Bill 64 to protect personal information

For September 2022, let’s prepare for Bill 64 pertaining to the protection of personal information

How to prepare for Bill 64 before September 2022

Bill 64, adopted on September 21, 2020, is a major reform governing how companies protect individual’s privacy. The objective of this law is to better protect citizens’ personal information and to oblige organizations to take concrete steps to ensure information security. Considerable fines will be imposed upon companies in the event that the new standards are not respected. 

The Loi modernisant des dispositions législatives en matière de protection des renseignements personnels will profoundly change the way Quebec companies manage the protection of privacy. This is why it’s essential to educate your IT teams and your employees to be familiar with the information protection law and to create an action plan to comply with it.

What is BIll 64?

Bill 64 is the most recent update since 1993, and is of considerable relevance considering the technological advances that have emerged in recent decades. It will have an impact on several aspects relating to the management and organization of personal information, regardless of the level of income that the company generates or the number of employees it has. The ultimate goal is to modernize the legislation in order to adapt it to the technological reality of the 21st century.

In fact, all companies will have to comply with this new legislation, whether SMEs, large international companies, NPOs, self-employed workers and any other form of business recognized by law in Quebec.

Approved in September 2021, this law’s first changes will be effective in September 2022, after which other changes will be added every year until 2024, when the law will be fully effective. It’s therefore the ideal time to develop an IT strategy and thus avoid hefty fines. 

Bill 64 allows citizens to:

• Receive better quality information when their personal information is collected.
• Receive complete information about the use of their personal information.
• Be notified when a privacy incident occurs at the company, no matter how small.
• Be erased or dereferenced.
• Have access to simple consent rules laid out in simple terms.

The right to erase, i.e. the right to completely erase information held by a company about you, will now be a right offered to all citizens. In addition, once the purposes for which personal information is collected have been achieved, the organization has a duty to permanently erase all the personal information collected.

Now that you have a better overview of the changes brought about by Bill 64, all you have to do is determine how to comply with the new standards and prepare your business adequately. 

How to prepare your business for the bill to protect personal information

Preparing your business for the bill pertaining to the protection of personal information requires an investment in time and seriously considering the new standards. You’ll also have to report to the commission d’accès à l’information that is responsible to oversee Bill 64’s application and which has the power to issue penalties to offenders.

As a company, you have a duty to report any incident, whether major or minor, to the commission as well as to the people affected. You must also take any action within your power that could reduce the damage caused.

Here are the 7 major initiatives that you should consider doing:

• Produce accurate and regularly-updated documentation on the use of your customers’ information
• Share with your team procedures about privacy impact assessments (PIAs), which could be useful to you if you are sued in court
• Contemplate all documentation that will be required for Bill 65’s entry into force and ensure that it is written or updated beforehand. In particular, consider the conditions for consent, exporting personal information, identifying the people who will receive the information, updating the website, privacy policies, contracts with suppliers, etc.
• Ensure that all information collected by artificial intelligence technologies complies with Bill 64
• Appoint a member of your organization to serve as personal information manager and another as data flow manager.
• Inform members of your organization about the new standards and how the company is complying with them
• Prepare procedures in the event of incidents in order to keep written evidence of them, as mentioned in the law

Follow these instructions and refer to the law on the protection of personal information in order to prepare yourself adequately before its effective date. Cybersecurity experts can also help you prepare for it with peace of mind.

Privacy law implementation

Bill 64 provides for the entry into force of the new standards pertaining to the protection of personal information in 3 phases. These are intended for any company doing business in Quebec, whether based inside or outside the country.

The first phase will take effect in September 2022, the second phase in September 2023 and the last phase in September 2024. Here is the order in which you will need to make changes to your organization. 

Phase 1

As of September 2022, companies must disclose any incident threatening the confidentiality of personal information or cyberattacks. It must therefore notify any person potentially affected by the security breach as well as the Commission d’accès à l’information.

The organization must also appoint a person responsible for personal information among its members.

Phase 2

As of September 2023, the procedures and policies surrounding the use, management and protection of personal information must be made available on the internet. The commission will in fact issue administrative sanctions as of this date.

Privacy Impact Assessment Grids (PIAs) will be required for any changes made to the company that could have an impact on the protection of its customers’ privacy. This includes software changes or computer systems updates, for example. 

Phase 3

Lastly, in September 2024, the right to portability makes its debut. This right allows anyone to obtain information that they have previously communicated to a company. Le projet de loi n° 64, Loi modernisant des dispositions législatives en matière de protection des renseignements personnels will be fully effective as of this date. 

Be ready for Bill 64

There’s still time to prepare your organization for the changes that will be brought about by the Bill pertaining to the protection of personal information. A well-advised internal IT team will be better equipped to make the appropriate changes quickly and efficiently. S3 experts are available to assist you with this task, no matter the size of your business or the constraints you face.

Do you need a helping hand? S3 Tech is the oldest managed IT services provider in Greater Montreal, and we’re more than capable of supporting you in your strategic planning. We can help you prepare properly for the new information protection bill, quickly and without hassle. Contact us for an IT strategy to suit your needs.