Law 25 - Protection of personal data: What are your responsibilities?

According to a survey conducted by the Académie de la transformation numérique, nearly three out of four Quebecers (72%) are concerned about the protection of their personal data collected, stored and used on the Internet. It was in response to these concerns that the Quebec government passed Bill 25 (An Act to modernize legislative provisions respecting the protection of personal information in the private sector) in September 2021, which puts in place various requirements concerning the protection and use of the personal information collected. In Quebec, all private companies that collect, process or communicate personal information are covered by this law.

Company responsibilities under Law 25

Passed in 2021, Bill 25 will be rolled out in three phases from September 2022 to September 2024.

The first phase, implemented in September 2022, imposes the following requirements on companies:

  • Designate a person responsible for the protection of personal information and make this person’s contact information available to web users;
  • Take steps to reduce the risk of data theft and keep a record of incidents;
  • In the event of an incident, notify the persons concerned and the Commission d’accès à l’information du Québec (CAI).

In force since September 2023, the second phase is a little more complex. The main requirements of Law 25 are as follows:

  • Establish and publish a governance policy governing the management of personal information;
  • Conduct a risk assessment before disclosing personal information outside Quebec;
  • Destroy or anonymize any personal information held once the purpose for which it was collected has been fulfilled;
  • Respect the new rules concerning consent to the collection and storage of personal information.

Finally, the third phase will be in force from September 2024, and will require companies to respond to requests for portability of personal information. The right to portability enables users to obtain communication of the computerized information they have provided and to obtain access to this information for their personal use.

Penalties for non-compliance

Non-compliance with Bill 25 could result in major financial penalties for companies. In the case of administrative infractions, financial penalties for companies will range from a minimum of $1,000 to a maximum of 2% of sales or $10 million.

In the event that CAI initiates criminal proceedings for a breach, financial penalties will range from $15,000 to $25 million or 4% of sales.

Note that the directors of a legal entity may be held personally liable in the event of non-compliance with the law.

How to meet your responsibilities

Here are a few suggestions for actions and best practices to comply with the first two phases:

  • Designate a person responsible for managing personal data;
  • Draw up an inventory of personal information held;
  • Set up an action plan that will enable you to act quickly in the event of a confidentiality incident;
  • Assess the sensitivity of each piece of personal information held;
  • If you plan to use biometric data, find out about your obligations beforehand.

It goes without saying that a company with a good digital structure will find it easier to comply with the new requirements of Law 25. To this end, we invite you to read our article on the Canadian Digital Adoption Program (CDAP), which provides a grant for the development of a Digital Adoption Plan by a government-recognized consultant.

An article by Gustave Legault-Brousseau, CPA Director – Consulting Services

For further reading:

Bill 25 at Amyot Gélinas

“Amyot Gélinas acts in compliance with the Professional Code, the Code of Ethics of Chartered Professional Accountants and the Act respecting the protection of personal information in the private sector with regard to the governance and management of personal information in its possession. As such, we place great importance on the confidentiality and security of our clients’ data and personal information, including data available from third-party suppliers.” See our Information Governance and Security Statement for more information.