Quebec Law 25 — Private Sector personal-information modernisation · vQuebec Law 25 — Act to mode…
Quebec Law 25 — Private Sector personal-information modernisation
Quebec Law 25 — Private Sector personal-information modernisation — 100% covered.
5 requirements · 5 enforced · 0 designed · 0 advisory · 0 deferred.
Source: An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25 (Law 25 / former Bill 64), amending the Act respecting the protection of personal information in the private sector (CQLR c. P-39.1). Privacy-impact-assessment duty (s.3.3), automated-decision transparency + right to submit observations (s.12.1 / s.65.2), confidentiality-incident reporting to the CAI (s.3.5-3.8), data portability (s.27), and consent for sensitive information (s.12).
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Privacy impact assessment (s.3.3) | 1 | 1 | 0 | 0 | 0 | 100% |
| Automated-decision transparency (s.12.1) | 1 | 1 | 0 | 0 | 0 | 100% |
| Confidentiality-incident reporting (s.3.5-3.8) | 1 | 1 | 0 | 0 | 0 | 100% |
| Data portability (s.27) | 1 | 1 | 0 | 0 | 0 | 100% |
| Consent for sensitive information (s.12) | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
quebec-law-25.s3.3 |
Section 3.3 — Privacy impact assessment: conduct a PIA before any project to acquire, develop or overhaul an information system or electronic-service-delivery system involving personal information | enforced | audit_events: kye.assurance.risk_assessment.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
quebec-law-25.s12.1 |
Section 12.1 — Automated decision-making: when a decision is based exclusively on automated processing, inform the individual and, on request, of the personal information used, the reasons and principal factors, and the right to submit observations | enforced | audit_events: kye.evidence.decision_map.v1, kye.replay.proof.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
quebec-law-25.s3.5 |
Sections 3.5-3.8 — Confidentiality incidents: keep a register of incidents and, where there is a risk of serious injury, notify the Commission d'accès à l'information and the affected individuals | enforced | audit_events: kye.signal.incident.opened.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
quebec-law-25.s27 |
Section 27 — Data portability: on request, communicate computerised personal information collected from the individual in a structured, commonly used technological format | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.decision_map.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
quebec-law-25.s12 |
Section 12 — Use limitation + consent for sensitive information: personal information must be used only for the purposes for which it was collected, and express consent is required for sensitive personal information | enforced | audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |