On April 4, 2023, Bill 3, An Act respecting health and social services information and amending various legislative provisions, received Royal Assent making it Québec’s first comprehensive health privacy legislation. Bill 3, which will come into force on a date set by governmental decree, is modelled on the personal health information laws of other Canadian provinces, most notably Ontario’s Personal Health Information Protection Act. However, Bill 3 contains several unique requirements that are directly inspired by Bill 641, Québec’s recent privacy reform that makes the province one of the most stringent jurisdictions in terms of data protection across the globe.
Bill 3 establishes a specific framework for the processing of health and social services information (health information) that applies to every health and social services body (health body) that manages such information. The notion of health information is defined as any information that allows a person to be identified, even indirectly, and that has any of the following characteristics:
- It concerns the person’s physical or mental health state;
- It concerns any material taken from the person in the context of an assessment or treatment, or any implants, braces, prostheses or other aids that compensate for a disability; and
- it concerns the health services or social services provided to the person.
In addition, any personal information that appears in a file along with health information is considered health information. Bill 3 applies to health institutions and to various public bodies involved in the health sector. Bill 3 also applies to private organizations that provide health and social services such as private clinics, pharmacies, medical laboratories, palliative care hospices and private seniors’ residences. Bill 3 also applies to a service provider that processes health information on behalf of a health body.
Bill 3 introduces numerous new legal obligations, many of which mirror what is found in Bill 64, including mandatory breach notification, privacy officer designation, privacy impact assessments for new projects, products and services and for transfers of health information outside of Québec and restrictions on the use of identification, localization and profiling technologies, mobile and web applications and automated decision-making systems. Most notably, Bill 3 provides that health information cannot be processed without the individual’s express consent unless authorized by law. Bill 3 also requires health bodies to log all uses of health information by their staff and to ensure that certain technological products or services are certified by the government
One of the main goals of Bill 3 is to improve the quality of the services offered to the population by enabling easier access to health data for research purposes. Bill 3 provides that a designated public body will act as a research access centre that will be responsible for processing access requests from researchers. These requests will need to be supported with a detailed presentation of the research activities, a privacy impact assessment and a research ethics committee’s decision. The processing of health data by researchers will be governed by an agreement with the research access centre prescribing various measures to protect health information.
1 An Act to modernize legislative provisions as regards the protection of personal information. Also known as “Law 25”.