RCCAQ - New provisions governing personal information protection: how are brokerage firms affected?



Posted on October 9, 2022

The Act to modernize legislative provisions as regards the protection of personal information (Québec’s Bill 25) puts in place new measures to protect consumers’ personal information by making private companies and public agencies accountable. These measures will be phased in gradually from September 22, 2022 to September 2024.


Brokerage firms will have to take these provisions into account in their business activities. If they do not, they run the risk of heavy penalties.


A number of the measures that took effect in September 2022 require businesses that process and communicate personal information concerning clients, employees and/or suppliers to designate a person in charge of protecting personal information. Businesses will also have to inform the persons concerned, along with Québec’s Access to Information Commission (CAI), in the event of a personal information-related confidentiality incident that could cause serious harm. Similarly, businesses must have a plan in place to manage these types of incidents and must maintain a record of all such incidents.

It should be noted that Bill 25 makes it possible to communicate personal information without the consent of the individual(s) concerned for study, research or statistical purposes, provided that the new regulatory framework for communicating this information is adhered to.

As of September 2023¹, businesses must:

  • Establish a governance framework for personal information protection.
  • Enhance information provided to clients when collecting personal information.
  • Destroy or anonymize personal information in certain circumstances.
  • Assess privacy risks when personal information is used and communicated in certain circumstances.
  • Obtain individuals’ prior consent to use their personal information for business prospecting purposes.


As of September 2024², businesses must:

  • Communicate, at the request of the individual(s) concerned, personal information provided to third parties.


Impact on your firm as of September 2022


It should be noted that Bill 25 imposes new obligations on brokerage firms regarding the protection of clients’ personal data with a view to better reflecting current technological realities.

Bill 25 establishes better personal information protections by providing the individuals concerned with more powers concerning how their personal data is processed and a better understanding of the consequences of the choices they make.


Main obligations now in effect


Appointing a person in charge of protecting personal information

The person duly designated and formally identified as being in charge of personal information protection within the business must be fully aware of his/her role and responsibilities, including ensuring that the business processes the personal data that it holds in accordance with the standards in effect.

The designated person must understand the nature of the personal information that the business holds, processes and communicates. He/she must also know who is authorized to access this personal information, and why. He/she must put together and implement policies and practices governing personal information. For example, retention and destruction rules may be needed, as well as centralization of sensitive data to facilitate protection and monitoring.

Needless to say, the contact information of the person in charge of protecting personal information must be clearly posted on the business’s website to facilitate clients’ direct access to it.

This function, which is assumed by default by the business’s most senior officer, may also be delegated in writing to an external specialist or any other person. Bear in mind, however, that the business must assume responsibility for any deviations from Bill 25.

Confidentiality incidents: planning and recording

Brokerage firms must put in place an action plan to be followed in the event of a confidentiality incident. That way, rapid measures can be taken to reduce the risk of damage. An official record of confidentiality incidents must also be kept.

Appropriate measures must be taken within the firm to protect personal information and to act diligently when dealing with any such incidents. An effective plan that provides for a swift response, combined with steps to ensure that employees understand the importance of following it to the letter, will demonstrate that the firm is able to handle a real incident and to minimize the risk of harm as much as possible.

To that end, the person in charge of protecting personal information must be able to detect these incidents. Businesses are advised to instruct employees to immediately report situations in which they are exposed to personal information that does not concern them. Locations where sensitive information must be stored should also be identified. Steps should be taken to avoid making copies thereof, regardless of the format used, or communicating information by email. That is why it is so important for employees to report any cases of sensitive information found in non-designated locations.

A policy on the use of portable storage devices (USB keys, laptop hard disks, etc.) and the systematic recording of storage devices should also be implemented. As we all know, using laptops or memory devices outside the workplace can lead to the loss or theft of client-related information. Steps should be taken to ensure that access is not given to staff members who are not required to use client-related personal information. Protective measures should be put in place to guard against malicious third parties seeking to access email inboxes or IT storage spaces. In that case, two-factor authentication may be required.

The importance of reporting incidents

Under Bill 25, incidents must be reported to the Access to Information Commission, as well as to the persons concerned, whenever an incident poses a risk of serious harm to those affected. If the incident requires disclosure to the client and to the Commission, the person in charge must decide how the disclosure will be carried out. It is important to avoid opening the door to legal action by implying that an incident may be due to negligence.

Consequences

Bill 25 states that in the event of default or non-compliance with their legal obligations, businesses may face heavy penalties of up to $25 million or 4% of their annual revenues.

In addition, Sections 23 and 24 of the Code of ethics of damage insurance representatives set out the obligation to “respect the secrecy of any personal information” obtained from clients and to use this information solely for the purposes for which it was obtained.

Brokers may not disclose personal or confidential information or information obtained other than in accordance with the Act, nor may they use it against a client in order to obtain a benefit. These requirements apply not only to insurance representatives, but also to brokerage firms themselves, as noted in Section 80 of the Act respecting the distribution of financial products and services. Under Sections 84 and following of the latter Act, brokerage firms are responsible for ensuring that managers, representatives and employees act in accordance with the Act and the accompanying regulations.

Conclusion

Brokerage firms must diligently ensure that the designated person in charge of protecting personal information fulfils all his/her obligations, as well as those imposed by Bill 25, and that he/she will oversee their implementation by the firm’s members.

Those are the main things we wanted to bring to your attention. For further information, please consult the checklist put together by the Access to Information Commission, which is designed to help businesses comply with these new obligations.

Article by Luc Jobin and Alexis Falanga-Duchesneau, Tremblay Bois Avocats


¹ ² Further information on these additional obligations may be provided at a later date.