Law 25: Personal Data Protection in Construction

Technological breakthroughs come hand in hand with a host of advantages, including the speed at which data can be compiled and the ease with which multiple pieces of information can be centralized. However, booming IT proficiency and ready access to digital tools also spell greater hacking risks and the need to protect large volumes of sensitive information.

As a contractor, you without a doubt regularly collect a lot of personal and professional information, such as client contact information, employee SIN numbers, banking information, and much more. This goes without saying but, you have to ensure the confidentiality of all the aforementioned information. 

How to Protect a Company’s Personal and Professional Data

Source: Canva

Firstly, let’s take a closer look at the meaning of the terms used in this blog article. 

Personal information is defined as follows:

Recorded information that can, directly or indirectly, identify an individual (name, date of birth, social insurance number, email address, etc.). 

A privacy policy is defined as follows:

An overview of practices and measures instilled by a company to ensure the protection of an individual’s personal information. This policy is designed to inform the target public of the level of commitment involved in protecting the data collected and to help individuals provide informed consent.

The risk of injury is defined as:

An act and event that’s likely to harm the concerned individual or their property. This is a situation that could harm their interests, damage their reputation, cause financial losses, harm their credit history, expose them to identity theft, result in their loss of employment, etc.

A confidentiality incident is defined as:

Unauthorized access, unauthorized use and communication, or loss of personal information. In addition to various scenarios, this could encompass situations where an employee exceeds their authorized rights and responsibilities by snooping or usurping an identity. It could also include inadvertent data leaks, such as an email mistakenly sent to the wrong recipient, instances of cyber-attacks, or the loss or theft of a USB key containing a sensitive database, among other potential incidents. 

How to Legally Harvest Personal Information

Canadian companies must maintain complete transparency when collecting personal data from individuals.

You must:

1. Explain how data is collected (telephone numbers, software, quotes, forms, etc.).

2. Provide information about how data will be used (communication, contracts, newsletters, exclusive discounts, payments, etc.).

3. Gather only information relevant and justifiable in relation to objectives. (For example, there’s no need to obtain a client's banking information for in-person payments or their date of birth for promotional email subscriptions.)

4. Avoid disclosing the information to any third party without explicit consent from the concerned individual, and clearly state the purpose for which the information is being disclosed. (For example, a construction contractor has to provide a client’s information to a field expert to carry out plumbing or electrical work.)

5. State that the individual can withdraw consent for the use of their information.

6. Highlight the rights of access and rectification granted by law.

7. Retain data only for a period that’s reasonably necessary.

How to Write a Privacy Policy

While specific regulations may not explicitly outline requirements in this matter, it’s best to have an easily accessible privacy policy that’s readily available to your clients. It should be written in straightforward language that’s easy to understand.

It should include the following elements:

1. A short description of your company’s activities and services.

2. Include the name and contact information of the company responsible for collecting data (most likely your company but could also include a referral platform like ours).

3. The name and contact information of the person(s) responsible for protecting personal information. 

4. Numbers 1-2-5-6-7 of the aforementioned list.

5. The duration for which the collected data will be retained.

6. The security measures implemented to protect information.

7. The date the policy took effect and when it was last updated.

What are the mandates imposed by Law 25?

Source: Canva

Since September 22, 2022, Quebec's Law 25 has modernized the legislative provisions concerning personal data protection, imposing new obligations on all individuals conducting business activities. Additional security regulations are set to be introduced in September 2023 and 2024.

Since September 2022, you must:

• Appoint a data protection officer to oversee your company’s personal information protection and publish their contact information on your website (or any other media readily available if you don’t have a website). 

• In the event of a privacy-related incident, promptly notify the Commission d'accès à l'information du Québec and all relevant parties, while maintaining an accurate and current log of such incidents.

• Obtain consent from the concerned individual prior to using their information for research, statistical analysis, commercial transactions, or any advertising and promotional purposes.

As of September 22, 2023, you’ll need to:

• Apply policies regarding the governance of personal information, and state them in plain language on your website (or other communication methods).

• Write and publish a clear and concise privacy policy, particularly if you’re harvesting personal data through technology.

• Inform concerned individuals when they’re solely making a decision based on an automated process and when identification, location, or profiling technologies are employed.

• Destroy or render anonymous all personal information that’s no longer of use.

• Assess privacy factors when the law requires it and abide by new communication conditions, prior to divulging personal information outside of the province of Quebec, for example. 

• Adhere to the latest regulations regarding obtaining consent for the collection, disclosure, or use of personal information belonging to minors or legal adults.

• Configure default settings to enforce the highest level of confidentiality and privacy.

• Comply with current personal information disclosure regulations to ease the grieving process.

As of September 2024, you’ll need to:

• Provide all personal data collected through technology at the request of the concerned individual.

The above-mentioned obligations regarding the protection of personal information apply regardless of the size of your company. Whether you employ 700 individuals, operate as a sole proprietorship, joint-stock company, or general partnership, all physical or artificial persons must adhere to their responsibilities by establishing and implementing best practices in terms of data protection.

What’s cybercrime?

Cybercrimes target your company’s confidential information and can manifest as the following:

• Malware that’s installed in incognito mode through apps or websites with the purpose of allowing a thief to access the content of your computer.  

• Ransomware that blocks access to your computer and attempts to convince you to pay a sum of money to recover important data before it’s sold. 

• Phishing uses more conventional methods, such as bogus emails or computerized calls intended to trick you into willingly providing personal information.

• Denial-of-service (DoS) attacks considerably increase the traffic on your website, making it virtually impossible for your clients to access. It’s a money-making technique that either asks you to pay to restore accessibility or sells you a bogus repair service.

• Rainbow tables access your server to get ahold of everyone’s information at once, then analyze password algorithms and gain access to an entire server. 

How to Protect Your Company’s Data

Below are some valuable tips to help prevent cyber attacks.

Regularly check your software

Ensure that your operating system, software, and firewall are up to date, that your antivirus software is of the highest quality, and that your Wi-Fi network is secure.

Identify any gaps in your data management and protection, and fine-tune your approach. If necessary, consult experts to find the right tools for your situation, and resolve any problems or potential cyber-security loopholes.

Secure data internally

Unfortunately, the threat of an untrustworthy individual within your immediate circle or company is a possibility. While countering such adversaries can be challenging, you have to establish effective measures to minimize the risk of data breaches. 

You could, for example, impose restrictions on computer access in your absence, prohibit USB keys, frequently reset passwords, deny former employees access to internal websites, and install software that logs who had access to what and when that occurred, etc.

Furthermore, when hiring new talent, don't be shy about having them sign an ethical code and non-disclosure agreement (NDA).

Educate yourself about data protection

Train your employees about the risks of using technology outside a highly secure network. For example, logging on to a public network to find client information in your database or clicking on a pop-up ad aren’t recommended, nor is leaving your computer unattended in the presence of your children when you're getting ready to send a confidential email, and so on.

Establish a cybersecurity protocol 

First, outline the steps to be taken, and identify whom to contact in the event of a security breach (police, banks, clients, suppliers, etc.).

Then, systematically backup documents on the Cloud and an external hard drive. Likewise, all folders containing personal information should be encrypted, and their encryption keys kept off servers.

Get cyber insurance

Such insurance could prevent financial losses and crisis management issues, while also putting you in touch with a variety of experts (IT security experts, legal advisors, public relations specialists, etc.).

This insurance could cover legal or mediation fees, partially refund your business operating losses, finance a client credit monitoring service, and even contribute to hiring a public relations firm if you require media communication.

How to Protect Against Data Breaches

Source: Canva

As soon as you have reason to believe or are aware that your company's and/or your clients' personal data has been compromised, and that the situation involves a risk of significant injury, you must report it to the Privacy Commissioner of Canada and to the Commission d'accès à l'information du Québec. You should also inform all those concerned, and immediately log the incident in a database for a period of 5 years.

Subsequently, put into practice measures to minimize the extent of the leak and prevent such an event from happening again. For example, you could recover or require the complete destruction of stolen personal information, then fine-tune your security methods and correct any shortcomings identified at the time of the incident.

How to Provide Government Services with a Written Notice 

Include the following information:

1. Company name and NEG (Quebec Enterprise Number).

2. Name and contact information of the individual to contact in regard to the breach.

3. Description of personal information involved.

4. Circumstances of the incident, if possible.

5. Date or period during which the breach occurred and when your company took notice.

6. The number of individuals involved in the breach.

7. List the elements that led you to believe that there was a serious risk of injury.

8. Measures put in place to inform affected persons.

9. Measures taken or planned to minimize the risk of a breach occurring to mitigate the impact of a breach and prevent your company's data protection from being jeopardized by another breach.

How to Provide Those Involved with a Written Notice

Include the following information:

1. Name and contact information of the individual to contact in regard to the breach.

2. Description of personal information involved.

3. Circumstances of the incident, if possible.

4. Date or period during which the breach occurred and when your company took notice.

5. Advise provided by your company suggesting ways in which the affected person can reduce the risk of injury.

6. Measures taken or planned to minimize the risk of a breach occurring to mitigate the impact of a breach and prevent your company's data protection from being jeopardized by another breach.

Last but not least, besides the embedded links we've provided, here are a few other articles about construction IT that may be of interest:

• Construction Contractor: Why You Should Optimize Your Profile

• How to Create a Good Website for Your Home Renovation Company

• Renovation Contractor: Choosing an Estimation Software

• 6 Apps to Help You Run Your Renovation Business

• Contractors: Acquiring News Clients Through Social Media

• How to Use Artificial and Augmented Reality in Construction Industry