BILL 64 MAPPING OF THE CONTROLS OF ISO/IEC 27701:2019
By PECB, PECB MS, and FASKEN
1. Introduction
Almost every enterprise processes personally identifiable information (PII) nowadays. As the amount and types of PII increase, so does the number of situations where enterprises need cooperation with others regarding the processing of PII. Protecting the privacy when processing PII is a societal need. Therefore, this has been the prevailing topic of legislators and regulators worldwide.
As a response to this need, the International Organization for Standardization (ISO), an international organization of worldwide recognition and the oldest and most experienced in the field of industry standardizations, in cooperation with the International Electrotechnical Commission (IEC), published ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.
The standard specifies requirements and provides guidance for establishing, maintaining, and continually improving a privacy information management system (PIMS) as an extension to the information security management system (ISMS) based on the requirements of ISO/IEC 27001 and the guidance of ISO/IEC 27002. The standard can be used by both PII controllers and PII processors and is applicable to any enterprise regardless of its size and type.
In addition, the standard includes mapping to the privacy framework and principles defined in ISO/IEC 29100, ISO/IEC 27018 (protection of PII in public clouds acting as PII processors), ISO/IEC 29151 (protection of PII), and the EU’s General Data Protection Regulation (GDPR).
In order to expand the mapping of ISO/IEC 27701 to another privacy law, this time from Quebec, Canada, it was decided to carry out a similar mapping exercise comparing ISO/IEC 27701 to Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, introduced by the government of Quebec on June 12, 2020. Bill 64 proposes to modernize the existing framework applicable to the protection of personal information by amending various public and private sector Quebec laws. The Act respecting the protection of personal information in the private sector (the Act), which regulates Quebec’s private sector privacy law, will be significantly impacted by Bill 64. Bill 64 was singled out for two main reasons:
- First, the Act, adopted in 1993, was the first private sector privacy law in Canada. The federal Personal Information Protection and Electronic Documents Act (PIPEDA), the Alberta Personal Information Protection Act (Alberta PIPA), and the British Columbia Personal Information Protection Act (BC PIPA) came about 10 years later.
- Second, with Bill 64, Quebec is taking the lead in Canada on reforming privacy legislation to follow the new trend of stronger privacy laws, such as the EU’s GDPR, in terms of respecting both individual rights and business obligations.
In many ways, this proposed reform brings Quebec’s privacy laws in line with other privacy laws, such as GDPR, and with the anticipated changes as part of the PIPEDA modernization.
This paper compares ISO/IEC 27701 to Bill 64. PII, as used in ISO/IEC 27701, is used as a synonym for personal information in Bill 64.
2. Executive Summary: Main Similarities and Differences
Some of the main similarities between ISO/IEC 27701 and Bill 64 are outlined in the following:
- ISO/IEC 27701 refers to privacy impact assessments. In Bill 64, these assessments are referred to as assessments of privacy-related factors.
- In ISO/IEC 27701, requirements for transferring PII between jurisdictions are defined. Bill 64 addresses the same topic, but as requirements for communicating PII outside Quebec and restrictions on transferring PII to jurisdictions that do not offer a level of protection for the PII equivalent to Quebec’s.
- In both Bill 64 and ISO/IEC 27701:
  - Specific purposes for which the PII will be processed must be identified.
  - Consent to the collection, communication, or use of PII must be freely and explicitly given for specific purposes.
  - Every person carrying on an enterprise must provide a copy of the PII they hold on another person (referred to as the PII principal in ISO/IEC 27701), if that person requests it.
  - Any person carrying on an enterprise who uses PII to render a decision based exclusively on automated processing must inform the person whose information is concerned that their information will be used for automated decision-making.
  - Collection of PII should be limited to the minimum that is necessary.
  - PII must be up to date and accurate.
  - PII minimization is favored.
  - An enterprise must destroy or anonymize PII once the purposes for which that information was collected or used are achieved.
  - The right to data portability requires transmitting PII to the PII principals in a computerized, written, and intelligible transcript.
  - Requirements for contracting (referred to as subcontracting in ISO/IEC 27701) are defined.
Some of the main differences between ISO/IEC 27701 and Bill 64 are outlined in the following:
- Under Bill 64, the only legal basis for processing of PII is consent of the concerned individuals, subject to certain specific exceptions, whereas ISO/IEC 27701 requires enterprises to determine, document, and comply with the relevant lawful basis for the processing of PII for the identified purposes.
- Under Bill 64, PII that has been used to render a decision should be kept for at least one year following the decision, whereas in ISO/IEC 27701 PII should not be retained for longer than is necessary for the purposes for which the PII is processed.
- Under Bill 64, there is no legal obligation to maintain a record of processing, but a compliance system must be documented and published, whereas in ISO/IEC 27701 the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of PII carried out on behalf of a customer should be determined and maintained.
- According to ISO/IEC 27701, the disclosure of subcontractors used to process PII is required, whereas under Bill 64 the enterprise is accountable for each subcontractor, and an assessment of privacy-related factors must be performed before authorizing an international disclosure.
- According to ISO/IEC 27701, the customer is required to be informed of changes of subcontractor used to process PII, whereas in Bill 64 this is not a requirement.
- In contrast to ISO/IEC 27701, Bill 64 does not:
  - Recognize the notions of joint controller, controllers, and processors
  - Incorporate specific requirements regarding temporary files
  - Specifically set out policies for the method of the disposal of PII
  - Have a functional equivalent for records of transfer of PII
  - Specifically address customer agreements and obligations
  - Specifically address infringing instruction
3. Preliminary Legal Notes
The table presented below contains a preliminary mapping of the controls of ISO/IEC 27701 against the Act, as it would be amended following the passing of Bill 64. The mapping between ISO/IEC 27701:2019 and Bill 64 shows how compliance with the controls of ISO/IEC 27701 can be relevant to fulfilling the obligations of Bill 64. However, the mapping is purely indicative; it remains the enterprise’s responsibility to assess its legal obligations and decide how to comply with them.
The Act applies to the personal information collected, held, used, and communicated to third persons while carrying on an enterprise (as defined under Art. 1525 of the Civil Code of Quebec). It also applies to the personal information held by a professional order and, if Bill 64 is adopted, to the personal information of electors held by an authorized entity under the Election Act.
The Act applies to the collection, use, and disclosure of PII which occurs exclusively in the province of Quebec, as inter-provincial collection, use, and disclosure are subject to the federal legislation. The Act, in contrast, does not apply to federal undertakings, works, and businesses which are subject to the federal legislation. The same data flow may have some actions that fall under the federal law and others that fall under the Act.
Art. 2 of the Act defines personal information, referred to as PII in this document, as “any information which relates to a natural person and allows that person to be identified.” As per Art. 93(2) of Bill 64, the notion of personal information excludes “personal information concerning the performance of duties within an enterprise by the person concerned, such as the person’s name, title, and duties, as well as the address, email address, and telephone number of the person’s place of work.” This refers to business contact information, not to the processing of employees’ PII.
Bill 64 was introduced on June 12, 2020, during the 1st session of the 42nd Legislature and was adopted in principle on October 20, 2020. However, as of October 2020, it is still subject to additional modifications, which may impact the mapping against ISO/IEC 27701. As such, the table provided below will be updated accordingly if changes are made. The last date of modification, which is indicated below, is the date at which this table is accurate.
To learn more about Bill 64 and have free access to many articles, guides, and other resources covering and summarizing amendments proposed through Bill 64, please visit Fasken’s Resource Center on Bill 64.
The table below refers to the articles in the Act, as they would be amended by the current version of Bill 64.
To use this mapping effectively, it is important to note that the use of expressions such as “information security” under ISO/IEC 27001 should include “privacy” and “information security risk assessments” should include privacy-related risk assessments.
Last date of modification: October 25, 2020.
BILL 64 MAPPING OF THE CONTROLS OF ISO/IEC 27701:2019
Abbreviations:
Abbreviation | Meaning |
---|---|
ISO/IEC 27701 | ISO/IEC 27701:2019 |
The Act | Act respecting the protection of personal information in the private sector, Ch. P-39.1, as modified by Bill 64 |
Bill 64 | An Act to modernize legislative provisions as regards the protection of personal information |
PII | Personally Identifiable Information, as used in ISO/IEC 27701; used as a synonym for personal information in Bill 64 |
GDPR | The European Union’s General Data Protection Regulation |
Subject | Clauses in ISO/IEC 27701 | Articles in the Act (as amended by Bill 64) | Legal Notes |
---|---|---|---|
Context of the enterprise | 5.2.1 | 1(3), 3, 3.1, 3.2, 17, 19, 78 | The notions of “controller” or “processor” do not exist under Quebec’s legal framework. All enterprises are equally accountable. Art. 1(3) of Bill 64 states that this accountability applies regardless of whether the hosting is done by a third party. For instance, as per Art. 3.1 “Any person carrying on an enterprise is responsible for protecting the personal information held by the person” or as per Art. 3.2 “Any person carrying on an enterprise must establish and implement governance policies.” The legal framework must be known to enterprises in advance for PII to be communicated outside Quebec so that an enterprise can determine the degree of equivalency between the recipient’s laws and Quebec’s laws for the protection of PII. However, enterprises must determine if a PII agent is required depending on their type of processing. Pursuant to Art. 70, PII agents must register with the Commission d’accès à l’information (Commission). |
Understanding the needs and expectations of interested parties | 5.2.2 | 3.7, 9.1 | There are provisions in Bill 64 which oblige enterprises to take into consideration stakeholders other than the person whose PII is being processed, such as in risk assessment or through the obligations to inform them. Design requirements for privacy-by-default under Art. 9.1 also require a user-centric approach. Enterprises must identify and determine stakeholders. |
Determining the scope of the information security management system | 5.2.3 | 3.2, 10 | As per Art. 3.2, enterprises must implement a governance system which is aligned with the life cycle of PII (e.g., from its creation to its destruction). Therefore, the scope of the information security management system (ISMS) and privacy information management system (PIMS) must minimally cover the information processing facilities, business processes, and assets relating to this life cycle. |
Information security management system | 5.2.4 | 3.2, 3.5, 10 | Under Art. 3.2, all enterprises subject to the Act must have policies and practices regarding the governance and protection of PII. There is no minimal threshold in terms of size, sensitivity, or otherwise. These policies must be available to the public via a website or otherwise. Our understanding is that only policies and not procedures or standard operating procedures must be published. However, the term “policies” is undefined. Our assumption is based on the exclusion of the word “practices” from the second paragraph on the publication of the policies. Art. 3.5 provides documentation requirements for confidentiality incidents that should be part of the ISMS. |
Leadership and enterprise roles | 5.3 | 3.1, 3.2 | Art. 3.1 sets forth important principles regarding leadership, starting with the accountability of enterprises over the PII that it holds. By default, according to Bill 64 the person with the highest authority in an enterprise is responsible for the operationalization of the Act. This function can only be delegated in writing. The law contains roles and responsibilities for this person. The Act also includes roles and responsibilities for the information security agent. |
Planning | 5.4 | 3.2, 3.5, 3.7, 10 | When determining what policies and practices are required under Art. 3.2, an enterprise must determine what is “proportionate to the nature and scope of the enterprise’s activities.” This proportionality exercise is best completed at the outset of a risk assessment, which may also be useful for the notification requirements under Art. 3.5 and 3.7 of Bill 64 that are based on sensitivity of the information, anticipated consequences, and likelihood. Therefore, these factors should be considered in an enterprise’s risk assessments, information assets classification, and inventories. Art. 10 of the Act is similar to Art. 32 of the GDPR and requires any person carrying on an enterprise to implement the “necessary” security measures by considering the sensitivity of information, the purposes for which it is used, the quantity and distribution of the information, and the medium on which it is stored. This approach should trigger a risk assessment. |
Information security | 5.5, 5.6, 5.7, 5.8, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.8, 6.9, 6.10, 6.11, 6.12, 6.14, 6.15 | 2, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 4, 5(1), 8.2, 9.1, 10, 16, 20, 21.0.1, 21.0.2, 70 | Under the Act, the adequacy of the security measures must be reasonable, given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information, and the medium on which it is stored. These factors should be considered in the risk assessment. The measures must cover all phases of the information life cycle from collection to destruction. Information security is also a mandatory component of the assessment of privacy-related factors introduced under Bill 64, including international transfer. Therefore, vendor due diligence is also a critical component when using international processors and sub-processors of PII. Note that ISO/IEC 27701 adds requirements to ISO/IEC 27001 in terms of information privacy. These requirements are relevant for the application of Art. 10 of the Act. |
Cryptography | 6.7 | 10, 12, 19, 23, 91(3) | Bill 64 introduces the notion of “de-identified” information, which refers to PII that “no longer allows the person concerned to be directly identified.” Any attempt to re-identify such de-identified information would be a penal offense leading to a fine of up to $25,000,000 (presumably Canadian) or 4% of worldwide turnover for the preceding fiscal year for a legal entity. In parallel, Bill 64 also introduces the notion of “anonymization” under Art. 23, which seems to be a method of storage limitation. “Anonymized information” includes information which is “anonymized according to generally accepted best practices” and which “irreversibly no longer allows the person to be identified directly or indirectly.” Therefore, anonymization appears to be a higher threshold, as it refers to indirect re-identification, whereas information would be considered de-identified if it cannot be directly re-identified. It is unclear what the precise distinctions are, and where pseudonymized PII will fit into this data model. |
Information security incident management | 6.13 | 3.5, 3.6, 3.7, 3.8 | Under Bill 64, when a confidentiality incident involving PII that presents a risk of serious injury occurs, the person carrying on an enterprise must promptly notify the Commission d’accès à l’information as well as any person whose PII is concerned by such incident. In addition, the person may also notify any person or body that could reduce the risk, by releasing to the person or body only the PII necessary for that purpose without the consent of the person concerned. For example, if credit information is concerned, you may notify banks. In assessing the risk of injury to a person whose PII is concerned by a confidentiality incident, an enterprise must consider, in particular, the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that such PII will be used for injurious purposes. |
A. Controls for PII controllers | | | |
Identify and document the purposes for processing | A.7.2.1 | 3.2, 4, 8 | ISO/IEC 27701’s control A.7.2.1 is about the identification and documentation of the purpose of processing. Likewise, as per Art. 4, it is mandatory to determine the purpose of collecting the PII. ISO/IEC 27701 also requires documenting such purpose. Under the Act and Bill 64, such documentation is required through the obligation to draft and publish policies and make this information available to concerned individuals. |
Identify lawful basis for processing | A.7.2.2 | 3.2, 4, 6, 8, 12, 13, 18, 18.1, 18.2, 18.3, 18.4 | Under the Act, the only legal basis for processing of PII is consent of the concerned individuals, subject to certain specific exceptions, which are set out, notably, in Art. 6 and Art. 18 to 18.4. |
Determine when and how consent is to be obtained | A.7.2.3 | 4.1, 6, 13, 14 | Under the Act, the consent to the collection, communication, or use of PII must be “manifest, free, and enlightened, and must be given for specific purposes.” Furthermore, Bill 64 specifies that consent must be given in an explicit manner such as with a checkbox or an action when the concerned PII is sensitive. |
Obtain and record consent | A.7.2.4 | 6, 8, 13, 14 | Under Bill 64, when obtaining consent, the person who collects PII must, at the moment of collection, inform the person concerned in clear and simple language of the following: If applicable, the person concerned is informed of the name of the third person for whom the information is being collected and of the possibility that the information could be communicated outside Quebec. On request, the person concerned is also informed of the PII collected from him, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of PII. |
Privacy impact assessment | A.7.2.5 | 3.3, 21 | Bill 64 proposes that enterprises are required to conduct “assessments of privacy-related factors” (APFs): |
Contracts with PII processors | A.7.2.6 | 10, 18.3, 21.0.2 | Bill 64 does not recognize the notion of processor. However, it proposes that if a person carrying on an enterprise needs to communicate PII to any person or body, it must entrust the mandate or contract in writing and specify in the mandate or contract the measures the mandatary or the person performing the contract must take to protect the confidentiality of the PII communicated, to ensure that the information is used only for carrying out the mandate or performing the contract, and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract. |
Joint PII controller | A.7.2.7 | 10, 18.3, 21.0.2 | Bill 64 does not recognize the notion of joint PII controller, nor does it distinguish between controllers and processors. Under Bill 64, when a person carrying on an enterprise communicates PII to another person or body, it must enter into an agreement in writing, stating: If the person communicates the PII for study or research purposes or for the production of statistics, the parties must enter into an agreement containing the stipulations that are listed in Art. 21.0.2. |
Records related to processing PII | A.7.2.8 | 3.2, 4, 8 | Bill 64 proposes that a person carrying on an enterprise must establish and implement governance policies and practices regarding PII that ensure the protection of the PII. Bill 64 proposes that these policies and practices must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of PII. |
Determining and fulfilling obligations to PII principals | A.7.3.1 | 3.2, 8(4), 16, 27, 28, 28.1, 29, 30, 31, 32, 33, 34, 35, 36 | According to Bill 64, under certain conditions and subject to certain exemptions, PII principals are granted some rights regarding their PII, including a right to access, to rectification, and to de-indexation. In accordance with ISO/IEC 27701’s guidance given in clause 7.3.1, “clear documentation should be provided to the PII principal describing the extent to which the obligations to them are fulfilled and how, along with an up-to-date contact point where they can address their requests.” For enterprises seeking to implement ISO/IEC 27701, Art. 3.2 of Bill 64 should be interpreted to include such documentation, which should be published in accordance with the Act. Note that Arts. 35 to 40 of the Civil Code of Quebec contain individual rights, which are expanded upon in the Act, such as through Art. 16. The Act does not contain as many rights as the GDPR, and the word “right” is not clearly indicated in a distinct section, which makes it unclear whether or not an article provides a PII principal with a “right.” For instance, according to Art. 12.1 of Bill 64, enterprises must inform the PII principal of some requirements in the case of automated decision-making, and the PII principal “must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.” However, given the language used, it is unclear whether this is a right with a corresponding obligation for enterprises, although it is clear that PII principals have the right to have the information used for the decision corrected. By comparison, Art. 8(4) covers the right to withdraw consent, and only identifies the rights of access and rectification as additional rights. Art. 28.1 of Bill 64 seems to introduce a new right regarding de-indexation, although it is not named as a right elsewhere. This right seems to be a Canadian interpretation of the right to be forgotten, and the extent of this right would need to be clarified through guidance and legal precedents. The Act does not have the same exclusions as those found under GDPR, which makes the rights more encompassing in scope. |
Determining information for PII principals | A.7.3.2 | 7, 8, 8.1, 8.2, 29 | This control, A.7.3.2, involves determining the legal requirements for when information is to be provided to PII principals. Several information obligations were already found in the Act regarding the source of the information, the purposes and means of collection, the rights of access and rectification, and Bill 64 has added further information obligations regarding the right to withdraw consent, and a number of other obligations that are context-specific, such as where automated decision-making is used. To fulfill the purposes of this control, enterprises will have to review the legal requirements in the Act. |
Providing information to PII principals | A.7.3.3 | 3.2, 8, 8.1, 8.2, 12.1, 29 | Bill 64 proposes that a person carrying on an enterprise must publish policies and practices regarding PII on their website or, if they do not have a website, by any other appropriate means. Bill 64 also proposes that the person carrying on an enterprise needs to provide information on (1) the purposes for which the PII was collected, (2) the means by which it was collected, (3) the concerned person’s lawful right to access and rectify their information, and (4) the person’s right to withdraw their consent to the use and communication of their PII at the moment of collection. Moreover, Bill 64 adds that the information about PII must be communicated clearly and simply. Any person who collects PII through technological means must publish on the enterprise’s website, if applicable, a confidentiality policy drafted in clear and simple language and disseminate it by any appropriate means to reach the persons concerned. The person must do the same for the notice required for any amendment to such a policy. |
Providing mechanism to modify or withdraw consent | A.7.3.4 | 8, 22 | Bill 64 proposes that the person concerned must be informed of their right to withdraw their consent to the communication and use of their PII at the moment that the information is collected. Moreover, Bill 64 proposes that if a person carrying on an enterprise uses PII for commercial prospection purposes, they must identify themselves to the person concerned and inform them about their right to withdraw their consent for their PII being used. |
Providing mechanism to object to PII processing | A.7.3.5 | 8, 12.1, 22 | Bill 64 proposes that any person carrying on an enterprise who uses PII to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, inform the person concerned of their right not to have their PII used to render a decision based on automated processing. The person concerned must also be given the opportunity to submit their observations on the decision to a member of the enterprise’s personnel. |
Access, correction, and/or erasure | A.7.3.6 | 27, 28, 28.1, 29, 30, 32, 33, 34, 35, 36, 78 | Bill 64 proposes that any person who collects PII from the person concerned must communicate to them that they have the right to access and correct their PII at the time of collection. Bill 64 modifies the existing law to propose that a person carrying on an enterprise must provide a copy of the PII they hold to the person if they request that information. Moreover, Bill 64 proposes that the person concerned can require the enterprise to rectify their PII if the information is inaccurate, incomplete, or equivocal, or if collecting, communicating, or keeping the information is not authorized by law. Bill 64 maintains the standard that the person in charge of protecting the PII must respond to an access or rectification request within 30 days. Bill 64 also proposes that a concerned person can require the enterprise to stop disseminating their PII or de-index any hyperlink attached to their name that provides access to the information by technological means, if the dissemination of the information: |
PII controllers’ obligations to inform third parties | A.7.3.7 | 16 | ISO/IEC 27701’s control A.7.3.7 is not addressed in Bill 64. |
Providing copy of PII processed | A.7.3.8 | 27 | Bill 64 proposes that every person carrying on an enterprise must provide a copy of the PII they hold on another person if that person requests it. Bill 64 further proposes that computerized PII must be communicated in the form of a written and intelligible transcript. This is aligned with the requirement in A.7.3.8 of ISO/IEC 27701. Bill 64 further proposes that computerized PII collected from the person concerned must be provided to that person in a standard, commonly used technological format if the person requests their information. |
Handling requests | A.7.3.9 | 27, 29, 30, 32, 33, 34, 35, 36 | Bill 64 does not modify the current state of the law, which is that a person carrying on an enterprise who holds PII on other people must take the necessary steps to ensure that those people can exercise their rights under the Act and under the Civil Code. Control A.7.3.9 of ISO/IEC 27701 requires enterprises to define and document policies for handling requests. |
Automated decision-making | A.7.3.10 | 12.1 | Bill 64 introduces new requirements about automated decision-making: specifically, any person carrying on an enterprise who uses PII to render a decision based exclusively on automated processing must inform the person whose information is concerned that their information will be used for automated decision-making. If the person concerned requests it, the person carrying on an enterprise must also provide: Bill 64 also proposes that the person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision. |
Limit collection | A.7.4.1 | 4, 5, 9.1 | According to control A.7.4.1 of ISO/IEC 27701, enterprises must limit the collection to the minimum that is relevant, proportional, and necessary. Bill 64 maintains the notion present under the existing Act that collection must be limited to what is necessary. Bill 64 introduces a new requirement that any person carrying on an enterprise who collects PII when offering a technological service must set the highest level of confidentiality by default. This indicates that technologies used to collect information will be required to be set to the most privacy-friendly settings without people needing to change the settings. |
Limit processing | A.7.4.2 | 4, 12, 20, 23 | According to control A.7.4.2 of ISO/IEC 27701, enterprises must limit the processing of PII to what is adequate, relevant, and necessary. Bill 64 states that when collecting PII, the person must determine the purposes for collecting the information. The Act states that PII must only be accessible to authorized employees who need it to complete their functions. Bill 64 adds the requirement that when the information is no longer required for the purposes for which it was collected, the information must be destroyed or anonymized. |
Accuracy and quality | A.7.4.3 | 10, 11 | Bill 64 maintains the requirements under the present Act that state that a person carrying on an enterprise must take measures to protect the PII and ensure that it is up to date and accurate. |
PII minimization | A.7.4.4 | 5, 9.1, 23 | Bill 64 adds new requirements to favor PII minimization: Art. 23 of Bill 64 adds the notion that once the purposes for which PII was collected or used are achieved, the person carrying on the enterprise must destroy or anonymize the PII. Art. 9.1 of Bill 64 states that when the collection is done through a technological product or service, the parameters must provide the highest level of confidentiality by default. However, Art. 9.1 does not provide more specific information at the moment, but it introduces the notion of privacy-by-default which may include incorporating data minimizing steps in the technology used. |
PII de-identification and deletion at the end of processing | A.7.4.5 | 23 | Bill 64 adds the requirement that an enterprise must destroy or anonymize PII once the purposes for which that information was collected or used are achieved. |
Temporary files | A.7.4.6 | 23 | Bill 64 does not contain specific requirements regarding temporary files. However, Bill 64 does state that data that is no longer required must be destroyed or anonymized at the end of the processing. |
Retention | A.7.4.7 | 9.1, 11, 23 | According to control A.7.4.7 of ISO/IEC 27701, enterprises must not retain PII for longer than is necessary for the purposes for which the PII is processed. Under Bill 64, PII that has been used to render a decision should be kept for at least one year following the decision. Bill 64 introduces the requirement that PII should be destroyed when it is not useful anymore for the purposes of collection, indicating that PII should not be retained longer than required to fulfill the purpose for which it was collected. |
Disposal | A.7.4.8 | 3.2, 10, 23 | Bill 64 and the Act do not specifically set out policies for the method of disposal of PII. Bill 64 proposes that PII must be deleted or anonymized when no longer necessary. Moreover, the Act states that the person carrying on an enterprise must take security measures to protect PII including during destruction of the information. |
PII transmission controls | A.7.4.9 | 3.2, 10, 18.3, 21.0.2 | The Act requires that a person carrying on an enterprise must take the necessary security measures to protect PII, including when communicating such PII. However, the Act does not contain specific requirements for PII transmission, except that confidentiality should be addressed in agreements. Control A.7.4.9 should be used to interpret the risk-based and proportionality requirements in the Act and constitute useful guidance. |
Identify basis for PII transfers between jurisdictions | A.7.5.1 | 8, 12 | In Quebec, the collection, use, and disclosure of PII relies on consent or on a legislative exception to consent. The term “transfer” can be considered a “use” (e.g., for a service provider) or a “disclosure.” There is no requirement for having a specific lawful basis for international transfers. However, enterprises must ensure that the consent collected allows for such data manipulation or that there is a legislative exemption that is applicable. According to Art. 12, the initial consent will cover a “use for purposes consistent with the purposes for which it was collected” but not a “disclosure,” which are often done to governmental entities or public bodies based on legislative exemption. It should be noted that the consent must fulfill the legislative requirements, including as it relates to being informed. If there are risks associated with the transfer to another jurisdiction, these risks should be disclosed to ensure a valid consent. Art. 8 requires that the person or enterprise collecting consent inform PII principals that the PII would be communicated outside Quebec. |
Countries and international organizations to which PII can be transferred | A.7.5.2 | 17, 17.1 | Bill 64 amends Art. 17 of the Act to add that enterprises are required to complete an assessment of privacy-related factors prior to communicating PII outside Quebec. This obligation seems to include other provinces within Canada. The assessment must consider the sensitivity of the PII, the purposes for which it is to be used, the protection measures that would apply to it, and the legal framework applicable in the state in which the PII would be communicated. Specifically, enterprises are required to assess whether the legal framework of the recipient would provide a degree of protection equivalent to the PII protection in Quebec. This would be a somewhat complex legal assessment which requires legal knowledge and which has been extensively criticized during the governmental review. There is also a great deal of uncertainty about the meaning of “state.” The Minister would be required to publish and maintain a list of states whose legal framework governing PII is equivalent to the PII protection in Quebec. While this introduces concepts on international transfers that are recurrent worldwide and under GDPR, it is unclear how this will be interpreted in the context of the free trade agreement that is to be signed between Mexico, Canada, and the United States, which prevents impeding the free transfer of PII. These requirements apply whenever an enterprise retains the services of another enterprise outside of Canada, such as for hosting purposes. |
Records of transfer of PII | A.7.5.3 | | While there is no specific obligation for records of transfer of PII in the Act, there are other requirements in relation to the assessment of privacy-related factors, such as in the case of international transfers, which act as indirect records. Enterprises must determine the extent of the documentation required based on Art. 3.2 of Bill 64. Enterprises that have implemented a mechanism for documenting the assessment of privacy-related factors may want to create an index of these assessments and the related transfers to organize themselves. Enterprises must use their Statement of Applicability to document what is proportional to them based on their context, including by leveraging legal opinions where relevant. Auditors should not be required to perform legal assessments when auditing enterprises. |
Records of PII disclosure to third parties | A.7.5.4 | 3.2, 10, 18.3, 18.4, 21.0.2 | Bill 64 does not specify that records of PII disclosure to third parties must be kept. However, the Act does indicate that agreements must be signed between the entity disclosing the PII and the entity receiving it in certain circumstances, such as to carry out a mandate or to perform a contract (in that case, the requirements are set out in Art. 18.3 of Bill 64) or when the communication of PII is necessary for concluding a commercial transaction (see Art. 18.4 of Bill 64). These can be used as records. Enterprises must determine if it is necessary and proportional for them to create such records in accordance with Arts. 3.2 and 10 of the Act. If it is not necessary or proportional, this control A.7.5.4 could be excluded with proper justifications in a Statement of Applicability. |
B. Controls for PII processors | | | |
Customer agreement | B.8.2.1 | 17, 18.3 | Under the Act, there is no distinction between PII processors and PII controllers, which means that all entities are always equally accountable and liable. In this context, the practice has developed to allocate roles and responsibilities through agreements, which often include representations and warranties around responsibilities such as obtaining consents. Under the Act, the collection, use, and disclosure of PII by a PII processor on behalf of a PII controller is considered a “use” and not a disclosure. Given the new provisions on international transfers, we expect much more contractual negotiation and limitations on this topic of customer agreement and the assessments of privacy-related factors. The introduction of mandatory breach notification requirements should also change the landscape of contractual negotiations. This control should be interpreted accordingly. Art. 18.3 of Bill 64 states that whenever PII is communicated to another entity for the performance of a contract or for services entrusted to that person, a written agreement must be in place, and it must specify the measures needed to ensure that the PII is used only for carrying out the mandate or performing the contract and to ensure deletion after the completion of the mandate or contract. It is also required to notify the PII controller without delay of any violation or attempted violation concerning the confidentiality of the information communicated. This is a departure from current contractual agreements, which tend to define a security breach as an actual violation but include availability and integrity concerns. Finally, the agreement will also need to provide the PII controller’s person in charge of PII the right to conduct any verifications relating to confidentiality requirements. This would introduce an audit right that seems to be unlimited, but specific to the person in charge of PII and to confidentiality (therefore excluding availability and integrity). However, this contractual obligation would not apply if the recipient is a public body or a member of a professional order, such as a lawyer or doctor. |
Organization’s purposes | B.8.2.2 | 5 | While the Act does not distinguish between PII controller and PII processor, it does require all entities to collect, use, and disclose PII only for the identified purposes, subject to the exceptions noted in the Act. |
Marketing and advertising use | B.8.2.3 | 8, 8.1, 12, 13, 14, 22 | The use of PII for marketing is not specifically covered by the Act. However, Bill 64 states that the person concerned must consent to the use of PII and be informed of the purposes. Bill 64 further states that PII must only be used for the purposes for which it was collected. Bill 64 states that the use of PII using technology that allows profiling, identification, or localization must only be done under specific conditions (see Art. 8.1 of Bill 64). |
Infringing instruction | B.8.2.4 | 4, 5, 18.3 | This control is not addressed in the Act. However, the Act does not distinguish between controllers and processors. Each party that handles PII is responsible for ensuring its compliance. Therefore, an enterprise must not process PII in a way that violates the law, even if they are required to do so by the customer. If that is the case, they will be held accountable. |
Customer obligations | B.8.2.5 | 18.3 | There is no specific obligation to provide PII controllers with information for compliance purposes. However, in practice, through contractual agreements, enterprises must attribute roles and responsibilities. The obligation to collaborate is a standard contractual clause which we expect will take more importance due to new obligations that will require sharing information, such as the assessments of privacy-related factors. In addition, the customer must be provided with a right to audit confidentiality-related measures in accordance with Art. 18.3 of Bill 64. |
Records related to processing PII | B.8.2.6 | 3.2 | There is no legal obligation to maintain a record of processing as under GDPR, but a compliance system must be documented and published. Control B.8.2.6 of ISO/IEC 27701 does not specify which records must be kept. Whether an enterprise has enough records to demonstrate compliance must be determined in accordance with the risk criteria factors of the law, such as the sensitivity of the PII. |
Obligations to PII principals | B.8.3.1 | 16, 27, 28, 28.1, 29, 30, 31, 32, 33, 34, 35, 36 | As there is no distinction between PII processor and PII controller, this control is applied as described under A.7.3.1 of ISO/IEC 27701. In practice, enterprises may allocate roles and responsibilities for the obligations to PII principals through contractual agreements in which the enterprise which is facing the PII principals will be responsible for responding, and the other enterprise for collaborating. |
Temporary files | B.8.4.1 | 3.2, 10, 23 | The Act does not specifically address the disposal of temporary files. However, Bill 64 does state that PII should be destroyed or anonymized when no longer necessary. |
Return, transfer, or disposal of PII | B.8.4.2 | 10, 23 | The Act uses the word “destroy” rather than “securely delete.” It is unknown if the reference is intended to have the meaning set forth in ISO/IEC 27701 or if it is intended to be different from “securely delete.” Anonymization is identified as a disposal method; however, the threshold appears to be relatively high given the wording used. Appropriate methods of anonymization may need to be clarified by the guidance of the authorities. |
PII transmission controls | B.8.4.3 | 3.2, 10, 18.3, 21.0.2 | Please refer to control A.7.4.9 of ISO/IEC 27701. Under the Act, this control applies to all entities in the same manner. |
Basis for PII transfer between jurisdictions | B.8.5.1 | 17, 17.1 | This control is not required under the Act, as there is no equivalent legal requirement to have a basis to transfer PII between jurisdictions. Bill 64 amends Art. 17 to require enterprises to conduct an assessment of privacy-related factors, as set forth under control A.7.5.1 of ISO/IEC 27701. |
Countries and enterprises to which PII can be transferred | B.8.5.2 | 17, 17.1 | Please refer to the legal notes under control A.7.5.2 of ISO/IEC 27701. |
Records of PII disclosure to third parties | B.8.5.3 | N/A | Please refer to the legal notes under control A.7.5.4 of ISO/IEC 27701. |
Notification of PII disclosure requests | B.8.5.4 | 18 | Under the Act, a person carrying on an enterprise may, without the consent of the person concerned, communicate the PII they hold on that person under certain circumstances listed under Art. 18. There is no requirement under the Act nor under Bill 64 to notify any legally binding disclosure requests to the enterprise on behalf of which a processor or service provider processes PII. However, a person carrying on an enterprise must make an entry of every communication made under subparagraphs 6 to 10 of Art. 18.1 of the Act. |
Legally binding PII disclosures | B.8.5.5 | 18 | Under the Act, an enterprise may be legally bound and required to communicate some PII without the consent of the person concerned. These circumstances are found in the Act at Art. 18. Enterprises must assess the extent to which they must document these disclosures and the processes that would be required under Art. 3.2 of Bill 64, taking into consideration their particular situations. For instance, banking institutions, which are often solicited for legal disclosures, would need to have more formalized and robust processes to respond to this control, whereas others may very well address this in an ad hoc manner without significant risks. This should be documented in the Statement of Applicability. |
Disclosure of subcontractor used to process PII | B.8.5.6 | 8, 8.1, 8.2 | This control is not required under the Act; however, an enterprise is accountable for each subcontractor. The obligation to inform PII principals does not include these obligations. The Act uses a different mechanism, requiring the performance of an assessment of the privacy-related factors prior to authorizing an international disclosure. |
Engagement of a subcontractor to process PII | B.8.5.7 | 10, 18.3 | Bill 64 adds Art. 18.3 stating the requirements for contracting. The contract must stipulate the measures required for the confidentiality of the PII to prevent secondary use and must allow for conducting “any” verification. The notification obligations for security incidents would appear to include an “attempted violation.” This obligation would require reviewing all agreements with subcontractors in line with the requirements of Art. 18.3. |
Change of subcontractor to process PII | B.8.5.8 | | This control is not a requirement of the Act. |
Company Profile
Fasken is a leading international law firm with over 750 lawyers and 10 offices on 4 continents. We offer a full range of legal advice on privacy and cybersecurity issues and have been recognized as the "Law Firm of the Year in Privacy and Data Security Law" by the Best Lawyers Guide 2021. We assist businesses of all sizes in implementing privacy management systems in accordance with the requirements of ISO/IEC 27701:2019 through FaskenEdge, a unique technology for compliance, risk, and governance management. Our data governance team is certified against ISO/IEC 27701:2019 Lead Implementer and Certified Data Protection Officer. For more information, please visit our website.