Public Disclosure for Personal Information Agents

Under Quebec Law 25, a personal information agent is an organization that commercially establishes files to prepare and communicate credit, character, reputation, or solvency reports to third parties.

Section 79 requires agents to disclose that they hold personal information, share credit/character reports with contracted third parties, and receive data from those parties. They must also disclose access and rectification rights, privacy officer contact info, operating methods, and security measures.

The required information must be published on the personal information agent's website. If the organization does not have a website, it must be made available by any other appropriate means.

The Law 25 website disclosure data sharing practices must clearly state that the agent communicates credit or character reports to contracted third parties and receives personal information from those same parties.

Yes, the law explicitly requires agents to inform the public of the Law 25 access and rectification rights that individuals can exercise concerning their files held by the agent.

They must disclose the fact that they receive personal information relating to individuals from persons with whom they are bound by contract to establish files and prepare credit reports.

While a standard privacy policy covers general data collection, the Quebec Law 25 notice of collection for personal information agents mandates specific admissions about credit reporting, receiving data from contracted third parties, and disclosing specific operational and security measures required under Section 72.

Disclosures should be updated whenever there is a material change to the privacy officer's contact information, operational methods, rules of conduct, or security measures, ensuring the public is accurately and consistently informed.

Common gaps include failing to clearly state that data is shared for credit or character reports, omitting the specific contact details of the privacy officer, and failing to provide clear instructions on how to handle access and rectification requests Law 25.

Teams should publish clear procedures in their Quebec Law 25 privacy notice, establish secure identity verification methods, and maintain a centralized data subject request log to track the statutory 30-day response deadline.

Law 25 §79 disclosures must stay accurate when privacy officer details, data sharing practices, or access/rectification procedures change. Tools like WatchDog Security's Policy Management can help version-control the public privacy notice, track internal approvals, and record stakeholder acknowledgements so updates are made consistently and are easy to evidence.

Auditors and stakeholders may expect proof that the published disclosure is reviewed, approved, and kept aligned with current practices and contracts. Tools like WatchDog Security's Compliance Center can help track the control, attach evidence (e.g., snapshots of the notice, review records), and flag gaps when required disclosure elements are missing.