Law 25: Personal Data Protection in Construction
By Editorial Team
Updated on November 7, 2023
Technological breakthroughs come hand in hand with a host of advantages, including the speed at which data can be compiled and the ease with which multiple pieces of information can be centralized. However, booming IT proficiency and ready access to digital tools also spell greater hacking risks and the need to protect large volumes of sensitive information.
As a contractor, you undoubtedly collect a lot of personal and professional information on a regular basis, such as client contact information, employee SIN numbers, banking information, and much more. It goes without saying that you have to ensure the confidentiality of all of this information.
How to Protect a Company’s Personal and Professional Data
Firstly, let’s take a closer look at the meaning of the terms used in this blog article.
Personal information is defined as follows:
Recorded information that can, directly or indirectly, identify an individual (name, date of birth, social insurance number, email address, etc.).
A privacy policy is defined as follows:
An overview of practices and measures instilled by a company to ensure the protection of an individual’s personal information. This policy is designed to inform the target public of the level of commitment involved in protecting the data collected and to help individuals provide informed consent.
The risk of injury is defined as:
An act and event that’s likely to harm the concerned individual or their property. This is a situation that could harm their interests, damage their reputation, cause financial losses, harm their credit history, expose them to identity theft, result in their loss of employment, etc.
A confidentiality incident is defined as:
Unauthorized access, unauthorized use and communication, or loss of personal information. Among other scenarios, this could encompass situations where an employee exceeds their authorized rights and responsibilities by snooping or usurping an identity. It could also include inadvertent data leaks, such as an email mistakenly sent to the wrong recipient, instances of cyber-attacks, or the loss or theft of a USB key containing a sensitive database, among other potential incidents.
How to Legally Harvest Personal Information
Canadian companies must maintain complete transparency when collecting personal data from individuals.
You must:
1. Explain how data is collected (telephone numbers, software, quotes, forms, etc.).
2. Provide information about how data will be used (communication, contracts, newsletters, exclusive discounts, payments, etc.).
3. Gather only information relevant and justifiable in relation to objectives. (For example, there’s no need to obtain a client's banking information for in-person payments or their date of birth for promotional email subscriptions.)
4. Avoid disclosing the information to any third party without explicit consent from the concerned individual, and clearly state the purpose for which the information is being disclosed. (For example, a construction contractor has to provide a client’s information to a field expert to carry out plumbing or electrical work.)
5. State that the individual can withdraw consent for the use of their information.
6. Highlight the rights of access and rectification granted by law.
7. Retain data only for a period that’s reasonably necessary.
How to Write a Privacy Policy
While specific regulations may not explicitly outline requirements in this matter, it’s best to have an easily accessible privacy policy that’s readily available to your clients. It should be written in straightforward language that’s easy to understand.
It should include the following elements:
A short description of your company’s activities and services.
The name and contact information of the company responsible for collecting data (most likely your company, but this could also include a referral platform like ours).
The name and contact information of the person(s) responsible for protecting personal information.
Numbers 1-2-5-6-7 of the aforementioned list.
The duration for which the collected data will be retained.
The security measures implemented to protect information.
The date the policy took effect and when it was last updated.
What are the mandates imposed by Law 25?
Since September 22, 2022, Quebec's Law 25 has modernized the legislative provisions concerning personal data protection, imposing new obligations on all individuals conducting business activities. Additional security regulations are set to be introduced in September 2023 and 2024.
Since September 2022, you must:
Appoint a data protection officer to oversee your company’s personal information protection and publish their contact information on your website (or any other media readily available if you don’t have a website).
In the event of a privacy-related incident, promptly notify the Commission d'accès à l'information du Québec and all relevant parties, while maintaining an accurate and current log of such incidents.
Obtain consent from the concerned individual prior to using their information for research, statistical analysis, commercial transactions, or any advertising and promotional purposes.
As of September 22, 2023, you’ll need to:
Apply policies regarding the governance of personal information, and state them in plain language on your website (or other communication methods).
Write and publish a clear and concise privacy policy, particularly if you’re harvesting personal data through technology.
Inform concerned individuals when a decision concerning them is based solely on an automated process, and when identification, location, or profiling technologies are employed.
Destroy or render anonymous all personal information that’s no longer of use.
Assess privacy factors when the law requires it and abide by new communication conditions, prior to divulging personal information outside of the province of Quebec, for example.
Adhere to the latest regulations regarding obtaining consent for the collection, disclosure, or use of personal information belonging to minors or legal adults.
Configure default settings to enforce the highest level of confidentiality and privacy.
Comply with current personal information disclosure regulations to ease the grieving process.
As of September 2024, you’ll need to:
Provide all personal data collected through technology at the request of the concerned individual.
The above-mentioned obligations regarding the protection of personal information apply regardless of the size of your company. Whether you employ 700 individuals, operate as a sole proprietorship, joint-stock company, or general partnership, all physical or artificial persons must adhere to their responsibilities by establishing and implementing best practices in terms of data protection.
What’s cybercrime?
Cybercrimes target your company’s confidential information and can manifest as the following:
Malware that’s covertly installed through apps or websites with the purpose of allowing a thief to access the content of your computer.
Ransomware that blocks access to your computer and attempts to convince you to pay a sum of money to recover important data before it’s sold.
Phishing uses more conventional methods, such as bogus emails or computerized calls intended to trick you into willingly providing personal information.
Denial-of-service (DoS) attacks considerably increase the traffic on your website, making it virtually impossible for your clients to access. It’s a money-making technique that either asks you to pay to restore accessibility or sells you a bogus repair service.
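Rainbow table attacks go after the passwords stored on your server all at once: precomputed tables are used to reverse the way the passwords were scrambled (hashed), which can give the attacker access to everyone’s information and to an entire server.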
How to Protect Your Company’s Data
Below are some valuable tips to help prevent cyber attacks.
Regularly check your software
Ensure that your operating system, software, and firewall are up to date, that your antivirus software is of the highest quality, and that your Wi-Fi network is secure.
Identify any gaps in your data management and protection, and fine-tune your approach. If necessary, consult experts to find the right tools for your situation, and resolve any problems or potential cyber-security loopholes.
Secure data internally
Unfortunately, the threat of an untrustworthy individual within your immediate circle or company is a possibility. While countering such adversaries can be challenging, you have to establish effective measures to minimize the risk of data breaches.
You could, for example, impose restrictions on computer access in your absence, prohibit USB keys, frequently reset passwords, deny former employees access to internal websites, and install software that logs who had access to what and when that occurred, etc.
Furthermore, when hiring new talent, don't be shy about having them sign an ethical code and non-disclosure agreement (NDA).
Educate yourself about data protection
Train your employees about the risks of using technology outside a highly secure network. For example, logging on to a public network to find client information in your database or clicking on a pop-up ad aren’t recommended, nor is leaving your computer unattended in the presence of your children when you're getting ready to send a confidential email, and so on.
Establish a cybersecurity protocol
First, outline the steps to be taken, and identify whom to contact in the event of a security breach (police, banks, clients, suppliers, etc.).
Then, systematically back up documents to the cloud and to an external hard drive. Likewise, all folders containing personal information should be encrypted, and their encryption keys kept off servers.
Get cyber insurance
Such insurance could prevent financial losses and crisis management issues, while also putting you in touch with a variety of experts (IT security experts, legal advisors, public relations specialists, etc.).
This insurance could cover legal or mediation fees, partially refund your business operating losses, finance a client credit monitoring service, and even contribute to hiring a public relations firm if you require media communication.
How to Protect Against Data Breaches
As soon as you have reason to believe or are aware that your company's and/or your clients' personal data has been compromised, and that the situation involves a risk of significant injury, you must report it to the Privacy Commissioner of Canada and to the Commission d'accès à l'information du Québec. You should also inform all those concerned, and immediately log the incident in a database, keeping the record for a period of 5 years.
Subsequently, put into practice measures to minimize the extent of the leak and prevent such an event from happening again. For example, you could recover or require the complete destruction of stolen personal information, then fine-tune your security methods and correct any shortcomings identified at the time of the incident.
How to Provide Government Services with a Written Notice
Include the following information:
Company name and NEQ (Quebec Enterprise Number).
Name and contact information of the individual to contact in regard to the breach.
Description of personal information involved.
Circumstances of the incident, if possible.
Date or period during which the breach occurred and when your company took notice.
The number of individuals involved in the breach.
List the elements that led you to believe that there was a serious risk of injury.
Measures put in place to inform affected persons.
Measures taken or planned to minimize the risk of a breach occurring, mitigate the impact of a breach, and prevent your company's data protection from being jeopardized by another breach.
How to Provide Those Involved with a Written Notice
Include the following information:
Name and contact information of the individual to contact in regard to the breach.
Description of personal information involved.
Circumstances of the incident, if possible.
Date or period during which the breach occurred and when your company took notice.
Advice provided by your company suggesting ways in which the affected person can reduce the risk of injury.
Measures taken or planned to minimize the risk of a breach occurring, mitigate the impact of a breach, and prevent your company's data protection from being jeopardized by another breach.