The Privacy Legislation Modernization Act

Law 25 and the New Obligations for Your Organization Demystified

Welcome to an introduction to the key elements of Law 25, including the responsibilities of the Privacy Officer and the organization, how to deal with breaches of confidentiality, how to create a policy, and what information to add to your website and media platforms.

Law 25 is a new regime in Quebec for ensuring transparency, proper management and privacy protection for clients regarding the collection of their personal information. Organizations must adjust their procedures for managing customer data and create policies for maintaining privacy in order to be in compliance by the end of 2024.

At its base, it is a record-keeping and disclosure issue intended to make companies more accountable for the valuable data they hold. In many ways these measures read as common-sense policy to protect people and their personal data. While there will be some challenges in the initial assessment and in ongoing compliance, these measures will ensure a more secure user experience and are essential to building and retaining trust with the people who use your services.

Law 25 requires that personal information be anonymized or destroyed once the purposes for which it was collected or used have been achieved. Having an accountable person in place to follow the procedures will be key to success. Organizations must prioritize the initial assessment and the monitoring of compliance; training for staff is another key part of the process.

New technologies and record keeping are a challenge for organizations with limited weekly hours and for teams more focused on the ground than on the computer. Data breaches could become more likely, resulting in client complaints, and the resulting fines can reach up to $10 million CAD or 2% of global turnover, whichever is greater (penalties range from $5,000 to $50,000 in the case of a natural person).

To help you plan for the measures and expectations of the year ahead, we have mapped out some key steps for getting started on the internal assessment.

Nonprofit management teams will be required to set up the following key elements:

  1. Designate an employee to be responsible for the protection of personal information. The person is titled the Privacy Officer. 

  2. Make an inventory of personal information held by the organization and analyze which documents contain sensitive personal information (physical, on computers and on cloud storage systems). Assess who can access these files and how, and create a report on the risks. This is called a Privacy Impact Assessment.

  3. Establish internal and public policies to map out how files are kept and how breaches of security are handled.

  4. Publish detailed information about the policies, in plain language, on your company's website or, if you don't have a website, by any other appropriate means. You will also need to publish the Privacy Officer's title and contact information on the company's website.

Responsibilities of the Privacy Officer:

  1. Puts in place strategies and measures to avoid the risks identified in the assessment or to effectively reduce them;

  2. Informs the team of the policy and practices and helps plan training.

  3. Creates forms for individual data collection reports, user complaints and breach of confidentiality reporting.

  4. Ensures people are well informed when collecting data for the purposes of a commercial transaction or for study, research or the production of statistics. (i.e. Add text to any survey detailing what the data will be used for and how it will be accessed.)

  5. Works with the communications coordinator to update the website with key information.

  6. Destroys personal information once the purpose for which it was collected has been fulfilled, or anonymizes it to use it for serious and legitimate purposes, subject to the conditions and retention period stipulated by law.

  7. Updates the policy as needed and ensures that the policy is followed.

  8. Informs the Commission if and when the verification or confirmation of identity is made by biometrics.

In the event of a breach of confidentiality incident, the Privacy Officer must:

  1. Keep a record of all incidents and take prompt action to reduce the risk of harm.

  2. Notify the Commission and the persons concerned of any incident presenting a serious risk of harm.

What is included in a breach of confidentiality?

  • A breach includes the unlawful use of personal details, inadequate privacy notices, and failure to notify people about automated decisions or confidentiality breaches.

  • Companies must track violations of confidentiality and show the measures taken to lessen the risk of similar incidents happening again.

What private data is included?

  • age, name, ID numbers, income, ethnic origin, or blood type

  • opinions, evaluations, comments, social status, or disciplinary actions

  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, or intentions such as buying goods or services or applying for a new job

What information is now required for organizations to add to their website?

  • Why they are collecting information and how it will be used.

  • How they gather the information 

  • How people can access or amend details captured. Under the new law, people now have the right to receive a digital copy of all personal information collected from them by any organization. Outline this process.

  • How to withdraw permission. If people want to withdraw permission to use their data, you must explain how the company will remove their details from business systems.


What should be included in your new public privacy policy?

  • Purpose and scope: Clearly state the purpose of the policy, which is to protect the privacy and confidentiality of personal information collected by the nonprofit.

  • Who is the privacy officer, what they do, and how to contact them

  • What data is included, why and how it is managed

  • When and how personal data is destroyed or anonymized

  • Outline the ‘right to be forgotten’ process that removes individuals from data systems upon request. 

  • Explain how the organization obtains and manages consent for the collection and processing of personal information. Describe the right of individuals to withdraw their consent at any time and the implications of such withdrawal.

  • How to make a complaint

  • How users can request a personal data collection report

  • Outline the organization's procedures for detecting, investigating, and responding to data breaches. Describe the steps to be taken in the event of a breach, including notifying affected individuals, authorities, and any regulatory bodies as required by law.

  • Explain the security measures in place to protect personal information during storage, including encryption, access controls, and safeguards against unauthorized access or disclosure.

  • Info on biometrics, location tracking and automated decision-making


What additional forms will be required?

  • Personal data collection report

  • Privacy breach complaint form

  • Breach of confidentiality report (internal)

  • Incident tracking report (internal)

  • Privacy Assessment report for the organization, including timeframes for data/user management. (internal)

Overview of privacy management responsibilities to your community:


1. Obtain a separate valid consent for each specific purpose in simple and clear terms;

(i.e. Users sign up for a newsletter, but you wish to add their contact details or statistics into a survey or analytics. The user must be informed that their personal information is being used for a secondary purpose.)

2. Present the request for consent distinctly from the other information provided if it is in writing; 

(i.e. In a document, the consent request can be set in bold, in italics or in a box so that it is distinct.)

3. Provide the information required by law to the person whose information is collected; 

4. Inform a person when he or she is the subject of a decision based exclusively on automated processing;

(Individuals must be informed at the time of collection or before automated processing of their personal information occurs.)

5. Inform a person before resorting to a technology enabling him or her to be identified, located or profiled, and of the means available to activate these functions;

(i.e. Ensure there is always adequate text outlining a user's interaction with identifying technologies such as GPS location, biometrics, organizational databases, etc.)

6. Publish detailed information about your policies and practices on the company's Web site or, if the company does not have a Web site, make this information available by any other appropriate means; 

(i.e. Create a new section or a new page on your website outlining key details such as the Privacy Officer's name and contact information and your plain-language privacy policy. This information should also be shared via social media and your newsletter.)

7. Handle requests and complaints from citizens concerning your management of personal information in a timely and professional manner.

(i.e. Ensure an inquiry and complaints process is clearly outlined in your Privacy Policy and that the Privacy Officer responds to requests within a set time, for example 5 business days.)

Additional Resources:

Sample Policy for Law 25

Information compiled and edited by Social Impact Consulting, including information from the following sources:

https://www.quebec.ca/nouvelles/actualites/details/loi-25-nouvelles-dispositions-protegeant-la-vie-privee-des-quebecois-certaines-dispositions-entrent-en-vigueur-aujourdhui-43212

https://www.cfib-fcei.ca/quebec-law-25

Checklist: Summary of new business obligations

Social Impact Consulting does not give legal advice. We provide information based on our understanding of Law 25, as informed by the reputable and legitimate sources of legal information and interpretation that we have compiled.
