Employee surveys & Law 25

What Quebec's Law 25 actually requires when you survey employees: consent, anonymity, data residency and privacy impact assessments.


Law 25 (Loi 25 — the act modernizing Quebec's personal-information protection rules) governs how organizations collect and process personal information in Quebec — including the personal information of employees. An engagement survey collects opinions, perceptions and sometimes demographics: that is personal information. This guide summarizes, from an HR practitioner's perspective, what Law 25 concretely requires when you survey your employees. It is not legal advice.

What Law 25 requires for an employee survey

1. Transparency and consent

Employees must know what data is collected, why, by whom, and for how long. In practice: a clear launch communication, an accessible survey privacy notice, and informed consent whenever sensitive information or demographic questions are used. Participation must be voluntary.

2. Data minimization

Collect only what the survey's purpose requires. If the goal is to measure a team's engagement, you generally do not need a respondent's exact age or address. Every demographic question you add must justify itself.

3. Anonymity threshold (minimum group size)

Survey anonymity is not just about removing names: if a manager can view the results of a two-person group, they can often guess who answered what. The recognized practice is an anonymity threshold: a segment's results are only displayed when the number of respondents reaches a minimum group size. Sparkbay enforces this threshold systematically — results for any group below the organization's configured minimum are never displayed, and segments that are too small are automatically rolled up.
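The display rule described above, as an added example (not Sparkbay's code): teams below the threshold are rolled up, and the roll-up absorbs the next-smallest team when it would itself be too small, so that subtracting the displayed teams from a department total never isolates a small group. The threshold of 5, the `team_report` function, the roll-up label and the sample responses are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_GROUP_SIZE = 5  # assumed value; each organization configures its own minimum
ROLLUP = "(other teams)"  # hypothetical label for the rolled-up segment


def team_report(responses, min_size=MIN_GROUP_SIZE):
    """Return {department: {segment: (n, mean)}} holding only displayable segments."""
    by_dept = defaultdict(lambda: defaultdict(list))
    for dept, team, score in responses:
        by_dept[dept][team].append(score)
    out = {}
    for dept, teams in by_dept.items():
        # Largest first, so pop() hands back the smallest remaining team.
        shown = sorted(teams.items(), key=lambda kv: len(kv[1]), reverse=True)
        bucket = []
        # Teams under the threshold are never shown on their own.
        while shown and len(shown[-1][1]) < min_size:
            bucket += shown.pop()[1]
        # Differencing guard: a department total minus the displayed teams
        # reveals the bucket, so the bucket itself must reach the threshold.
        while shown and 0 < len(bucket) < min_size:
            bucket += shown.pop()[1]
        if 0 < len(bucket) < min_size:
            continue  # the whole department is below the threshold: show nothing
        segments = {team: scores for team, scores in shown}
        if bucket:
            segments[ROLLUP] = bucket
        out[dept] = {k: (len(v), round(sum(v) / len(v), 2)) for k, v in segments.items()}
    return out


def _rows(dept, team, scores):
    return [(dept, team, s) for s in scores]


# Constructed sample responses: (department, team, score on a 1-5 scale).
SAMPLE = (
    _rows("Engineering", "Platform", [4, 5, 3, 4, 4, 4])
    + _rows("Engineering", "Mobile", [3, 3, 4, 5, 5])
    + _rows("Engineering", "Security", [1, 2])
    + _rows("Finance", "Payroll", [2, 3])
    + _rows("Finance", "Audit", [5])
    + _rows("Sales", "Inside", [4, 4, 4, 4, 4])
    + _rows("Sales", "Field", [2, 3, 4, 3, 3])
)

if __name__ == "__main__":
    print(team_report(SAMPLE))
```

In the sample, the two-person Security team is merged with Mobile rather than shown or silently dropped, and Finance (three respondents in total) produces no output at all.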

4. Data residency and security

Law 25 requires an assessment before communicating personal information outside Quebec (section 17). The simplest way to reduce that risk: choose a platform that hosts data in Quebec. For its Quebec and Canadian clients, Sparkbay hosts data in Quebec (Canada); employee personal information is pseudonymized, encrypted in transit and at rest, with role-based access control.

5. Retention and deletion

Personal information must be destroyed or anonymized once its purpose is fulfilled. Individuals can also request deletion of their personal information — the platform must be able to honour that.

6. Privacy impact assessment (PIA / EFVP)

Law 25 mandates a privacy impact assessment (in French, EFVP) for any project to acquire, develop or overhaul an information system involving personal information — which includes rolling out an employee survey platform. A survey-project PIA typically documents: the purpose and basis of collection, an inventory of the information collected, the anonymity threshold, hosting location, the vendor's security measures, retention periods and the deletion process. Our team provides clients with the information needed to complete their assessment.

Law 25 vs GDPR vs PIPEDA for HR data

| Requirement | Law 25 (Quebec) | GDPR (European Union) | PIPEDA (Canada, federal) |
|---|---|---|---|
| Applies to employee data | Yes — employee personal information is covered | Yes — employee data is covered | Limited — employees of federally regulated businesses |
| Cross-border transfers | Assessment required before transfer outside Quebec (s. 17) | Transfer mechanisms required outside the EU (SCCs, adequacy) | Accountability for transfers, transparency required |
| Privacy assessment | PIA (EFVP) mandatory for information-system projects | DPIA mandatory when risk is high | Not mandatory (recommended) |
| Right to deletion | Yes | Yes (right to erasure) | Withdrawal of consent |
| Designated officer | Privacy officer mandatory | DPO mandatory in some cases; EU representative if outside EU | Compliance officer |
| Maximum penalties | Up to $25M or 4% of worldwide turnover | Up to €20M or 4% of worldwide turnover | Up to $100,000 per violation |

Sparkbay complies with Law 25 and the GDPR (with a representative in France): see our employee surveys in Quebec page, our GDPR page and our security page.

Frequently asked questions

Can we survey employees under Law 25?

Yes. Law 25 does not prohibit employee surveys; it governs how to run them: transparency about collection, data minimization, consent where required, anonymity protection, security and limited retention. With a compliant platform and clear communication, a continuous survey program is fully compatible with Law 25.

Is an anonymous survey covered by Law 25?

Truly anonymized answers are no longer personal information. In practice, caution is required: answers cross-referenced with team, role or demographics can re-identify a respondent. That is why an anonymity threshold (minimum group size) and restraint on demographic questions remain necessary.

Do we need a PIA (EFVP) to roll out an employee survey platform?

In most cases, yes: acquiring an information system that processes employee personal information triggers the assessment requirement. The vendor must be able to document hosting, security, retention and subcontracting.

Can survey data be hosted outside Quebec?

It can be, but section 17 of Law 25 then requires an assessment demonstrating adequate protection. Hosting the data in Quebec, as Sparkbay does for its Quebec and Canadian clients, avoids that complexity.
