It’s February: Time to Implement a Security Freeze on Your Credit?

The province of Québec adopted the Credit Assessment Agents Act a while back, so as to better protect consumers against the practices of credit agencies such a Equifax. When that particular law came into effect, however, the legislator opted to wait before implementing one particular section dealing with what is generally referred to as a “security freeze”.

Good news on that front: since February 1st 2023, Section 8 of the act is now in force, thereby providing Quebecers who wish to do so with the possibility of effecting a credit freeze. As described in the act, a  security freeze prohibits any credit agency (you know, those which hold your credit report and give you a credit score) from communicating your personal information and your credit report when the information was requested by a business claiming that it needs it to provide you with credit.

When such a freeze is in place, for example, a bank will simply be told by the credit bureau it can’t disclose your credit report as you have previously elected to implement a security freeze. In the normal course of things, the bank will then have to have a talk with you or whoever is impersonating you) about this, thereby stopping the attempt to open credit facilities in your name.

Of course, if you’re shopping around of a new credit card, this may prove an inconvenience for you but if you’re not in the process of hoping to secure more credit in the foreseeable future, this is definitely something you may want to think about doing.

Contrary to some subscription services offered by credit agencies, a security freeze must be available to Quebecers FREE OF CHARGE. Though I’m sure implementing one requires jumping through hoops, it may be worthwhile to avoid the eventual headache of having to deal with identity theft! By the way, so far, the act at issue applies to Equifax and Trans-Union, so you will have to contact both these entities to see about implementing a freeze for yourself.

Why You Should Start with an Inventory of Your Business’ Personal Information

As everyone knows by now, privacy-related legislation is now such in Canada that pretty much every organization should take heed and start doing its homework on that front. Complying with privacy law is no longer something only multinationals should do, SMB/SMEs should now do it too.

Though it may seem tempting to jump right into what privacy legislation prohibits and mandates, this is not the first step you should take. A preliminary (but necessary) step is to stop and think about what the organization really does with personal information and how -in detail. Though this exercise may involve expending resources, it should be done, at least if you’re serious about the process.

Indeed, the first order of business when undertaking this process, should be to take inventory of what personal information is collected by the organization, the whole organization, including as to employees, clients, customers (potential and actual), etc. When doing this, it is worthwhile to try and understand how this data comes in, through what processes, tools, partners, etc.

Along with knowing how we go about collecting information, we should strive to inventory the whole of personal information which the organization ends-up having in store, and the system(s) used to collect and store it.

Once we know what information the organization has access to, it will then be important to chart and document what we do with each piece of information, including how we use it, where we send it, who we communicate it to, etc. Though time-consuming, this will later allow us to assess what we need to do to remain compliant with privacy legislation.

All this preliminary work should normally result in providing us with a clear picture of the extent to which personal information is relevant to the organization and what we need to manage moving forward. Equipped with an understanding of what the organization does, we can then start determining whether we are complying with privacy rules as to each instance of collection, of use and of communication and, if not, what remedial steps must be taken.

Though it may prove tempting for many small organizations to start looking at the requirements of privacy legislation right away, without making an adequate inventory, this is definitely not the way to go. If you want to things properly and end-up knowing reasonably well that you do comply with privacy legislation, a modicum of preparatory work is required, including adequately taking stock of what your organization actually does with personal information, throughout.

Though it may feel like spinning your wheels at first, it will pay off in the long run, as it will then allow a proper analysis of your privacy practices and adequate recommendations as to go about thing, moving forward.

Canada One Step Closer to Adopting C-27 and IA-specific Legislation

The Canadian government reiterated last week that we’re collectively moving forward with the revamp of the country’s federal privacy legislation, including an offshoot meant to curb (better control, some would say) rampant and unrestricted adoption of artificial intelligence (“AI”) throughout. At the same time, the bill at issue (named C-27) moved to the second reading stage, bringing us one step closer to a formal adoption of this piece of legislation.

Bill C-27 will reinforce personal information protection throughout Canada but updating a law that is now more than 20 years old and, many would say, quite outdated. The new version of the personal information protection statute at issue will include provisions meant to generally empower individuals in a way that allows them to exercise control over their data, something the current version of the legislation has largely failed to do. Though it’s not quite GDPR, many see this new version of the Canadian privacy legislation as a much needed shot in the arm for our federal privacy regime.

At the same time, this project will likely also include Canada adopting a whole new statute meant to better control the use of AI (e.,g. by businesses), including new rules to try and minimize scenarios where AI is implemented in a way that is incompatible with personal rights and freedoms as well as Canadian values.

The Canadian government clearly says it intends to move forward with all of these. Now, it’s mostly a question of going through the rest of the legislative process, but there’s little doubt that this thing will become law before long. Stay tuned.