At the Transportation Cybersecurity and Functional Safety Forum, one of the panels was entitled “Data protection for collaborative innovation in mobility.” A key topic of discussion was whether there was a law (or laws) governing this area. The answer is ‘Yes’.
Whether one thinks of information showing the times of use of a bicycle or a car; the route taken from point A to B in the morning and vice versa in the evening; or even information that allows one to locate individuals and inform them about the closest bus or metro lines, all this information is personal.
Information collected by fobs (for those who still have a BIXI fob, for example), mobile apps or RFID tags, like those used in bike or car-sharing services, is linked to individuals and makes it possible to identify them, directly or indirectly. Such devices are often associated with a surname, first name, date of birth, mailing and e-mail addresses, as well as a credit card number.
In Quebec, if a public body—such as a city—or a business wants to collect such information to develop an urban plan or enhance a service offering, it must take into account the laws governing the protection of personal information.
The focus here will be on the Act respecting access to documents held by public bodies and the protection of personal information (public sector) and the Act respecting the protection of personal information in the private sector. Even though, at the time of writing, Bill 64, which aims to modernize these laws, is still under consideration, it is nonetheless possible to identify a few key elements to guide those who collect, use/analyze, distribute and retain such information.
Before collecting personal information or acquiring, developing or redesigning an information system or digital services operation, public bodies and businesses must:
- have a serious and legitimate interest;
- identify the purpose for which they intend to collect personal information;
- collect only the information necessary to fulfil this purpose;
- identify the factors/risks that may impact the privacy of the individuals affected and put in place measures to eliminate or at least minimize them;
- inform individuals of, among other things, the purpose for which their personal information is collected; how it is collected; the third parties for whom it is collected or to whom it will be disclosed; the fact that it may be sent outside the province; the length of time it will be retained; their right to access and potentially correct the information; and the name of the person in charge of protecting this personal information;
- inform individuals that they are using technology that can identify them, locate them or create a profile of them, and, in turn, provide the means to activate these functions;
- obtain the consent of individuals: consent must be clear, free and informed; it must be given for specific purposes and only for as long as necessary to achieve those purposes.
- In some cases, such as when biometric characteristics are to be collected, consent must be expressly given, and the Commission d’accès à l’information (CAI) must be informed at least 60 days before the start of any process to capture such characteristics in order to verify or confirm a person’s identity (reference is made here to the Act to establish a legal framework for information technology as amended by Bill 64).
In addition, public bodies and businesses must:
- establish and implement policies and practices to guide their governance of personal information and to ensure its protection;
- adopt security measures to ensure the protection of personal information.
- In the event of unauthorized access, use, disclosure or any loss of personal information, public bodies and businesses must report the privacy incident to the CAI and the individual affected. This declaration must be made with diligence and with due regard to the fact that there is a risk of serious harm to the person whose information was involved in the incident;
- enter into an agreement if they intend to disclose personal information without individuals’ consent to a third party who intends to use it for study, research or statistical purposes;
- destroy or anonymize personal information once the purposes for which it was collected or used have been fulfilled.
As mentioned in the introduction, there are indeed laws governing the processing of location data. These laws are under review and provide for new obligations for public bodies and businesses.
Even if these obligations are not yet in force, it is advisable to consider them in order to anticipate the issues that could arise with regard to the collection, use, distribution and retention of personal information, especially since the future penalties for non-compliance will be higher than at present.
If you have any questions about this topic, please feel free to contact us.