Rights and Governments

The Protection of Your Personal Information


Personal information circulates rapidly in today’s “digital” world. But that doesn’t mean you’ve lost control of your private life! Public bodies and enterprises must respect certain rules to protect your personal information. You can also take certain actions to control the use of this information.

What is “personal information”?  

Personal information has a broad definition. It’s information that makes it possible to identify you, directly or indirectly. This information often pertains to your family and social situation, health, finances, and work. Here are some examples:

  • family name and given name
  • residential address
  • personal email address
  • telephone number
  • age
  • marital status
  • driver’s licence number
  • area of studies
  • education level
  • sexual orientation
  • political opinions
  • religious beliefs
  • nationality

We provide personal information, online or in person, in many everyday situations. For example:

  • You start a new job and you have to give your social insurance number to your employer.
  • You order a product online, and you have to provide your residential address for delivery.
  • You apply for a government benefit, and you provide many types of information to identify yourself and describe your personal situation.

Sensitive information

Some personal information is “sensitive” because it is generally considered very private. For example, medical information and biometrics (fingerprints, voice signature, DNA, etc.) are sensitive information. You should be very careful when sharing such info.

Public bodies and enterprises must protect your personal information

Quebec law obliges public bodies and enterprises to protect your personal information. The term “Enterprise” includes, for example, sole proprietorships and business corporations. It can also include non-profit organizations (NPOs). Public bodies include:

  • government departments
  • municipalities
  • school service centres, and
  • health and social service establishments

Important! Federal organizations and enterprises under federal jurisdiction (for example, banks and airlines) may be governed by legislation other than that discussed in this article to protect your personal information. For more information, you can contact the Office of the Privacy Commissioner of Canada.

Responsibilities of organizations

Public bodies and enterprises have responsibilities during the whole “life cycle” of your personal information. This cycle begins when the organization collects the information and ends when it destroys the information.

These responsibilities include:

  • The organization must have serious and legitimate reasons for requesting the personal information and must collect only the information necessary to accomplish its objectives.
  • In principle, the organization must obtain your consent to use and share your personal information. If it is sensitive information, your consent must be explicit and leave no doubt as to your wishes.
  • The organization must inform you of the rules governing the management of your personal information. These rules are often set out in a privacy policy or a policy concerning the protection of personal information, accessible on the organization’s website.
  • The organization must designate a person to be responsible for the protection of personal information. This person is responsible for receiving requests and complaints regarding personal information.
  • The organization must adopt security measures to protect your personal information against loss or theft.  

Breaches of confidentiality

Even when organizations take precautions, breaches of confidentiality may occur, for example:

  • sending an email to the wrong person
  • loss of data due to a cyberattack
  • losing a digital device, such as a USB key that is not password-protected

If the breach may cause you serious harm (for example, identity theft), the organization must, in principle, inform you and the Commission d’accès à l’information du Québec (access to information commission).

The organization must also take reasonable measures to prevent future breaches and minimize the risk of harming people’s private lives.

Automated decisions

An organization must warn you when an automated decision is made based on your personal information. An automated decision is one that is made without human intervention. For example, your information is entered into a computer system that determines whether or not you are eligible for insurance coverage.

If you request it, the organization must also tell you which information was considered and the reasons for the decision.

You can ask the organization to correct the personal information used to make the decision. You can also ask the organization to review the decision. The organization must give you an opportunity to present your observations to a staff member who is authorized to review the decision.

For more information on the obligations of organizations, visit the website of the Commission (French only).

Controlling your personal information

Fraud, identity theft, phishing … there are all types of threats out there! It’s important to protect your personal information and your privacy. Here are some examples of actions you can take to control your personal information:

  • Be careful about sharing your personal information, especially sensitive information.
  • Ask whether the information being collected is really necessary. For example, just because you are asked for your social insurance number does not necessarily mean you must provide it.
  • Before agreeing to share your information, make sure you know why it’s being collected, how it will be used, and with whom it will be shared. To obtain this information you can:
    • read the privacy policy or the protection of personal information policy of the organization in question
    • ask questions to the person responsible for the protection of personal information at the organization.
      • To find the relevant person in a public body, consult this repertoire (in French only), drawn up by the Commission.  
      • For private organizations, the contact information of the person responsible should be on the organization’s website.  

You have rights and recourses

You can contact the person responsible for the protection of personal information at an organization to

  • consult the personal information about you held by the organization,
  • correct your personal information or update it,
  • withdraw your consent to the use of your personal information, or
  • make a complaint.

To learn more about your rights and recourses regarding personal information, see our article on the topic as well as the website of the Commission (French only).