Are you a contractor?

Join our network and attract real clients!

Table of Contents

Law 25: Personal Data Protection in Construction

Law 25: Personal Data Protection in Construction

Advice for contractorLaw 25: Personal Data Protection in Construction

Technological breakthroughs come hand in hand with a host of advantages, including the speed at which data can be compiled and the ease with which multiple pieces of information can be centralized. However, booming IT proficiency and ready access to digital tools also spell greater hacking risks and the need to protect large volumes of sensitive information.

As a contractor, you without a doubt regularly collect a lot of personal and professional information, such as client contact information, employee SIN numbers, banking information, and much more. This goes without saying but, you have to ensure the confidentiality of all the aforementioned information. 

How to Protect a Company’s Personal and Professional Data

law 25

Source: Canva

Firstly, let’s take a closer look at the meaning of the terms used in this blog article. 

Personal information is defined as follows:

Recorded information that can, directly or indirectly, identify an individual (name, date of birth, social insurance number, email address, etc.). 

A privacy policy is defined as follows:

An overview of practices and measures instilled by a company to ensure the protection of an individual’s personal information. This policy is designed to inform the target public of the level of commitment involved in protecting the data collected and to help individuals provide informed consent.

The risk of injury is defined as:

An act and event that’s likely to harm the concerned individual or their property. This is a situation that could harm their interests, damage their reputation, cause financial losses, harm their credit history, expose them to identity theft, result in their loss of employment, etc.

A confidentiality incident is defined as:

Unauthorized access, unauthorized use and communication, or loss of personal information. In addition to various scenarios, this could encompass situations where an employee exceeds their authorized rights and responsibilities by snooping or usurping an identity. It could also include inadvertent data leaks, such as an email mistakenly sent to the wrong recipient, instances of cyber-attacks, or the loss or theft of a USB key containing a sensitive database, among other potential incidents. 

How to Legally Harvest Personal Information

Canadian companies must maintain complete transparency when collecting personal data from individuals.

You must:

  1. Explain how data is collected (telephone numbers, software, quotes, forms, etc.).

  2. Provide information about how data will be used (communication, contracts, newsletters, exclusive discounts, payments, etc.).

  3. Gather only information relevant and justifiable in relation to objectives. (For example, there’s no need to obtain a client's banking information for in-person payments or their date of birth for promotional email subscriptions.)

  4. Avoid disclosing the information to any third party without explicit consent from the concerned individual, and clearly state the purpose for which the information is being disclosed. (For example, a construction contractor has to provide a client’s information to a field expert to carry out plumbing or electrical work.)

  5. State that the individual can withdraw consent for the use of their information.

  6. Highlight the rights of access and rectification granted by law.

  7. Retain data only for a period that’s reasonably necessary.

How to Write a Privacy Policy

While specific regulations may not explicitly outline requirements in this matter, it’s best to have an easily accessible privacy policy that’s readily available to your clients. It should be written in straightforward language that’s easy to understand.

It should include the following elements:

  1. A short description of your company’s activities and services.

  2. Include the name and contact information of the company responsible for collecting data (most likely your company but could also include a referral platform like ours).

  3. The name and contact information of the person(s) responsible for protecting personal information. 

  4. Numbers 1-2-5-6-7 of the aforementioned list.

  5. The duration for which the collected data will be retained.

  6. The security measures implemented to protect information.

  7. The date the policy took effect and when it was last updated.

What are the mandates imposed by Law 25?

law 25

Source: Canva

Since September 22, 2022, Quebec's Law 25 has modernized the legislative provisions concerning personal data protection, imposing new obligations on all individuals conducting business activities. Additional security regulations are set to be introduced in September 2023 and 2024.

Since September 2022, you must:

  • Appoint a data protection officer to oversee your company’s personal information protection and publish their contact information on your website (or any other media readily available if you don’t have a website). 

  • In the event of a privacy-related incident, promptly notify the Commission d'accès à l'information du Québec and all relevant parties, while maintaining an accurate and current log of such incidents.

  • Obtain consent from the concerned individual prior to using their information for research, statistical analysis, commercial transactions, or any advertising and promotional purposes.

As of September 22, 2023, you’ll need to:

  • Apply policies regarding the governance of personal information, and state them in plain language on your website (or other communication methods).

  • Write and publish a clear and concise privacy policy, particularly if you’re harvesting personal data through technology.

  • Inform concerned individuals when they’re solely making a decision based on an automated process and when identification, location, or profiling technologies are employed.

  • Destroy or render anonymous all personal information that’s no longer of use.

  • Assess privacy factors when the law requires it and abide by new communication conditions, prior to divulging personal information outside of the province of Quebec, for example. 

  • Adhere to the latest regulations regarding obtaining consent for the collection, disclosure, or use of personal information belonging to minors or legal adults.

  • Configure default settings to enforce the highest level of confidentiality and privacy.

  • Comply with current personal information disclosure regulations to ease the grieving process.

As of September 2024, you’ll need to:

  • Provide all personal data collected through technology at the request of the concerned individual.

The above-mentioned obligations regarding the protection of personal information apply regardless of the size of your company. Whether you employ 700 individuals, operate as a sole proprietorship, joint-stock company, or general partnership, all physical or artificial persons must adhere to their responsibilities by establishing and implementing best practices in terms of data protection.

What’s cybercrime?

Cybercrimes target your company’s confidential information and can manifest as the following:

  • Malware that’s installed in incognito mode through apps or websites with the purpose of allowing a thief to access the content of your computer.  

  • Ransomware that blocks access to your computer and attempts to convince you to pay a sum of money to recover important data before it’s sold. 

  • Phishing uses more conventional methods, such as bogus emails or computerized calls intended to trick you into willingly providing personal information.

  • Denial-of-service (DoS) attacks considerably increase the traffic on your website, making it virtually impossible for your clients to access. It’s a money-making technique that either asks you to pay to restore accessibility or sells you a bogus repair service.

  • Rainbow tables access your server to get ahold of everyone’s information at once, then analyze password algorithms and gain access to an entire server. 

How to Protect Your Company’s Data

Below are some valuable tips to help prevent cyber attacks.


Regularly check your software

Ensure that your operating system, software, and firewall are up to date, that your antivirus software is of the highest quality, and that your Wi-Fi network is secure.

Identify any gaps in your data management and protection, and fine-tune your approach. If necessary, consult experts to find the right tools for your situation, and resolve any problems or potential cyber-security loopholes.

Secure data internally

Unfortunately, the threat of an untrustworthy individual within your immediate circle or company is a possibility. While countering such adversaries can be challenging, you have to establish effective measures to minimize the risk of data breaches. 

You could, for example, impose restrictions on computer access in your absence, prohibit USB keys, frequently reset passwords, deny former employees access to internal websites, and install software that logs who had access to what and when that occurred, etc.

Furthermore, when hiring new talent, don't be shy about having them sign an ethical code and non-disclosure agreement (NDA).

Educate yourself about data protection

Train your employees about the risks of using technology outside a highly secure network. For example, logging on to a public network to find client information in your database or clicking on a pop-up ad aren’t recommended, nor is leaving your computer unattended in the presence of your children when you're getting ready to send a confidential email, and so on.

Establish a cybersecurity protocol 

First, outline the steps to be taken, and identify whom to contact in the event of a security breach (police, banks, clients, suppliers, etc.).

Then, systematically backup documents on the Cloud and an external hard drive. Likewise, all folders containing personal information should be encrypted, and their encryption keys kept off servers.

Get cyber insurance

Such insurance could prevent financial losses and crisis management issues, while also putting you in touch with a variety of experts (IT security experts, legal advisors, public relations specialists, etc.).

This insurance could cover legal or mediation fees, partially refund your business operating losses, finance a client credit monitoring service, and even contribute to hiring a public relations firm if you require media communication.

How to Protect Against Data Breaches

law 25

Source: Canva

As soon as you have reason to believe or are aware that your company's and/or your clients' personal data has been compromised, and that the situation involves a risk of significant injury, you must report it to the Privacy Commissioner of Canada and to the Commission d'accès à l'information du Québec. You should also inform all those concerned, and immediately log the incident in a database for a period of 5 years.

Subsequently, put into practice measures to minimize the extent of the leak and prevent such an event from happening again. For example, you could recover or require the complete destruction of stolen personal information, then fine-tune your security methods and correct any shortcomings identified at the time of the incident.

How to Provide Government Services with a Written Notice 

Include the following information:

  1. Company name and NEG (Quebec Enterprise Number).

  2. Name and contact information of the individual to contact in regard to the breach.

  3. Description of personal information involved.

  4. Circumstances of the incident, if possible.

  5. Date or period during which the breach occurred and when your company took notice.

  6. The number of individuals involved in the breach.

  7. List the elements that led you to believe that there was a serious risk of injury.

  8. Measures put in place to inform affected persons.

  9. Measures taken or planned to minimize the risk of a breach occurring to mitigate the impact of a breach and prevent your company's data protection from being jeopardized by another breach.


How to Provide Those Involved with a Written Notice

Include the following information:

  1. Name and contact information of the individual to contact in regard to the breach.

  2. Description of personal information involved.

  3. Circumstances of the incident, if possible.

  4. Date or period during which the breach occurred and when your company took notice.

  5. Advise provided by your company suggesting ways in which the affected person can reduce the risk of injury.

  6. Measures taken or planned to minimize the risk of a breach occurring to mitigate the impact of a breach and prevent your company's data protection from being jeopardized by another breach.

Last but not least, besides the embedded links we've provided, here are a few other articles about construction IT that may be of interest:

Get new contracts for your construction or renovation company can help you get new contracts. We get new project proposals from clients seeking top-rated and trustworthy renovation professionals like yourself. To get started, fill in the form on our homepage (it only takes a few minutes) and receive information regarding potential clients by way of our services.

Dial 1-844 828-1588 to speak with one of our customer service representatives.

Get 3 free quotes for your project!

Submit a project and get 3 free quotes!

Last modified 2023-11-07

List of sources

Get 3 free quotes for your project!

Submit a project and get 3 free quotes!

Looking for something else?

Table of contents

Get 3 free quotes for your project!

Submit a project and get 3 free quotes!

Are you a contractor?

Join our network and receive real leads!

Download the price guide for renovations

We’ll be emailing you the latest market price guide for renovations.

Related articles

The latest industry news, interviews, technologies, and resources.

2 min read

N/A • 07 Nov 2023

5 tips for making your renovation site more ecological

We often hear about green homes. But did you know there are also green building sites? A construction or renovation project is a serious source of pollution.

8 min read • 03 Jun 2024

6 Useful Resources for Women in Construction

As things stand, in Quebec, women are still under-represented in the construction industry. However, a lot of them aren’t second-guessing themselves when it comes to pursuing training in the hopes of carving out a place for themselves in this male-dominated industry.

5 min read • 07 Nov 2023

4 Types of Exterior Plumbing Projects that Require an Expert

During those summer months when the weather is extremely hot, we try to spend most of our time outside. If we’re lucky, our homes come equipped with a backyard or some green space where we can relax. There are endless ways to enhance outdoor spaces, including certain installations that require plumbing.

4 min read

Léa Plourde-Archer • 07 Nov 2023

Concrete Crack Repair: Epoxy or Polyurethane?

Concrete is known for being a solid, durable material that can be maintained over time. It is the most used material for solid foundations and for major projects such as bridges and viaducts. Over time, it has proven itself as an essential building material.

5 min read

Cynthia Pigeon • 07 Nov 2023

How to Effectively Manage Construction Waste

Since cities and suburbs are ever-developing, interior design and building trends rapidly evolving, and outdated buildings are brought up to code, it’s no wonder the construction, renovation, and demolition industry is booming. Although the desire for something new and beautiful is not likely to wane, it's becoming increasingly important, logical even, to reduce the waste generated by this industry. This includes recycling, processing, and repurposing materials.

Looking for a contractor?

Submit a project and get 3 free quotes now!