Analysing location data can help service providers assess whether to boost services in one part of a city versus another, at a particular time of day or in preparation for an upcoming festival, for instance. However, the data used for these analyses is linked to individuals and makes it possible to identify them. City planners and business managers working to improve our ever-changing environment must incorporate the rules for privacy protection into their activities. But what are these rules?
At the Transportation Cybersecurity and Functional Safety Forum, one of the panels was entitled “Data protection for collaborative innovation in mobility.” A key topic of discussion was whether there was a law (or laws) governing this area. The answer is ‘Yes’.
Whether one thinks of information showing the times of use of a bicycle or a car; the route taken from point A to B in the morning and vice versa in the evening; or even information that allows one to locate individuals and inform them about the closest bus or metro lines, all this information is personal.
Information collected by fobs (for those who still have a BIXI fob, for example), mobile apps or RFID tags, like those used in bike or car-sharing services, is linked to individuals and makes it possible to identify them, directly or indirectly. Such devices are often associated with a surname, first name, date of birth, mailing and e-mail addresses, as well as a credit card number.
In Quebec, if a public body—such as a city—or a business wants to collect such information to develop an urban plan or enhance a service offering, it must take into account the laws governing the protection of personal information.
The focus here will be on the Act respecting access to documents held by public bodies and the protection of personal information (public sector) and the Act respecting the protection of personal information in the private sector. Even though, at the time of writing, Bill 64, which aims to modernize these laws, is still under consideration, it is nonetheless possible to identify a few key elements to guide those who collect, use/analyze, distribute and retain such information.
Before collecting personal information or acquiring, developing or redesigning an information system or digital services operation, public bodies and businesses must:
- have a serious and legitimate interest;
- identify the purpose for which they intend to collect personal information;
- collect only the information necessary to fulfil this purpose;
- identify the factors/risks that may impact the privacy of the individuals affected and put in place measures to eliminate or at least minimize them;
- inform individuals of, among other things, the purpose for which their personal information is collected; how it is collected; the third parties for whom it is collected or to whom it will be disclosed; the fact that it may be sent outside the province; the length of time it will be retained; their right to access and potentially correct the information; and the name of the person in charge of protecting this personal information;
- inform individuals that they are using technology that can identify them, locate them or create a profile of them, and, in turn, provide the means to activate these functions;
- obtain the consent of individuals: consent must be clear, free and informed; it must be given for specific purposes and only for as long as necessary to achieve those purposes.
- In some cases, such as when biometric characteristics are to be collected, consent must be expressly given, and the Commission d’accès à l’information (CAI) must be informed at least 60 days before the start of any process to capture such characteristics in order to verify or confirm a person’s identity (reference is made here to the Act to establish a legal framework for information technology as amended by Bill 64).
In addition, public bodies and businesses must:
- establish and implement policies and practices to guide their governance of personal information and to ensure its protection;
- adopt security measures to ensure the protection of personal information.
- In the event of unauthorized access, use, disclosure or any loss of personal information, public bodies and businesses must report the privacy incident to the CAI and the individual affected. This declaration must be made with diligence and with due regard to the fact that there is a risk of serious harm to the person whose information was involved in the incident;
- enter into an agreement if they intend to disclose personal information without individuals’ consent to a third party who intends to use it for study, research or statistical purposes;
- destroy or anonymize personal information once the purposes for which it was collected or used have been fulfilled.
As mentioned in the introduction, there are indeed laws governing the processing of location data. These laws are under review and provide for new obligations for public bodies and businesses.
Even if these obligations are not yet in force, it is advisable to consider them in order to anticipate the issues that could arise with regard to the collection, use, distribution and retention of personal information, especially since the future penalties for non-compliance will be higher than at present.
If you have any questions about this topic, please feel free to contact us.
Poursuivre la lecture sur le sujet
The Quebec economy—and more broadly the world economy—faces multiple challenges: the climate crisis, supply chain problems, labour shortages, inflation, etc. Quebec has an abundant supply of resources, know-how, and expertise; however, the next points on its agenda should include structuring, developing, and planning industrial activities.Read more
Fleet managers are currently facing the colossal challenge of the energy transition, in order to meet legislative requirements and societal demands. For most carriers, both in the passenger transport sector and in the last mile delivery sector, this green shift has already begun.Read more
Ambition EST 2030 : a roadmap for propelling Quebec to the forefront of the electric and smart transportation industry by 2030
Propulsion Québec, the cluster for electric and smart transportation, is announcing Ambition EST 2030, a roadmap for the electric and smart transportation (EST) industry developed in partnership with Deloitte.Read more
The U.S. Department of Energy recently released a report containing a vehicle cost analysis for zero-emission medium and heavy-duty trucks.Read more
Innovation is part of our Alstom in Motion 2025 strategy. It has brought us to where we are today, and we want to go even further. With the new scale and combined expertise, Alstom has doubled its innovation capacity and we will support this growth by doubling the financial investments in R&D, up to 600 million euros (875 million Canadian dollars) per year by 2024.Read more
The story of smart, autonomous transportation began nearly half a century ago. In the early 1980s, avionics systems started to replace more traditional mechanical and hydraulic systems through calculators and embedded software.Read more
To this day, it is not uncommon to see a good number of companies relying on assumptions, sometimes non-global and inaccurate information reports in order to manage their vehicle fleet.Read more
In our ever-changing connected world, digital transformation is affecting every aspect of our lives. The automotive industry is no exception to this evolution: our cars are becoming our best co-pilots, allowing us to plan our trips with real-time data or read and respond to text messages using voice command.Read more
Over the past 10 years, the use of connected systems in transportation and mobility has exploded.Read more