Anonymization of Personal Information

0 Comments

Order in Council 783-2024 outlines regulations regarding the anonymization of personal information under two key legislative frameworks: the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1) and the Act respecting the protection of personal information in the private sector (chapter P-39.1). These regulations establish the necessary procedures, criteria, and security measures required for public bodies and private entities to anonymize personal information while ensuring compliance with best practices to prevent re-identification of individuals.

The regulation is grounded in obligations set forth by section 73 of chapter A-2.1 and section 23 of chapter P-39.1, which stipulate that public bodies and enterprises must destroy or anonymize personal information once the purposes for which it was collected have been fulfilled.

The regulation applies to all public bodies governed by the Act respecting Access to documents held by public bodies and the Protection of personal information and private sector enterprises under the Act respecting the protection of personal information in the private sector. It also applies to professional orders, as outlined in the Professional Code (chapter C-26). Key terms defined within the regulation include the correlation criterion, ensuring that datasets cannot be connected to the same person; the individualization criterion, preventing the isolation or identification of an individual within a dataset; and the inference criterion, which prevents personal information from being inferred from other available data.

First, before anonymization begins, the entity must define the purposes for which the anonymized data will be used, ensuring these purposes align with the objectives of section 73 or section 23 of the relevant Acts. The anonymization process must be supervised by a qualified individual to ensure compliance with best practices. Initially, all personal information that directly identifies individuals must be removed. The body must then conduct a preliminary analysis of the risks of re-identification, considering the individualization, correlation, and inference criteria, as well as the availability of external data that could be used to re-identify individuals.

Once risks are identified, the entity must select appropriate anonymization techniques that align with best practices and establish protection and security measures to mitigate re-identification risks. Following the implementation of these techniques, a thorough post-anonymization analysis must be conducted to assess the likelihood of re-identification. Although zero risk is impossible to guarantee, the regulation requires that residual risks remain very low.

By establishing a robust framework for anonymizing personal information, the regulation aims to minimize re-identification risks, ensure data security, and promote transparency through proper documentation, ultimately safeguarding individual privacy while allowing the use of anonymized data for beneficial purposes in both public and private sectors.

Quebec (783-2024) May 15, 2024