Governance of personal information

Last updated November 10, 2023

This directive establishes the governance of activities related to the management of personal information. It also identifies the measures to be implemented to fulfill the city’s responsibilities to its employees and to the public.

The city recognizes the importance of respecting privacy and of safeguarding personal information held by either itself or a third party. Necessary steps are taken to comply with all requirements of the Act respecting Access to documents held by public bodies and the Protection of personal information (CQLR, ch. A-2.1).

Scope

This directive applies to all city employees who collect, use and retain personal information.

Definitions

Information asset: Any information, document, information or communication system or technology.

Personal information: Any information concerning an individual that allows for their identification. Information is considered:

  • Sensitive when, due to its nature, context of use or communication, it elicits a high degree of expectation of privacy
  • De-identified when it no longer allows the person concerned to be directly identified

Privacy Impact Assessment (PIA): A preventive approach aimed at better protecting personal information and respecting the privacy of individuals.

Confidentiality incident: Sections 63.8 to 63.11 of the Act govern the management of confidentiality incidents by public bodies. The following events constitute incidents:

  • Unauthorized access to personal information
  • Unauthorized use of personal information
  • Unauthorized release of personal information
  • Loss of personal information or any other breach of the protection of such information

Personal information - General principles

Collection of information

Personal information is collected from the individual concerned upon obtaining their explicit, voluntary and informed consent, given for specific purposes.

These criteria are defined as follows:

  • Explicit: Consent must be obvious, certain and unequivocal, leaving no doubt about the expressed intent.
  • Voluntary: Consent must be given without coercion.
  • Informed: The request must be precise and thorough to enable the individual to give informed consent.
  • Given for specific purposes: Consent must be requested for specific purposes, and the individual must be able to understand them in order to give consent.

The city must collect only that personal information required for the exercise of its mandates or the implementation of a program under its purview.

City employees must use personal information solely for the purposes for which it was collected and act with caution.

The city does not disclose any personal or otherwise confidential information, except in certain exceptions specified in the Act.

An individual providing personal information must be informed of:

  • The purposes for which the information is required
  • Whether the request is mandatory or optional
  • The consequences of giving or refusing consent
  • The right to access and correct information as stipulated in the Act
  • The measures put in place to ensure the confidentiality of information during transmission
  • The categories of individuals who will have access to this information; in the case where personal information is collected for a third party, the third party’s name and the personal information that will be communicated to them
  • Where applicable, the names of third parties or categories of third parties (e.g., service providers) to whom it is necessary to communicate information for the enumerated purposes (see Communication to a third party without the consent of the person concerned, in the context of a service or business mandate or contract)
  • The possibility that information may be disclosed outside of Québec

If the city collects personal information from the person concerned using technology containing features that make it possible to identify, locate or profile them, the individual must first be informed of:

  • The use of such technology
  • The methods available to activate these features

Confidentiality incidents

Any employee who discovers or suspects the existence of an incident must immediately fill out the Confidentiality incident reporting form and inform their manager. Submission of the form is mandatory, whether the risk of harm is presumed or not, and serious or not (Procedure C-OG-GREF-P-22-001). The city clerk’s office handles these incidents.

Minor person

Personal information of an individual under 14 years of age cannot be collected without the consent of a person with parental authority or acting as a guardian, unless this collection is manifestly in the best interests of the minor. Consent of a person over 14 years of age can be given by the same individuals or by the minor themselves.

Access to personal information, protection and right to correction 

An individual can request access to information concerning them and ask to have it corrected. 

They can also request:

  • To withdraw their consent for the communication or use of personal information collected
  • To destroy or withdraw personal information, depending on the circumstances; in some cases, the city may refuse a request for destruction or withdrawal, especially when personal information is required for compliance with the Act or with a contractual agreement between the parties, or in relation to a claim
  • To suspend the processing of certain personal information, in particular to establish its accuracy or the reason for its processing
  • To transfer certain personal information to another party

Requests for access or correction, or any questions related to this directive, should be addressed, in writing, to the person in charge of access to information, Emmanuel Tani-Moore at [email protected].

Complaints

A person who considers that their personal information has been handled inappropriately, or who believes that the Act has not been respected, may file a complaint with the city clerk’s office at [email protected].

The complaint may relate to the collection, storage, use, communication or destruction of personal information.

It will be processed confidentially. Personal information is protected, meaning it is accessible only to those people authorized to consult it in the performance of their duties. 

Complaints can also be made in writing to the Commission d’accès à l’information - Direction de la surveillance.

Automated processing of personal information

A decision based on automated processing is made without human intervention (e.g., an algorithm).

In addition to the information provided during the collection of personal information, the city must inform the person concerned that this information is used to make a decision based on automated processing.

It must also inform the person concerned:

  • Of the personal information used to make the decision
  • Of the reasons, major factors and parameters that led to the decision
  • Of their right to correct the personal information used to make the decision
  • That they can ask to have the decision reviewed by a natural person

Communication to a third party without the consent of the person concerned

In the context of a mandate or service or business contract, the city must enter into a written agreement that includes:

  • The provisions of the Act that the other party undertakes to comply with
  • Security measures to protect the confidentiality of the personal information communicated

The other party may only use the information for the execution of its mandate or contract. The agreement should, therefore, prohibit the use of personal information for its own purposes or those of a third party. The other party must destroy the information after the expiration of the agreement.

It must also provide a confidentiality agreement signed by any person to whom the information may be communicated, unless otherwise directed by the privacy officer (PO). It must immediately inform the PO of “any violation or attempted violation of an obligation relating to the confidentiality of information communicated”, and not simply of confidentiality incidents. Finally, the PO can carry out any verification relating to the supplier’s confidentiality obligations, i.e., request any document and carry out any additional verification.

Survey conducted by the city or an agent

Survey: Any information collection conducted for research, evaluation, or investigation purposes from individuals who can be identified by the city.

Before conducting a survey involving the communication or collection of personal information, the city must:

  • Assess the need for conducting the survey
  • Conduct an ethics evaluation of the draft survey, considering the sensitivity of the personal information communicated or collected and the purpose of its use
  • Verify situations where obtaining the consent of the individuals concerned by the information is required

Any person conducting a survey that involves collecting personal information must:

  • Identify themselves
  • Mention that the information is being collected on behalf of the city
  • State the purposes for which the information is being collected and the categories of people who will have access to the collected information
  • Indicate the voluntary nature of participation in the survey

When a survey is conducted by an agent, the city must:

  • Ensure that the communication of personal information to the agent is necessary
  • Conduct an evaluation, especially to verify the sensitivity of the personal information communicated or collected and the purpose of its use
  • Take measures to ensure that only the information needed to conduct the survey is communicated
  • Specify that the personal information communicated is confidential
  • Require the agent and its employees to comply with the provisions of this directive
  • Ask the agent what measures will be taken to ensure that the personal information is used only for the purposes of the mandate
  • Ensure that the personal information communicated to the agent to conduct the survey and the information collected by the agent is returned or destroyed
  • Ensure that the agent completely destroys the information in its possession and submits a report attesting to that fact

Those conducting the survey must consult with the Committee about the measures to protect the personal information collected as part of a survey.

Data retention

The city must destroy or anonymize personal information, subject to the retention periods provided for by law, once the purposes for which it was collected have been achieved. However, it reserves the right to retain, for a reasonable period of time, certain personal information in order to comply with the Act, prevent fraud, collect outstanding fees, settle a claim or other related issues, cooperate with an investigation, and for any other action permitted by the Act.

Training

The city provides training and awareness activities for its employees on the protection of personal information.

The training is prepared by the Service des ressources humaines (human resources department), in collaboration with the city clerk’s office. It is available online and aims to:

  • Define what constitutes personal information
  • Recognize the responsibilities related to the protection of personal information
  • Identify situations where personal information is necessary in the course of work
  • Identify and apply best practices for handling personal information held by the city

Committee on access to information and the protection of personal information

The committee is established in accordance with Section 8.1 of the Act. It is responsible for supporting the person in charge of access to documents and the protection of personal information in the exercise of their responsibilities and the performance of their obligations. It also exercises the functions entrusted to it by this directive and the Act.

Composition of the Committee

The Committee is made up of one representative from each of the following groups:

  • The city clerk, who chairs the Committee and acts as the secretary
  • The city’s general auditor or their representative
  • A lawyer from the Service des affaires juridiques (legal affairs department)
  • A manager from the Service de la concertation des arrondissements (borough coordination department)
  • A manager from the Service de l’expérience citoyenne et des communications (resident experience and communications department)
  • A manager from the Service des ressources humaines (human resources department)
  • A manager from the Service de police de la Ville de Montréal (Montréal police department)
  • The director of the Direction de la sécurité de l’information (information security department) or their representative

Committee’s role

The Committee’s role is to:

  • Approve the governance rules governing personal information
  • Recommend to senior management the necessary frameworks for the protection of personal information
  • Be consulted from the beginning of any project involving the acquisition, development or redesign of an information system or electronic service delivery; the Committee can suggest additional measures for the protection of personal information at any stage of the project
  • Be informed of major confidentiality incidents involving personal information
  • Approve personal information sharing agreements
  • Approve the city’s confidentiality policy and its amendments
  • Review IT development projects involving personal information; if necessary, suggest: 
    • Appointing a person responsible for implementing personal information protection measures
    • Personal information protection measures in any project-related document
    • A description of the participants’ responsibilities regarding the protection of personal information
  • Suggest methods for processing access requests for personal information to the person in charge
  • Approve the training and awareness program for the protection of personal information
  • Approve the release of open data that may affect the confidentiality of personal information
  • Be consulted about the protection measures for personal information that must be collected as part of a survey

Committee operations

The Committee meets a minimum of four times a year, can invite anyone with relevant expertise to support its mandate, and can reach decisions via email when necessary.

Quorum

To achieve quorum:

  • More than half of the Committee members must be present
  • The city clerk, the general auditor and the representative of the Direction de la sécurité de l’information (information security department) must be present

Responsibilities

City clerk’s office

The city clerk acts as the person responsible for implementing the Act, both for access to documents and the protection of personal information. They perform all functions prescribed by the Act, except for those assigned to other entities by this directive. They are the city’s sole contact with the Commission d’accès à l’information regarding personal information.

The city clerk’s office:

  • Processes requests for access to documents and correction of personal information
  • Maintains the personal information communication register
  • Informs the Commission d’accès à l’information of any incidents that may seriously harm the individuals concerned
  • Handles IT and other major incidents involving personal information. A crisis team is formed with representatives from the Direction de la sécurité de l’information (information security department), and the managers of the Service de l’expérience citoyenne et des communications (resident experience and communications department) and the Service des affaires juridiques (legal affairs department).
  • Maintains the confidentiality incidents register
  • Submits an annual report to city council on compliance with the Act

Service des technologies de l’information (information technology department)

The Service des technologies de l’information (information technology department):

  • Presents, from the outset, privacy impact assessments for development projects containing personal information to the Committee on access to information and the protection of personal information
  • Manages and secures the city’s IT assets containing personal information, applying the highest privacy standards
  • Implements the necessary measures to detect and address confidentiality incidents involving personal information
  • Informs the person in charge of access to documents and the protection of personal information of any incidents that may seriously harm the individuals concerned
  • Performs a proportionate PIA based on the sensitivity of the information, its quantity, the purpose for which it will be used, its distribution and its media
  • Gets approval for the PIAs deemed relevant or requested by the Committee

Service de l’expérience citoyenne et des communications (resident experience and communications department)

The Service de l’expérience citoyenne et des communications (resident experience and communications department):

  • Publishes on the city’s Web site: 
    • Rules governing personal information governance, including employee training and awareness activities
    • Contact information for the person in charge of access to documents and the protection of personal information
  • Supports business units in disseminating information to ensure people are informed of the confidentiality policy and the right to correction during the collection of personal information

Service des ressources humaines (human resources department)

The Service des ressources humaines (human resources department):

  • Ensures that the requirements regarding the protection of personal information are integrated into employee onboarding procedures
  • Provides information about the mechanisms in place to protect personal information through a training session

Director of an administrative unit responsible for an information asset

The director of an administrative unit responsible for an information asset:

  • Limits the collection of personal information to only the information needed to carry out their duties or implement a program they manage
  • Informs the person from whom they are collecting personal information about the conditions governing this collection
  • Communicates personal information only to individuals who are authorized to receive it when necessary for the performance of their duties

Personal information communication registers

Without the consent of the person concerned

The register lists situations in which the city communicates:

  • Information about the identity of an individual in order to collect personal information already collected by a private person or organization
  • Personal information required for the application of a law in Québec, whether or not such communication is specifically provided for by the law
  • Personal information required for the application of a collective agreement, decree, order, directive, or regulation establishing working conditions
  • Personal information to an agent or service provider within the scope of a mandate or service contract
  • Personal information for study, research or statistical purposes
  • Personal information in cases referred to in Section 68, after conducting a PIA

In these cases, the register includes:

  • The nature or type of information communicated
  • The person or organization receiving the communication
  • The reason for which the information is being communicated and, if applicable, the mention that it is being communicated outside of Québec
  • The reason for this communication

For the purposes of performing functions or implementing a program of a public body

In this case, it must be a program with which the city collaborates for service delivery or the fulfillment of a common mission. This register of data collection agreements includes:

  • The name of the organization for which the information is collected
  • Identification of the program or assignment for which the information is required
  • The nature or type of service delivery or mission
  • The nature or type of information collected
  • The purpose for which the information is collected
  • The category of individuals who have access to the information within the organization collecting the information and the receiving organization

Without consent, but consistent with the purposes for which the personal information was collected

This register lists uses of personal information within the city for purposes other than those for which it was collected, where the use is clearly for the benefit of the person concerned or necessary for the application of a law in Québec. It includes:

  • The subparagraph of the second paragraph of section 65.1 of the Act that allows the use, i.e., the applicable legal basis
  • In the case referred to in subparagraph 3 of the second paragraph of section 65.1 of the Act, the provision of the Act that makes the information necessary
  • The category of person that has access to the information for the purpose stated

Entry into force

This directive entered into force on June 21, 2023.

Update

This update was issued on August 29, 2023.