'It really puts together an organized set of rules with respect to the management of personal information'
When it comes to employee privacy, “if an organization complies with Quebec, they pretty much comply with the other [provinces’] laws,” says Éloïse Gratton, partner and national leader, privacy and data protection, at BLG in Montreal. “Broadly speaking, very often, Quebec would likely be the most stringent.”
And with recent changes rolling out, it’s the first jurisdiction to update these laws, she says, “kind of the second generation of privacy law in Quebec.”
Law 25, the Act to modernize legislative provisions respecting the protection of personal information (PI), requires an overhaul of employer policies, procedures and practices. Some amendments first took effect in September 2022, a new set of changes came into force last month, and the final regulations take effect in September 2024.
Most employers were already doing many of these practices, and being very careful about the management of personal information, says Natalie Bussière, partner at Blakes in Montreal.
“What the law does is it really puts together an organized set of rules with respect to the management of personal information.”
Governance policies and practices
In looking at some of the more relevant areas of HR in the new legislation, section 3 states that employers must establish and implement governance policies and practices regarding personal information that ensure the protection of such information.
“Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the lifecycle of the information, and provide a process for dealing with complaints regarding the protection of the information,” says the act.
“The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information.”
Basically, employers are now required to have policies pertaining to the collection and use of personal information, says Bussière.
“This is in line with all kinds of various obligations that we have with respect to… harassment, with respect to like a code of conduct,” she says, as examples.
“I don't see this as being like earth-shattering in that, let's face this, most employers had already sometimes informal… policies in place with respect to the management of personal information.”
And the law still provides for deemed consent, meaning there's no formal requirement for express consent when it involves information needed in the course of employment – unless you are dealing with sensitive personal information such as medical or financial information, says Bussière.
“For those types of information, we usually recommend that, yes, the employer obtain… written consent.”
Privacy impact assessments
In section 16 of Quebec’s new legislation, privacy impact assessments must be carried out for any project that will “acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.”
The assessment must be proportionate “to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.”
The assessment walks through the business case and should apply a four-part test to meet the legal requirements of the law, says Gratton.
“Why is this new monitoring tool necessary? What are we trying to achieve here, is there an issue, a business problem? How effective will this new tool be?... Are the security measures adequate, what are the gaps from a legal compliance standpoint?”
And then it usually involves a document that lists the mitigation measures, along with who's responsible for implementing what, as a kind of roadmap, she says.
Correcting false employee information
When personal information is collected, section 8 also requires that employers inform that person about: why it was collected, how it was collected, “the rights of access and rectification provided by law” and their right to withdraw consent to the communication or use of the information collected.
Basically, there is now a separate mechanism available to employees if there are issues with respect to the application of the act, says Bussière.
“Before the law was revamped, there was an access right – an employee could ask to have access to whatever is in what we call the employee file – so this is something which of course is still available to the employees so they can basically look at what is in the employee file… and if there was a mistake, the idea is to ask that it be corrected.”
And employees have new rights, says Gratton. For example, they can request to know who within the organization has access to their information and how long their information is retained.
“Employers have to figure out ‘OK, what should be the process in place to accommodate these new types of requests?’”
Transparency around collecting PI
Section 8 also states that if an organization collects PI using technology that profiles, locates or identifies an individual, the organization must also inform the individual of the use of this technology and how to activate it.
“‘Profiling’ means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour,” says the act.
As soon as you're collecting personal information using technology that includes a function that allows the individual to be identified, located or profiled, you must inform the individual that you're using the technology and the means of activating these functions, says Gratton.
“And profiling is very, very broadly defined. It refers to the collection and use of personal information to assess characteristics of the employee; for example, for the purpose of analyzing that person's work performance; for example, preferences, interests and behaviours – very broad.”
And this new requirement may apply to various technologies, in different settings, such as employee monitoring tools, she says, “so that should be on employers' radar.”
“I really think it comes down to employers doing their homework before implementing new types of tracking or monitoring technologies and tools to make sure that these are really reasonable, legitimate, meant to address a specific business need.”
This also covers third parties, such as a payroll provider, who has access to personal information, says Bussière.
“This is something that will be disclosed to the person to say, ‘We will basically disclose this information to the payroll provider’… and the payroll provider itself as an enterprise has also an obligation with respect to the management of that personal information – but that is outside of the employment relationship,” she says.
“So, as an employer, my obligation is to say, ‘This is the information I gather from you’ – which is, of course, necessary or useful in the context of the employment relationship – ‘and I will also disclose this information to my payroll provider.’”
Automated decision-making and privacy
In section 12 of the legislation, any employers using personal information “to render a decision based exclusively on an automated processing of such information” must inform the person concerned.
If it’s requested, they must also provide what personal information was used, why it was used – including “the principal factors and parameters” – and allow for the information to be corrected if needed.
In the HR context, that could mean there's software screening applicants, and individuals have to be informed that this technology is being used to make a decision, says Gratton.
“That leaves the applicant or the employee… the right to provide observations – they don't have a right to object, but at least they can say, ‘Well, I don't think it's fair because that information is not accurate, for example.’”
The rationale behind this new requirement is likely to avoid companies using AI tools or black boxes that make decisions without individuals knowing about it, or knowing how the decision was made, she says, “especially if it's an impactful decision where the algorithm decides whether you get a job or you get an interview or you get a promotion – that's something that should be disclosed, and mentioned to employees.”
Again, the four-part test mentioned earlier should be applied, says Gratton, and overall the benefit of such tech “must outweigh the impact the system will have on employees’ privacy, and determine if there's an alternative system that would be less intrusive and as efficient, for example.”
But employers still have the right to manage employees’ performance, and to intervene when things are not going well, says Bussière.
“The general framework regarding the employment relationship still exists,” she says. “It has to function somehow. So how do you reconcile that with the various requirements with respect to the management of personal information? That's something that will, I suspect, evolve over time.”
Employers should always monitor performance closely if there are issues with an employee, she says, “so it remains to be seen… whether or not the use of those automated systems will be… a good way of managing employment performance in Quebec. I'm unclear as to how this will evolve.”
Sensitive personal information and biometrics
Another area of note for the new rules in Quebec concerns sensitive personal information such as biometrics.
“For the purposes of this Act, personal information is sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or release, it entails a high level of reasonable expectation of privacy,” says the government.
“The creation of a database of biometric characteristics and measurements must be disclosed to the Commission d’accès à l’information promptly and not later than 60 days before it is brought into service.”
More and more employers are using biometric information to track employees and monitor attendance, and not only do they need the employee's consent, but that consent has to be optional, says Gratton.
“You have to tell employees ‘I'm about to implement a biometric tool to authenticate you when you come in, because it's easier than using access cards.’ I'm assuming they will do their privacy impact assessment, but they still need the employees’ express consent.”
Employers also need to tell employees that their consent is optional, so there has to be an alternative method of identification, she says.
“That's very unique to Quebec, that optional consent and the reporting of the biometric system or the use of biometric data to the regular regulator.”