What exactly is Law 25? This law, which came into effect on September 22, 2022, aims to protect the personal information of Quebec residents. Quebec-based private companies will be subject to obligations such as transparency, consent, and disclosure! This law will be implemented over a three-year period, from September 2022 to September 2024, and for each year, additional measures will be added to the existing ones. Here’s a quick guide to help you understand what needs to be implemented before the deadlines. But for now, don’t worry, it’s not too late!
What to implement since September 2022
Companies already had obligations to comply with regarding the protection of personal information. Since September 22, 2022, the following task has been added to the list:
- Designation of a privacy protection officer and publication of their contact information and title on the company’s website.
The choice of the designated person is straightforward; it’s the person with the highest authority in the organization who holds this role. However, they can delegate this role to someone internal or external to the organization. Both will have the same decision-making power. The privacy protection officer will have new responsibilities:
- Training and raising awareness within the company about personal information,
- Maintaining a register in the event of an incident (in french only), managing it, and taking prompt measures to reduce the risk. The points that should be included in your register are, for example: the date and location of the incident, the circumstances, the personal information involved, the number of people affected by the incident, the severity level of the incident, and the measures taken by the company after the incident (feel free to add more information, the more details, the better!). In the event of an incident, the Access to Information Commission and the individuals concerned must be notified of any incident presenting a serious risk,
- Disclosing to the Commission any verification or compliance with identity performed using biometric features or measures,
- Any verification or compliance with identity performed using biometric measures or features must be disclosed to the Commission,
- Observing the new guidelines concerning the communication of personal information without the prior consent of the individuals concerned, in the context of a commercial transaction or for the purposes of studies, research, or statistical production.
Public agencies, on the other hand, must comply with the above responsibilities and also form a committee on access to information and the protection of personal information.
What to implement by September 22, 2023
New measures will come into effect on September 22, 2023, and one of the most significant changes is the requirement to obtain consent from individuals before collecting, using, or disclosing their personal information. To do this, the creation of a consent form (separate from the general terms of sale or use) will be required. This form must clearly state the purposes for which the information is being collected. Everything should be stated clearly to ensure transparency. The right to withdraw consent must be indicated, along with:
- The possibility that information may be transmitted outside Quebec,
- The means of collection.
In addition, the following points must also be explained:
- For each purpose for which information is collected, consent must be sought,
- The name of each party for which information is collected must be clearly indicated,
- The name of any third party to whom it is necessary to transmit the information for the stated purposes.
Privacy Policy
The privacy policy must be written in clear and simple terms. Law 25 requires the following points to be included in the policy:
- Roles and responsibilities of the members of the team related to information,
- The process for handling complaints related to data protection,
- Rules for retention, destruction, and anonymization of personal information,
- Measures taken to protect personal information.
Of course, these terms must be posted on the company’s website. Take the opportunity to update your existing policies!
Governance with respect to personal information
The Law requires a public agency to establish rules governing governance with respect to personal information; these rules must then be published on the organization’s website.
The policies must address the following elements:
- Establishment of a framework for the protection of information and monitoring,
- Rules for retention, destruction, and anonymization of personal information,
- Implementation of protective measures for personal information,
- Process for handling complaints related to data protection,
- Roles and responsibilities of team members related to information,
- Assessment and verification of each party with access to information.
Anonymization or destruction of personal information
It will now be mandatory to destroy any information when the entire collection has been completed. If, for legal reasons, the information must be retained, the organization must anonymize it. Anonymization of data and the retention period are also part of the new measures to be implemented.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) must be conducted when one of the following situations occurs:
Before disclosing personal information outside Quebec,
- When obtaining, developing, or revising an information system,
- Before providing electronic services using personal information.
What to implement by September 2024
Don’t wait until the last minute; get a head start!
There’s only one thing to implement for 2024; the right to data portability. Every organization will be required to provide the individual concerned with the information they hold about them, upon request. In addition, they must also transmit the information to an authorized organization if the individual requests it.
This law contains many criteria, and this article aims to provide general information. To learn more or to receive assistance with Law 25, contact us; we can help you put everything in place before the important dates.
