LAW 25

Law 25

Quebec’s Act 25 respecting the protection of personal information in the private sector establishes strict rules governing the collection, use, communication and retention of personal information. To comply with this law, here are some important controls that organizations must put in place:

Law 25 provisions come into force today

New provisions of Law 25 come into force


Protecting the rights
of individuals

Transparency and




Audits and
verification preparation

Privacy and data usage policies

Establish and communicate clear and understandable privacy policies that explain how personal information is collected, used, disclosed and retained.

Enlightened consent

Obtain informed and explicit consent from individuals before collecting, using or disclosing their personal information. Consent must be free, informed and specific to the purpose of the collection.

Limitation on data collection

Limit the collection of personal data to that which is strictly necessary for the purposes identified and legitimate.

Data security

Implement appropriate security measures to protect personal information against unauthorized access, loss, theft or accidental disclosure.

Accès aux renseignements personnels

Allow individuals to access their personal information held by the organization, and to request corrections if necessary.

Security incident management

Implement a security incident management plan to respond quickly and appropriately in the event of a breach or unauthorized access to personal information.

Staff training

Educate and train staff on Bill 25 and the organization’s privacy policies to ensure compliance.

Data retention

Establish appropriate retention periods for personal information, ensuring that it is kept no longer than necessary.


Be transparent about how personal information is used and communicated, providing clear information to the individuals concerned.


Designate a privacy officer within the organization to oversee compliance with Bill 25. The use of a security framework is of paramount importance for organizations in Quebec in relation to Bill 25 on the protection of personal information in the private sector.

Here are just a few reasons why a security framework is essential to comply with this law: a security framework like the one from GC Brieau with CIS helps identify the measures needed to comply with these legal obligations.

Looking for an IT partner?

Schedule a 30-minute appointment with an expert to discuss current issues, but also to understand your future needs and expectations.