A-2.1, r. 0.1 - Regulation respecting the anonymization of personal information

Updated to 30 May 2024
This document has official status.
chapter A-2.1, r. 0.1
Regulation respecting the anonymization of personal information
Act respecting Access to documents held by public bodies and the Protection of personal information
(chapter A-2.1, s. 155, 1st par., subpar. 6.3).
Act respecting the protection of personal information in the private sector
(chapter P-39.1, s. 90, 1st par., subpar. 3.2).
DIVISION I
SCOPE AND DEFINITIONS
O.C. 783-2024, Div. I.
1. This Regulation applies to all public bodies referred to in section 3 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1), and any person carrying on an enterprise and referred to in the Act respecting the protection of personal information in the private sector (chapter P-39.1).
It also applies to professional orders to the extent provided for in the Professional Code (chapter C-26).
O.C. 783-2024, s. 1.
2. In this Regulation,
correlation criterion means the inability to connect datasets concerning the same person;
individualization criterion means the inability to isolate or distinguish a person within a dataset;
inference criterion means the inability to infer personal information from other available information;
body means a public body, a person carrying on an enterprise or a professional order to which this Regulation applies.
O.C. 783-2024, s. 2.
DIVISION II
CRITERIA AND TERMS APPLICABLE TO THE ANONYMIZATION OF PERSONAL INFORMATION
O.C. 783-2024, Div. II.
3. Before beginning a process of anonymization, a body must establish the purposes for which it intends to use the anonymized information. The body must ensure that those purposes are consistent with section 73 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1) or section 23 of the Act respecting the protection of personal information in the private sector (chapter P-39.1), as the case may be.
If a body wishes to use anonymized information for purposes other than those established before beginning the process of anonymization in accordance with the first paragraph, the body must, before using that anonymized information, ensure that those purposes are consistent with, as the case may be, section 73 or section 23.
O.C. 783-2024, s. 3.
4. The process of anonymization must be carried out under the supervision of a person qualified in the field.
O.C. 783-2024, s. 4.
5. At the beginning of a process of anonymization, a body must remove from the information it intends to anonymize all personal information that allows the person concerned to be directly identified.
The body must then conduct a preliminary analysis of the re-identification risks considering in particular the individualization criterion, the correlation criterion and the inference criterion, as well as the risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly.
O.C. 783-2024, s. 5.
6. On the basis of the re-identification risks determined in accordance with the second paragraph of section 5, a body must establish the anonymization techniques to be used, which must be consistent with generally accepted best practices. The body must also establish reasonable protection and security measures to reduce re-identification risks.
O.C. 783-2024, s. 6.
7. After implementing the anonymization techniques established for the process of anonymization and the protection and security measures in accordance with section 6, a body must conduct an analysis of the re-identification risks.
The results of the analysis must show that it is, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly.
For the purposes of the second paragraph, it is not necessary to demonstrate that zero risk exists. However, taking into account the following elements, the results of the analysis must show that the residual risks of re-identification are very low:
(1)  the circumstances related to the anonymization of personal information, in particular the purposes for which the body intends to use the anonymized information;
(2)  the nature of the information;
(3)  the individualization criterion, the correlation criterion and the inference criterion;
(4)  the risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly; and
(5)  the measures required to re-identify the persons, taking into account the efforts, resources and expertise required to implement those measures.
O.C. 783-2024, s. 7.
8. A body must periodically assess the information it has anonymized to ensure that it remains anonymized. For that purpose, the body must update the latest re-identification risk analysis it conducted. The update must consider, in particular, technological advancements that may contribute to the re-identification of a person.
The results of the analysis update must be consistent with the second paragraph of section 7. If they are not, the information is no longer considered anonymized.
For the purposes of the first paragraph, the intervals at which a body must conduct information assessments are determined according to the residual risks identified in the latest re-identification risk analysis conducted by the body and the elements provided in the third paragraph of section 7.
O.C. 783-2024, s. 8.
In force: 2025-01-01
9. A body that anonymizes personal information must record the following information in a register:
(1)  a description of the personal information that has been anonymized;
(2)  the purposes for which the body intends to use anonymized information;
(3)  the anonymization techniques used and the protection and security measures established in accordance with section 6; and
(4)  the date on which the re-identification risk analysis conducted in accordance with section 7 was completed and, as the case may be, the date on which the update of the analysis conducted in accordance with section 8 was completed.
O.C. 783-2024, s. 9.
DIVISION III
FINAL
O.C. 783-2024, Div. III.
10. (Omitted).
O.C. 783-2024, s. 10.
REFERENCES
O.C. 783-2024, 2024 G.O. 2, 1758