Bill 25, adopted in 2021, made significant changes to privacy laws. The changes come into effect gradually over a period of three years, until 2024. The next date to remember is September 22, 2023.
This reform modernizes the rules protecting personal information in Quebec to better address the new challenges posed by the current digital and technological environment.
Main New Obligations
In addition to complying with current obligations regarding the protection of personal information, businesses must, in particular:
- Designate a person responsible for the protection of personal information and publish their title and contact information on the company's website;
- In the event of a confidentiality incident, maintain a record of all incidents and take prompt action to reduce the risk of harm to the affected individuals. A business must also notify the Commission and the affected individuals of any incident presenting a serious risk of harm;
- Disclose to the Commission in advance any verification or confirmation of identity carried out using biometric characteristics or measures;
- Comply with the new framework applicable to the communication of personal information without the consent of the affected individual in the context of a commercial transaction or for the purposes of study, research, or statistical production.
At Altura – Compliance with Bill 25 is important!
We are proud to confirm that we have implemented a comprehensive compliance program for Bill 25 and that our employees undergo rigorous ongoing training on the subject!
We have, in particular:
- Used the tools provided to businesses by the Commission d’accès à l’information du Québec (Summary of new obligations for businesses) to implement the compliance program for Bill 25
- Reviewed our Privacy Policy published on our website
- Drafted a Personal Information Governance Policy
- Drafted the attestation, signed by our employees, confirming that they have read the Privacy Policies and the Personal Information Governance Policy
- Drafted and published a summary of the Personal Information Governance Policy on our website
- Appointed a Responsible Person for Information
- Inventoried the electronic products/licenses used that collect personal information and/or on which personal information is archived
- Drafted an electronic file structure for the Bill 25 compliance program
- Identified and/or created training for our employees
- Implemented a personal information destruction alert every 6 months
- Published the contact information of the Responsible Person on our website
- Inventoried the types of personal information and where they are currently archived in the borrower client files
- Created a register of confidentiality breach incidents
- Created a register of types of personal information and their destruction process/confidentiality measures
- Reviewed our Consent model