What framework for mobility data?

Published on July 21, 2021, by Cynthia Chassigneux, Lawyer, partner / Langlois Lawyers

Analyzing mobility data makes it possible to assess whether, depending on an upcoming festival or a time of day, service supply should be maximized in one area of a city rather than another. However, the data used to perform these analyses may relate to an individual and identify them. Officials within cities or companies seeking to improve the environment in which we operate must integrate rules for the protection of personal information into their activities. But what are these rules?

During the Forum on Cybersecurity and Safety in Transportation, one of the panels was titled “Ensuring data protection in a context of collaborative innovation in mobility.” The discussion focused in particular on whether there was a law (or laws) governing all of this. The answer is yes.

Whether one thinks of information indicating the hours a bike or car is used; the route taken from point A to point B in the morning and, conversely, in the evening; or information used to locate a person and inform them about the nearest bus or metro lines, etc., all of this information is personal information.

Indeed, this information, collected by keys (if you are one of those who still have their BIXI key, for example), mobile applications or RFID smart cards used to access a shared bike/car service, relates to an individual and allows them to be identified, directly or indirectly, especially since it is often associated with their last name, first name, date of birth, postal and email addresses and credit card number.

In Quebec, if a public body, such as a city, or a company wants to collect such information to develop its urban planning or to improve its service offering, it must take into account the laws relating to the protection of personal information.

The focus here will be on the Act respecting access to documents held by public bodies and the protection of personal information (public sector) and the Act Respecting the Protection of Personal Information in the Private Sector. Although at the time of writing Bill 64 (PL64), which aims to modernize these laws, is still under review, it is nevertheless possible to consider some elements that must (will) guide those who collect, use/analyze, disclose and retain such information.

Before collecting personal information or acquiring, developing or overhauling an information system project or electronic service delivery, public bodies or companies must:

  • have a serious and legitimate interest;
  • determine the purposes for which they intend to collect personal information;
  • collect only the information necessary to achieve those purposes;
  • identify the factors/risks that may impact the privacy of the individuals concerned and implement measures to eliminate them or at least minimize them;
  • inform individuals, among other things, of the purposes for which their personal information is collected; the means by which it is collected; the third parties for whom it is collected or to whom it will be disclosed; that it may be disclosed outside the province; the retention period; their rights of access and rectification; the name of the person responsible for the protection of personal information;
  • inform individuals that a technology is being used that allows them to be identified, located or profiled and, accordingly, the means offered to activate these functions;
  • obtain individuals’ consent. This consent must be explicit, free and informed. It must be given for specific purposes and is valid only for the time necessary to achieve those purposes.
    • In some cases, notably when biometric characteristics are to be collected, consent must be given expressly and the Commission for Access to Information must be informed at least 60 days before the launch of a process allowing such characteristics to be captured to verify or confirm a person’s identity (this refers to the Act respecting the legal framework for information technologies, as amended by PL64).

Furthermore, public bodies and companies must:

  • establish and implement policies and practices governing their management of personal information and appropriate to ensure its protection;
  • adopt a privacy policy;
  • adopt security measures aimed at ensuring the protection of personal information.
    • In the event of unauthorized access, use or disclosure, or the loss of personal information, public bodies and companies must report this confidentiality incident to the Commission for Access to Information and to the person concerned. This notification must be made diligently, taking into account the risk that serious harm may be caused to the person whose information is affected by the incident;
  • enter into an agreement if they intend to disclose, without the consent of the individuals concerned, their personal information to a third party who intends to use it for study, research or statistical purposes;
  • destroy or anonymize personal information once the purposes for which it was collected or used have been fulfilled.

As mentioned at the outset, there are indeed laws governing the processing of mobility data. These laws are under review and provide for new obligations for public bodies and companies.

Even though these obligations are not yet in force, they should be considered in order to anticipate the issues that could arise regarding the collection, use, disclosure and retention of personal information, especially since the penalties that may be imposed for non‑compliance will be higher than they are currently.

If you have any questions on this subject, do not hesitate to contact us to discuss it.
