On March 6, 2024, the Government of Québec published a regulation entitled the Regulation respecting the governance of health and social services information (PDF) (“Draft 2”). This is the second draft presented under the Act respecting health and social services information (“AHSSI”), the first being the Regulation respecting the application of certain provisions of the Act respecting health and social services information (PDF) (“Draft 1”). To read our bulletin on this draft regulation, please click here.
Here are the key takeaways.
Responsibilities of Bodies
Draft 2 sets out the obligations of bodies with respect to training their personnel. Personnel, including students and trainees, must receive recognized training regarding the protection of information as soon as they begin working or practising their profession within the body.[1]
This initial training for personnel must be followed up by an annual refresher training. The refresher training must focus on:
- the roles and responsibilities of personnel with regard to the information held by the body;
- the rules and terms for keeping, destroying and anonymizing information;
- the security measures for ensuring the protection of information put in place by the body, in particular to minimize the risk of a confidentiality incident;
- the procedure for managing confidentiality incidents;
- the secure use of the body’s technological products or services.[2]
In addition to training personnel, at least once a year, a body must:
- analyze the relevance of the categories of persons identified in the body’s information governance policy adopted under section 105 of the AHSSI and, where applicable, review those categories;
- assess the compliance of the logging mechanisms and the effectiveness of the security measures put in place to ensure the protection of the information that the body holds and, where applicable, review those mechanisms and measures.[3]
Bodies must also, on a monthly basis, analyze access to the information they hold and all other uses and communications of that information. The purpose of this analysis is to detect situations that do not comply with applicable standards and, where applicable, to take appropriate measures. However, a body referred to in Schedule II to the AHSSI need only conduct such an analysis once a year.[4] In our view, it is interesting that the legislator created different rules depending on the schedule in which the body is listed. We further believe there may be operational issues associated with mandatory monthly reviews, which may prove onerous.
Draft 2 also requires bodies other than those referred to in Schedule II of the AHSSI to establish an information governance committee. This requirement is in keeping with the Act respecting Access to documents held by public bodies and the Protection of personal information, which requires public bodies to establish a committee on access to information responsible for enforcing that law.[5] Similarly, the purpose of the information governance committee is to support the person exercising the highest authority within the body in the exercise of their responsibilities under the AHSSI.[6]
Draft 2 requires bodies to designate a person from among their personnel to be in charge of communicating with individuals who file a notice of restriction. This person must properly inform these individuals, in clear and simple language, of the potential consequences and risks associated with exercising the right of restriction.[7] There is no similar provision regarding the right of refusal.
Keeping and Destroying Information
Draft 2 requires bodies to establish a number of measures for keeping and destroying information. First, records containing information the body holds must be kept in a manner that ensures their integrity.[8] Bodies must then ensure that the information they hold remains usable despite any incident affecting the medium on which it is stored.[9] This includes any consents received by such bodies. Regardless of whether the consent is verbal or written, the body receiving it must, within the meaning of Draft 2, keep proof of that consent.[10]
Information must be retained in a manner that ensures its protection at all times, in particular by taking the necessary measures to control access to the premises where the information is kept.[11] Bodies must ensure that the information they hold that is subject to a restriction or refusal of access is kept in a manner that complies with that restriction or refusal.[12]
The destruction of information is also covered by Draft 2. Any destruction must be carried out in a secure manner adapted to the sensitivity of the information and the medium on which it is stored, in keeping with generally accepted best practices. The destruction must be irreversible to prevent the reconstitution of the information.[13] We note that the legislator does not define the applicable concept of irreversibility. Furthermore, there is no indication of how a body might validly prevent the reconstitution of information, particularly in the absence of anonymization rules applicable to the AHSSI.[14]
Where the destruction of information held by a body is entrusted to a third person, the body must enter into a contract with the third person that sets out, in addition to the elements referred to in the second paragraph of section 77 of the AHSSI:
- The procedure for the destruction of the information.
- Where applicable, the third person’s obligation to render an account to the body of the destruction of the information.
- The obligation, for a third person that retains a person or group to perform the contract, to notify the body and to ensure that the person or group complies with the other obligations incumbent on the third person under the contract. The confidentiality agreement and notice of violation provided for in section 77 of the AHSSI must be sent by the person or group to such third person.[15]
Finally, Draft 2 requires bodies to keep proof of any destruction of information.[16]
Technological Products and Services
Bodies must take the necessary measures to avoid or mitigate any potential impact of technological products and services on their activities.[17] Draft 2 provides for the following mitigation measures:
- Keeping a calendar of the known or expected dates on which such products or services are to be terminated for the purpose of analyzing the relevance of maintaining or replacing them.[18]
- Designating a person from among its personnel to be in charge of ensuring the application of the standards applicable to the technological products or services the body uses, in particular the special rules defined by the network information officer under section 97 of the AHSSI. That person will also be in charge of supervising the implementation and maintenance of the security measures for ensuring the protection of the information contained in those products or services.[19]
- Evaluating the technological products or services the body uses and their compliance with applicable standards at least once every other year and every time a special rule is modified.[20]
If you need assistance with your personal information or health information compliance program, Fasken is here to help. For more information, please contact the authors of this bulletin.
[1] Draft 2, s 1.
[2] Draft 2, s 2.
[3] Draft 2, s 6.
[4] Draft 2, s 7.
[5] Act respecting Access to documents held by public bodies and the Protection of personal information, s 8.1.
[6] Draft 2, s 8.
[7] Draft 2, s 4.
[8] Draft 2, s 9.
[9] Draft 2, s 5.
[10] Draft 2, s 3.
[11] Draft 2, s 10.
[12] Draft 2, s 11.
[13] Draft 2, s 12.
[14] See our Bulletin on this topic: Data Anonymization Under Law 25: Québec Interpretation — European Facsimile.
[15] Draft 2, s 13.
[16] Draft 2, s 14.
[17] Draft 2, s 15.
[18] Draft 2, s 15.
[19] Draft 2, s 16.
[20] Draft 2, s 17.