Skip to main content

The New and the Familiar: Changes to Health Information - Part 2

Reading Time 5 minute read


Privacy & Cybersecurity Law Bulletin

As we discussed in our previous bulletin, the purpose of Bill 3, An Act respecting health and social services information and amending various legislative provisions (“Bill 3”)[1] is to establish a legal framework specific to health and social services information in order to facilitate a safer and more seamless flow of such information, all in the same legislation.

The previous bulletin presented the rules of governance within each organization covered by Bill 3, whereas this bulletin is more specifically aimed at the use of health information, namely what individuals can do with their own health information and how researchers can use it.

1. Specific Rights for Individuals

1.1. Consent, or a First Attempt to Align With Bill 25

The concept of consent in Bill 3 is virtually identical to the one in Bill 25,[2] for example[3]:

  • any consent to the use or communication of information held by a body must be clear, free and informed and be given for specific purposes, even if under Bill 3 it is limited to use or communication;
  • consent must be requested for a specific purpose, and in clear and simple language;
  • the duration of the consent is the same: it is valid only “for the time necessary to achieve the purposes for which it was requested”;
  • the person concerned may obtain assistance in understanding the scope of the consent requested.

However, there are some particularities:

  • as concerns research, consent may cover research themes, categories of research activities, or categories of researchers;
  • under Bill 25, the consent of a minor 14 years of age or over is given by the minor, by the person having parental authority, or by the tutor, whereas Bill 3 provides that such consent is given by the minor alone, unless the law provides for consent by the person having parental authority.

1.2. Right to Restrict Access

The person concerned may expressly request[4] that access to their health information be restricted in two situations:

  • if the person indicates that a particular service provider or a service provider belonging to a category of service providers is not entitled to have access to one or more pieces of information determined by the person, unless it could endanger the life or integrity of the person concerned[5];
  • to the person’s spouse, direct ascendant or direct descendant, in the case of information related to the cause of the person’s death, or a researcher, if the access sought is for the purpose of soliciting the person’s participation in a research project, or if the researcher is unaffiliated[6].

1.3. Right to Information

Before any health information is collected, and on request, the person concerned must be informed in clear and simple language[7] of:

  • the name of the body collecting the information or on whose behalf it is collected;
  • the purposes for which the information is collected;
  • the means by which the information is collected;
  • the person’s right to have access to the information or to have it rectified;
  • the possibility of restricting or refusing access to the information;
  • the period of time the information will be kept.

Unlike Bill 25, this section is not drafted in two parts. In other words, it does not distinguish between the information that must be disclosed at the time of collection and the information that can be disclosed on request. Under Bill 3, all this information must be given at the same time.

If the body uses a technology that includes functions allowing the person to be identified, located, or profiled[8], the same obligations set out in Bill 25 apply, which means that the person must be informed (i) of the use of such technology; and (ii) of the means available to activate those functions.

Note that information may not be retained beyond the time necessary to achieve the purposes for which it was collected or used[9].

Finally, as is the case in Bill 25, Bill 3 sets out the circumstances in which the person concerned may request access to and rectification of personal information[10].

2. Special Rules for Research

Researchers using health information will no longer have to comply with the obligations tunder privacy laws, but will instead have to comply with the obligations provided under Bill 3.

Bill 3 distinguishes between an affiliated researcher (a researcher attached to a body referred to in Schedule I, to a public institution or to a private institution under agreement that operates a hospital centre[11] and other researchers[12] regarding access to health information for a research project.

If the researcher is “attached” as provided above, the researcher must submit a written request for authorization to the person exercising the highest authority, and enclose the following documents:

  • a detailed presentation of the activities related to the research project;
  • a report containing a privacy impact assessment;
  • the documented decision of a research ethics committee.

This is where the requirement to implement a privacy impact assessment for research projects appears, regardless of whether the information is transferred outside of Quebec.

The person exercising the highest authority shall then consult each of the bodies that hold information covered by the request, which then have 10 days to submit observations[13].

If all opinions are favourable, the authorization will be made official by a written agreement between the researcher and the body to which the researcher is attached[14].

Other researchers will have to submit a written request to a research access centre[15], i.e., a body referred to in the Act respecting the governance and management of the information resources of public bodies and government enterprises[16], which will have been designated as such by the government, on the recommendation of the Minister[17].

If you have questions, Fasken can provide you with information or advice, such as by helping you apply the right law in the right circumstances and finding practical solutions for complying with the new obligations created by Bill 3.

[2] Bill 25, An Act to modernize legislative provisions as regards the protection of personal information, assented to on September 22, 2021. For more information, you can visit Fasken’s Resource Center.

[3]  (Bill 3, s 6)

[4]  (Bill 3, s 9)

[5]  (Bill 3, s 7)

[6]  (Bill 3, s 8)

[7]  (Bill 3, s 14)

[8]  (Bill 3, s 15)

[9]  (Bill 3, s 16)

[10] (Bill 19[3], ss 17–22 and ss 31–35)

[11] (Bill 3, ss 39–47) 

[12] (Bill 3, ss 48–54)

[13] (Bill 3, s 41)

[14] (Bill 3, s 43)

[15] (Bill 3, ss 48–54)

Contact the Author

For more information or to discuss a particular matter please contact us.

Contact the Author



    Receive email updates from our team