Law 25 Guide

Person in charge of the protection of personal information

Mandatory designation, role, responsibilities, powers and published contact details of the privacy officer in a Quebec SMB.

Updated April 20, 2026 · 5 min read · Written by Pascal Dupuis · Topics: privacy officer, ss. 3.1-3.2, governance, CAI

Since September 22, 2022, every enterprise that operates in Quebec and collects, holds, uses or communicates personal information must designate a person in charge of the protection of personal information (s. 3.1 PPIPSA). Failing to designate is a violation of the Act on its own — even without any incident.

The default designation

The person exercising the highest authority within the enterprise ensures the function of person in charge of the protection of personal information. They may, however, delegate all or part of that function in writing to a member of the staff or to a third party.

In concrete terms:

  • If no written designation exists, the president, managing director or sole administrator is automatically the privacy officer — with the personal responsibilities that come with it.
  • If you want someone else to hold the role, the designation must be written, signed, dated and kept in the administrative file.

At Hilo Tech, Pascal Dupuis holds this role internally, by written designation of the two co-founders. His contact details are published on our privacy page.

Who can be a privacy officer?

The Act imposes no diploma, no certification and no specific profession. The privacy officer can be:

  • An internal executive (HR director, IT director, financial controller, admin director).
  • A member of senior leadership (president, VP, general manager).
  • An external mandatary (specialized consultant, lawyer, notary).
  • Shared: a primary holder + a backup for absences.

The exact title is not regulated, but the person must be identifiable and reachable during normal business hours.

What the person must have

  • Actual authority: they must be able to impose organizational and technical changes without being blocked by hierarchy.
  • Time: ideally 10–20% of an FTE for an SMB of 20–100 employees. Not a role piled on top of the existing workload without relief.
  • Knowledge of the Act: initial training + ongoing awareness. The CAI regularly publishes guides and opinions.
  • Access to files: ability to read policies, contracts, registers and, in case of incident, technical logs.

Core responsibilities

1. Oversight of the governance policy (s. 3.2)

The enterprise must adopt a personal information governance policy that describes:

  • Internal roles and responsibilities.
  • Complaint-handling processes.
  • Retention and destruction procedures.
  • Employee training procedures.
  • Requirements for vendors and service providers.

This policy must be published (website), updated as needed and approved by the privacy officer.

2. Handling requests from individuals

Every person has the right to exercise their rights (access, rectification, de-indexing, portability, withdrawal of consent). These requests are addressed to the privacy officer — who must respond within 30 days (s. 32).

See the Individual rights chapter for detail.

3. Privacy impact assessments (PIA)

Any new initiative that involves personal information — new CRM, new internal app, new vendor outside Quebec — requires a PIA (s. 3.3). The privacy officer oversees this assessment even if they don't draft it themselves.

4. Incident management

In a confidentiality incident, the privacy officer coordinates:

  • The risk-of-serious-harm assessment.
  • Notification to the CAI and to affected persons (as required).
  • Entry into the incident register.
  • Implementation of corrective measures.

See the Confidentiality incident notification chapter.

5. Training and awareness

The privacy officer organizes (or has organized) the annual training of employees on their obligations, on spotting incidents and on best practices.

6. Ongoing watch and continuous improvement

The CAI regularly publishes opinions, guides and decisions. The privacy officer must monitor these and adapt internal practices accordingly.

Publishing the contact details (s. 8 para. 3)

The name and contact information of the person in charge of the protection of personal information must be published on the enterprise's website or, if it has none, made accessible by any other appropriate means.

What must be published:

  • Full name of the officer.
  • Exact title (Person in charge of the protection of personal information / Privacy officer).
  • Contact details: dedicated email (e.g. privacy@yourcompany.ca), phone number, postal address.
  • Language of correspondence (French by default; English/Spanish if offered).

Our public page: hilotech.ca/en/privacy — section Person in charge of the protection of personal information.

What the privacy officer should not do alone

  • They don't draft the official legal policies without lawyer involvement.
  • They don't decide alone to notify the CAI in a complex case — the decision must involve leadership and legal counsel.
  • They don't bear penal liability in place of the enterprise: sanctions target the enterprise, not the officer personally (absent individual gross misconduct).

Our role on the IT side

At Hilo Tech, we support the client's internal privacy officer on the technical side:

  • Tooling to process access requests (searches across Microsoft 365, SharePoint, CRM).
  • Configuration of alerts and logs that will feed an incident investigation.
  • Access controls, encryption and logging.
  • Automation (Power Automate, n8n) of reminder, follow-up and notification procedures.

We do not replace the client's privacy officer and we do not draft legal documents — that's their lawyer's role.

Quick checklist

  • A privacy officer is designated in writing (even if it's the president).
  • The officer's contact details are published on the website.
  • A dedicated email (e.g. privacy@) is in place and routed to the right person.
  • The officer has attended Law 25 training within the last 12 months.
  • A backup is identified for extended absences.
  • The officer has access to technical logs (Entra ID, SharePoint, CRM) — directly or through the IT provider.
  • A register of requests (access, rectification, withdrawal, complaint) is maintained.
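The 30-day response deadline (s. 32) and the register of requests from the checklist are easy to track with a small script. The following is an added example, not Hilo Tech's tooling and not part of the original guide: a minimal rights-request register that computes each request's deadline, classifies it as open, due soon, overdue or closed (on time or late), and produces the reminder list that a Power Automate or n8n flow could act on. It assumes calendar days for the 30-day count, a 7-day reminder lead time (an assumption, not something the Act specifies), and the sample entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple

RESPONSE_DEADLINE_DAYS = 30  # s. 32: the privacy officer must respond within 30 days
REMINDER_LEAD_DAYS = 7       # assumption: raise a reminder when 7 days or fewer remain


class RequestType(Enum):
    """Rights an individual may exercise, as listed in the guide."""
    ACCESS = "access"
    RECTIFICATION = "rectification"
    DEINDEXING = "de-indexing"
    PORTABILITY = "portability"
    WITHDRAWAL = "withdrawal of consent"
    COMPLAINT = "complaint"


@dataclass
class RightsRequest:
    """One line of the request register."""
    request_id: str
    request_type: RequestType
    received: date
    responded: Optional[date] = None

    @property
    def deadline(self) -> date:
        # Deadline counted in calendar days from the day the request was received.
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)


def status(req: RightsRequest, today: date) -> str:
    """Classify a request relative to its statutory deadline."""
    if req.responded is not None:
        return "closed-on-time" if req.responded <= req.deadline else "closed-late"
    remaining = (req.deadline - today).days
    if remaining < 0:
        return "overdue"
    if remaining <= REMINDER_LEAD_DAYS:
        return "due-soon"
    return "open"


def reminders(register: List[RightsRequest], today: date) -> List[Tuple[str, str, int]]:
    """Return (request_id, status, days_remaining) for every request needing action,
    most urgent first. Negative days_remaining means the deadline has passed."""
    pending = [r for r in register if status(r, today) in ("overdue", "due-soon")]
    pending.sort(key=lambda r: r.deadline)
    return [(r.request_id, status(r, today), (r.deadline - today).days) for r in pending]


# Constructed sample register (fictitious identifiers and dates).
TODAY = date(2026, 5, 1)
SAMPLE_REGISTER = [
    RightsRequest("R-001", RequestType.ACCESS, date(2026, 3, 20), responded=date(2026, 4, 10)),
    RightsRequest("R-002", RequestType.RECTIFICATION, date(2026, 3, 25)),
    RightsRequest("R-003", RequestType.WITHDRAWAL, date(2026, 4, 5)),
    RightsRequest("R-004", RequestType.COMPLAINT, date(2026, 4, 20)),
    RightsRequest("R-005", RequestType.ACCESS, date(2026, 2, 1), responded=date(2026, 3, 10)),
]

if __name__ == "__main__":
    for req in SAMPLE_REGISTER:
        print(f"{req.request_id} {req.request_type.value:<22} deadline {req.deadline} -> {status(req, TODAY)}")
    print("Reminders:", reminders(SAMPLE_REGISTER, TODAY))
```

In practice the register would be read from the ticketing tool or spreadsheet the officer actually uses, and the reminder list forwarded to the dedicated privacy@ mailbox and to the backup identified for absences; the "closed-late" entries are the ones worth reviewing when the officer's workload is assessed.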

Common mistakes

  • "The officer is the IT director, obviously." — Not necessarily. The IT director knows the systems but doesn't always have the authority to change company policy. The role requires cross-functional authority.
  • Designating without freeing up time. — A president stretched at 120% who "is also privacy officer on paper" will not process a request within 30 days. Someone must actually carry the load.
  • Not publishing the contact details. — Simple breach, easy for the CAI to verify, immediate sanction.
  • Confusing the privacy officer with the GDPR DPO. — The European DPO has very specific independence obligations. The Quebec privacy officer has a more flexible framework, but the roles are not identical.

Questions that typically remain for your lawyer:

  • Do we need a privacy officer per subsidiary, or a single one for the group?
  • Can our European DPO (if we have EU operations) also hold the Quebec privacy officer role?
  • What designation clauses should we write to limit the officer's personal liability?
  • If we hire an external consultant as privacy officer, what selection criteria and what type of contract?

Question about this guide?

Pascal and Jérémie can answer directly by email or during a discovery call.
