Scope and purpose

The LRSSS establishes a 'governance model based on transparency and on the responsibility and accountability of service providers and bodies in the health and social services sector.' The LRSSS applies to health and social services bodies, institutions, and providers, such as the Department of Health and Social Services, the Health and Welfare Commissioner, and the National Institute of Public Health of Quebec.

More specifically, a service provider under the LRSSS is 'a natural person who offers health services or social services within a health and social services body or who provides such a person with technical or administrative support services.' Whereas an 'institution' refers to an establishment 'governed by the law respecting health services and social services or the law respecting health services and social services for Cree Native persons.'

The LRSSS applies to 'health and social services information' held by a body, even if such body entrusts its keeping to a third person. In terms of the LRSSS' scope, the use and communication of information related to individuals' adoption and the protection of such information remain governed by the Civil Code and other acts concerning adoption.

Further, the LRSSS does not restrict the communication of health or social services information if it is required by the Public Protector or by a legal order, including summons.

Definitions

Importantly, 'health and social services information' is defined as information that identifies, directly or indirectly, an individual and:

• concerns their mental or physical health, including their medical or family history;
• concerns any material taken from them for assessment or treatment, such as biological material, implants, and prostheses;
• concerns health and social services provided to them, including the nature of the services and the results;
• was obtained by a function of the Public Health Act; or
• any other characteristics determined by Government regulation.

Notably a 'confidentiality incident' under the LRSSS refers to 'access to information or any other use or communication of information not authorized by law, the loss of information or any other breach of its protection.'

Rights and protections

The LRSSS grants individuals many rights, including the right to:

• be informed and have access to the information concerning themselves held by a body, unless this could cause the individual serious harm;
• refuse access to their health and social services information to specific persons or categories of persons, including spouses, close relatives, and researchers; and
• request the rectification of information the individual believes to be inaccurate, incomplete, or kept in contravention of the law.

Notably, a person's right to receive health services and social services may not be compromised by refusing to consent to the use or communication of information concerning them, or by the person's will to restrict or refuse access to it.

Minors

Minors under 14 years of age do not have the right to be informed or the right of access, unless through their lawyer in a judicial proceeding. Those with parental authority or tutors have the right to be informed, the right to access, and the right to rectify information concerning the minor, unless a youth protection director determines that the same would harm the minor's health or safety.

Representatives of individuals

The LRSSS grants the right to be informed, access, and rectify information related to someone incapable of doing so themselves or to a deceased person. In the case of a deceased person, the heirs and spouses may exercise these rights in some situations.

Service providers

Professional service providers also have the right to be informed and access information if the service provider is required to provide health or social services to an individual or for teaching, training, and reflective purposes. If they are not professionals, service providers may still be informed or have access to information in accordance with regulations, if the service provider needs the information to provide:

• health services or social services; or
• technical or administrative support services to another service provider.

Service providers can be restricted access, but this does not apply when such restriction could endanger the person's life and it is not possible to obtain their consent.

Researchers

Certain researchers may be informed or access information to carry out a research project unless the person concerned has refused access to their data. Requests must be submitted in writing to 'the person exercising the highest authority' and include details on the research project, such as objectives, the information necessary to achieve the objectives, the intent to pair information, and a Privacy Impact Assessment (PIA), among others. Requests may be approved where the following criteria are met:

• consent of the person (to whom the information concerns) is not required;
• the research project objectives outweigh the impact of communicating the privacy information to the person(s) concerned;
• there are suitable security measures in place; and
• the PIA confirms there is adequate protection.

Obligations and requirements of bodies

Bodies covered by the scope of the LRSSS must only collect information necessary to achieve their mission or purposes, carry out their functions, or implement a program under its management.

Information must only be used for the purposes for which it was collected unless the other purposes are consistent with the original purposes, further use is for the benefit of the individual concerned, or if further use is necessary for the application of another law in Quebec.

Information provision

At the point of collection and in case information is requested, bodies must inform individuals, in clear and simple language:

• the name of the body collecting the information or on whose behalf it is being collected;
• the purposes for collection;
• the means by which the information is collected;
• the possibility of restricting or refusing access to the information and the terms to express these possibilities;
• the period for which the information will be kept; and
• the use of technology allowing individuals to be identified, located, or profiled and the means to activate such functions of this technology, if applicable.

Bodies are exempt from providing individuals with this information if it has already been provided.

The LRSSS stipulates that bodies holding files on individuals' adoption with information that would allow parents of origin or adopted persons to be located are not required to inform the individuals concerned of the intended use of such information.

If bodies use information to make decisions based solely on automated processing, they must inform the individuals concerned regarding:

• the information used to render the decision;
• the reasons and main factors that led to the decision; and
• the right to have the information used to rectify the decision.

All information must be free of charge and provided in a 'structured, commonly used technological format.'

Responding to access requests

Requests for access or rectification must be submitted in writing. Individuals must prove their identity and if the request is insufficient, the person in charge must assist the person in identifying the information sought. Those in charge must respond to requests promptly and no later than 30 days after a request is received.

If a request is granted, the person in charge of information within the body or a professional should assist the individual in understanding the information given. If a request is refused, the person in charge must provide the individual with reasons for such refusal in writing.

Other communications

Bodies may communicate information in other specified circumstances, including when:

• expressly provided for by law;
• necessary for public safety or for the prosecution of an offense;
• required to carry out a mandate or for the performance of a contract; and
• authorized by the 'delegated manager of government digital data.'

Notably, bodies must conduct a PIA before communicating any information outside Quebec.

Retention

Bodies must not keep information beyond the periods necessary to achieve the stated purposes. The LRSSS stipulates that when the period for data retention ends, bodies must destroy or anonymize the data. 

Furthermore, Government regulation may determine a minimum retention period, which will vary depending on the category of information and body or bodies concerned.

Service providers may keep information requested from bodies if it is necessary for health or social services offered and for compliance with their professional obligations.

Consent

Information is subject to the express consent of the individual concerned and must be 'clear, free, and informed, and be given for specific purposes.' Consent must also be sought for each purpose in clear and simple language and is only valid for the period necessary to achieve the purposes for which it was requested. The LRSSS explains that consent for minors under the age of 14 years must be given by those with parental authority or by tutors. Minors who are 14 years of age and above may give their own consent, unless the law requires consent to be obtained by those with parental authority.

The LRSSS also stipulates that people who may give consent to care for another individual also have the right to be informed and the right to access information concerning such individuals.

Information security and governance

All information held by bodies is confidential. Bodies are responsible for protecting the information they hold and must implement appropriate security measures. A body must also ensure that 'the information it holds is up to date, accurate, and complete so that it serves the purposes for which it was collected or is used.'

A body may enter into an agreement with another body in which case the obligations under the LRSSS will be assumed by the other body. A copy of the agreement must be sent to the Minister of health and social services (the Minister) and the CAI.

The person with the highest authority in a body is responsible for ensuring compliance with the LRSSS. Their title and contact details must be sent to the Minister and the CAI and published on the body's website or made available to the public by other means.

Logging

Bodies must log all access to information and other uses by its staff, including communications of such information. Bodies must send a report of this information to the Minister each year, who will then send a summary of the reports to the CAI.

Governance policy

Bodies must adopt a governance policy for the information they hold which includes specifying:

• the roles and responsibilities of the body's staff, including students and trainees, regarding information protection;
• the categories of persons who may use the information in the exercise of their functions;
• the logging mechanisms and the security measures for ensuring the protection of the information that the body has implemented;
• a procedure for processing confidentiality incidents and complaints; and
• a description of the training and awareness activities offered by the body to its staff regarding the protection of the information.

The policy must be communicated to the body's staff and published on its website.

PIAs

Bodies must conduct PIAs 'for any project to acquire, develop, or overhaul technological products or services or an electronic service delivery system where the project involves the collection, keeping, use, communication, or destruction of information held by the body.' This must be proportionate to the sensitivity of the information collected.

Confidentiality incidents

Bodies must take reasonable measures to reduce the risk of injury and to prevent new incidents if they believe a confidentiality incident occurs concerning the information they hold. If the incident presents a risk of serious injury, they must notify the Minister and the CAI. Bodies may also notify 'any person or group that could reduce the risk and send the person or group, without the consent of the person concerned, any information necessary for that purpose.'

The LRSSS states that to evaluate the risk of damage to people whose information is involved in a confidentiality incident, bodies must consider the sensitivity of the information involved, the possible consequences of use, and the likelihood of information being used to cause damage.

Bodies must keep records of confidentiality incidents which must be sent to the CAI upon request.

Information governance

The Minister

The Minister may establish the governance rules that the bodies must adhere to by regulation. They must also publish a report on their website each year on the requests submitted by researchers, stating the number of requests accepted or refused and the processing time for such requests.

The Minister may introduce regulations to determine circumstances when only certified technological products or services may be used by a body and the criteria for such certification. A list of the certified products and services must be published on the Minister's website.

Network information officer

The Minister designates the network information officer whose tasks include defining special rules for bodies' management of information, covering areas such as information security management and the protection and confidentiality of information. The network information officer ensures compliance with these rules and may require bodies to file information necessary to verify compliance.

Enforcement

The CAI is responsible for overseeing the implementation of the LRSSS and, more generally, for ensuring respect for the protection of information.

Inspectors

The CAI may authorize inspectors to verify compliance with the LRSSS. The functions of the inspectors include visiting a body's premises, accessing a body's equipment, devices, and systems, and requiring bodies to provide information related to compliance. Inspectors must identify themselves and provide certification when requested. Notably, judicial proceedings cannot be brought upon inspectors in their capacity to carry out duties under the LRSSS.  

Investigations

The CAI may designate people to conduct penal investigations relating to the application of the LRSSS. Similar to the inspectors, no judicial proceedings may be brought against this person in their capacity to exercise functions under the LRSSS.

The CAI may conduct administrative investigations on its own initiative or following a complaint, which may be filed anonymously. Disciplinary measures against individuals who file complaints are forbidden.

During investigations or confidentiality incidents, the CAI may order any person or group to take necessary measures to protect the rights of individuals under the LRSSS.

CAI decisions

The CAI will issue its decisions in writing to the parties, giving the reasons for the decision, and may make any order it feels appropriate. The CAI must render its decision within three months unless extended by the chair.

Decisions that prescribe a course of action are enforceable within 30 days of it being received by the parties, whereas decisions ordering a party from refraining from taking actions are enforceable from the delivery date to the party concerned. However, a decision of the Commission on a question of fact within its competence cannot be appealed.

Individuals can apply to the CAI to review decisions made by people in charge of the protection of information, including reviewing rejected requests for access or rectification. The LRSSS further details the processes of the application and information. Notably, the CAI may authorize a body to disregard requests that are abusive because of their repetitive nature.

Penalties

The following actions violate the LRSSS and are subject to fines of between CAD 1,000 (approx. $725) and CAD 10,000 (approx. $7,265) in the case of a natural person, and between CAD 3,000 (approx. $2,180) and CAD 30,000 (approx. $21,805) in other cases:

• keeping or destroying information in contravention of the LRSSS;
• refusing to communicate necessary information or impeding such communication, such as by destroying, modifying, or concealing the information;
• hindering a person in charge of the protection of information in the performance of their duties;
• failing to report confidentiality incidents to the Minister or CAI; and
• failing to comply with authorization or agreement conditions, other than the condition relating to the use of information.

The following actions violate the LRSSS and are subject to fines of between CAD 5,000 (approx. $3,635) and CAD 100,000 (approx. $72,680) in the case of a natural person, and between CAD 15,000 (approx. $10,900) and CAD 150,000 (approx. $109,020) in other cases:

• communicating information that must not be communicated according to the LRSSS;
• collecting, assessing, or using information in contravention of the LRSSS;
• selling or alienating information held by a body, unless the information concerns themselves;
• identifying or attempting to identify natural persons using de-identified data without authorization;
• failing to comply with authorization or agreement conditions relating to the use of information;
• contravening the conditions on the use of certified technological products or services;
• holding information without complying with obligations stated under the LRSSS;
• impeding the progress of or providing false or inaccurate information in investigations or inspections; and
• failing to comply with an order of the CAI.

The LRSSS stipulates that the minimum and maximum fines are doubled for second offenses and tripled for subsequent offenses. Fines may also be doubled for offenses committed by directors or officers of a legal person. Additionally, offenses that continue for more than one day are counted as separate offenses for each day the offense continues.

Isabelle Strong Editor
[email protected]