- Data Protection in the Private Sector - Options for a Uniform Statute 1996
ANNEX III - Summary of the Quebec Model
This summary of the Quebec model is provided because almost none of the respondents referred to the Quebec model; because a few respondents suggested it would be useful to provide more information about it; because the Quebec law has been implemented with very little resistance from the private sector and little criticism from privacy advocates; and because any attempt to create a "uniform" approach to data protection in the private sector should give serious consideration to the only approach so far legislated.
- The principles in the Quebec Act generally reflect the principles in the CSA Model Code and the EU Data Protection Directive.
- The Act applies to all private enterprises, including non-profit organizations.
- The Act applies to all information which relates to a person and allows that person to be identified.
- Enterprises must only collect information necessary for the intended purpose, and enterprises must state the intended purposes on the file when the file about the person is created.
- Collection must be directly from the person concerned unless the person consents to indirect collection or unless the law authorizes indirect collection, collection is in the interest of the person concerned and the information cannot be collected from the person in due time, or collection from a third person is necessary to ensure the accuracy of the information.
- The source of the information must be identified and included in the file when the information is collected.
- The enterprise cannot refuse to respond to a request about a good, service or job from a person who refuses to provide requested personal information unless the personal information is necessary for the conclusion or performance of a contract, collection is authorized by law or there are reasonable grounds to believe the applicant's request is not lawful.
- The enterprise must inform persons of the existence and object of the files the enterprise holds about them, of the place where the file is held and the person's rights of access and correction of the information in the file.
- Enterprises must respond within 30 days to a written request for access or correction.
- The enterprise must establish and apply security measures appropriate to the confidentiality of the information concerned.
- Information must be up-to-date and accurate at the time it is used by an enterprise.
- Personal information cannot be disclosed to third parties without the person's consent (which must be a clear, free and informed consent for specific purposes) or for a purpose specified by the Act. There are 10 purposes specified; most have to do with providing information to public bodies for various law enforcement or government program purposes, but they also include disclosure to debt collectors and to an enterprise's own lawyer, and the communication of a list of names, addresses or phone numbers, or any information used to establish such a list, if the communication is made pursuant to a contract with a clause prohibiting disclosure for purposes other than commercial or philanthropic prospection, the persons on the list are given a valid opportunity to refuse to be included in such a list (opt out), and the communication does not infringe the privacy of the persons on the list.
- Personal information cannot be disclosed to parties outside Quebec unless the enterprise in Quebec takes "all reasonable steps to ensure that the information will not be used for purposes not relevant to the object of the file" (or the other uses authorized by the Act, summarized above) and in the case of name and address lists, that the person has a valid opportunity to refuse to be included in such a list.
- Enterprises who refuse to provide a person with access to their personal information and enterprises who refuse to make a requested correction to personal information must state in writing the reasons for the refusal and must inform the person of the recourses available to the person. The Act provides for a number of situations where an enterprise can refuse to provide access, including for medical reasons, prevention of harm to a third party, protection of a law enforcement investigation or where providing the information would "affect judicial proceedings in which the enterprise or the requester has an interest".
- There is recourse to the Quebec Commission d'accès for any disagreement between a person and enterprise over the application of the law with respect to access to or correction of one's own personal information, or to the removal of one's name from a nominative list. The person must apply within 30 days of a denial by an enterprise. In addition, the Commission may inquire, on its own initiative or in response to a complaint, into any matter related to the protection of personal information. The Commission can order an enterprise to take appropriate steps to comply with the requirements of the Act and can publish warnings that an enterprise has not respected a Commission order. Commission decisions can be appealed, by leave, to the Court of Quebec, on questions of law or jurisdiction. There is no right of appeal beyond the judge of the Court of Quebec.
- The Act makes a number of provisions concerning credit reporting agencies ("personal information agents").
- The Act contains penal provisions for fines of $1,000 to $20,000 according to the offence. When an offence is committed by a corporation, its administrator, director or representative can be held responsible. There are offences for anyone who collects, holds, communicates or uses personal information except as provided in the Act and a separate offence for credit reporting agencies.
Note that the Act does not apply to "journalistic material collected, held, used or communicated for the purpose of informing the public"; does not provide for sectoral codes; does not require enterprises to designate a person to be responsible for its personal information holdings and practices; and does not impose record retention rules.