Law 25: What are the requirements and how to comply?

The requirements of Law 25

Your business must protect citizens’ personal information. The Privacy Act requires it. Since September 2022, new obligations adapted to today’s technological reality have also enhanced this protection.

The law applies to personal information that your business:

• Collects;
• Holds;
• Used;
• Communicates to third parties

The law applies to personal information, whether its retention is ensured by the company or by a third party. It aims to protect all personal information, whether the nature of its medium or its form is:

• Written;
• Chart;
• Sound;
• Visual;
• Computerized;

For the Privacy Act to apply, it is not necessary that personal information be constituted or kept in a “file” identified in the name of an individual. The obligations of companies revolve around the purpose of the collection

What is Personal Information?

This is information that allows a natural person to be identified, directly or indirectly.

Personal information is confidential. Their confidentiality arises from the right to privacy, allowing any person to exercise control over the use and circulation of their information.

Personal information about an individual is:

• The name
• The title
• Function
• Email, address and telephone number of their place of work;

Public information

Some information that directly identifies individuals is public.

Please note that information concerning the exercise of a function of a person within a company or a public body such as:

• The name
• The title
• Function
• Email, address and telephone number of their place of work;

are public and are not subject to laws protecting personal information. Also note that, in public organizations and ministries, the email address is public:

• Members of the board of directors
• Management staff
• From the deputy minister and his deputies
• Management staff
• Staff members

Steps to comply with Law 25

By September 22, 2022

1. If you are the highest authority in the company and do not want to serve as Privacy Officer, designate someone who can effectively assume this role. For example, it should have the required skills and significant decision-making power;

2. Support the person responsible for the protection of personal information with the necessary resources (human, technical and financial) to ensure the success of your compliance;

3. Take an inventory of the personal information held by your company (or on its behalf by a third party) and assess its sensitivity;

4. Implement measures to prevent or limit the consequences of a confidentiality incident involving personal information;

5. Establish practices that will allow you to react adequately and quickly in the event of a confidentiality incident involving personal information (e.g.: incident response plan and staff directive);

6. If you plan to use a biometric technique (e.g. fingerprint, facial or voice recognition), inform yourself in advance of your obligations in this area.

By September 22, 2023

To establish and implement your governance policies regarding the protection of personal information, you will need in particular:

1. Take inventory of personal information held by your company (or on its behalf by a third party) and assess its sensitivity;

2. Since the inventory of personal information is evolving, it is important to keep it up to date to reflect changes that may have occurred within your company (e.g.: new collection of personal information for a project) and to ensure to adequately plan your actions and respect all your obligations;

3. Specify the roles and responsibilities of staff members involved in the protection of personal information throughout its life cycle.

To respect the new rights of citizens and your new obligations of transparency towards them, you will have to put in place the mechanisms (e.g.: directive, process, form or adapted technological solution) which will allow you in particular:

1. To obtain separate valid consent for each specific purpose in simple and clear terms;

2. To present the request for consent separately from the other information provided if it is in writing;

3. To provide the information required by law to the person whose information is collected;

4. To inform a person when they are the subject of a decision based exclusively on automated processing;

5. To inform a person before using a technology allowing them to be identified, located or profiled and of the means offered to activate these functions;

6. To publish detailed information on your policies and practices on the company’s website or, if it does not have a site, to make this information accessible by any other appropriate means;

7. To publish a privacy policy written in simple and clear terms on your company’s website and disseminate it by any means likely to reach the people concerned if you collect personal information using a technological means such as ‘a website;

8. To process requests and complaints from citizens regarding your management of personal information.

By September 22, 2024

Inform the team responsible for maintaining, updating or developing your computer systems that you have new business needs related to the right to portability of personal information, namely:

1. that your systems make it possible to communicate, upon request from a data subject, computerized personal information collected from them, in a structured and commonly used technological format;

2. that this communication may also be made to a person or body authorized by law to collect the information, at the request of the person concerned.

Make sure you train your staff so that they develop good reflexes when it comes to protecting personal information.

How technology can help businesses comply?

Although law 25 as a whole does not require any particular technology, certain technological solutions can greatly facilitate the compliance process for Quebec businesses.

• Setting up a data management and classification system is a major advantage in terms of efficiency to meet the legal requirements related to the assessment of privacy factors (PIA), i.e. an inventory kept up to date personal information held by the company;
• Set up a portal bringing together all of your policies and procedures as well as consent, destruction request and complaint forms in order to facilitate access for people;
• Integrate a CMP consent management system to meet the requirements of the law regarding services offered to the public through web services.

Law 25 encourages best practices in information security. Businesses can take this moment to review the measures in place and take advantage of the compliance process to assess their cybersecurity posture by:

• Maximize the technological tools in place above all in order to take advantage of their full potential;
• Carry out a risk analysis on your IT and cloud infrastructures;
• Evaluate the structure and processes of identity and permission management;

Integrate detection and control methods to identify anomalies related to personal information or other sensitive company data.