Bill 64: data security at the heart of HR departments

Bill 64: data security at the heart of HR departments

In companies, a large amount of sensitive information circulates daily. Therefore, the security of this data must be a priority.

That is why HR departments must take their place in the management of personal data, which is, until now, still too often left to IT departments.

Deontologically, HR managers should never forget these four guiding principles:

  • The professional is personally responsible for securing the personal and confidential information entrusted to them.
  • If the professional must share this information, they must ensure that it is necessary, and they must do so with the utmost care.
  • If the professional does not have the necessary expertise, they should seek advice and support from someone else.
  • When the professional identifies a risk to data protection or the maintenance of confidentiality, they should report it to their supervisor and, where appropriate, to their client or to the managers of the organization that uses their services.

These principles are directly related to Bill 64, which intends to advance personal data protection in Quebec.


Bill 64 has been making much noise for several months in Quebec.

It is essential to pay particular attention to this bill, which imposes new obligations on Quebec businesses in particular while significantly increasing the powers of the Commission d'accès à l'information ("CAI").

If adopted, the bill will promote transparency, increase data confidentiality and reinforce user consent.

There is a natural link between the European General Data Protection Regulation (GDPR) and Quebec's Bill 64.

As a reminder, the objective of the RGPD regulation is to harmonize the management of personal data at the European level. The law was passed in 2016 and implemented in 2018. This regulation affects European companies and international organizations managing, in one way or another, European data (customers, branches in Europe...).

Thus, for some Quebec companies, Bill 64, if passed, will only be an addition to changes already implemented with the RGPD.

Indeed, the primary goal of both texts is to reform the obligations of public organizations and private sector companies concerning the protection of personal information.

One of the common aspects of both texts is the concept of the data protection officer.

The data protection officer is the key contact person. They will have the knowledge and skills to evangelize the notion of data protection within the company, on the one hand in terms of awareness, and ensure that the rules are well implemented.

It has become a daily occurrence for companies already doing business in Europe and is one of the aspects of this bill to be closely monitored.

Several recommendations suggest that a member of the company's senior management be chosen for this crucial task. They could then be supported or accompanied by someone in the organization.

It will demonstrate the importance of data privacy as it affects all areas of the organization.


Bill 64 also provides for specific protocols in the event of data incidents or leaks.

First, companies will be required to disclose leaks to affected individuals and notify the Commission d'accès à l'information. The Commission will also be able to impose administrative monetary penalties on violators.

It would ensure that all affected individuals are made aware of a potential leak and allow for post mortems to be conducted to prevent such incidents from happening again.

Of course, to be transparent in case of incidents, it is necessary to recognize when they occur.

That is why we advise companies to think about implementing secure systems that will ensure control over these systems and that the data within these systems is protected.

An HRIS allows, among other things, to centralize and secure a company's data in one place. It also provides data granularity at all times. Thus, teams can identify who has access to specific data and act accordingly!


The Quebec government was the first to introduce its Bill 64 on June 12, 2020.

In November, the federal government followed suit by introducing Bill C-11, the Digital Charter Implementation Act, 2020, which proposes to replace the Personal Information Protection and Electronic Documents Act (PIPEDA) with a new private-sector law.

Once passed, Bill C-11 also proposes granting new rights to individuals, imposing new obligations on organizations, and forcing them to be more transparent. Bill C-11 also proposes giving more extraordinary powers to the Privacy Commissioner of Canada, establishing a new Privacy and Data Protection Tribunal, and imposing substantial penalties for breaches of the law.

A Bill very similar to what is being proposed in the province of Quebec.

The law firm Fasken, which has operations in Canada, the United Kingdom, South Africa and China, provides a table summarizing and comparing the key private sector provisions of the two proposed regimes.