Acceptable Use Policy (Quebec)
Technology Systems and Digital Resources — Quebec
ACCEPTABLE USE POLICY
[Organization Name]
Effective: [Effective Date] | Administrator: [Policy Administrator]
This Acceptable Use Policy ('Policy') governs the use of all information technology resources, systems, and digital assets owned, leased, or controlled by [Organization Name], located at [Business Address]. It is established in compliance with Quebec's Act respecting the protection of personal information in the private sector (LPRPSP/Law 25), the Act respecting labour standards (LNT), the Quebec Charter of Human Rights and Freedoms (ss. 4–5), the Civil Code of Quebec (arts. 35–41, 2088), and the Criminal Code of Canada (ss. 342.1, 430 — computer offences).
1. SCOPE
This Policy applies to: [Covered Persons]
It covers the following IT resources and systems: [Covered Systems]
All covered persons must read, understand, and comply with this Policy as a condition of continued access to organizational IT resources. By using any covered system, you acknowledge and agree to the terms of this Policy.
2. PERMITTED USES
[Organization Name]'s IT resources are provided primarily for legitimate business purposes. Permitted uses include: [Permitted Uses]
Any personal use must be incidental, brief, and must not compromise system security, productivity, or the organization's legal obligations under Law 25.
3. PROHIBITED USES
The following uses of [Organization Name]'s IT resources are strictly prohibited:
- Unauthorized access to, copying, or distribution of confidential or proprietary information
- Accessing, downloading, or distributing illegal, offensive, or harassing content
- Installing unauthorized software, applications, or browser extensions
- Disabling or circumventing security controls, firewalls, or monitoring software
- Using organizational systems for personal financial gain, cryptocurrency activities, or operating a business
- Sharing passwords or access credentials with unauthorized persons
- Violating intellectual property rights (copyright, software licensing)
- Transmitting personal information of clients or employees outside Quebec without a prior Privacy Impact Assessment (Law 25)
- Engaging in online harassment, cyberbullying, or discrimination contrary to the Quebec Charter
Additional prohibited uses specific to this organization: [Additional Prohibited Uses]
4. MONITORING AND PRIVACY
In accordance with the Quebec Charter of Human Rights and Freedoms (s. 5) and articles 35–41 C.c.Q., employees have a limited reasonable expectation of privacy when using organizational IT resources. By accepting this Policy, you acknowledge that [Organization Name] may monitor the following: [Monitoring Scope]
Purpose of monitoring: [Monitoring Purpose]
Monitoring is proportional to legitimate business needs and conducted in accordance with applicable Quebec privacy law. Monitoring data may be used as evidence in disciplinary proceedings or legal action. Personal communications incidentally captured during monitoring will be treated with appropriate discretion.
5. SOCIAL MEDIA AND EXTERNAL COMMUNICATIONS
[Social Media Rules]
Confidentiality obligations: [Confidentiality Obligations]
Any personal information of clients, colleagues, or third parties collected or processed through organizational systems is protected under Law 25. Unauthorized disclosure may result in personal liability and disciplinary action.
6. VIOLATIONS AND ENFORCEMENT
Violations of this Policy will be addressed as follows: [Violation Consequences]
How to report suspected violations: [Reporting Procedure]
[Organization Name] will investigate all reported violations promptly and in good faith. The organization prohibits retaliation against individuals who report violations in good faith.
7. ACKNOWLEDGEMENT
All covered persons are required to sign an acknowledgement confirming that they have read, understood, and agree to comply with this Acceptable Use Policy. This Policy was last updated on [Policy Date] and is effective as of [Effective Date]. Contact [Policy Administrator] at [Business Address] with any questions.
Policy Administrator
________________
Signature
Employee / Authorized User
________________
Signature
What Is an Acceptable Use Policy (Quebec)?
A Quebec Acceptable Use Policy (Politique d'utilisation acceptable, or PUA) is an organizational governance document regulated by the intersection of Quebec's Act respecting the protection of personal information in the private sector (CQLR c P-39.1, commonly called Law 25 or Loi 25), the Civil Code of Quebec (CCQ) obligations of good faith under arts. 1375 and 2088, and the Act respecting occupational health and safety (LSST, CQLR c S-2.1). Law 25, substantially amended in 2021 and fully in force by September 2023, is the most demanding Canadian provincial privacy statute and imposes obligations that no Quebec employer can satisfy without a formal written AUP governing how employees handle personal information on organizational systems.
Law 25 requires every organization in Quebec that handles personal information to designate a person in charge of the protection of personal information (responsable de la protection des renseignements personnels), to establish and publish a privacy governance policy, to conduct Privacy Impact Assessments (PIAs, évaluations des facteurs relatifs à la vie privée or EFVP) before certain data transfers outside Quebec, and to report confidentiality incidents to the Commission d'accès à l'information (CAI) within 72 hours under s. 3.5. The CAI is the independent oversight body that enforces Law 25 and can impose administrative monetary penalties of up to $25 million or 4% of worldwide turnover on organizations in serious breach.
The Quebec Charter of Human Rights and Freedoms (CQLR c C-12), specifically s. 5 which protects the right to respect for private life, creates a higher standard of employee privacy protection than applies in most other Canadian provinces. The Commission des droits de la personne et des droits de la jeunesse (CDPDJ) has established through adjudication that employers monitoring employees' electronic communications — including email, internet usage, and keylogging — must satisfy a three-part justification test: the surveillance must pursue a legitimate business objective, use the least intrusive means available, and employees must receive prior notice. An AUP that discloses monitoring practices and obtains employee acknowledgment satisfies the prior notice requirement that the CDPDJ mandates.
The Civil Code of Quebec imposes a general obligation on employers under art. 2088 to conduct themselves in a manner consistent with good faith toward employees, and on employees to be loyal and protect the employer's confidential information under art. 2088 para. 2. An AUP operationalises these CCQ obligations by specifying what constitutes acceptable and unacceptable use of employer-owned information technology assets, providing the contractual and regulatory basis for disciplinary action including the dismissal procedures under the Act Respecting Labour Standards (ARLS) for just cause termination.
Language compliance is a Quebec-specific dimension. All organizational policies that govern employees in Quebec must be available in French under s. 41 of the Charter of the French Language (CQLR c C-11, as amended by Bill 96). An AUP that exists only in English does not satisfy the employer's obligations under the Charter of the French Language, and the Office québécois de la langue française (OQLF) can require the employer to provide French-language documentation. Employers should also consider a Non-Disclosure Agreement for Quebec to address confidentiality obligations beyond what an AUP can achieve in a standalone IT-governance context.
When Do You Need an Acceptable Use Policy (Quebec)?
A Quebec Acceptable Use Policy is required by Law 25 (CQLR c P-39.1) as a component of the mandatory personal information governance framework that every organization handling personal information in Quebec must establish and maintain, and is independently needed to satisfy obligations under the Civil Code of Quebec, the Charter of the French Language, and the Act Respecting Labour Standards.
When an organization processes personal information of customers or employees on its IT systems — which encompasses virtually every Quebec business that maintains a client database, processes payroll through software, or uses cloud-based services — Law 25 requires written governance rules covering how that information is collected, used, stored, and protected. The AUP is the employee-facing component of this governance framework, specifying what employees may and may not do with personal information on organizational systems. Without an AUP, the organization cannot demonstrate to the Commission d'accès à l'information (CAI) that it has implemented the governance structures required under Law 25 s. 3.2.
When implementing electronic monitoring of employees — such as tracking internet usage, recording phone calls, monitoring productivity through screen capture software, or using GPS tracking on company vehicles — the CCQ art. 35 right to privacy and the CDPDJ's three-part justification test require the employer to disclose the monitoring practices in advance. The AUP is the standard vehicle for this disclosure. Without advance disclosure in the AUP, evidence obtained through electronic monitoring may be inadmissible in labour tribunal proceedings before the Tribunal administratif du travail (TAT).
When onboarding new employees who will use company information systems, the AUP provides the contractual basis for the employer's authority to discipline or dismiss for IT misuse, including unauthorized access to personal information (which may constitute a cybercrime under the Criminal Code, RSC 1985 c C-46, s. 342.1), use of company systems for personal commercial activities, or downloading unauthorized software creating malware risk. The ARLS requires just cause for dismissal of employees with two or more years of service under s. 124, and a documented AUP that the employee acknowledged establishes the policy baseline for that justification.
When the organization transfers personal information outside Quebec — including to cloud service providers, parent companies, or outsourced IT services in other provinces or countries — Law 25 s. 17 requires a prior Privacy Impact Assessment (EFVP) and a written agreement with the recipient confirming equivalent protection. The AUP must instruct employees on the prohibition against transferring personal information externally without completing the required EFVP process and obtaining the approval of the designated responsable de la protection des renseignements personnels.
When an organization holds personal information under a PIPEDA (federal Personal Information Protection and Electronic Documents Act, SC 2000 c 5) exemption for provincially regulated activities, the federal exemption in s. 26(2)(b) requires the provincial law to be substantially similar. Law 25 has been declared substantially similar to PIPEDA, meaning Quebec-regulated organizations satisfy federal obligations by complying with Law 25. The AUP must be drafted to satisfy Law 25 requirements, which are in several respects more stringent than PIPEDA, including the 72-hour breach notification rule.
What to Include in Your Acceptable Use Policy (Quebec)
A Quebec Acceptable Use Policy compliant with Law 25 (CQLR c P-39.1), the Civil Code of Quebec, the Charter of the French Language, and the Act Respecting Labour Standards must include the following components.
Scope and application must define which systems, devices, networks, and data assets are covered — including company-owned computers, mobile devices, email accounts, cloud storage, social media accounts, and any personally owned devices used for work purposes under a BYOD (Bring Your Own Device) arrangement. The scope must also specify which personnel are covered: employees, contractors, temporary workers, students, and any third parties with access to the organization's systems.
Personal information governance clause must identify the responsable de la protection des renseignements personnels designated under Law 25 s. 3.1 and their contact information, specify the categories of personal information processed on organizational systems, prohibit unauthorized access to or disclosure of personal information, require employees to complete the organization's privacy incident reporting protocol within the 72-hour timeline required by Law 25 s. 3.5 for reporting to the CAI, and confirm the organization's Law 25 privacy governance policy.
Monitoring disclosure must describe precisely what electronic monitoring the employer conducts — email filtering, internet usage logs, productivity tracking, GPS vehicle monitoring, CCTV surveillance — specifying the purpose, scope, and frequency of monitoring. Under the CDPDJ's guidelines, monitoring must be proportionate to the legitimate business objective and use the least intrusive means. This clause must be drafted in French and any other language under the Charter of the French Language (CQLR c C-11, s. 41).
Permitted and prohibited uses must clearly distinguish authorized activities (work-related communications, professional development, limited personal use within defined parameters) from prohibited activities (accessing personal information without authorization, installing unauthorized software, using systems for personal commercial purposes, accessing illegal or discriminatory content, sharing access credentials). Prohibited activities that constitute grounds for serious disciplinary action including dismissal must be explicitly identified.
Social media policy must balance the employer's reputation interest with employees' freedom of expression rights under the Quebec Charter of Human Rights and Freedoms (CQLR c C-12), specifying what employees may and may not post in their capacity as employees or in contexts that identify them with the employer, and distinguishing between work-hours use and personal time use.
Data retention and security requirements must specify password policies, encryption requirements for portable devices handling personal information, prohibition on storing personal information on personal cloud accounts, and the requirement to use the organization's approved tools for any processing of personal information under Law 25's accountability principle.
The forms-legal.com Quebec Acceptable Use Policy template covers all Law 25 governance framework requirements including the CAI incident reporting protocol, the EFVP requirement for cross-border data transfers, the OQLF-compliant bilingual format, and the CCQ art. 2088 employee loyalty obligation reference.
Employee acknowledgment in writing must be obtained from every employee covered by the AUP, confirming they have read, understood, and agreed to comply with the policy. Under ARLS s. 102, an employer seeking to dismiss for just cause must demonstrate that the employee knew the rule that was violated — a signed acknowledgment of the AUP provides this evidence.
Sources & Citations
Statutory citations link to official government sources.
- RSC 1985 c C-46 (CA official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (Quebec) (Quebec) [Legal document template]. Forms Legal. https://forms-legal.com/quebec/business/policies/acceptable-use-policy-quebec
"Acceptable Use Policy (Quebec) (Quebec)." Forms Legal, 2026, https://forms-legal.com/quebec/business/policies/acceptable-use-policy-quebec.
@misc{formslegal-acceptable-use-policy-quebec,
author = {{Forms Legal}},
title = {Acceptable Use Policy (Quebec) (Quebec)},
year = {2026},
howpublished = {\url{https://forms-legal.com/quebec/business/policies/acceptable-use-policy-quebec}},
note = {Free legal document template. Based on Civil Code of Québec (CCQ), Book Five: Obligations}
}
Frequently Asked Questions
While no Quebec law explicitly mandates an Acceptable Use Policy by that name, several legal obligations make having one essential. Quebec's Law 25 (Act respecting the protection of personal information in the private sector) requires organizations to implement governance policies for personal information. The Act respecting occupational health and safety (LSST) imposes a general duty to maintain a safe workplace, which extends to cyber threats and online harassment. The Civil Code of Quebec imposes a duty of good faith in employment relationships (arts. 1375, 2088 C.c.Q.). An AUP documents the organization's expectations, provides a legal basis for disciplinary action, and reduces liability in case of misuse of company systems.
Yes, but with significant limitations. Under Quebec's Charter of Human Rights and Freedoms (s. 5 — right to privacy) and the Civil Code of Quebec (arts. 35–41), employees have a reasonable expectation of privacy even in the workplace. The Commission des droits de la personne et des droits de la jeunesse has held that employer monitoring of communications must be justified by legitimate business reasons, limited to what is necessary, and employees must be informed in advance. An AUP that clearly discloses monitoring practices satisfies the advance notice requirement. Covert monitoring of personal communications (even on company devices) may violate Quebec privacy laws.
A Quebec AUP should address personal and professional social media use, balancing the employer's interest in protecting its reputation with employees' rights to freedom of expression under the Quebec Charter. The policy should distinguish between use of personal accounts during work hours (generally permissible in moderation but subject to productivity expectations) and use of company accounts or the employee's public identification with the employer. The policy should prohibit disclosure of confidential information, disparagement of the company or colleagues, and publication of content that could create legal liability (defamation, harassment, copyright infringement). Restrictions on personal social media use during non-work hours are generally unenforceable under Quebec labour law unless the conduct directly harms the employer's legitimate business interests.
Quebec's Law 25 requires organizations to establish and publish governance rules for personal information. An AUP that covers how employees handle personal information (of customers, colleagues, or third parties) collected or processed on company systems is a key component of this governance framework. Specifically, the AUP should address prohibitions on unauthorized access to personal information, requirements to report confidentiality incidents within 72 hours to the designated privacy officer (who must then notify the CAI), restrictions on transferring personal information outside Quebec without a prior PIA, and obligations to follow data minimization and retention principles. Employees who violate these provisions may be personally liable under Quebec law.
An Acceptable Use Policy (Quebec) does not legally require a lawyer in Quebec, and individuals and businesses may draft and execute the document independently. However, seeking independent legal advice from a qualified Quebec lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Superior Court of Québec has jurisdiction over disputes arising from this type of document, and the Registraire des entreprises du Québec may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.