Registration as a Personal Information Agent
Plain English Translation
Under Quebec Law 25 section 70, any organization that commercially establishes files on individuals to prepare and communicate credit, character, reputation, or solvency reports to third parties is classified as a personal information agent. These organizations must formally register with the Commission d'accès à l'information (CAI). This ensures strict regulatory oversight over entities whose primary business involves assessing and disseminating sensitive consumer background data.
Technical Implementation
Required Actions (startup)
- Determine if the startup's core product involves compiling and selling character or credit reports.
- Appoint a privacy officer and begin drafting required security policies for registration.
Required Actions (scaleup)
- Formalize the registration application with the CAI and pay necessary regulatory fees.
- Implement technical controls to ensure credit reports are accurate and only communicated lawfully.
Required Actions (enterprise)
- Maintain an automated process to track changes in operational methods or corporate structure.
- Ensure the CAI is actively notified within 30 days of any changes to registered information or privacy officer details.
Under Quebec Law 25, a personal information agent is any organization that, on a commercial basis, establishes files on individuals to prepare and communicate credit, character, reputation, or solvency reports to third parties.
Section 70 requires registration when an enterprise operates as a personal information agent in Quebec. If your business model involves commercially preparing and sharing credit or character reports with third parties, CAI registration is mandatory.
Yes, if your organization prepares and communicates these credit checks or background reports on a commercial basis to third parties, you qualify as a personal information agent and must register with the CAI.
To register as a personal information agent, organizations must file an application with the CAI according to their specified procedures and pay the required regulatory fees. The application must include details about operational methods and privacy practices.
Registration typically requires the organization's name and address, contact information for the privacy officer, a description of the operational methods ensuring data accuracy, rules of conduct for access requests, and details of security measures.
After registering, agents must maintain accurate and up-to-date files, publish their privacy practices, establish rules of conduct for data access and rectification, and securely destroy data collected more than seven years ago.
Organizations must inform the Commission d'accès à l'information of any changes to their registration information, such as address updates or a new privacy officer, no later than 30 days following the change.
Failing to register or contravening personal information agent obligations can result in monetary administrative penalties of up to $10,000,000 or 2% of worldwide turnover, and penal fines up to $25,000,000 or 4% of worldwide turnover.
Generally, yes. If the agency or provider commercially prepares and communicates reports regarding a person's character, reputation, or solvency to third parties, they meet the definition of a personal information agent under Law 25.
Organizations hiring third-party credit or background check vendors must ensure those vendors are properly registered with the CAI. Using unregistered personal information agents introduces significant third-party risk and compliance violations. Tools like WatchDog Security's Vendor Risk Management can help document registration checks, store attestations, and track remediation when gaps are identified.
Registration compliance often fails when responsibilities, evidence, and deadlines are tracked informally. Tools like WatchDog Security's Compliance Center can centralize the control, map required proof (e.g., registration confirmation, governance documents), and track recurring reviews and change-driven updates so teams can demonstrate ongoing compliance.
Vendor risk increases when the organization cannot consistently verify whether providers are registered and operating within legal constraints. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor catalog, collect registration attestations and supporting evidence, and record risk-tiering and remediation actions when a provider cannot demonstrate CAI registration.
"Every personal information agent carrying on an enterprise in Québec must be registered with the Commission. Any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates is a personal information agent."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |