This article explains some of the requirements coming into effect on September 22, 2023 under Quebec’s privacy legislation.
What is Law 25?
Law 25 (or Act 25 or Bill 25 or Loi 25) is a shorthand way of referring to An Act to modernize legislative provisions as regards the protection of personal information, which came into force in September 2022.
The legislation requires private and public sector enterprises in Quebec to take measures to prevent the disclosure of sensitive data and the sale of confidential data as well as data-related breaches.
Why it’s important
By ensuring that you comply with the Act, you can enhance your organization’s reputation and avoid significant penalties for non-compliance.
The legislation applies to data on customers as well as personnel and suppliers.
Examples of personal data
Personal data means any information or data sets that can be used to identify an individual:
- Full name
- Social insurance number
- Driver’s licence number
- ID card number
- Personal email address
- Personal phone number
- Home address
- Birth date
- Credit card number
Examples of sensitive data
Other information is considered sensitive, such as data about an individual’s health status or finances:
- Gender
- Age
- Nationality
- Profession
- Education level
- Postal code
- Religion
- Marital status
- Consumer preferences
- Location
- Other demographic or behavioural data
Appointing a privacy officer
It’s important for your organization to designate a “person in charge of the protection of personal information“ (privacy officer). This requirement has been in effect since September 2022.
If no one has been named privacy officer, the individual with the highest level of authority within the organization is automatically assigned that role by default under the Act.
New requirements starting September 22, 2023
Among the various new measures coming into effect, pay particular attention to the following:
1. Privacy impact assessment (PIA)
In the situations specified in the legislation, it’s your responsibility to assess the privacy impact of the personal data you use. For example, do you share sensitive data outside Quebec?
2. Confidentiality and privacy policy
You’re required to develop and distribute a policy on how you use sensitive data. The policy must be easy to access and understand.
3. Consent
Be sure to find out more about the rules on consent for gathering, disclosing and using data. For instance, you need to obtain explicit consent before saving anyone’s personal data. Individuals must also be able to revoke their consent.
4. Confidentiality breach
In case the rules aren’t followed, you need to establish a procedure for:
- Limiting possible damage
- Informing the Quebec Commission d’accès à l’information and the affected individuals, if applicable
- Keeping a register of incidents
Will you be able to determine when a “confidentiality incident” has occurred in order to report it to the authorities and the individuals concerned?
Further considerations
You will also want to find out about other measures, rules and obligations, such as:
- Destruction and anonymization of data
- Use of personal information
- Disclosure of personal information without the consent of the person concerned
- Information and transparency for citizens
- Disclosure of personal information outside QC
- Collection of personal information concerning a minor
- Disclosure of personal information to facilitate the grieving process
- Right to cease dissemination, reindex or de-index
For a complete list of the rules, you can visit the site of the Quebec Commission d'accès à l'information.
We also recommend that you refer to the convenient guide prepared by the Adviso firm, which specializes in digital transition: Quebec's Law 25: business cases, legal impacts and solutions.
If you have any doubts about data privacy, information access and cybersecurity, it’s always a good idea to consult a legal expert.