Quebec: Health and Pharma Overview


1. Governing Texts

In Quebec, public bodies and private organisations operating in the health or pharmaceutical field are subject to the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c A-2.1 ('the Access Act') and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 ('the Private Sector Act'), respectively, with regard to the protection of personal data. 

It should be noted that several of the statutes detailed below, but primarily the Access Act and the Private Sector Act, are covered by Quebec's Act to Modernize Legislative Provisions Respecting the Protection of Personal Information ('Act 25', formerly known as 'Bill 64'). Act 25 received royal assent on 22 September 2021, resulting in significant changes to various laws in order to modernise the regulatory framework for the protection of personal data in Quebec. Act 25's provisions are set to take effect over a three-year period.

Public bodies and private organisations may also be subject to specific laws governing certain aspects of their practice or specifying the rights and obligations to be implemented. In this Guidance Note, we will refer to several of these laws in order to illustrate the requirements to be taken into account in the health and pharmaceutical sectors. 

It should be noted that at the federal level and in the other Canadian provinces, there are legal provisions applicable to the health and pharmaceutical sectors in addition to the general laws on the protection of personal information. The focus of this Guidance Note is on Quebec. 

1.1. Legislation

In Quebec, both the Access Act and the Private Sector Act apply to the health and pharmaceutical sectors. 

The Access Act regulates the collection, use, and disclosure of personal information by public bodies and provides individuals with a right to access their personal information. The Private Sector Act regulates the collection, use, and disclosure of personal information by private organisations (referred to as 'enterprises'). 

Consideration should also be given to, among others, the following:

  • The Civil Code of Quebec, which sets out the rules relating to the integrity of the person and, more specifically, those relating to the consent of persons to care, to participation in research or to the alienation of a part of the body, depending on whether they are minors, 14 years of age or older, or unfit adults (Sections 11 to 25). 
  • The Act Respecting Health Services And Social Services ('the HSSS'), which is aimed in particular at coordinating, monitoring, and regulating health and social services, while providing for specific rules regarding access to the user's file (Sections 17 to 28). 
  • The Pharmacy Act, which specifies the rules relating to the registration and practice of pharmacies.
  • The Act Respecting the Sharing of Certain Health Information, the purpose of which is to implement informational assets allowing the sharing of health information deemed essential to front-line services and the continuum of care, in order to improve the quality and safety of health and social services, as well as access to such services. The purpose of this Act is also to improve the quality, efficiency, and performance of the Quebec health system by allowing the management and controlled use of health and social information. 
  • The Medical Act, which specifies the rules relating to the registration and practice of medicine.
  • The Professional Code and, in particular, the Code of Ethics of Pharmacists.
  • The Act to Establish a Legal Framework for Information Technology ('the Quebec Information Technology Act'), which specifies the rules aimed at maintaining the integrity of a document, and databases, throughout its life cycle. This Act also specifies the requirements for the creation of a bank of biometric characteristics or measurements (Sections 44 and 45). 

1.2. Supervisory authorities

The Quebec Commission on Access to Information ('CAI') is responsible for overseeing the application of the Access Act and the Private Sector Act. It may also have to take into consideration certain specific laws regarding the protection of personal data. 

In addition, the Minister of Health and Social Services ('MSSS') and the professional orders are responsible for ensuring that the provisions applicable are respected.

1.3. Guidelines

The CAI publishes various factsheets and guidelines, mostly in French, relating to the protection of personal data, such as: 

It is also possible to consult relevant publications available on the websites of the MSSS, the Order of Pharmacists of Quebec, and the Quebec Health Insurance Board ('RAMQ'). 

Another useful resource is the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans ('the TCPS'), generated by the Canadian Institutes of Health Research, the Natural Sciences and Engineering Research Council of Canada, and the Social Sciences and Humanities Research Council of Canada. The purpose of the TCPS is to promote the ethical conduct of research involving humans to the Canadian public.

1.4. Definitions

Biobank: 'Biobank' is not defined under Quebec laws. However, the Quebec Board of the French Language defines it as 'an orderly and searchable collection of human biological samples and associated clinical data collected from voluntary participants for therapeutic or research purposes'. Moreover, the TCPS defines a 'biobank' as 'a collection of human biological materials. A biobank may also contain information about the individuals from whom the biological materials were collected.'

Biometric data: 'Biometric data' is not defined under Quebec privacy laws. However, the Quebec Information Technology Act regulates the collection, use, and disclosure of 'biometric characteristics or measurements'.

Consent: 'Consent' is defined as having to be manifest, free, enlightened, given for specific purposes and valid only for the length of time needed to achieve the purposes for which it was requested. Consent must be expressly given whenever it concerns sensitive, biometric, or otherwise intimate personal information. Consent to the processing of a child's personal information must be given by the person having parental authority or their tutor. When a minor is 14 years of age or over, consent is given by the minor or by the person having parental authority or their tutor.

Health data: 'Health data' is not defined under Quebec privacy laws.

Personal data: 'Personal information' is defined as information which relates to a natural person and allows that person to be identified, directly or indirectly.

Research: 'Research' is not defined under Quebec laws.

Sensitive data: Personal information is deemed sensitive if, due to its nature or the context of its use or release, it entails a high level of reasonable expectation of privacy. Sensitive information requires express consent and must be safeguarded by a higher level of protection.

2. Clinical Research and Clinical Trials

2.1. Data collection and retention

The research may involve any type of personal information, including human biological material and genetic material. 

2.2. Consent

Research involving human subjects

When research involves human subjects, individuals who participate in such research 'should do so voluntarily, understanding the purpose of the research, and its risks and potential benefits, as fully as reasonably possible' (Chapter 3: The Consent Process of the TCPS). They must also express their consent. 

As such, the Civil Code of Quebec states that:

  • 'a person of full age who is capable of giving his consent may participate in research that could interfere with the integrity of his person provided that the risk incurred is not disproportionate to the benefit that can reasonably be anticipated. […]' (Article 20 of the Civil Code of Quebec); 
  • 'a minor or a person of full age who is incapable of giving consent may participate in research that could interfere with the integrity of his person only if the risk incurred, taking into account his state of health and personal condition, is not disproportionate to the benefit that may reasonably be anticipated. Moreover, a minor or a person of full age incapable of giving consent may participate in such research only if, where he is the only subject of the research, it has the potential to produce benefit to his health or only if, in the case of research on a group, it has the potential to produce results capable of conferring benefit to other persons in the same age category or having the same disease or handicap. In all cases, a minor or a person of full age incapable of giving consent may not participate in such research where he understands the nature and consequences of the research and objects to participating in it. […]' (Article 21 of the Civil Code of Quebec);
  • 'consent to research that could interfere with the integrity: 
    • of a minor may be given by the person having parental authority or the tutor. A minor 14 years of age or over, however, may give consent alone if, in the opinion of the competent research ethics committee, the research involves only minimal risk and the circumstances justify it.
    • of a person of full age incapable of giving consent may be given by the mandatary, tutor or curator. However, where such a person of full age is not so represented and the research involves only minimal risk, consent may be given by the person qualified to consent to any care required by the state of health of the person of full age. Consent may also be given by such a qualified person where a person of full age suddenly becomes incapable of giving consent and the research, insofar as it must be undertaken promptly after the appearance of the condition giving rise to it, does not permit, for lack of time, the designation of a legal representative for the person of full age. In both cases, it is incumbent upon the competent research ethics committee to determine, when evaluating the research project, whether it meets the prescribed requirements.' (Article 21 of the Civil Code of Quebec).  

Consent must be given in writing, except in special circumstances approved by the research ethics board. It must be free and informed, given for specific purposes, and valid only for the time necessary for the research. It may be withdrawn at any time, even verbally (Article 24 of the Civil Code of Quebec, and Act 25). 

According to the TCPS, the information generally required for informed consent includes (Chapter 3: The Consent Process of the TCPS):

  • information that the individual is being invited to participate in a research project;
  • a statement of the research purpose in plain language, the identity of the researcher, the identity of the funder or sponsor, the expected duration and nature of participation, a description of research procedures, and an explanation of the responsibilities of the participant;
  • a plain language description of all reasonably foreseeable risks and potential benefits, both to the participants and in general, that may arise from research participation;
  • an assurance that prospective participants:
    • are under no obligation to participate and are free to withdraw at any time without prejudice to pre-existing entitlements;
    • will be given, in a timely manner throughout the course of the research project, information that is relevant to their decision to continue or withdraw from participation; and
    • will be given information on their right to request the withdrawal of data or human biological materials, including any limitations on the feasibility of that withdrawal - in fact, in some research projects, the withdrawal of data or human biological materials may not be possible (e.g., when personal information has been anonymised and added to a data pool), and participants must be informed that it is impracticable, if not impossible, to withdraw results once they have been published or otherwise disseminated;
  • information concerning the possibility of commercialisation of research findings, and the presence of any real, potential or perceived conflicts of interest on the part of the researchers, their institutions or the research sponsors;
  • the measures to be undertaken for dissemination of research results and whether participants will be identified directly or indirectly;
  • the identity and contact information of a qualified designated representative who can explain scientific or scholarly aspects of the research to participants;
  • the identity and contact information of the appropriate individual(s) outside the research team whom participants may contact regarding possible ethical issues in the research;
  • an indication of: 
    • what information will be collected about participants and for what purposes; 
    • who will have access to information collected about the identity of participants; 
    • how confidentiality will be protected; 
    • the anticipated uses of data; and 
    • who may have a duty to disclose information collected, and to whom such disclosures could be made;
  • information about any payments, including incentives for participants, reimbursement for participation-related expenses and compensation for injury;
  • a statement to the effect that, by consenting, participants have not waived any rights to legal recourse in the event of research-related harm; and
  • in clinical trials, information on stopping rules and when researchers may remove participants from trial. 

Research not involving human subjects

When research does not involve human subjects, but involves access to personal information held by public bodies or enterprises without the consent of the individual concerned, mechanisms are in place to ensure the protection of that personal information.

2.3. Data obtained from third parties

When a researcher needs to collect personal information held by public bodies or enterprises without the consent of the individual concerned, they must comply with the requirements of the research ethics boards and of the director of professional services of an institution, and apply for access.

Under Act 25, in order to disclose and use personal information for statistical study, research, or production purposes, without the consent of the individual, it is necessary to: 

  • conduct a privacy impact assessment; 
  • file a written request;
  • attach the research protocol and, if applicable, the decision of the researcher's research ethics board;
  • state, among other things, that the purpose of the research can only be achieved if the information is disclosed in identifiable form, that it is unreasonable to require consent, that the purpose of the research outweighs the impact of the disclosure and use of the information on the privacy of the individuals involved, and that the information will be used in a manner that ensures confidentiality; and 
  • enter into an agreement to be forwarded to CAI, which will be effective within 30 days of receipt. 

This agreement must stipulate, among other things, that the information: 

  • may be made accessible only to persons who need to know it to exercise their functions and who have signed a confidentiality agreement;
  • may not be used for purposes other than those specified in the research protocol;
  • may not be cross-matched with any other information file that has not been provided for in the research protocol; and
  • may not be released, published, or otherwise distributed in a form allowing the persons concerned to be identified.

The agreement must also:

  • specify the information that must be provided to the persons concerned if personal information concerning them is used to contact them to participate in the study or research;
  • provide for measures for ensuring the protection of the personal information;
  • determine a preservation period for the personal information;
  • set out the obligation to notify the public body of the destruction of the personal information; and
  • provide that the public body and the CAI must be informed without delay of:
    • non-compliance with any condition set out in the agreement;
    • any failure to comply with the protection measures provided for in the agreement; and
    • any event that could breach the confidentiality of the information. 

The Act respecting the Institut de la Statistique du Québec ('the SQ Act') must also be taken into consideration. Indeed, one of the Quebec Statistical Institute's ('ISQ') roles is to ensure that researchers attached to a public body have better access, for research purposes, to information held by public bodies (see the ISQ Research Data Access Services).

3. Pharmacovigilance

When a health product, drug or medical device produces an adverse reaction, a Side Effect Reporting Form is submitted to Health Canada's Canada Vigilance Program. Consumers and health professionals can submit this form on a voluntary basis, while manufacturers and distributors are required to do so under the Food and Drugs Act, RSC 1985, c. F-27.

The form contains, among other things, personal information about the affected person, the reporter, the side effects, and the suspected health product.  

The form states that the information is collected in accordance with the Department of Health Act, SC 1996, c. 8 for the purpose of monitoring licensed products, detecting potential emerging safety issues and trends, mitigating the risks and improving the safe use and efficacy of the health products. It is also stated that information relating to the identity of the patient and/or reporter will be protected as personal information under privacy legislation.

4. Biobanking

There are no specific laws governing biobanks in Quebec. Therefore, the requirements contained in the Access Act and the Private Sector Act, but also in the Civil Code of Quebec, the HSSS and the Quebec Information Technology Act apply, such as: 

  • appointment of a person responsible for the protection of personal data; 
  • assessment of privacy risks; 
  • consent of the persons concerned; 
  • purpose of collection and use; 
  • communication; 
  • security; 
  • declaration of confidentiality incidents; and 
  • rights of the persons concerned.

5. Data Management

The management of the data requires certain principles to be respected, such as: accountability, identifying purposes, limiting collection, consent and information of the person concerned, limiting use, disclosure and retention, accuracy, safeguards and confidentiality, individual access and response to request.

6. Outsourcing

An organisation is responsible for the protection of the personal information in its custody, including information transferred to a third party for processing.

When personal information is transferred by the organisation to a third party to 'carry out a mandate or perform a contract of enterprise or for services entrusted to that person or body' (hereinafter referred to as a 'third-party processor'), the organisation must:

  • entrust the mandate or contract in writing; and
  • specify the measures that must be taken to protect the confidentiality of the personal information, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the information is not kept after the expiry of the mandate or contract.

The third-party processor must notify the organisation's privacy officer without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information disclosed, and must also allow the organisation's privacy officer to conduct any verification relating to confidentiality requirements.

7. Data Transfers

Before disclosing personal information outside of Quebec, an organisation must conduct an assessment of privacy-related factors, taking into account:

  • the sensitivity of the information;
  • the purposes for which it is used;
  • the protection measures that would apply to it, including contractual measures; and
  • the legal framework applicable in the state in which the information would be disclosed, including the legal framework's degree of adequacy with Quebec's privacy laws.

The information may only be transferred outside of Quebec if the assessment establishes that it would receive an adequate level of protection.

The disclosure of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.

While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information could be disclosed outside of Quebec.

8. Breach Notification

There is a general obligation for data breach notification (referred to as a 'confidentiality incident') in Quebec. The term 'confidentiality incident' refers to:

  • unauthorised access, use, or disclosure of personal information; and
  • loss of personal information or any other breach in the protection of that information.

When there is reason to believe that a confidentiality incident has occurred, the organisation must take reasonable steps to reduce the risk of injury and to prevent new incidents of the same nature.

In the event of an incident involving a risk of serious injury, the organisation must notify the CAI, as well as any person whose personal information is concerned by the incident (unless doing so would hamper an investigation conducted by a person or body responsible by law for the prevention, detection, or repression of crime or statutory offence). The organisation may also notify any person or body that could reduce the risk, by disclosing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the disclosure of the information.

In assessing the risk of injury, the following factors must be considered:

  • the sensitivity of the information;
  • the anticipated consequences of its use; and
  • the likelihood that it will be used for injurious purposes.

9. Data Subject Rights

Organisations must respect the rights provided for under the Private Sector Act, under which individuals have a right to:

  • obtain access to their personal information held by organisations; 
  • rectify any inaccurate, incomplete, or equivocal information;
  • require organisations to: 
    • cease disseminating personal information about them;
    • de-index any hyperlink that provides access to that information, if the dissemination contravenes the law or a court order; and
    • re-index any hyperlink that provides access to that information.
  • submit complaints to organisations, to withdraw consent (subject to some limitations), and to file complaints with the CAI;
  • request a copy of computerised personal information in the form of a written and intelligible transcript; and
  • be informed if an organisation uses personal information to render a decision based exclusively on an automated processing of such information.

It should be noted that the HSSS provides for a specific regime regarding access to user files (see Sections 17 to 28 of the HSSS).

10. Penalties

The CAI has the power to impose monetary administrative penalties and to issue fines for penal offences.

The Private Sector Act provides for the imposition of monetary administrative penalties on organisations for the following reasons:

  • failure to adequately inform the individuals;
  • unlawful collection, use, disclosure, keeping, or destruction of personal information;
  • failure to report a confidentiality incident;
  • failure to take the security measures necessary to ensure the protection of the personal information; and
  • failure to inform individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations.

The maximum amount of the monetary administrative penalty is CAD 50,000 (approx. €36,450) (for individuals) and CAD 10 million (approx. €7,299,650) (for businesses) or, if greater, 2% of worldwide turnover for the preceding year.

Under Act 25, businesses can acknowledge their failure to comply with applicable legal requirements and enter into an undertaking with the CAI to remedy the contravention or mitigate its consequences. Where such an undertaking is accepted by the CAI and is respected, the business cannot be subject to a monetary administrative penalty with respect to the acts or omissions covered by the undertaking.

Moreover, the Private Sector Act provides that where individuals have suffered an injury resulting from the unlawful infringement of a right conferred by it or by Sections 35 to 40 of the Quebec Civil Code, and the infringement is intentional or results from a gross fault, the court will also award punitive damages of at least CAD 1,000 (approx. €730).

11. Other Areas of Interest

Not applicable. 

Cynthia Chassigneux Partner
Caroline Deschenes Partner
Langlois Lawyers, Montréal
