Law 25, or the Act to modernize legislative provisions as regards the protection of personal information, ushers in important changes surrounding the protection of Quebecers’ personal information.
Law 25’s main goals are to improve people’s trust in the organizations that handle their data, to support innovation by taking into account new technologies, and to strengthen the protection of personal information possessed by organizations operating in Quebec.
We at Agendrix take a special interest in this law given that our software processes the data of our customers and their users. That’s why we decided to get ahead of Law 25 long before it came into full effect. We recently obtained certification under two ISO standards pertaining to data security and privacy.
In this post, I’ll give you a few pointers to help you implement certain necessary changes linked to Law 25. For legal documentation and information on the steps to follow, you can also check out the Government of Quebec website.
Law 25 and SMEs—where to start?
Law 25 applies to all Quebec organizations that handle personal data, whether they’re in the public or private sector, and regardless of their size. The law therefore also applies to small businesses.
Hefty fines of up to 4% of revenue—up to a $25 million maximum—loom over any organization found to infringe the law. The penalties will be relative to the severity of the violation and the organization’s ability to pay. The higher your bottom line, the higher your fine.
The first step is to familiarize yourself with the tools made available to you by the Quebec government:
- The Quebec government website for complete information
- The website of the Commission d’accès à l’information (CAI) du Québec, the body that legislates on privacy matters
- The PIA guide, which outlines all the steps for conducting a Privacy Impact Assessment
- The Checklist, which gives an overview of Law 25 with key dates to keep in mind
- The glossary of privacy terminology
Next, you’ll need to get ready for the main steps that might impact your daily operations:
- Designating a “privacy officer” who will be responsible for all privacy matters at your organization
- Establishing your governance framework (i.e., what measures you will be establishing) for privacy protection
- Assessing the privacy risks of your communications or other operations that involve personal information—by conducting Privacy Impact Assessments when necessary
- At any individual’s request, providing the personal information that they have supplied to you
Note that these steps will need to be repeated or reviewed as necessary: this is not a checklist to be completed and then put aside. You will inevitably need to assess the risks associated with new projects, designate a new privacy officer when roles change within your company, and so on.
What is a privacy impact assessment?
A Privacy Impact Assessment (PIA) is a preventive risk analysis aiming to better protect personal information and safeguard individuals’ privacy.
💡It helps you make sure that all the right data security and privacy measures have been applied in your practices.
When conducting a PIA, you need to consider all the factors that may potentially impact the privacy of the individuals concerned. Once the analysis is complete, you need to come up with solutions to diminish these risks, and implement them.
For example, passing on one of your employees’ social security number to another manager via a personal Facebook Messenger conversation is a significant risk. Another case would be failing to password-protect the computer on which you store your customers’ personal information, and letting different employees use it without supervision or user-specific access rights.
How to analyze and assess privacy factors?
According to Law 25, you must complete a PIA for any information-system acquisition, development or redesign project, or for any electronic-service project involving personal information. In simple terms, this means any activity that makes use of the personal information of customers, employees, service providers, or patients.
For private firms, your analysis should be based on the following principles:
What personal information do you need and why do you need it?
You must demonstrate that you have a serious and legitimate interest in obtaining this data. And you need to inform any person concerned before you put together a file on how you intend to use their data. You may collect only the information necessary to provide your product or service.
➡️ For customer records at a hardware store, for example, phone numbers and addresses may be necessary to reach the customer or make a delivery. However, it would be unnecessary—and therefore unlawful—to request the customer’s date of birth or social insurance number.
Have you obtained consent to disclose personal information?
In addition to the use of personal information, you must inform any individual concerned of the profiles of your employees who will have access to it and where the data will be stored. You will also need to get their consent to disclose their information to others, unless the law provides an exception. This consent must be free and informed, for specific uses, and valid for a specific period of time.
➡️ To take up our earlier example, in addition to consenting to provide their phone number and address to open their customer account, hardware store customers may demand to know who will have access to this information. Is it just the customer service and delivery staff? Or will everyone at the company have access? Moreover, if this information is shared with other service providers or subcontractors, the hardware store must first obtain customers’ consent.
What measures apply and what limits are placed on access to and use of personal information?
You must identify security measures to protect any personal information that is collected, used, disclosed, retained or destroyed. Among other things, these measures must take into account the sensitivity, use and quantity of the data. Only individuals whose duties require access to the personal information should be able to access and use it.
➡️ The hardware store probably uses a computer system to store customer records. Do you need an access code to access customer files, or are they available to anyone on any computer at the company?
What is the quality of the personal information collected?
It is your responsibility to make sure that the personal information you possess is accurate and up to date at the time of use. The personal information must also be accessible and editable: the person concerned must be able to ask you what information you have and require you to change it at any time.
➡️ If a hardware store customer moves or wishes to update their customer file, they should be able to request this.
Following up on the Privacy Impact Assessment with an action plan
Once you’re done with your analysis, it’s time to lay down an action plan that will help apply your security measures.
💡 If corrective measures need to be put in place, your action plan will also contain the means associated with these measures.
The action plan allows you to add various tasks to your daily activities in order to comply with the law. This is where you ultimately reap the benefits of the Privacy Impact Assessment!
It’s important to inform your management of the findings of the PIA. They must accept the conclusions of the risk analysis and acknowledge any risks that remain despite any action taken to mitigate them. In addition, it is advisable to appoint managers to monitor the evolution of any residual risks.
Do I have to write a report on my PIA?
While Privacy Impact Assessments are mandatory for private enterprises, PIA reports are not. Only public bodies are required by law to produce a report on their PIA. Yet while a report is not required, companies have much to gain by documenting their data privacy and protection efforts.
Among other things, a report allows you to be transparent with the people who do business with your company. It also enables you to demonstrate that you have taken privacy into consideration in your projects’ development and implementation.
Why create a PIA report?
A Privacy Impact Assessment report collates the findings of your risk analysis. It serves as proof of the steps you have taken, which is particularly useful when a legislative authority wishes to conduct an audit, inspection, or, in some cases, an investigation.
A summary of your report can be shared across your organization and with your customers, partners or any other relevant entity. Some companies choose to publish their summary on their website.
Can Agendrix help my organization comply with Law 25?
Companies that use Agendrix benefit from a number of advantages that make it easier to comply with Law 25, specifically when it comes to the processing and storage of employee data.
The employee records database centralizes all the information required for the smooth running of a company’s day-to-day operations, as well as ensuring data security:
- The application and data are 100% hosted in Canada
- Method and process security at Agendrix (including that of our software) meets the highest industry standards, thanks to our certifications for ISO 27001:2013 and ISO 27701:2019
- All our employees and software development are based in Canada
- Automatic data deletion is offered according to the period chosen by customers. For example, for an employer who wishes to delete data after 3 years:
- All archived employee data is deleted/anonymized after 3 years
- An archived news feed post will be permanently deleted after 3 years
- Manual data deletion is also available on request
- It is possible to strengthen the passwords of members of an organization to limit breaches
- A detailed log of all changes to the platform is available
- Available January 2024: advanced role management to define access to sensitive information within an organization
Reminder of key dates pertaining to Law 25
The following should already have been completed since September 2022:
- Appointing a “privacy officer” responsible for the protection of personal information at your organization
- Informing those impacted by any incident that affects confidentiality and could cause serious harm
The following should already have been completed since September 2023:
- Establish a governance framework for the protection of personal information handled by your organization
- Assess the privacy risks of your communications or uses that involve personal information
- Destroy or anonymize certain personal information, as appropriate
- Secure prior consent from any individual concerned regarding the use of their personal information for commercial purposes
As of September 2024:
- Send individuals the personal information they have provided to you, upon request
Government sites at your disposal
- Government of Quebec website
- Website of the Commission d’accès à l’information (CAI) du Québec
- PIA guide
Congratulations! You’re now better informed and better prepared for the provisions of Law 25.