The essentials

Law 25 imposes 10 concrete obligations on Quebec elementary schools, including designating a privacy officer (RPI), obtaining explicit consent, and conducting a privacy impact assessment (EFVP) before any transfer of personal data outside Quebec.

Legal responsibility rests with the school service centre, not the individual teacher. Using an unapproved tool still exposes your institution to regulatory and disciplinary risks. Administrative penalties can reach $10 million or 2% of global revenue.

Law 25 requires schools to protect students' personal information under 10 specific obligations. Here is what it changes concretely in your classroom. This guide is up to date with the third phase, in force since September 22, 2024, which introduced the most important obligations for elementary teachers.

What you need to know right now

You are not personally legally liable. Your school service centre (CSS) is. But every digital tool you use in the classroom without your administration's approval creates a documented risk for your institution, and potentially for you disciplinarily. This guide gives you the tools to act with full information.

What is Law 25?

Law 25 is the common name for the Act to modernize legislative provisions as regards the protection of personal information, formerly Bill 64. The Quebec National Assembly adopted it unanimously on September 21, 2021 [1]. It updated several existing Quebec laws, notably the Act respecting access to documents held by public bodies and the protection of personal information (A-2.1), which applies to school service centres.

The body that oversees enforcement is the Commission d'accès à l'information du Québec (CAI) [2]. It receives incident reports, can impose penalties, and publishes guidelines for public sector organizations.

The three-phase timeline (2022-2024)

Law 25 did not come into force all at once. It rolled out in three waves:

September 2022: the foundations

Obligation to designate a privacy officer (PO) and publish their contact information. Obligation to have a governance policy. Mandatory reporting of confidentiality incidents to the CAI and to affected individuals.

September 2023: new rights

Right to data portability (ability to receive one's data in a structured format). Right to digital erasure (requesting content removal or anonymization). Obligation to conduct a privacy impact assessment (PIA) before any new technology project.

September 22, 2024: the most important phase for classrooms

Explicit and distinct consent required for collection of sensitive information. Specific consent for communicating information to third parties. Mandatory PIA before any data transfer outside Quebec. Right to digital erasure applies to minors for data published before age 14.

The 10 concrete obligations for your school

  1. Appoint a privacy officer (PO)
    Your CSS must have designated a PO and published their name and contact information on its website. If you don't know who this is in your institution, that's the first question to ask your administration.
  2. Publish a governance policy
    Your CSS must have a written policy describing how personal information is managed, retained, and destroyed. This policy must be publicly accessible, typically on the CSS website.
  3. Maintain a confidentiality incident register
    Every incident, even minor, must be logged in an internal register. An incident can be: a student photo sent to the wrong parent, an email with a class list visible to all recipients, or unauthorized access to a digital classroom account.
  4. Conduct a PIA before any new technology project
    Before implementing a new digital tool involving student personal information, your CSS must conduct a privacy impact assessment (PIA). This is not your responsibility as a teacher, but if your CSS has not done one for a tool you use, flag it in writing to your administration.
  5. Obtain explicit consent for each type of collection
    Consent must be clear, free, and informed. For your class: the consent form must name the tool (not just "digital tools"), describe what will be collected, and state who will have access. A general consent at the start of the year is no longer sufficient for sensitive information collection since September 2024.
  6. Limit collection to the strictly necessary
    The minimization principle: only enter into a digital tool the information truly required for the function being used. Student first name? Necessary. Date of birth? Generally not. Parent phone number? Only if the tool needs to send SMS. If a tool asks for unnecessary data, either don't enter it or choose a different tool.
  7. Destroy records when they are no longer needed
    At the end of the school year (or when the student leaves your class), data that is no longer useful must be deleted or anonymized. This includes classroom accounts in digital applications. An abandoned Seesaw or ClassDojo account with your former students' data is a potential violation of this obligation.
  8. Respond to access and correction requests within 30 days
    A parent can ask to see all the data your school holds about their child, or request corrections. Your CSS has 30 days to respond. In practice: if a parent makes this request directly to you, redirect them to your CSS's PO.
  9. Report serious incidents to the CAI and affected individuals
    If a confidentiality incident presents a real risk of harm to a person, your CSS must report it to the CAI without delay. The CAI recommends targeting 72 hours from the time the incident is discovered for the initial report.
  10. Conduct a PIA before any transfer outside Quebec
    If a tool hosts data outside Quebec (for example, on US servers), your CSS must have conducted a PIA and concluded that the level of protection in the destination country is adequate. This is the obligation that creates the most friction with tools like Seesaw, ClassDojo, or certain Google Workspace features.

What are the penalties under Law 25?

Type of penalty Maximum amount Who is targeted
Administrative monetary penalties $10M or 2% of worldwide turnover The organization (CSS or private school)
Criminal prosecution $25M or 4% of worldwide turnover The organization, directors or officers

School service centres are public bodies. In practice, maximum fines apply more to private companies. But CSS face other consequences: mandatory public disclosure of incidents, CAI audits, and political pressure. The real risk for your CSS is not the fine — it's having its name in the news for an incident involving student data.

What does Law 25 mean for your classroom?

Before using any digital tool with your students, ask yourself three questions:

  1. Has my CSS approved this tool? (Check with administration or the IT technician.)
  2. Is student data hosted in Canada? (Check the tool's privacy policy.)
  3. Have parents given explicit consent for this specific tool?

If you answer "yes" to all three: you're in compliance. If you answer "no" or "I don't know" to any of them, flag it to your administration before continuing to use the tool.

For tools that raise Law 25 questions, our comparison of Seesaw, ClassDojo, and Google Classroom covers what each tool's own privacy policy says.

Ready to try LinoClass?

LinoClass is designed to comply with Law 25 by default: Canadian hosting, minimal data collection, explicit consent. Create your class for free in under 15 minutes, no credit card required.

Try LinoClass for free