For several decades now, privacy impact assessments ("PIAs") have been an increasingly familiar part of the data protection landscape. Originally inspired by environmental impact assessments, they have become an integral part of best practice when planning new uses of personal information. Governments and regulators, struggling to keep up with the continuous and accelerating emergence of new technologies, have increasingly demanded a PIA for novel treatments of personal information.

With the advent of the European Union's General Data Protection Regulation ("GDPR"), PIAs, labelled "data protection impact assessments" ("DPIAs") under the GDPR, graduated from a best practice to a legal requirement in many situations. DPIAs are now compulsory for processing operations which involve new technologies and are "likely to result in a high risk to the rights and freedoms" of the individuals concerned[1]. As a result, the responsibility for ensuring respect for privacy no longer rests solely on the shoulders of institutions or citizens; it is now the responsibility of all organizations.

This approach is mirrored in the proposed Quebec Bill 64.[2]

What is new?

Essentially, Bill 64 proposes that private and public organizations in Quebec be required to conduct "assessments of privacy-related factors" ("APFs"):

  • of "any information system project or electronic service delivery project" involving the collection, use, release, keeping or destruction of personal information[3];
  • for public bodies only, before communicating personal information to a public body or an agency of another government, where the communication is necessary for the exercise of the rights and powers of the receiving body or the implementation of a program under its management, where it is clearly for the benefit of the person to whom the information relates, where exceptional circumstances justify doing so, or where it is necessary for the purposes of a service to be provided to the person concerned by a public body[6];
  • for public bodies designated as personal information managers, before collecting, using or releasing personal information in the exercise of their functions.[7]

Private sector organizations and information system projects

Quebec will now require an APF of "any information system project or electronic service delivery project".[8] Bill 64 goes beyond what is required by the GDPR (which ties DPIAs to the level of risk to individuals[9]), as it calls for an assessment of any and all new projects, not just those which appear to be high risk.

The person in charge of the protection of personal information within the company must be consulted about the purpose of the planned assessment. Bill 64 describes what this person may suggest, at any stage of the project:

  • appointing a person responsible for the implementation of the personal information protection measures;
  • protection measures for any document relating to the project;
  • a description of the project participants' responsibilities concerning the protection of personal information; and

Crucially, when the APF of an information system is carried out, it must ensure that the system will allow personal information to be communicated in an easy-to-use format, so that data portability is built in from the start.[11]

But what exactly is an "assessment of privacy-related factors"?

Bill 64 manages to be very prescriptive about mere suggestions while avoiding any discussion of the criteria for a satisfactory APF. There is no mention of the role of risk in the assessment to be carried out. Neither the integration of the assessment into the project nor the consequences, if any, of an incomplete assessment, or indeed of no assessment at all, are addressed.

At least Bill 64 gives us some clues as to the nature of the factors to be assessed in an APF carried out prior to communicating personal information outside Quebec, since it provides that the APF must, among other things, take into account (a) the sensitivity of the information, (b) the purpose for which it is to be used, (c) the protection measures that would apply to it, and (d) the legal framework applicable in the "State" to which the information would be communicated.[12]

Fortunately, the Commission d'accès à l'information ("Commission") has developed a working document on how to carry out an assessment of privacy-related factors[13] (in French only), which was published before Bill 64 was tabled. Consequently, this guide presents APFs as an optional tool and could be completely revised following the adoption of Bill 64.

The guide outlines the steps to follow when conducting an APF:

1. Preparation of the APF: this consists of defining the project, the organizational context and the organization's obligations with regard to privacy and the protection of personal information, making an inventory of the personal information that will be involved in the project (including an assessment of that information's sensitivity), and identifying the interactions between the organization and the personal information involved in the project.

2. Conducting the APF: according to this guide, the so-called "privacy-related" factors to be assessed are:

  • The compliance of the project with applicable personal information protection legislation and adherence to the principles that support it, such as identifying purposes, consent, limiting collection, use, disclosure and retention, security measures, accuracy of the personal information collected, etc.
  • The identification of privacy risks generated by the project, such as the retention of information when its utility is no longer demonstrated, theft of information, excessive collection of information, unauthorized disclosure of information, excessive or unjustified creation of information, etc.
  • The evaluation of the impact of the identified privacy risks generated by the project, which can be done using a scoring system. In any event, it is important to make sure that the risks are quantified and addressed, and that acceptable risks are defined beforehand.
  • The implementation of strategies to avoid or effectively reduce these risks, which can include a document management system that automatically applies the retention schedule; reviewing the processes for allocating and managing computer access; hiring IT security firms to periodically review the security settings of the product or service; reviewing confidentiality clauses in contracts, etc.

3. Preparation of an APF report: this last step of the process consolidates the results of the assessment and provides evidence of the actions taken and the reasoning behind them in the event of an audit, inspection or investigation by a regulatory authority.