Quebec’s commitment to modernizing its data protection measures is evident in the provisions of Law25, the most important provisions of which came into effect on September 22, 2023. A significant component of this new legislation is the requirement for private companies to conduct Privacy Impact Assessments (PIAs). While already mandatory in certain circumstances for public institutions in Canada, Law25 now also mandates the private sector to engage in a thorough assessment of privacy risks associated with certain personal information handling practices. PIAs serve as a systematic evaluation tool, ensuring that projects or initiatives involving personal data are in line with the law’s rigorous privacy standards.
Along with the coming into force of the relevant provisions of Law25 itself, the Quebec privacy regulator, the Commission d’accès à l’information du Québec (“CAI”), published a comprehensive Companion Guide for conducting PIAs on September 21, 2023. The CAI also published a template, available only in French. The template can easily be translated (e.g., using DeepL); however, the document can then only be customized to a limited extent. If you find yourself restricted by the dropdown options the CAI provided, for example because you want your template to cover other legislation, you can download Private AI’s much more customizable version here (download will begin automatically).
When is a PIA Required?
Law25 requires businesses to “conduct an assessment of the privacy-related factors of any project of acquisition, development and redesign of an information system or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information.” (Section 3.3.) In other words, PIAs are required for a broad range of projects involving personal information, both at the implementation stage and before significant changes are made.
In addition, a PIA is also required when personal information is proposed to be disclosed outside of Quebec. (Section 17.)
Components of a Law25 PIA
The CAI’s guidance suggests the following steps to go through during the PIA:
Step 1: Project description and scope
Describing the project, its territorial and temporal scope, the situation that gave rise to it, as well as its objectives provides the foundation of the PIA.
Step 2: Roles and responsibilities
Who is responsible for conducting, consulting on, and approving the PIA, within or outside of the organization, may vary depending on the project. Setting out these roles and responsibilities clearly ensures that the relevant expertise went into the PIA.
Step 3: Personal information involved and scope of assessment
The next step of every PIA should be the identification of the personal information that is involved, as well as the kind of processing it will be subjected to (collection, use, creation, inferences, disclosure, etc.). It will also be informative to determine the sensitivity level of the personal information, which can differ depending on the kind and volume of personal information as well as the proposed data recipient, if any. Noting the source of the personal information will also be informative for the following determination of any consent requirements, because by default, personal information should be collected from the individuals themselves.
This section also includes determining the purpose of the processing, the means of collecting, using, disclosing, and destroying the information, and details on the storage location. The last point is important because a jurisdiction assessment must follow if the data is communicated outside of Quebec. For details, see our blog post “Law25 and Data Transfers Outside of Quebec.”
The CAI also suggests listing the individuals, internal as well as external, who will have access to the personal information, and why that access is necessary.
On the basis of the details gathered here, a justification of the scope of the PIA should follow, stating what the assessment covers, for example internal procedures, hosting offerings for customer data, employee confidentiality agreements, system infrastructure, etc.
Step 4: Compliance with privacy obligations and principles
A thorough examination should follow to ensure that all data activities are in line with the stipulations of Law25 and other applicable laws. As mentioned, this involves consent requirements, but also whether data minimization principles have been met and whether the security measures in place are adequate for the proposed processing, considering the sensitivity of the personal information as well as the overall risk to which the project exposes the data. The CAI proposes indicating the exact legislative provision that is relevant here and the measures taken to meet the stipulated requirement.
Step 5: Identification of risks and mitigation strategies
This section of the PIA should describe the privacy risks generated by the assessed project and the consequences for the individuals concerned. It should also present the strategies put in place to eliminate or mitigate these risks, as well as an analysis of the effect of these measures on the residual level of risk. The CAI proposes assessing the risk separately for the collection, use, disposition, and disclosure of personal information.
The action plan that follows the conclusion of the PIA should include a strategy for implementing the newly identified risk mitigation measures, including the responsible individuals and completion dates.
The CAI’s template next provides for an approval signature, links to attached documents, and a log of evaluation updates. A PIA isn’t a one-off task. Given the evolving nature of technology and data practices, PIAs should be periodically revisited and updated. This ensures that any new challenges or risks that emerge as the project progresses are addressed promptly.
The introduction of mandatory PIAs under Law25 underscores Quebec’s commitment to fostering a proactive approach to data protection. Rather than being viewed as a regulatory hurdle, PIAs should be embraced as strategic tools, helping organizations to preemptively address privacy concerns. In the age of digital transformation, where personal data is both a valuable asset and a potential vulnerability, a thorough PIA process becomes an essential beacon, guiding entities towards responsible and compliant data practices. Instantly download our PIA template here.
Depending on the project to be assessed, Private AI’s personal information detection technology can support Step 3, above, as well as risk mitigation in Step 5. Sometimes you will have to identify the existing personal information in your systems or in a data set, and that can be a daunting task if your business processes a lot of data, especially unstructured data. This task can be reduced to implementing three lines of code, and in no time you will have state-of-the-art AI-driven technology scan and report on your data. If you realize during your PIA that not all of the personal information is actually required to meet the objective, you need to fulfill your data minimization obligations, and Private AI can help you with that too. Our tech can detect over 50 types of personal information entities in over 52 languages and replace them with synthetic data or simply redact the personal identifiers. Try it on your own data using our web demo, or get a free API key.