Quebec Law 25 

• Institutions located in the Quebec geographic areas adopting a technological platform must comply to the new law 25 established in September 2023.
• How is the Innovatank platform complying to the critical points of this law?

1. Governance – We assigned 2 executive members to continuously work in the role of the privacy officer.

2. Cybersecurity – We are establishing a confidentiality incident process to ensure our users are well protected. 

3. Server Security – We have a dedicated team managing our data center located in Pierrefond, Quebec, Canada. (effective July 2023).

 What is Law 25?

Law 25 is the latest and most significant privacy legislation development in Canada. It follows the 2021 adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.

Under the provisions of Law 25 in effect on September 22, 2022, it is mandatory for organizations operating in Québec to:

• Designate a privacy officer to oversee the handling of personal information (this role will default to a company’s CEO in the absence of a dedicated privacy officer);
• Notify the Commission d’accès à l’information and affected individuals of any confidentiality incidents, including privacy data breaches and the unauthorized access/use/disclosure of personal information; and
• Keep a record of all security incidents for a period of five years (subject to regulation’s adoption).

The vast majority of the amendments enacted by Law 25 will come into effect on September 22, 2023, and will require significant changes to privacy compliance frameworks, including mandatory PIA’s for the transfer of personal information outside of Québec, mandatory provisions within all outsourcing contracts, the adoption of privacy by default mechanisms for new technologies, and many other significant changes.