Quebec privacy impact assessment (Law 25)
A privacy impact assessment template for Quebec employers handling personal information under Law 25 (formerly Bill 64). Covers purpose, sensitivity, retention, transfers, and risk mitigations.
Privacy Impact Assessment – Quebec Law 25
Assessment date:
1. Privacy officer
2. Project
Project:
3. Categories of personal information
4. Purposes of processing
5. Legal basis
6. Data flow
7. Retention
8. Transfers outside Quebec
Under section 17 of the Act respecting the protection of personal information in the private sector, an assessment of privacy-related factors is required before communicating personal information outside Quebec. The communication may proceed only if the assessment shows that the information would receive adequate protection.
9. Risks identified
10. Mitigations & safeguards
11. Consultations
12. Law 25 compliance checks
Made with WalnutsHR Paper · Reviewed for Quebec · April 2026
About this template
Quebec's Law 25 (the Act to modernize legislative provisions as regards the protection of personal information, formerly Bill 64) gave Quebec the strongest private-sector privacy regime in Canada. Privacy impact assessments are now mandatory before launching any project that processes personal information of Quebec residents, and especially before communicating that information outside Quebec.
When to use it
- You're launching a new HR system, payroll system, or third-party tool that handles employee personal information.
- You're transferring personal information outside Quebec, whether to a US-based SaaS, a cloud region, or a service provider.
- You're updating an existing process and the change materially affects how personal information is collected, used, or stored.
What to include
- Identification of the privacy officer and contact info.
- Project description and the specific personal information involved.
- Stated purposes for collection and processing.
- Legal basis (consent, contract, statutory obligation).
- Data flow: who collects, stores, transmits, and accesses.
- Retention schedule with destruction or anonymization at end of life.
- Transfers outside Quebec, with the section 17 assessment.
- Risk identification and mitigations (technical and organizational).
- Consultations with internal counsel, the privacy officer, and (where applicable) the CAI.
Frequently asked questions
Do I need a PIA for every system that touches employee data?
The statutory trigger is "acquisition, development, or overhaul of any information system project or electronic service delivery project" involving personal information. In practice, anything more than incidental (payroll, HRIS, performance, employee monitoring tools) should have a PIA. Trivial uses (e.g., a basic contact list maintained internally) probably don't trigger formal PIA requirements, but briefly documenting the analysis is best practice.
What about transfers to the US (e.g. payroll provider in the US)?
Section 17 requires a privacy-related impact assessment before the transfer. The assessment must conclude that the destination jurisdiction provides adequate protection for the information. Standard Contractual Clauses or equivalent contractual safeguards are usually necessary; some Quebec lawyers recommend keeping data in Canada where feasible.
Do we have to notify the CAI of a breach?
Yes, for any "confidentiality incident" presenting a risk of serious injury (a defined term under Law 25). The notification must go to the CAI and the affected persons, with documented timing. A confidentiality incident register is required regardless of whether a single incident triggers notification.
Legal disclaimer. Law 25 carries fines up to $25M or 4% of worldwide turnover for serious violations, the highest in Canada. The Commission d'accès à l'information (CAI) issues binding rulings and has audit powers. PIAs and the broader Law 25 program should be reviewed by Quebec privacy counsel; this template is a starting structure, not a substitute for that review.