As of September 22, 2024, organizations established in Québec or that do business with individuals living in the province must comply with all provisions of the Act respecting the protection of personal information (Bill 25).
What is the Act respecting the protection of personal information?
Also called Bill 25, the act provides a stricter framework for the gathering, use, sharing, preservation and destruction of personal information. It has various provisions, including the obligation to manage personal information through policies and procedures. Organizations must publish detailed information about said policies and procedures and ensure they have informed consent when obtaining personal information and for its intended uses.
If your business holds personal information outside of Quebec or wishes to update your data management/storage system, you must assess your privacy risks and ensure proper controls are in place to maintain compliance with Bill 25.
Here are some of the measures your organization should have implemented as of September 2024:
- Naming a Privacy Officer or creating an equivalent position
- Adopting specific measures for the use of privacy impact assessments
- Formalizing privacy policies and requirements for in-house data protection methods
- Providing a framework for privacy incident reporting
- Ensuring greater transparency regarding consent and the collection of personal information
- Applying privacy principles to technology and systems
Non-compliant organizations face penalties of up to 25 million dollars or 4 percent of their worldwide turnover.
What is personal information?
Section 2 of Bill 25 defines personal information as “any information which relates to a natural person and directly or indirectly allows that person to be identified.”
Who must comply with Bill 25?
Any business with operations in Quebec that manages personal information, regardless of its size or the industry in which it operates.
What best practices should be adopted in the context of Bill 25?
Compiling a personal information inventory: Once you have a thorough description of the personal information you have and use, ask yourself: “Is this information useful and relevant for our business activities?”
If your answer is no, consider the possibility of no longer collecting the information and of destroying it. The more personal information you have, the greater your risk exposure.
Accessing personal information: Is the information you hold well protected? Once you’ve completed your inventory, ask: “Is the physical (filing cabinet, office, etc.) and digital (IT system access, etc.) security of the personal information I hold adequate?”
Business culture: Training is essential. You must promote awareness about Bill 25’s various aspects, so that your employees can identify personal information and privacy incidents.
- Privacy incident – example #1: Your office receives a resume that includes the applicant’s personal phone number, mailing address and email. It is accidentally thrown out for recycling rather than placed in the container reserved for confidential documents.
- Privacy incident – example #2: An employee sends an email to the wrong recipient, with an attached file containing names and personal phone numbers.
- To prevent such occurrences, files should be password protected, and the password should be communicated separately.
What MNP can do to help
Our team is committed to providing you with case-by-case advice or personalized support. Our advisors can:
- Analyze your situation and suggest a detailed road map to Bill 25 compliance.
- Provide document templates that you can tailor to your business, thus supporting its compliance efforts and saving you research and drafting time.
- Provide general and personalized training so your employees can apply best practices, prevent privacy incidents and support your Privacy Officer in the performance of his or her duties.