Law 25 (stemming from Bill 64) on the protection of privacy has been phased in since September 2022 in Quebec. What does this mean for businesses?
If you’re a business manager or owner in Quebec, whatever the size of your organization, you handle information that is now governed by Law 25. The new law has ramifications on the personal information of your employees, customers, suppliers and/or patients.
For the past two years, Agendrix has been laying the groundwork for earning ISO 27001 and ISO 27701 certifications, which are directly connected to Law 25. Our goal is to secure all the sensitive information we come across, which is why all our employees are also involved in implementing a variety of security measures.
To help demystify Law 25 and the changes it entails, I spoke with Charles Vallières, CTO, cofounder and head of data security at Agendrix. 🔒
What is Law 25?
Law 25 is an outgrowth of Bill 64, which was unanimously adopted by the Quebec National Assembly on September 21, 2021.
The official name of Law 25 is the Modernization of Personal Information Protection Legislation Act.
It ushers in important changes to all aspects of the protection of individuals’ privacy,
in order to better reflect today’s digital world.
Why privacy legislation?
This law gives individuals greater power over the handling of their personal data and a better understanding of how it is used—with the ultimate goal of better protecting human rights. Organizations must take concrete action to secure the information they handle. This applies to public agencies as well as private-sector businesses.
In other words, Law 25 provides a framework for business measures pertaining to the collection, storage and handling of personal information.
Gone are the days when any business could obtain and indefinitely hang on to citizens’ personal data.
So, what does this mean for businesses?
Each business must conduct a privacy impact assessment, which I’ll explain in more detail below. In addition, any business’s collection of personal data must be justified. Why does the business need this information? Is it really necessary? What is more, people must give their consent to share their personal data.
What is considered personal data?
Personal data is any information relating to a person that allows that individual to be identified. Some examples include their:
- Name
- Social insurance number
- Address
- Age
- Gender
- Family situation
- Online login credentials
- Employee identification number
Other elements may pertain to their physical, physiological, genetic, psychological, economic, cultural or social identity.
Why is the Quebec government implementing Law 25 on the protection of personal information?
Quebec is not the first place to introduce such legislation to protect its citizens. Europe launched efforts along these lines several years ago (in 2018) with the adoption of the General Data Protection Regulation (GDPR), which defines how personal data is to be handled across the European Union.
What are the three main objectives of Law 25?
- To strengthen the protection of personal information in the possession of public- and private-sector organizations
- To bolster citizens’ trust in these organizations
- To support innovation while taking into account new technologies
What is a privacy impact assessment (PIA)?
Privacy impact assessments are a preventive approach in line with Law 25 to better protect personal information and ensure people’s privacy. A PIA will help a business make sure they have the right measures in place.
When conducting a PIA—which is in fact a risk analysis—you need to consider all the factors that might positively or negatively impact individuals’ privacy. These risks can then be diminished via analysis and specific action.
Privacy impact assessments are proportionate to the sensitivity, volume and purpose of the information concerned.
Businesses must complete a PIA for any information-system acquisition, development or redesign project, and for any electronic service-delivery project involving personal information.
For example, if a company wants to change its computerized patient/customer record management system, it must begin by performing a privacy impact assessment.
A PIA must also be completed prior to disclosing personal information outside of Quebec.
What would be some concrete examples of use of personal data for an SME?
Here are 3 examples that could apply to any business with employees.
Hiring
Hiring is one of the times when companies collect the most personal information about their employees. Among other things, they will collect the employee’s name, address, SIN, banking information for payroll, and more—all legitimate data required within the first days of hiring.
Employers must ask themselves why they want certain information. In compliance with Law 25, there must be some justification for collecting what they are asking for.
For example, an employer who asks employees if they smoke must prove that this information is relevant to the job. In addition, it must obtain and securely store the employee’s consent.
In the case of biometric information (fingerprints, facial features, eyes, etc.)—which is used, among other things, to record work hours, the law is very strict. The need to collect this information must be assessed and the employee must give their informed consent.
Dismissal and employee turnover
What happens in the case of an employee’s dismissal or departure? Although businesses must keep certain information to meet legal or tax obligations, anything that is not required must be destroyed in order to comply with Law 25.
It is recommended that a schedule be drawn up with specific expiry dates for retaining employees’ personal information. What can or should be kept? For how long? And for what purpose? Again, everything must be justifiable and legitimate.
Telework
If you have telecommuting employees, Law 25 places strict restrictions on the transfer of personal information outside of Quebec. Do your employees have access to the personal information of customers, other employees, patients or suppliers? You have a responsibility to comply with the law, even when an employee is teleworking—and especially if they are located outside the province.
In this case, a privacy impact assessment must be conducted, including factors such as the sensitivity of the information to which the employee has access, the laws of the country where the remote work is being done, etc. To protect both parties, a telecommuting agreement is required between the employee and the employer. The agreement must factor in privacy risks and include a security policy to preserve the confidentiality of data outside Quebec.
In addition, employers should make sure that their employees use proper password-management practices, such as two-factor authentication. Employees should also avoid connecting to unsecured Wi-Fi networks.
What are the key dates connected to Law 25?
Law 25 began gradually entering into force in September 2022. While the majority of the provisions are applicable in 2023, the law will only take full effect in 2024. The go-to resource for better understanding the guidelines under the new obligations and the key dates is the Commission d’accès à l’information du Québec.
September 2022
As of September 22, 2022, businesses must designate a person responsible for the protection of personal information. In the event of an incident that affects confidentiality and could cause serious harm, the persons concerned must be informed.
September 2023
Starting in September 2023, businesses will be required to develop a governance framework for the protection of personal information. In some circumstances, personal information will need to be destroyed or made anonymous.
Companies will also be required to assess the privacy risks of certain communications or uses involving personal information. Finally, individuals’ consent will be required in order to use their personal information for commercial purposes.
September 2024
In September 2024, when requested by the individual, companies will be required to disclose the personal information they’ve collected about them.
What are the consequences for businesses that do not comply with Law 25?
Any business not complying with Law 25 may face stiff penalties from the Commission d’accès à l’information. The fines will be steep—up to $25 million or 4% of the company’s revenue. Penalties will be relative to the severity of the negligence and the business’s ability to pay.
Where can I find resources on Law 25 and data protection?
The Quebec government offers several tools to help businesses prepare for the impacts of Law 25 on their operations:
- Checklist: Provides an overview of Law 25 including a timeline of key dates
- Guide d’accompagnement de la Commission d’accès à l’information du Québec – Réaliser une évaluation des facteurs relatifs à la vie privée: supports risk assessment for projects that involve personal information or that may have an impact on privacy
- Commission d’accès à l’information website: explains the conditions that require a PIA
- Government of Quebec website: covers everything you need to know, including definitions, the law, and what to do in case of an incident
