Everything you need to know about Quebec's Law 25

• Designate a person in charge of the protection of personal information.
• In the event of a confidentiality incident involving personal information:
  1. Take reasonable measures to reduce the risk of injury being caused to the persons concerned, and to prevent new incidents of the same nature from occurring;
  2. Notify the Commission d’accès à l’information du Québec (CAI) and the person concerned, by completing this form (in French);
  3. Keep a register of confidentiality incidents, which a copy of it must be sent to the Commission at its request.
• Respect the new rules for the communication of personal information without the consent of the person concerned (in French) for study, research or statistical purposes, and in the context of a commercial transaction.
• Conduct a Privacy Impact Assessment (in French) before communicating personal information without the consent of the person concerned, for study, research or statistical purposes.
• Notify the Commission before carrying out an identity verification or confirmation by using biometric characteristics or measurements, by completing this form (in French).

• Develop a policy on practices that regulates the business governance on the protection of personal information.
  This policy must provide:
  1. Rules applicable to the retention and destruction of personal information;
  2. The roles and responsibilities of staff members throughout the life cycle of personal information;
  3. A privacy complaints process.
• Respect the new transparency obligations.
• Obtain, in advance, the person’s free and informed consent to collect, communicate and use their personal information and comply with the new consent rules.
• Destroy personal information when the purpose of its collection is accomplished or make it anonymous to use it for serious and legitimate purposes, subject to the conditions and retention period provided for by law.
• Conduct a privacy impact assessment when required by the law, for example, before disclosing personal information outside Quebec^*.
  ^*The communication of personal information outside Quebec can only take place if the evaluation shows that the information benefits from adequate protection.
• Respect the right to de-indexation and the cessation of dissemination, meaning that individuals will be able to ask companies to stop disseminating their personal information or to de-index any hyperlink attached to their name that provides access to the information if this dissemination causes them injury or contravenes the law or court order (right to be forgotten).
• Comply with the new rules for the communication of personal information facilitating the grieving process, that is to say, an organization may release personal information concerning a deceased person to the spouse or a close relative of the person if knowledge of this information is likely to help this person in his grieving process unless the deceased person has recorded in writing his refusal to grant such a right of access.
• Respect the new rules regarding the collection of personal information concerning a minor under the age of 14, stating that personal information concerning a minor under the age of 14 can no longer be collected from him, without the consent of the person having parental authority or of the tutor.
• Obligation to provide, by default, the parameters ensuring the highest level of confidentiality of a technological product or service offered to the public^*.
  ^*This provision does not apply to privacy settings for browser cookies.

Respond to requests for the portability of personal information [i.e., to communicate, at the request of a person concerned, his or her personal information].