June 6, 2024

New Québec regulation governing how personal information can be anonymized in compliance with privacy law

On May 15, 2024, the government of Québec published the final version of the Regulation respecting the anonymization of personal information (the Anonymization Regulation), establishing the requirements to anonymize personal information in compliance with Québec’s private and public sector privacy legislation.

What you need to know

  • The regulation is broadly applicable. The Anonymization Regulation came into force on May 30, 2024 and applies to all private enterprises, public bodies and professional orders in Québec.
  • Anonymization can be leveraged as part of data management strategies. Subject to the requirements of the Anonymization Regulation, organizations can now leverage anonymization as part of their data management strategy.
  • The regulation establishes an eight-step anonymization process. The process aims to reduce the risk of re-identifying individuals. The Anonymization Regulation also clarifies that it is not necessary to conclude that there is no risk of re-identification, but rather that the risk is very low.

The requirements

The Anonymization Regulation sets out a process which can be summarized in eight steps required to lawfully anonymize personal information. We have detailed these steps in the chart below, along with additional interpretation and implementation guidance.

Requirements and additional guidance

Designate a person in charge.

The Anonymization Regulation requires that the anonymization process be carried out under the supervision of a person qualified in the field.

While the Anonymization Regulation does not set out specific qualifications, it would be reasonable to conclude that it requires a person with reasonable competence in anonymization techniques (e.g., data masking, pseudonymization, data perturbation, creating synthetic data, etc.) and in the protection of personal information.

Organizations that do not have the required expertise on-staff should consider engaging external advisors.

Identify the purpose for which anonymized personal information will be used.

The Anonymization Regulation states that the purposes must be “serious” and “legitimate” to respect the private sector privacy legislation, and for “public interest purposes” to respect the public sector privacy legislation.

The notion of “serious” and “legitimate” purposes is not defined in any law or regulation. General principles of interpretation in privacy law indicate that use for ongoing business or risk modelling would be a legitimate business purpose, but anonymizing personal information “in case” it may be useful in the future is unlikely to meet this standard.

While this step should be carried out before the anonymization process begins, the Anonymization Regulation also provides for the possibility of adding new purposes at a later time. Organizations would then have to make a further assessment and determine that these new, additional, purposes are also “serious” and “legitimate” or for “public interest purposes”.

Remove all personal information which would allow the individual to be directly identified (identifiers).

An organization must remove all personal information that allows the individual to be directly identified (e.g., name, unique identifier such as social identification numbers) from the data set.

Considering the definition provided in section 12 of the private sector privacy law and 65.1 of the public sector privacy law, this process would be the equivalent of de-identifying the personal information.

Perform a preliminary analysis of re-identification risk.

The preliminary analysis must assess the re-identification risk with respect to:

  • the individualization criterion (i.e., the inability to isolate or distinguish a person within a dataset);
  • the correlation criterion (i.e., the inability to connect datasets concerning the same individual);
  • the inference criterion (i.e., the inability to infer personal information from other available information); and
  • the risks of other reasonably available information, notably in the public space (including the Internet), being used to identify an individual directly or indirectly in combination with the de-personalized data set.

Apply generally accepted anonymization practices and safeguards to reduce re-identification risk.

On the basis of the re-identification risks identified, an organization must identify the anonymization techniques to be used, which must be consistent with generally accepted best practices.

As “generally accepted best practices” is not clearly defined under the legislation, organizations can choose to rely on national and international standards and practices (see our previous bulletin). The Canadian Anonymization Network provides a useful list of such standards.

The Anonymization Regulation also requires organizations to adopt “reasonable protection and security measures to reduce re-identification risks”. Such measures could include, for example, data segregation, access control and logging of any action taken involving the data set to reduce the ability to combine it with other data sources.

Perform a further analysis of the re-identification risk.

Taking into account the practices and safeguards applied, the organization then needs to perform a further analysis of the re-identification risk. The organization must consider the following elements:

  • the circumstances related to the anonymization of personal information, including the purposes for which the organization intends to use the anonymized information;
  • the nature of the information;
  • the individualization criterion, the correlation criterion, and the inference criterion;
  • the risks of other reasonably available information being used to identify a person directly or indirectly; and
  • the measures required to re-identify individuals, taking into account the efforts, resources and expertise required to implement those measures.

The results must show that it is reasonable to expect, in the specific circumstances, that the resulting data is irreversibly incapable of direct or indirect identification.

The results do not have to show zero risk, but rather a very low risk of re-identification.

Revisit the re-identification risk analysis periodically.

The draft version of the Anonymization Regulation stated that the analysis should be revisited “regularly”, which was then changed in the final version to “periodically”.

Section 8 of the Anonymization Regulation specifies that the intervals at which an organization must conduct assessments need to be determined according to the residual risks identified in the latest re-identification risk analysis conducted.

The review must take into account any technological advancements that may contribute to the risk of re-identification.

The review must show that the anonymized information remains anonymized in accordance with the criteria provided by the Anonymization Regulation. If not, the information will no longer be considered to be anonymized.

Keep a register of the anonymization performed.

The register should include:

  • a description of the personal information that was anonymized;
  • the purposes for which the organization intends to use the anonymized information;
  • the anonymization techniques and safeguards applied; and
  • the date on which the re-identification risk analysis was completed and the date on which any update was completed.

Note that this requirement only comes into force on January 1, 2025.

Where to start: tips for compliance

The Anonymization Regulation sets out a rigorous, multi-step process to lawfully anonymize personal information as an alternative to destruction when no longer required for business or legal purposes.

Organizations should review their current practices, procedures and policies for the retention, destruction and de-identification of personal information and determine whether updates are required to align those practices with the Anonymization Regulation. In many cases, multiple stakeholders will need to be involved in the procedure review as well as the resulting anonymization process (for example, legal, compliance, data analytics, information technology). In some cases, external resources will also be needed.

Organizations should then review and update their written procedures and policies to ensure compliance, and determine whether their existing anonymized information databases are still considered anonymized information in Québec pursuant to the Anonymization Regulation.


This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

© 2024 by Torys LLP.

All rights reserved.