Updated on May 31, 2024
Your organization is required to comply with Law 25 and implement an information governance program. What exactly are your obligations?
In Québec, any private enterprise that collects, processes or communicates personal information is covered by this law. It is therefore likely that it applies to you!
Let’s take a look at the main provisions of Law 25 and what they mean for your business.
What is Law 25?
The Act respecting the protection of personal information in the private sector, also known as Law 25, is designed to protect the Québec population by making organizations accountable for the personal information they hold.
Some provisions of the new legislation came into effect on September 22, 2022. Others came into effect in September 2023 (among them the requirement to implement a personal information governance policy), and the remainder will come into effect in 2024.
The Commission d’accès à l’information du Québec is the agency responsible for monitoring compliance with the law. The Commission can impose significant penalties for non-compliance, up to $25 million or 4% of a company’s worldwide sales.
What are a private business’s obligations under Law 25?
Since September 22, 2022, Law 25 has imposed a number of responsibilities on private enterprises in Québec, regardless of their size.
Appoint a Privacy Officer
The enterprise must appoint a Privacy Officer to ensure compliance with the law. This role will fall to the person with the highest authority in the organization, but some or all of the duties can be delegated to another individual. Their title and contact details must be published on your website.
Maintain a register of confidentiality incidents
It is also necessary to keep a register of confidentiality incidents. You must be able to provide a copy of this register to the Commission d’accès à l’information at its request. In addition, if an incident occurs that poses a serious risk of harm, you are required to notify the Commission and the individuals involved.
Forward information under certain conditions
Lastly, new rules allow you, under certain conditions, to disclose personal information without the consent of the individual concerned when concluding a commercial transaction. You should make sure that the supplier to whom you are disclosing this information complies with the obligations set out in the law.
For a detailed description of your current and future obligations, consult the Commission d’accès à l’information’s checklist (French only).
Why have an information governance program?
New provisions of Law 25 came into effect on September 22, 2023. Among them: the obligation to have established policies and practices regarding personal information governance.
There are several advantages to creating an information governance program, beyond compliance with legal obligations. Here are a few of them.
Clearly defining everyone’s responsibilities and obligations
The information governance program is designed to ensure that privacy responsibilities and obligations are clearly defined and understood by all.
Better protecting information
It helps protect the information within the organization by making it accessible only to those who need it.
Reacting efficiently
It is a tool that fosters a quick response in the event of a confidentiality incident despite the preventive measures in place.
Showcasing your organization’s diligence
This program also serves as proof that the organization has acted diligently if a privacy incident occurs that poses a serious risk of harm.
Not only can a privacy incident be costly to your organization, it can also damage its reputation or compromise profitability. That’s why it is important to have an information governance plan with adequate protection for the organization.
How can you create an effective governance program?
To build an effective information governance program, it is important to take an inventory of the personal information your organization holds. You should also map out how this information flows through the organization. Among other things, this will allow you to identify the type of information you collect, define the activities for which it is used and determine who should have access to it.
During this process, you may also discover unnecessary information. For example, if your company only has about 30 workers, having more than 500 employee records in your system is not normal. If you find that you have retained personal information that is no longer useful, it is important to destroy it.
Set a data retention schedule
This is one of the reasons why it is advisable to prepare a data retention schedule, which states that after a certain date, the information you have collected will be destroyed. For example, at the end of a hiring process, you will need to delete or anonymize personal information contained in the resumes you received.
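As an added illustration, not code from the article or from the Commission d’accès à l’information, here is how a retention schedule like the one described above can be enforced mechanically over a data inventory, together with the headcount sanity check from the previous section. The categories, retention periods, actions and sample records are constructed assumptions, not values taken from Law 25.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed retention schedule: category -> (retention period, action once it lapses).
# Categories, periods and actions are illustrative assumptions, not values from Law 25.
RETENTION_SCHEDULE = {
    "resume": (timedelta(days=180), "anonymize"),        # after the hiring process closes
    "employee_record": (timedelta(days=7 * 365), "delete"),
    "newsletter_signup": (timedelta(days=2 * 365), "delete"),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject: str        # the personal information to protect (a name, here)
    collected_on: date
    status: str = "active"

def anonymize(rec: Record) -> Record:
    # Strip the identifying field but keep the record for statistics.
    return replace(rec, subject="[anonymized]", status="anonymized")

def apply_retention(records, today: date):
    """Return (records still held, [(record_id, action) taken]). An unclassified
    category raises KeyError on purpose: unmapped data is not covered by the policy."""
    kept, actions = [], []
    for rec in records:
        period, action = RETENTION_SCHEDULE[rec.category]
        if rec.status == "active" and rec.collected_on + period <= today:
            actions.append((rec.record_id, action))
            if action == "delete":
                continue                      # not kept at all
            rec = anonymize(rec)
        kept.append(rec)
    return kept, actions

def employee_records_exceed_headcount(records, headcount: int) -> bool:
    # Inventory sanity check: more active employee records than staff means stale data.
    active = sum(1 for r in records if r.category == "employee_record" and r.status == "active")
    return active > headcount

TODAY = date(2024, 5, 31)
SAMPLE_RECORDS = [  # constructed sample inventory, not real data
    Record("r1", "resume", "A. Tremblay", date(2023, 10, 1)),
    Record("r2", "resume", "B. Gagnon", date(2024, 3, 1)),
    Record("r3", "employee_record", "C. Roy", date(2015, 1, 15)),
    Record("r4", "employee_record", "D. Côté", date(2022, 6, 1)),
    Record("r5", "newsletter_signup", "E. Lavoie", date(2021, 1, 1)),
]
```

Running `apply_retention(SAMPLE_RECORDS, TODAY)` anonymizes the expired resume and drops the expired employee and newsletter records; running it again over the result takes no further action, which is what a scheduled job should look like.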
These are just a few of the factors to consider when developing an effective information governance plan. Other aspects you should address include:
- Setting up an incident management plan;
- Introducing surveillance measures;
- Documenting staff roles and responsibilities.
For advice on implementing an information governance program tailored to your organization, or on other obligations to come, contact our team of experts.