This podcast series, intended for private sector companies doing business in Quebec, addresses the requirements of Act 25, the first of which take effect on September 22, 2022. Candice Hevin and Marie-Eve Jean from our Privacy and Data Protection Group lead the discussions on the changes to the private sector regime, namely the changes to the Act respecting the protection of personal information in the private sector.
In this episode, discover your responsibilities regarding biometric data and the declaration requirements to Quebec's data protection authority, the Commission d'accès à l'information (CAI).
Please note that the following statements only provide an overview and do not constitute legal advice. Listeners are cautioned against making decisions based solely on this material. Rather, specific legal advice should be obtained.
Marie-Eve Jean: Hello and welcome to Privacy 101 – Obligations under Act 25, a series of podcasts designed to help you prepare for compliance with Quebec’s new privacy laws.
Candice Hevin: I’m Candice Hevin.
Marie-Eve Jean: And I’m Marie-Eve Jean.
Candice Hevin: We are both attorneys at McMillan LLP and work together as a team to help companies doing business in Quebec comply with Quebec’s privacy laws.
Marie-Eve Jean: To give you some context, Quebec passed a new law on September 22, 2021. Bill 64 aims to modernize the data protection framework for both the private and public sectors. This series focuses on the changes in the private sector regime, namely the changes to the Act respecting the protection of personal information in the private sector, which we will refer to as Act 25.
Candice Hevin: The requirements will come into effect in three phases over the next three years. Although most of the new requirements will take effect on September 22, 2023, some important requirements will take effect this month, on September 22, 2022. Some requirements will also come into effect on September 22, 2024.
Marie-Eve Jean: In our previous episodes, we talked about enforcement mechanisms and your obligation to appoint a data protection officer and the obligations related to data breach notification, which will come into effect on September 22, 2022. In this episode we will talk about the measures related to the use of biometric data that will come into effect on September 22, 2022. So what exactly is biometric data?
Candice Hevin: These are techniques used to analyze one or more physical or morphological characteristics. Physical features can include fingerprints, facial features, the iris or the retina of the eye. Biometric data can also include behavioral characteristics such as a person’s gait or biological characteristics such as DNA.
Marie-Eve Jean: Biometric data is unique and specific to each person. This makes it highly sensitive information. It is therefore considered “sensitive personal information” under Act 25. In general, companies use it to automate identification and authentication processes. Common examples in the everyday world are the use of employees’ fingerprints to record their “clock in” and “clock out” times, or using a facial recognition system to authorize access to a facility or room. Biometric data can be very useful, but as said, it is “sensitive personal information” and therefore a risk.
Candice Hevin: This information is permanent, distinctive and unique and allows an individual to be identified. The greatest risk is that it could be used to derive information other than an individual’s identity, e.g. a disease, or to impersonate or steal the identity of a person. Another significant risk from a business perspective is that if your organization has a biometric database that does not comply with the law, the CAI may consider it an invasion of privacy and order its permanent destruction.
So what do you need to do to make your biometric database compliant?
Marie-Eve Jean: Here are the three steps you need to take. Step 1: Conduct a privacy impact assessment (PIA) before creating a biometric feature or measurement database or biometric system. In the PIA, you need to ask yourself about necessity, purpose, proportionality, and alternatives:
- It must be necessary to collect biometric data. And no, the fact that it’s a lot more convenient doesn’t in itself justify the need to collect it.
- The purpose must be important, legitimate, and real.
- The data collected must be in reasonable proportion to the use. For example, you will collect one fingerprint instead of all five fingers of the hand because you want to be proportional.
- Alternatives are other actions that the company must offer to an individual if they refuse to consent to the collection of their biometric data. For example, an alternative measure may be to provide a personalized password instead of someone providing their fingerprint or something else.
Candice Hevin: Step 2: Declare the project to the CAI no later than 60 days before its implementation, and notify the CAI before using biometric technologies to verify or confirm an individual’s identity:
- This declaration must be made as soon as possible, as the CAI may require adjustments to the biometric data system, which could delay its implementation.
- Important clarification: only biometric databases that (i) are used to identify or authenticate individuals and (ii) do so by technical means are affected. Only these databases need to be declared to the CAI. For example, a static photo bank does not need to be declared.
- A small note here: clients are often confused and often ask us who exactly should declare the biometric system, the one creating it or the one using it? The declaration of the biometric system is usually made by the company that will use the system. This is because it is generally the company that owns and uses the personal information, not the company that developed the system, although the company that develops the system may be required to store its customers’ biometric information.
- Note that this is not an absolute rule; it is sometimes reviewed on a case-by-case basis, and particularly given the context and obligations of Act 25, the CAI could request additional information from the entity that designed the system, possibly after analyzing the declaration of the company using the biometric system.
Marie-Eve Jean: Step 3: Fulfil the various obligations under Act 25 during the project implementation (i.e. before its operation):
- You must obtain the express consent of the data subjects. For this purpose, the CAI provides a sample consent form for use on its website. You can always ask us to help you prepare and create this form.
- Confirm people’s identities.
- Check if other means of identification are available and suggest them if so. This leads back to our “alternatives” we discussed earlier, like providing a password instead of collecting a person’s fingerprint.
- Note the purpose for which the data is collected.
- Implement appropriate data protection and security measures.
- Ensure the secure and final destruction of the biometric data. When destroying, you must be careful to delete both the image and the encrypted code associated with the image, as both are considered sensitive personal information.
- Finally, you must implement a process for user access and rectification requests.
Candice Hevin: This concludes our third episode. We have some more tips and tricks on how to handle biometrics and how to conduct a privacy impact assessment, so don’t hesitate to contact us.
Marie-Eve Jean: Be sure to tune in to the following episodes, which will be released in the coming months, as we address your obligations effective from September 2023. This is Marie-Eve Jean.
Candice Hevin: And Candice Hevin.
Marie-Eve Jean: From McMillan LLP. It was a pleasure to host you!
© McMillan LLP 2021