Rules of Conduct for Personal Information Agents
Plain English Translation
Under Quebec Law 25 section 78, any organization acting as a personal information agent must establish and enforce internal rules of conduct. These rules must define a secure procedure for individuals to submit an access request or a rectification request regarding their credit or background files. The procedure must be designed to effectively process the request while simultaneously ensuring the protection and confidentiality of the personal information.
Technical Implementation
Required actions are listed below by organization size (startup, scaleup, enterprise); each tier builds on the one before it.
Required Actions (startup)
- Draft basic rules of conduct for handling an access request and publish them for consumers.
- Set up an internal email alias and tracking spreadsheet to receive and log requests, with access restricted to the staff who handle them, since both will contain personal information.
Required Actions (scaleup)
- Implement a standardized data subject request log that records the date each request was received and tracks the 30-day statutory response deadline counted from that date.
- Develop secure identity verification procedures before releasing personal information files to requesters.
Required Actions (enterprise)
- Automate the retrieval of credit or background files for verified requesters.
- Integrate the rectification request process directly into a consumer-facing portal with secure multi-factor authentication.
Under Quebec Law 25, a personal information agent is any person or organization that, on a commercial basis, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation, or solvency of those persons. These entities must register with the Commission d'accès à l'information (CAI) and follow strict compliance obligations.
Quebec Law 25 section 78 requires every personal information agent to establish and apply internal rules of conduct. These rules must govern how the enterprise processes an access request or rectification request, ensuring the procedure protects the confidentiality of the data.
To create these rules of conduct, an organization must define clear standard operating procedures for receiving a Quebec Law 25 access request or rectification request. This includes documenting identity verification steps, response timelines, and secure methods for delivering the requested personal information file.
The access request process must include strict identity verification protocols so that a file is never disclosed to an impostor posing as the person concerned. It should also use secure transmission methods, such as encrypted portals or authenticated communications, when delivering the personal information to the verified individual.
A personal information agent must verify the requester's identity by requiring sufficient proof that they are the person concerned, or their authorized representative, heir, or successor. This verification step is a critical component of the rules of conduct to ensure data is not inadvertently disclosed to the wrong party.
Under Quebec Law 25, the person in charge of the protection of personal information must respond to an access request or rectification request promptly and no later than 30 days after receipt. Failure to respond within this 30-day timeframe is legally deemed a refusal to grant the request.
When an individual proves that their personal information is inaccurate, incomplete, or equivocal, the organization must grant the rectification request and correct the file. The organization must then issue a free copy of the modified information or an attestation of deletion to the requester, and update its data subject request log.
A personal information agent may refuse a request where the law permits it, for example if disclosure would reveal personal information about a third party that could seriously harm that person, or if it would hinder a criminal investigation. If a request is refused, the agent must give the legal reasons for the refusal in writing and inform the applicant of the remedies available.
Security controls should include multi-factor authentication for digital access, encrypted file transfers, and strict role-based access control limiting which employees can process the access request. The procedure must ensure the protection of the information in transit and at rest.
Organizations should retain documented standard operating procedures outlining their rules of conduct, alongside a comprehensive data subject request log. Keeping records of identity verification and copies of written responses or attestations of rectification helps prove compliance during an audit.
Section 78 requires repeatable, documented rules of conduct and proof that requests are handled securely and on time. Tools like WatchDog Security's Compliance Center can centralize the control requirements, track implementation status, and map evidence (SOPs, request logs, and response templates) so audits can quickly verify the procedure is established and applied.
Access responses often contain sensitive file contents, so delivery should be encrypted and authenticated to reduce misdelivery risk. Tools like WatchDog Security's Secure File Sharing can support encrypted distribution, requester verification (including TOTP), and audit logs that document when and how the information was accessed.
"Every personal information agent must establish and apply within his enterprise rules of conduct allowing any person to whom personal information held by the agent relates to have access to the information according to a procedure that ensures the protection of the information and to cause the information to be rectified."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |