Privacy Impact Assessment (PIA) Requirements under Law25


Quebec’s commitment to modernizing its data protection regime is evident in Law25, the most important provisions of which came into force on September 22, 2023. A significant component of the legislation is the requirement for private-sector organizations to conduct Privacy Impact Assessments (PIAs). PIAs were already mandatory in certain circumstances for public institutions in Canada; Law25 now also requires the private sector to systematically assess the privacy risks associated with specified personal information handling practices. A PIA is a structured evaluation that checks whether a project or initiative involving personal information meets the law’s privacy requirements before the project goes ahead.

Alongside the coming into force of the relevant provisions of Law25, the Quebec privacy regulator, the Commission d’accès à l’information du Québec (“CAI”), published a comprehensive Companion Guide for conducting PIAs on September 21, 2023, together with a template that is available only in French. The template can easily be machine-translated (e.g., using DeepL); however, the document offers limited room for customization. If you find yourself restricted by the dropdown options the CAI provides, for example because you want your template to also cover other legislation, you can download Private AI’s more customizable version here (the download will begin automatically).

When is a PIA Required?

Law25 requires businesses to “conduct an assessment of the privacy-related factors of any project of acquisition, development and redesign of an information system or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information” (Section 3.3). In other words, a PIA is required for a broad range of projects involving personal information, not only when a new system or service is acquired or built, but also before an existing one is significantly redesigned.

In addition, a PIA is required before personal information is communicated outside Quebec (Section 17).

Components of a PIA under Law25

The CAI’s guidance sets out the following steps for a PIA:

Project description and scope

Describing the project, its territorial and temporal scope, the situation that gave rise to it, and its objectives provides the foundation of the PIA.

Roles and responsibilities

Who is responsible for conducting, consulting on, and approving the PIA, inside or outside the organization, may vary from project to project. Setting out these roles and responsibilities explicitly ensures that the relevant expertise went into the assessment and that someone is accountable for its conclusions.

Personal information involved and scope of assessment

The next step of every PIA is to identify the personal information involved and the kinds of processing it will be subjected to (collection, use, creation, inference, disclosure, etc.). It is also useful to determine the sensitivity level of the personal information, which can differ depending on the type and volume of information as well as on the proposed recipient, if any. Noting the source of the personal information informs the later determination of consent requirements, because by default personal information must be collected from the individuals themselves.

This section also covers the purpose of the processing, the means of collecting, using, disclosing, and destroying the information, and details on where it is stored. The last point matters because a jurisdictional assessment must follow if the data is communicated outside Quebec. For details, see our blog post “Law25 and Data Transfers Outside of Quebec.”

The CAI also suggests listing the individuals, internal and external, who will have access to the personal information, and why that access is necessary.

On the basis of the details gathered here, the scope of the PIA should be justified, indicating which elements are covered, for example internal procedures, hosting arrangements for customer data, employee confidentiality agreements, and system infrastructure.

Compliance with privacy obligations and principles

Next comes a thorough examination of whether all data activities comply with Law25 and any other applicable laws. As mentioned, this covers consent requirements, but also whether data minimization principles have been met and whether the security measures in place are adequate for the proposed processing, given the sensitivity of the personal information and the overall risk to which the project exposes it. The CAI proposes citing the exact legislative provision that applies and the measures taken to meet it.

Identification of risks and mitigation strategies

This section of the PIA should describe the privacy risks generated by the assessed project and their consequences for the individuals concerned. It should also present the strategies put in place to eliminate or mitigate these risks, and an analysis of the residual level of risk once those measures are applied. The CAI proposes assessing risk separately for the collection, use, retention and disposal, and disclosure of personal information.

Action plan

The action plan that follows the conclusion of the PIA should set out how the newly identified risk mitigation measures will be implemented, naming the individuals responsible and the completion date for each.

Approval of the report and versions

The CAI’s template next provides for an approval signature, links to attached documents, and a log of updates to the assessment. A PIA is not a one-off task. Given the evolving nature of technology and data practices, PIAs should be periodically revisited and updated so that new risks emerging as the project progresses are addressed promptly.

Conclusion

The introduction of mandatory PIAs under Law25 underscores Quebec’s commitment to a proactive approach to data protection. Rather than being treated as a regulatory hurdle, PIAs should be embraced as strategic tools that help organizations address privacy concerns before they become incidents. In an age when personal data is both a valuable asset and a potential liability, a thorough PIA process guides organizations towards responsible and compliant data practices. Instantly download our PIA template here.

Depending on the project being assessed, Private AI’s personal information detection technology can support Step 3 above, as well as risk mitigation in Step 5. You will sometimes need to identify the personal information that already exists in your systems or in a data set, which can be a daunting task if your business processes a lot of data, especially unstructured data. This task can be reduced to implementing three lines of code, after which state-of-the-art AI-driven technology will scan and report on your data. If you realize during your PIA that not all of the personal information is actually required to meet the project’s objective, you must fulfil your data minimization obligations, and Private AI can help with that too. Our technology can detect over 50 types of personal information in over 52 languages and replace them with synthetic data or simply redact the personal identifiers. Try it on your own data using our web demo, or get a free API key.
