On July 1st, 2024, certain provisions in the Act respecting health information and social services (“Law 5”) and its regulations came into force. This statute governs how health and social service bodies collect and process health and social services information. Its key objectives are to:
- ensure the protection of health and social services information;
- simplify the flow of this information;
- identify various ways this information may be accessed;
- identify the circumstances and conditions under which such information may be used or communicated by health and social service bodies;
- establish a legal framework founded on transparency and the responsibility and accountability of health service providers and bodies.
See our annotated version to more easily ascertain the effective dates of the different provisions of Law 5.
Download the annotated Act (PDF, 270 KB)
What is “health and social services information”?
For the purposes of Law 5, health and social services information includes information that directly or indirectly identifies a person and is related to their physical or mental health or to the health services they received.
Information about the health services or social services provided to the person may also include the nature of those services, their results, the location where they were provided and the identity of the persons or groups that provided them.
However, this information excludes information regarding any staff members of the health and social services body or any professionals practising their profession within such body, or regarding any mandatary (or agent) or service provider of such body if collected for human resources management purposes.
Does Law 5 apply to your organization?
The implementation of a proper compliance program involves identifying which obligations apply to your organization. Law 5 creates a single legal framework[1] that applies to health and social services bodies in connection with the collection and processing of health and social services information.
The scope of Law 5 is not limited to public bodies. In fact, certain private sector organizations, such as private professional firms, are also covered by Law 5. For example, medical and dental clinics must comply with Law 5, but its provisions do not perfectly mirror those of the other privacy laws applicable in Québec, such as the Act respecting the protection of personal information in the private sector (“Private Sector Act”)[2] and the Act respecting Access to documents held by public bodies and the protection of personal information (“Act respecting Access”).[3]
Summary of the implications of Law 5 on your organization and how Law 5 differs from the general legal framework
The following table summarizes the differences between the main privacy laws that apply in Québec.
Requirement | Act respecting Access | Private Sector Act | Law 5 |
A designated person in charge of the protection of information | X | X | X |
Access to Information and Privacy Committee | X | ||
Implement information governance rules | X | X | X |
Publish information governance rules | X | X | |
Express consent by default for use and release of information | X | ||
Use or release of information in a de-identified form by default, unless this is not possible | X | ||
Identify the period of time the information will be kept at the time of collection | X | ||
Restrict the collection of information through identification, geolocation or profiling technology | X | X | X |
Privacy by default for technology products or services with confidentiality settings | X | X | X |
Specific requirements for automated decision-making | X | X | X |
Right to data portability | X | X | X |
Right to be forgotten (deindexation) | X | ||
Right to refuse access to one’s personal information | X | ||
Assessment of privacy factors for projects involving technology products or services | X | X | X |
Assessment of privacy factors where information is released outside Québec | X | X | X |
Mandatory contractual provisions where information is released to a service provider | X | X | X |
Mandatory notice of any confidentiality incident that presents a risk of serious harm | X | X | X |
Keep a register of confidentiality incidents | X | X | X |
Possibility of anonymizing information at the end of retention period | X | X | X |
If you need assistance with your privacy compliance program concerning personal and medical information, Fasken can provide you with the help you need. For more information, don’t hesitate to contact the authors of this Bulletin.
[1] See Act respecting Access, supra note 3, s 2 and Private Sector Act, infra note 2, s 3, as amended by s 172 and s 229 of Law 5.
[2] CQLR c P-49.1.
[3] CQLR c A-2.1.