Accueil
Nous joindre
Plan du site
Québec.ca
FAQ
English
Recherche avancée
Lois et règlements codifiés
Lois codifiées
Règlements codifiés
Lois et règlements annuels
Lois annuelles
Règlements annuels
Information complémentaire
L’Éditeur officiel du Québec
Quoi de neuf?
Note d’information
Politique du ministre de la Justice
Lois : Modifications
Lois : Dispositions non en vigueur
Lois : Entrées en vigueur
Lois annuelles : Versions PDF depuis 1996
Règlements : Modifications
Règlements annuels : Versions PDF depuis 1996
Décisions des tribunaux
A-2.1, r. 0.1
- Regulation respecting the anonymization of personal information
Table des matières
Occurrences
0
Version courante
Texte complet
À jour au 30 mai 2024
Ce document a valeur officielle.
chapter
A-2.1, r. 0.1
Regulation respecting the anonymization of personal information
ACCESS TO DOCUMENTS — ANONYMIZATION
Act respecting Access to documents held by public bodies and the Protection of personal information
(chapter A-2.1, s. 155, 1st par., subpar. 6.3)
.
A-2.1
Act respecting the protection of personal information in the private sector
(chapter P-39.1, s. 90, 1st par., subpar. 3.2)
.
P-39.1
05
May
01
1
2024
05
May
30
2024
DIVISION
I
SCOPE AND DEFINITIONS
783-2024
O.C. 783-2024
,
Div.
I
.
1
.
This Regulation applies to all public bodies referred to in section 3 of the Act respecting Access to documents held by public bodies and the Protection of personal information (
chapter A-2.1
), and any person carrying on an enterprise and referred to in the Act respecting the protection of personal information in the private sector (
chapter P-39.1
).
It also applies to professional orders to the extent provided for in the Professional Code (
chapter C-26
).
783-2024
O.C. 783-2024
,
s.
1
.
2
.
In this Regulation,
“
correlation criterion
”
means the inability to connect datasets concerning the same person;
“
individualization criterion
”
means the inability to isolate or distinguish a person within a dataset;
“
inference criterion
”
means the inability to infer personal information from other available information;
“
body
”
means a public body, a person carrying on an enterprise or a professional order to which this Regulation applies.
783-2024
O.C. 783-2024
,
s.
2
.
DIVISION
II
CRITERIA AND TERMS APPLICABLE TO THE ANONYMIZATION OF PERSONAL INFORMATION
783-2024
O.C. 783-2024
,
Div.
II
.
3
.
Before beginning a process of anonymization, a body must establish the purposes for which it intends to use the anonymized information. The body must ensure that those purposes are consistent with section 73 of the Act respecting Access to documents held by public bodies and the Protection of personal information (
chapter A-2.1
) or section 23 of the Act respecting the protection of personal information in the private sector (
chapter P-39.1
), as the case may be.
If a body wishes to use anonymized information for purposes other than those established before beginning the process of anonymization in accordance with the first paragraph, the body must, before using that anonymized information, ensure that those purposes are consistent with, as the case may be, section 73 or section 23.
783-2024
O.C. 783-2024
,
s.
3
.
4
.
The process of anonymization must be carried out under the supervision of a person qualified in the field.
783-2024
O.C. 783-2024
,
s.
4
.
5
.
At the beginning of a process of anonymization, a body must remove from the information it intends to anonymize all personal information that allows the person concerned to be directly identified.
The body must then conduct a preliminary analysis of the re-identification risks considering in particular the individualization criterion, the correlation criterion and the inference criterion, as well as the risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly.
783-2024
O.C. 783-2024
,
s.
5
.
6
.
On the basis of the re-identification risks determined in accordance with the second paragraph of section 5, a body must establish the anonymization techniques to be used, which must be consistent with generally accepted best practices. The body must also establish reasonable protection and security measures to reduce re-identification risks.
783-2024
O.C. 783-2024
,
s.
6
.
7
.
After implementing the anonymization techniques established for the process of anonymization and the protection and security measures in accordance with section 6, a body must conduct an analysis of the re-identification risks.
The results of the analysis must show that it is, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly.
For the purposes of the second paragraph, it is not necessary to demonstrate that zero risk exists. However, taking into account the following elements, the results of the analysis must show that the residual risks of re-identification are very low:
(
1
)
the circumstances related to the anonymization of personal information, in particular the purposes for which the body intends to use the anonymized information;
(
2
)
the nature of the information;
(
3
)
the individualization criterion, the correlation criterion and the inference criterion;
(
4
)
the risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly; and
(
5
)
the measures required to re-identify the persons, taking into account the efforts, resources and expertise required to implement those measures.
783-2024
O.C. 783-2024
,
s.
7
.
8
.
A body must periodically assess the information it has anonymized to ensure that it remains anonymized. For that purpose, the body must update the latest re-identification risk analysis it conducted. The update must consider, in particular, technological advancements that may contribute to the re-identification of a person.
The results of the analysis update must be consistent with the second paragraph of section 7. If they are not, the information is no longer considered anonymized.
For the purposes of the first paragraph, the intervals at which a body must conduct information assessments are determined according to the residual risks identified in the latest re-identification risk analysis conducted by the body and the elements provided in the third paragraph of section 7.
783-2024
O.C. 783-2024
,
s.
8
.
In force: 2025-01-01
9
.
A body that anonymizes personal information must record the following information in a register:
(
1
)
a description of the personal information that has been anonymized;
(
2
)
the purposes for which the body intends to use anonymized information;
(
3
)
the anonymization techniques used and the protection and security measures established in accordance with section 6; and
(
4
)
the date on which the re-identification risk analysis conducted in accordance with section 7 was completed and, as the case may be, the date on which the update of the analysis conducted in accordance with section 8 was completed.
783-2024
O.C. 783-2024
,
s.
9
.
DIVISION
III
FINAL
783-2024
O.C. 783-2024
,
Div.
III
.
10
.
(Omitted).
783-2024
O.C. 783-2024
,
s.
10
.
REFERENCES
O.C. 783-2024, 2024 G.O. 2, 1758
Copier
Sélectionner cet élément
Sélectionner l'élément parent
Désélectionner tous les éléments
Copier vers Rédaction
Copier vers LAW
Copier vers le presse-papier
×
Pour copier : Ctrl+C
0
Nous joindre
Plan du site
Québec.ca
Accessibilité
Politique de confidentialité
© Gouvernement du Québec
Sélections
×
Afficher
Les sélections du document courant
Toutes les sélections de la collection
Fragments sélectionnés
Supprimer toutes les sélections
Afficher les sélections
Cyberlex
×
Version 2.2.0.3