What are the obligations of a company relating to the collection of personal information under the Quebec privacy act?
How can a company lawfully collect personal information when conducting business in Quebec?
Does the company have any disclosure obligation?
In this article, we will break down the notion of the collection of personal data under the Quebec privacy laws, specifically the Act Respecting the Protection of Personal Information in the Private Sector.
Are you ready?
Let’s get started!
What is the collection of personal information?
The Quebec privacy act regulates the manner in which personal information is collected and handled by organizations in Quebec.
Particularly, the Quebec privacy act provides specific rules when creating a file on a person in the process of the collection of personal information.
Creating a file on a person
Article 4 of the personal information protection act of Quebec states:
“Any person carrying on an enterprise who may, for a serious and legitimate reason, establish a file on another person must, when establishing the file, enter its object.”
In other words, companies carrying on a business activity can create a file on a person for serious and legitimate reasons only.
They must record the object or purpose when establishing the file on the person.
What is the reason for creating a file on someone?
A company must be able to justify the purpose for which a file was created on someone.
Collecting only the necessary information
Any person collecting personal information on another person should only collect the information “necessary” for the purpose of the file.
In other words, a company should only collect the information that it needs to render its services to its customers or deal with another person.
Any information beyond what’s necessary can be considered excessive and infringe the Quebec privacy act.
Organizations should evaluate what type of information they legitimately need to render the services and ensure they implement policies and procedures to limit their data collection strictly to what’s necessary.
Collection of information by lawful means
It goes without saying that the collection of personal information must be done by lawful means.
Any deceptive activity, acts of misrepresentation or manipulation leading to the collection of personal information about a person will be a breach of the law.
Companies should periodically review their data collection processes to ensure they are complying with the applicable laws.
For example, a company may not necessarily collect information on children to create a file about them.
Even if a company creates a file, properly documents the object of the file and collects only necessary information, the underlying objective is illegal in nature.
As a result, the personal information collected is unlawful under the Quebec privacy act.
Collection only from the person concerned
Article 6 of the Quebec privacy act states that personal information should be collected “only” from the person concerned.
Collecting information about someone from a third party is illegal in principle.
There are a few exceptions to this rule.
Exception 1: Consent received by the person
A person can give consent to an organization authorizing the collection of personal information related to him or her from a third party.
Subject to the specific consent of the person in question, Quebec law tolerates the collection of information from a third person.
When a company intends to collect personal information from a third person, it must document, and be able to establish, that the person in question consented to that collection.
Exception 2: Collection is authorized by law
A second exception to the rule is that a company can collect information from a third person when it is specifically authorized by law.
A company should document the legal basis they relied upon to collect personal information from a third party.
Exception 3: There are serious and legitimate reasons
A third exception is when the collection of information from a third party is for a serious and legitimate reason, particularly:
- When it’s in the interest of the person concerned and it cannot be collected in due time
- When it’s necessary to ensure the accuracy of the information
The best practice is to record the serious and legitimate reason in the person’s file to be able to justify why the personal information was collected from a third party.
Source of personal information collected
When personal information about a person is collected from a third person, and that third person is a company or a person carrying on an enterprise, the source from which the personal information was collected must be recorded.
An organization must record the source of the personal information in the file concerning the person.
The exception to this rule is when a company collects personal information with respect to an inquiry to prevent, detect or repress a crime.
To collect personal data, an organization has an obligation to inform the person in question.
Particularly, the organization must, when collecting the information, disclose:
- The object or purpose of the collection
- How the information will be used by the organization
- The categories of persons who will have access to the information within the organization
- Where the organization will keep the file on the person
- The individual’s right of access and rectification of the information
The disclosure information is important to allow individuals to better understand why and for what purpose their personal information is being collected.
Obligation to respond to a request for goods or services or employment
The Quebec privacy act states that a company cannot refuse to respond to a request for goods and services or with respect to employment on the basis that the individual refused to share personal information.
The exception to this rule is when:
- The information is necessary to conclude a contract
- The information is necessary to perform the obligations in a contract
- The collection of the information is specifically authorized by law
- The request made is not lawful
The objective here is to balance the legitimate needs of an organization with the data privacy rights of individuals looking for products and services or seeking employment.
The Quebec privacy act outlines specific requirements with respect to the collection of personal information.
In summary, a company must:
- Have an object (or purpose) for collecting personal information
- Collect personal information that is strictly necessary for its object
- Lawfully collect personal information
- Collect personal information directly from the person in question
- If personal information is obtained from a third party, ensure the person has consented or there is a lawful basis
- Record the source from which the personal information was collected when a company provides the information related to a person
- Disclose the legally required information to the person when personal information is being collected
- Respond to individuals’ requests related to products, services or employment even if they refuse to give their personal information
Companies subject to the Quebec privacy act should implement measures to comply with their obligations relating to the collection of personal information.