurisdiction to enact private sector privacy legislation. The federal legislation regarding private sector privacy (Personal Information Protection and Electronic Documents Act, or PIPEDA) was enacted in 2000, while other similar provincial legislation (PIPA Alberta, PIPA British Columbia) were passed in 2004.
This gave Quebec’s CAI and the Quebec courts over ten years of experience in interpreting and applying the provisions. This provided a rich body of jurisprudence which has offered invaluable insight for other jurisdictions overseeing private sector privacy compliance.
There are four main principles of the Quebec Private Sector Act:
- A person (an individual or corporation) must have a serious, reasonable and legitimate reason for establishing a file of personal information on someone.
- Every individual has the right to access his/her file, unless the rights of third parties are violated, or there is a serious reason to refuse access.
- Every individual has the right to correct an inaccurate, incomplete or obsolete file.
- Every individual or corporation that opens a file about an individual is responsible for maintaining confidentiality.
The Private Sector Act applies to any person or company carrying on an enterprise in the province of Quebec, who collects, holds, uses or communicates personal information. Under the Act, the definition of an enterprise takes the following four elements into account:
- the operations of the enterprise are repetitive jurisdictional acts
- there is coordination between human and material resources
- the enterprise responds to and aims to satisfy certain needs
- the success of the enterprise is depended on market forces and efforts
For instance, an enterprise may include:
- private medical clinics
- law firms
Applying the Private Sector Act
Private enterprises are entitled to collect personal information, but this information must be deemed necessary to its ability to perform the service. The enterprise is responsible for informing the individual of:
- the object of the file
- the use for the information
- the categories of people who will have access to the information within the organization
- the location of the file
- the individual’s rights of access or correction
The following examples present situations in which the Private Sector Act can be applied:
In a retail store, an individual intends to purchase a good or a service with her credit card. The merchant requires the customer to show her driver’s license and asks for information indicated on another card before processing the sale.
According to the CAI, the credit card has all the necessary personal information. The fact that the customer has the credit card implicitly indicates that the customer has already provided her identifying information. No additional personal information should be collected as it is unnecessary for the processing of the transaction.
At a video rental store, the clerk requires customers to identify themselves with their driver’s licenses. The store also wants to keep the driver’s license number on file for future rentals. The store refuses to provide customers with membership to the services, unless the customers provide the requested information.
According to the CAI, no enterprise is entitled to collect the driver’s license information from individuals. Only peace officers and the automobile insurance agency are entitled to this information.
The social insurance number (SIN) is an identifying number issued by the federal government for employment and income tax purposes. Although private enterprises may have a justification for collecting this information, the CAI cautions individuals when disclosing this number. Enterprises entitled by law or regulation to collect the SIN may include: employers, Quebec Revenue Ministry, Canada Customs and Revenue Agency.
An individual would like to lease an apartment. The landlord has requested that the individual fill out a personal information document. The landlord also requests to conduct a credit check.
A credit check can be conducted with minimum personal information, once consent has been secured. The credit bureau requires the first and last name; current and previous addresses; and the date of birth of the potential tenant. Thus, additional personal information (e.g. driver’s license number, SIN number) is not required for the landlord’s purposes. The landlord cannot refuse to rent the apartment on this basis.
Quebec’s Private Sector Act was deemed substantially similar to the federal PIPEDA. Essentially, the declaration indicates that the provincial legislation is equivalent to the federal legislation and effectively incorporates the ten principles of the PIPEDA.
The effect is that the PIPEDA does not apply to the organizations in Quebec that are subject to private sector legislation. However, the PIPEDA continues to apply to federal works, undertakings and businesses in the province of Quebec as well as transborder flows of data over the course of commercial activities.
This article discusses provincial legislation regarding privacy in Quebec. It outlines the Public Sector Act and the Private Sector Act. Given that Quebec was the first jurisdiction to develop and implement privacy protection legislation, the Acts provide a useful resource for other Canadian jurisdictions.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Act Respecting the Protection of Personal Information in the Private Sector (Quebec) (III.A.d.)
- Canadian Public Sector Privacy (IV.A.)