The 7 Categories of Law 25 Obligations

Elite Consultation · 2026-01-20
Tags: Law 25, compliance

Law 25 — officially An Act to modernize legislative provisions as regards the protection of personal information — came into force in stages between 2022 and 2024. It imposes concrete obligations on all organizations that collect, use, or share personal information in Quebec.

Understanding the structure of these obligations helps you organize your approach. Here are the 7 main categories.

1. Governance

Every organization must designate a Privacy Officer. By default, this is the person with the highest authority, but the role can be delegated in writing.

In practice: you must publish this person's name or title and contact information on your website or in your communications. This is not symbolic; the Privacy Officer must have the real authority to implement privacy protection measures.

2. Consent

The collection of personal information must be based on free, informed, specific, and unambiguous consent. The organization must be able to clearly explain what collected data will be used for.

In practice: a pre-checked box in a registration form is no longer sufficient. If you collect data for marketing purposes, consent must be explicitly given for that purpose.

3. Security of Personal Information

Organizations must implement security measures appropriate to the sensitivity of the information they hold. These measures must also be assessed periodically.

In practice: this includes database access controls, access logging, and clear protocols for third-party service providers that process data on your behalf.

4. Rights of Individuals

Individuals have several rights regarding their personal information: access, correction, withdrawal of consent, portability (in certain cases), and the right to de-indexation in specific circumstances.

In practice: you need a clear process for handling these requests and responding within a reasonable timeframe (generally 30 days).

5. Privacy Incident Management

In the event of a data breach presenting a serious risk of harm, you are required to notify the Commission d'accès à l'information (CAI) and the affected individuals.

In practice: you must keep a register of all incidents, including those that do not require notification. This register can be requested by the CAI during an inspection.

6. Privacy Impact Assessments (PIAs)

Before implementing a new system or project involving personal information, a PIA is required when the project presents significant privacy risks.

In practice: if your organization is deploying new HR software, a customer data analytics platform, or a monitoring system, you must assess the risks and document mitigation measures before launching.

7. Staff Training and Awareness

Staff with access to personal information must be trained on legal obligations and on internal privacy practices.

In practice: an internal privacy policy is not enough if no one knows it exists. Training must be documented and renewed regularly, especially when new employees join.

Understanding the Structure to Prioritize Better

These 7 categories are not all equal in terms of effort. Governance and training are foundations: without a designated Privacy Officer and informed staff, other measures struggle to become part of daily practice.

A sound compliance approach starts with an honest inventory: where do you stand on each of these categories? Which gaps present the greatest risk? That prioritization logic is what distinguishes a structured approach from a checklist of boxes to tick.

Observantia is designed to help you assess your compliance level against these 7 categories and build an action plan suited to the size and reality of your organization.


This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.

Ready to simplify your compliance?

Try Observantia free for 14 days.