April 17, 2023

Since September 22, 2022, Act 25 respecting the protection of personal information in the private sector applies to all businesses, large and small. Is your organization ready?

This Quebec law modernizing legislation on the protection of personal information in the private sector, is of the same order as the General Data Protection Regulation in Europe better known as the GDPR.

Its objective is to provide a framework for the protection of personal information held by businesses. It applies in respect of personal information that a company collects, holds, uses, discloses to, retains or destroys, regardless of the nature of the medium and the form in which the personal information is held, written, graphic, audible, visual, computerized or other.

What is personal information?

Personal information is information that relates to a natural person and allows that person to be identifiable. It is confidential. Except in exceptional cases, they may not be disclosed without the consent of the person concerned.

A company that collects, holds, uses, discloses, retains or destroys personal information has several obligations under the Act respecting the personal information in the Private Sector Privacy Act (The Private Sector Act).


Does your business meet its new obligations?

In addition to respecting the pre-existing obligations regarding the protection of personal information, since September 22, 2022, you must in particular:

  1. Designate a person responsible for the protection of personal information
  2. In the event of a confidentiality incident involving personal information:
    a. to take reasonable measures to reduce the risk of harm being caused to the persons concerned and to prevent new incidents of the same nature from occurring;
    b. notify the Commission and the person concerned if the incident presents a risk of serious harm;
    c. keep a register of incidents, a copy of which must be sent to the Commission at its request;
  3. Respect the new framework for the communication of personal information without the consent of the person concerned for the purposes of study, research or the production of statistics and in the context of a commercial transaction;
  4. Carry out a privacy factor assessment (PIA) before disclosing personal information without the consent of the persons concerned for the purposes of study, research or the production of statistics;
  5. Disclose in advance to the Commission the verification or confirmation of identity made by means of biometric characteristics or measurements.

In addition, from September 22, 2023, private organizations must, among other things:

  1. Have established policies and practices ruling the governance of personal information
  2. Respect the new rules surrounding consent to the collection, communication or use of personal information
  3. Destroy personal information when the purpose of its collection is accomplished, or anonymize it to use it for serious and legitimate purposes, subject to the conditions and retention period provided for by law
  4. Respect the right to cease dissemination, re-indexing or de-indexing (or right to be forgotten)

In addition, depending on the nature and scope of your business activities, other obligations may exist with respect to the protection of personal information.

To learn more about your personal information protection obligations and the actions to take to comply with them, visit: necando.com/en/act-25/



About Necando Solutions

Necando helps North American organizations optimize their most valuable corporate assets – people and data. We have worked with government agencies, financing, transportation, etc. Our rich and diversified experience and understanding combined with the IBM data solutions portfolio are what we are proud to provide to our clients.

Contact us today to learn more about how to be compliant with the new provisions of Act 25.