How have the Quebec courts defined the data protection principles?
In this article, we will go over the four data protection principles outlined in Quebec’s private-sector privacy act.
Are you ready?
Let’s get started!
What is Quebec’s private sector privacy act?
The Province of Quebec has adopted its own data protection and data privacy act applicable to data collection, use and communication in its territory.
The Act respecting the protection of personal information in the private sector governs how organizations dealing in the private sector must protect and safeguard the personal information they acquire about a person in when conducting business in Quebec.
The Quebec private-sector privacy act applies when a person collects, holds or communicates to third parties personal information in the course of carrying an enterprise in Quebec.
What are the data protection and privacy principles underlying the Quebec privacy act?
What are the principles of Quebec’s privacy act?
In the matter Institut d’assurance du Canada vs. Guay, the Quebec courts defined four principles underpinning Quebec’s private-sector privacy act.
The Quebec privacy act principles are:
- “A person or a corporation must have a serious and legitimate reason for establishing a file on someone;
- Every individual has the right to access his or her file, unless the rights of third parties must be protected or there is a serious reason for refusing access;
- Every individual has the right to rectify an incorrect, incomplete or obsolete file; and
- Every person or corporation that opens a file on an individual has an obligation of confidentiality.”
We can summarize these four principles as:
- Legitimate interest
- Individuals’ right to access
- Individuals’ right of rectification
- Confidentiality obligations
Let’s look at each of the four principles of the Quebec privacy act.
A person must have a legitimate reason to establish a file on a person.
This principle is found in Article 4 of the Quebec privacy act:
“Any person carrying on an enterprise who may, for a serious and legitimate reason, establish a file on another person must, when establishing the file, enter its object.”
Establishing a file on a person means that a person or company collects and gathers personal information about a person a records it in a registry, a file, a repository or stores the information in some manner.
The first principle of legitimate interest requires that a company have a lawful, serious and legitimate purpose for collecting, holding or using personal information.
Otherwise, a person cannot gather personal information on someone.
Individuals’ right to access
The second principle under the Quebec privacy act is that of an individual’s right of access his or her personal information held by a person or a company.
This principle is outlined in Article 27 of the Quebec privacy act:
“Every person carrying on an enterprise who holds a file on another person must, at the request of the person concerned, confirm the existence of the file and communicate to the person any personal information concerning him.”
A company that holds personal information about someone has a duty to confirm the existence of the file and communicate any personal information held about a person concerned.
This is an important right granted to the individual.
The law requires that a person have the ability to demand and obtain access to whatever information a person or an organization may have collected or gathered on him or her.
The right of access is a natural consequence of the first principle of legitimate interest.
By granting the right to individuals access their data, the person can evaluate whether or not a company’s data collection operation was legitimate and lawful.
Individuals’ right to rectification
The third right is an individual’s right to rectification of their personal data.
The right to rectification is a natural consequence of the right to access and can be exercised following the exercise of the right to access.
The right to rectification is a person’s right to demand that a company or an organization correct incorrect information that is held about them.
Article 30 of the Quebec privacy act states:
“No request for access or rectification may be considered unless it is made in writing by a person who proves that he is the person concerned or the representative, heir or successor of that person, the liquidator of the succession, a beneficiary of life insurance or of a death benefit or the person having parental authority even if the minor child is dead.”
This right is not an absolute right.
For example, if a company had made a mistake in their operations and shipped a product to the wrong address, does the company have the obligation to rectify the wrong address.
The answer is yes and no.
There is little doubt that a company must correct the address on record if the address is used to transact with a person.
However, if a company keeps the record of a mistake that happened in the course of its business dealings, it has the right to keep the record of that mistake as a factual history of the account.
That mistake remains factually correct and is important to keep for auditing and account history perspective.
The fourth and last principle of the Quebec private-sector privacy act is that of confidentiality.
A person establishing a file on another has a legal duty of confidentiality.
The company or the person must take all the necessary measures to ensure that the personal information collected is safeguarded and protected from unauthorized access or disclosure.
Article 10 of the Quebec privacy act enshrines this obligation by stating:
“A person carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.”
A company must take the necessary security measures to ensure personal information is kept confidential or destroyed when no longer needed.
The measures must take into account:
- The sensitivity of the information
- The purpose of why it was collected
- The quantity of information collected
- How the information was distributed
- The medium on which it was stored
Every company may take a slightly different approach but ultimately the efforts must be reasonable and consistent with industry best practices.
The Quebec privacy act applicable to the private sector outlines four important data protection and privacy principles:
- Legitimate interest to establish a file on a person
- Individuals’ right to access
- Individuals’ right to rectification
- Confidentiality obligations
Companies, businesses or individuals subject to the Quebec privacy act must take the necessary measures to comply with these four principles in their overall data processing and collection operations.