What is the scope of the responsibilities of the person in charge of the protection of personal information within the organization (the “Privacy Officer”) and how can this individual be identified?
The appointed Privacy Officer should first have expertise in risk management and compliance within a company. Except in special circumstances, it is generally not recommended that this task be delegated externally. The ideal individual would be someone who knows the company, its operations and already holds a position of authority. A volunteer is always an asset, as performing the duties of the Privacy Officer is time-consuming.
The Privacy Officer is generally responsible for ensuring compliance and implementation of the law. Their specific responsibilities include managing security incidents, participating in Privacy Impact Assessments (“PIAs”) and educating company personnel about privacy issues related to PIAs, handling requests for exercising individuals’ rights, and approving the company’s privacy governance policies and practices. The Privacy Officer has thus an active role to play in the company.
Does Law 25 contain specific requirements for delegation?
Delegation must be made by the person with the highest authority within the company. It must be in written form and may then be tabled with the board of directors at a board meeting to become part of the minutes and to have a record of the delegation, at the discretion of each company. When an organization holds more than one company in the same group, more than one delegation may be required.
Once the responsibility of the Privacy Officer has been delegated in writing, private companies are required to publish the Privacy Officer title and contact information on their website, unlike public organizations that are required to notify the Commission d’accès à l’information (“CAI”) in writing of the title, contact information and start date of the person performing the Privacy Officer function.
Should the name of the acting Privacy Officer be published?
The Act does not require the name of the acting Privacy Officer on the company’s website, which means that general contact information could be posted (for example, “email@example.com”). That being said, the Privacy Officer should be clearly identified internally so that anyone can contact them with any privacy-related questions.
Law 25 provides for an obligation for businesses and public bodies to structure and adopt documents and policies. Where do we start?
An effective compliance program is tailored to each organization and reflects its practices in a transparent manner. The greatest danger in setting up a compliance program is reusing policy models without adapting them to the organization’s context and practices. The policies that make up the compliance program must be the result of a reflective exercise between privacy stakeholders. More specifically, the policies must set out the applicable privacy principles and the roles and responsibilities of each party in this regard.
 For the purposes of this bulletin, all legislative references must be read as incorporating the amendments introduced by An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25 ("Law 25"), which come into effect in several phases. For a reminder of the different effective dates, see the Annotated Private Sector Act or the Annotated Access Act (available in French only).
 Private Sector Act, s. 3.2 para. 2.
 Private Sector Act, s. 3.5 para. 2 and 3.7.
 Private Sector Act, s. 3.3 para. 2 and 3.4.
 Private Sector Act, s. 3.4
 Private Sector Act, s. 28.1 para. 4, 30 para. 2, 32, 34 and 35; C.C.Q., s. 40.
 Private Sector Act, s. 3.2 para. 1.
 Private Sector Act, s. 3.1 para. 2.
 Private Sector Act, s. 3.1 para. 3.
 Access Act, s. 8. para. 4.