Skip to main content
This website uses cookies. By continuing to use this website you are agreeing to our use of cookies as described in our privacy policy.
Bulletin | Article

Bill 64: What Are the Key Takeaways for Public Bodies regarding the Proposed Amendments to the Act respecting Access?

Fasken
Reading Time 8 minute read
Subscribe

Bulletin #12 | Special Series - Bill 64 & Act to modernize legislative provisions as regards the protection of personal information

Adopted in 1982, the Act respecting Access to documents held by public bodies and the Protection of personal information (the "Act respecting Access") applies to documents (text, graphics, audio or video, electronic or otherwise) held by a Quebec public body in the exercise of its duties, whether safeguarded by the public body itself or a third party.[1] Although many amendments have since been made to the Act respecting Access, Bill 64[2] ("Bill 64") aims to modernize the provisions of the Act respecting Access by enhancing the framework concerning the protection of personal information and by adding new provisions specifically regarding the processing of access to information requests by public bodies.

In addition to the Government's designation of a personal information manager,[3] new confidentiality incident reporting obligations, new rules regarding consent, new obligations on the use and disclosure of research data and on exporting personal information outside of Quebec as well as many other topics that have been or will be separately covered in Bulletins prepared by our team, the Act respecting Access could be reformed with respect to, among other things, enhancing the accountability principle, drafting and publishing governance rules online, processing abusive access to information requests and amending the procedure and powers of the judicial branch of the Commission d'accès à l'information du Québec (the "Commission"). For an overview, please also consult our working paper which sets out in tracked changes all of the proposed amendments of Bill 64 to the current Act respecting Access (in French only).

Accountability Principle

Firstly, Bill 64 proposes an amendment to the accountability of the person exercising the "highest authority"[4] in each public body. This person will exercise the function of person in charge of access to documents as well as the person in charge of the protection of personal information.[5] Section 8 of the Act respecting Access, if amended as proposed under Bill 64, provides that this person, even if the latter will still be able to delegate the functions in writing to another person, must thereafter see to it that this "exercise is facilitated"[6] even if that person "does not exercise those functions himself."[7]

Accordingly, if Bill 64 is subsequently adopted as tabled in June, it will afford a higher degree of visibility to the respective roles of the person in charge of the access to documents and the person responsible for protecting personal information in a public body. Bill 64 stipulates that the Commission must be notified as soon as possible regarding the contact information and start date of such persons.[8]

Moreover, the highest authority within a public body will now be supported by a "committee on access to information and the protection of personal information," which will report directly to that person. This committee will be composed of the person in charge of access to documents and the person in charge of protecting personal information and "any other person whose expertise is required."[9] The Act specifically provides for the possibility of including the persons responsible for, respectively, information security and document management. Some of the functions delegated to this committee are discussed further below.

Governance Rules and Assessing Privacy-related Factors

Bill 64 also proposes adding certain provisions that will likely have a significant impact on how public bodies manage personal information in their possession.

Firstly, under Bill 64, all public bodies will have to draft and publish their governance rules regarding personal information on their website, which may be in the form of a policy, directive or guide and must be approved by its committee on access to information and the protection of personal information and must, in particular, define[10]:

  • the roles and responsibilities of the members of its personnel throughout the life cycle of such information;
  • a procedure for processing complaints regarding the protection of personal information;
  • a description of the training and awareness activities offered by the public body to its personnel regarding the protection of personal information; and
  • the protective measures to be taken in respect of the personal information collected or used as part of a survey, including an assessment of the necessity of conducting the survey and the ethical aspect of the survey, taking into account, in particular, the  sensitivity of the personal information and the purposes for which it is to be used.

Secondly, any public body that "collects personal information through technological means" must also draft and publish on its website a confidentiality policy "drafted in clear and simple language" and then "disseminate it by any appropriate means to reach the persons concerned."[11]

Thirdly, public bodies that intend to undertake any "information system project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information" must first conduct an "assessment of the privacy-related factors" ("APRF") of that project.[12] Accordingly, the Commission recently published a draft version of the supporting guidelines for assessing privacy-related factors (in French only) .

The committee on access to information and the protection of personal information in public bodies will also have a say in how such projects are carried out. And for the purposes of APRF, a public body will have to consult its committee from the outset of the project. This committee will, at any stage of such a project, be able to propose personal information protection measures to apply to the project, such as:

  • the appointment of a person to be responsible for implementing the personal information protection measures;
  • the measures to protect personal information in any document relating to the project, such as specifications or a contract;
  • a description of the project participants' responsibilities with regard to protecting personal information; and
  • training activities for project participants on the protection of personal information.[13]

Note that such an APRF must also be carried out by public bodies prior to collecting and disclosing certain personal information without the consent of the affected persons.[14]

Access requests that are abusive, vexatious, frivolous or made in bad faith

Over the past few years, there is a growing volume of case law addressing the issue of access requests which, in the public body's view, seem to be abusive, repetitive, vexatious and/or frivolous.[15] However, the Commission has lacked the necessary tools to handle such requests.

As such, Bill 64 provides some new provisions regarding the processing of such access requests:

  • A new provision providing that a request for authorization to disregard applications that are clearly abusive must be made within no more than 10 days upon receiving the requester's last access request.[16]
  • When the Commission decides to refuse or cease to examine a matter involving an access request that is frivolous or made in bad faith, it now has two new powers. It may prohibit a person from making another request without the authorization of the Chair of the Commission or subject to the conditions determined thereby. It may also prohibit a person from presenting a pleading in an ongoing proceeding.[17]

Changes to Procedure and Powers of Commission's Judicial Branch

The judicial branch of the Commission, which is primarily responsible for access to information requests to public bodies, will be granted new rules of procedure and new powers.

One of the key proposals of Bill 64 in this respect, namely the addition of an element of proportionality with regard to actions taken by parties and even the Commission itself, also aims to improve the efficiency of the administration of the Act respecting Access.[18]

134.4. The parties to a proceeding must ensure that their actions, their pleadings and the means of proof they use are proportionate, in terms of the cost and time involved, to the nature and complexity of the matter and the purpose of the application.

The Commission must do likewise in managing each proceeding it is assigned. I must ensure that the measure and acts it orders or authorizes are in keeping with that principle of proportionality, which having regard to the proper administration of justice.[19]

The proposals also aim to modernize the Act respecting Access by implementing procedural rules and conducting proceedings using information technology.

As such, for example, the duty to notify a third party who provided personal information that is the subject of a pending access request must now be done by "sending a written notice" rather than by "mail."[20]

Another noteworthy proposal involves adding greater flexibility with regard to using information technology during the course of a proceeding:

137.4. The Commission may, at any stage of the proceeding, use technological means that are available to both the parties and itself. I may, even on its own initiative, order that such means be used by the parties. If the Commission considers it necessary, it may also, despite an agreement between the parties, require a person to appear in person at a hearing, conference or examination.[21]

 

BILL 64 RESOURCE CENTER Visit our Bill 64 Resource Center for all the information you need to help you to cope with the changes that might be made to the legislation.

FASKEN INSTITUTE - Register now to our training that will shed light on the main changes and impacts to be expected in the management of your businesses.

DISTRIBUTION LIST If you do not want to miss our next bulletins and any other relevant information on this subject, sign up now on our distribution list to receive all communications related to this new Bill. 

 


[1]       Act respecting Access, sec. 1.

[2]       Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, First Session, 42nd Legislature, Quebec, June 12, 2020, (Introduction) ("Bill 64").

[3]       Bill 64, sec. 27; One of the upcoming Bulletins in our special series on Bill 64 will focus entirely on this new requirement.

[4]       Act respecting Access, sec. 8.

[5]       Bill 64, sec. 1.

[6]       Ibid.

[7]       Ibid.

[8]       Ibid.

[9]       Ibid.

[10]     Bill 64, sec. 14.

[11]     Ibid.

[12]     Ibid.

[13]     Ibid.

[14]     See, inter alia, Bill 64, sections 15, 23, 25 and 27.

[15]     See, inter alia, Ville de Ste-Adèle v. M.L., 2017 QCCAI 27, a decision addressed in a previous Bulletin by Antoine Aylwin, "Ville de Ste-Adèle: an Obviously Improper Request for Access to Information," April 10, 2017.

[16]     Bill 64, sec. 52.

[17]     Bill 64, sec. 53.

[18]     Bill 64, sec. 49.

[19]     Ibid.

[20]     Bill 64, sec. 51.

[21]     Bill 64, sec. 54.

    Subscribe

    Receive email updates from our team

    Subscribe