On May 30, 2024, the Quebec government implemented the Regulation on the Anonymization of Personal Information. This regulation, outlined in the Decree 783-2024, establishes the criteria and procedures for anonymizing personal data, affecting public bodies and private businesses within Quebec.
Scope and Applicability
The regulation applies to:
- Public bodies as defined in Section 3 of the Act providing access to documents held by public bodies and the protection of personal information (chapter A-2.1).
- Persons operating a business under the Act providing the protection of personal information in the private sector (chapter P-39.1).
- Professional orders as stipulated in the Code of Professions (chapter C-26).
Key Requirements
Criteria and Procedures
- Pre-Anonymization: Organizations must establish the purposes for using anonymized data, ensuring compliance with the relevant laws (Article 73 for public bodies and Article 23 for private sector).
- Supervision: Anonymization must be carried out under the supervision of a competent individual.
- Risk Analysis: Before anonymization, organizations must remove all directly identifying information and conduct a preliminary analysis of re-identification risks, considering factors like individualization, correlation, and inference.
- Techniques and Measures: Organizations must use recognized anonymization techniques and implement reasonable security measures to minimize re-identification risks.
- Post-Anonymization: After applying anonymization techniques, organizations must analyze re-identification risks to ensure the data cannot reasonably be used to identify individuals, considering residual risks and technological advancements.
Ongoing Assessment
- Organizations must periodically evaluate anonymized data to ensure it remains anonymous, updating their risk analysis to account for technological advancements that could impact re-identification.
Record-Keeping
- Organizations must maintain a register documenting the types of personal information anonymized, purposes, techniques used, and dates of risk analysis. Article 9, which details these record-keeping requirements, will come into effect on January 1, 2025.
👉 Find the press release here.
♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.