Canada | Publication | June 2024
Since the adoption in September 2021 of the Act to modernize legislative provisions as regards the protection of personal information (Law 25), several new concepts and mechanisms have been introduced to the Quebec legislation.
These new concepts include anonymization, i.e. modifying personal information in such a way that it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.
Anonymization is also one of the mechanisms put in place to comply with the law. In fact, once the purposes for which personal information was collected have been fulfilled, businesses and public bodies are required to stop keeping it, either by destroying it or by anonymizing it if they wish to use it for other purposes:
Anonymization must be carried out in accordance with generally recognized best practices and the criteria and procedures determined by regulation.
In this regard, the Regulation respecting the anonymization of personal information (Regulation), in force since May 30, 2024, provides a framework for the anonymization process, given its complexity, and guarantees that the person concerned cannot be re-identified by any technological means.
According to the Regulation, the anonymization process is divided into three phases: the preparatory stage prior to the anonymization process, the implementation of the process and its aftermath.
Preliminary steps
Before beginning a process of anonymization, the business or public body (body) must establish the purposes for which it intends to use the anonymized information, and ensure those purposes are consistent with the criterion of serious and legitimate purposes (for businesses) or public interest (for public bodies). If the purposes identified do not meet this criterion, the body will be required to destroy the personal information rather than retain it for anonymization. The body must also ensure the anonymization process is carried out under the supervision of a person qualified in the field (e.g. its Privacy Officer). The Regulation also specifies that if a new use is found for anonymized information, an analysis must be conducted to confirm that the new use meets the purpose criterion.
Implementation
At the start of the process of anonymization, all personal information that directly identifies the data subject must be removed from the information to be anonymized. The body must then carry out a preliminary analysis of the risks of re-identification, considering the following criteria in particular:
Depending on the re-identification risks identified, the body must identify and implement the anonymization techniques to be used to address these risks, which must be consistent with generally accepted best practices. The body must also establish protection and security measures to reduce re-identification risks.
After implementing the anonymization techniques and the protection and security measures, the body must analyze the re-identification risks. The results of this analysis must show that the residual risk of re-identification is very low, although it is not necessary to demonstrate that zero risk exists.
Aftermath
Once the information has been anonymized, the body must periodically assess the anonymized information to ensure it remains anonymized, by updating its re-identification risk analysis. It must also record certain information, including a description of the personal information that has been anonymized, in a register.
Anonymized information is no longer considered personal information within the meaning of applicable laws, and can therefore be more easily processed.
Bodies may, however, prefer to destroy personal information because of the simplicity of this process and the risks associated with anonymization. On the subject of risks, the Commission d'accès à l'information (CAI) (Quebec’s privacy regulator) has already mentioned:
This position may evolve over time, given the current Regulation.
In all cases, however, it remains important for enterprises and public bodies to establish a framework for retaining or destroying the personal information they hold. In particular, implementing a document management procedure should be considered.
Compliance with the Regulation is all the more important given CAI's ability to impose administrative monetary penalties on bodies that attempt to identify an individual using anonymized information. To find out more about the sanctions process and how to avoid them, please consult our recent update here.
The Regulation thus adds an additional element to the framework applicable to handling personal information, which will have to be considered when a body wishes to resort to anonymization.
The authors would like to thank Marilou Bouthiette, articling student, for her contribution to preparing this legal update.
© Norton Rose Fulbright LLP 2023