Often associated with cybersecurity, Bill 25 also profoundly affects human resources. Human resources professionals and business leaders, who handle employees’ personal information on a daily basis, are at the heart of compliance.
Understanding Bill 25
This reform modernizes Quebec’s privacy laws and strengthens the right to privacy. It applies to any organization that collects, uses or retains personal data, regardless of sector. There is no minimum number of employees or minimum sales: all companies are concerned by these obligations.
Personal information is information that identifies an individual (name, e-mail address, address, telephone number, etc.). The more sensitive it is, the more stringent the requirements. Human resources have to continually adapt their practices, as bank details, social insurance numbers, dates of birth, medical information…
Non-compliance with Bill 25 can result in fines of up to $25 million or 4% of worldwide sales, as well as civil proceedings and punitive damages. Above and beyond the financial penalties, it exposes the company to major damage to its reputation and loss of confidence among employees and partners.
This includes making an inventory of personal information, drafting a governance policy, a clear consent process and team training (keeping information “under lock and key”, whether in electronic or paper form).
The strategic role of human resources
Human resources manage personal information in a variety of contexts: recruitment, payroll (salaries), absences (medical tickets), accident declarations (diagnoses), group insurance enrolments, disciplinary or confidential processes, etc. Since September 2023, prior consent has been mandatory for any data collection or communication, and this applies to employees.
Policies must also cover the retention, destruction and handling of complaints: How long will you keep files on former employees? When will unsuccessful resumes be destroyed? Who should employees or candidates contact if they believe their information has been communicated to a third party without their consent?
Concrete recruitment examples
A recruitment process (including the collection of CVs and your interview notes) requires clear prior consent from candidates, and secure storage of these documents. Resumes can’t be left on your desk or transferred to other companies without the candidate’s express permission (even if you think you’re doing them a favor).
So before you check a candidate’s references, you need to obtain his or her prior written authorization. You can’t call their former employer without their permission. Similarly, when another employer (even if it’s a friend) calls you to take references on one of your former employees, you must insist on seeing written consent before even confirming that he or she has worked for you.
The importance of up-to-date HR tools
To minimize the risk of data leakage and demonstrate your compliance, certain tools are essential to sound human resources practices:
- Centralize policies and procedures in a structured, documented Employee Manual (data confidentiality, health and safety, sexual harassment and violence).
- Document and retain authorizations (e.g., reference requests).
- Automate certain obligations on departure, such as secure data destruction, within legal deadlines.
Inspiring example: Some companies include training on Law 25 in their induction program, demonstrating their commitment to data protection from Day 1 and raising awareness among their employees of the personal data they too come into contact with in the course of their duties.
An opportunity to seize
Beyond compliance, Law 25 is an opportunity to strengthen the company’s data protection culture and credibility. By placing confidentiality at the heart of HR practices, you protect both the organization and its talent, while building a lasting climate of trust.
An article by our Human Capital team
in collaboration with Valérie Tétreault, CPA auditor
published in LE REFLET Magazine – Chambre de commerce de Sainte Adèle
For further reading
- Protection of personal information | Government of Quebec
- Bill 25- Personal data protection: What are your responsibilities? – Amyot Gélinas
- Bill 25 is a human resources issue – CHRP
- HR procedures: a solid foundation for harmonious labor relations – Amyot Gélinas
