The Minister of Justice, Sonia LeBel, wants to force companies to appoint a “person responsible for the protection of personal information” within their team.
This employee will be responsible, among other things, for developing and publishing “the framework applicable to the conservation and destruction” of personal information, as well as “a complaints handling process”. He will also have to transmit to the individuals who request it the personal information collected about them, and this, “in the form of a written and intelligible transcript”, can we read in Bill 64.
Ms. LeBel tabled it in the National Assembly on Friday, a year after the personal data of millions of Desjardins members was leaked.
Bill 64 requires businesses to “destroy” or at least “anonymize” personal information “when the purposes for which it is [il] has been collected or used are accomplished, “unless it is subject to a statutory retention period.
The 60-page document specifies the right of an individual to require the end of the “dissemination” of personal information concerning him on the Web, in particular, “or that any hyperlink attached to his name allowing him to be de-indexed access this information by technological means when the dissemination of this information contravenes the law or a court order ”.
Furthermore, Bill 64 regulates both the “collection” and the “use” of personal information obtained by means of “a technology comprising identification, localization or profiling functions for the person concerned” . Minister LeBel concerned about “decision[s] founded[s] exclusively on automated processing ”of this information.
In the event of an incident
Minister LeBel’s Bill Introduces Rules Regarding the Processing by Public and Private Organizations of “Incidents” Affecting the Confidentiality of Personal Information, That is, “Access”, “Use” ”, The“ communication ”of personal information not authorized by law or the“ loss ”or“ any other breach of the protection ”of personal information. “If the incident poses a risk of serious harm being caused, she [l’organisation] must diligently notify the Access to Information Commission [ainsi que] anyone whose personal information is affected by the incident “. That said, “a person whose personal information is involved in the incident does not have to be notified as long as it would interfere with an investigation,” said the bill.
Any company must record each confidentiality incident in a register accessible by the Access to Information Commission.
Finally, Ms. LeBel also intends, through her Bill 64, to increase the administrative monetary penalties for any person who “collects, communicates, uses or destroys personal information” or “does not declare to the Commission or to the persons concerned, when she is bound to do so, a confidentiality incident ”.