On May 15, 2024, the government of Québec published the final version of the Regulation respecting the anonymization of personal information (the Anonymization Regulation), establishing the requirements to anonymize personal information in compliance with Québec's private and public sector privacy legislation.
What you need to know
- The regulation is broadly applicable. The Anonymization Regulation came into force on May 30, 2024 and applies to all private enterprises, public bodies and professional orders in Québec.
- Anonymization can be leveraged as part of data management strategies. Subject to the requirements of the Anonymization Regulation, organizations can now leverage anonymization as part of their data management strategy.
- The regulation establishes an eight-step anonymization process. The Anonymization Regulation establishes an eight-step anonymization process, which aims to reduce the risk of re-identifying individuals. It also clarifies that it is not necessary to conclude that there is no risk of re-identification, only that the risk is very low.
The requirements
The Anonymization Regulation sets out a process which can be summarized in eight steps required to lawfully anonymize personal information. We have detailed these steps in the chart below, along with additional interpretation and implementation guidance.
| Requirements | Additional Guidance |
|---|---|
| Designate a person in charge. | The Anonymization Regulation requires that the anonymization process be carried out under the supervision of a person qualified in the field. |
| Identify the purpose for which anonymized personal information will be used. | The Anonymization Regulation states that the purposes must be "serious" and "legitimate" to respect the private sector privacy legislation, and for "public interest purposes" to respect the public sector privacy legislation. |
| Remove all personal information which would allow the individual to be directly identified (identifiers). | An organization must remove all personal information that allows the individual to be directly identified (e.g., name, unique identifier such as social identification numbers) from the data set. |
| Perform a preliminary analysis of re-identification risk. | The preliminary analysis must assess the re-identification risk with respect to: |
| Apply generally accepted anonymization practices and safeguards to reduce re-identification risk. | On the basis of the re-identification risks identified, an organization must identify the anonymization techniques to be used, which must be consistent with generally accepted best practices. |
| Perform a further analysis of the re-identification risk. | Taking into account the practices and safeguards applied, the organization then needs to perform a further analysis of the re-identification risk. The organization must consider the following elements:<br>The results must show that it is reasonable to expect, in the specific circumstances, that the resulting data is irreversibly incapable of direct or indirect identification. |
| Revisit the re-identification risk analysis periodically. | The draft version of the Anonymization Regulation stated that the analysis should be revisited "regularly", which was then changed in the final version to "periodically". |
| Keep a register of the anonymization performed. | The register should include:<br>Note that this requirement only comes into force on January 1, 2025. |
Where to start: tips for compliance
The Anonymization Regulation sets out a rigorous, multi-step process to lawfully anonymize personal information as an alternative to destruction when no longer required for business or legal purposes.
Organizations should review their current practices, procedures and policies for the retention, destruction and de-identification of personal information and determine whether updates are required to align those practices with the Anonymization Regulation. In many cases, multiple stakeholders will need to be involved in the procedure review as well as the resulting anonymization process (for example, legal, compliance, data analytics, information technology). In some cases, external resources will also be needed.
Organizations should then review and update their written procedures and policies to ensure compliance, and determine whether their existing anonymized information databases are still considered anonymized information in Québec pursuant to the Anonymization Regulation.