Quebec Law 25 for driving schools: a practical privacy checklist

Driving schools handle identity documents, dates of birth, learner permits, contact details, schedules, invoices, progress records, and sometimes sensitive accessibility or health notes. Privacy compliance is therefore an operating practice, not a paragraph hidden in a footer.

Disclaimer: This article provides general information, not legal advice. The law that applies depends on your location, activities, contracts, and the people whose information you handle. Consult qualified counsel for your school.

Which laws may apply?

For a Quebec private-sector school, Quebec’s private-sector privacy law, as modernized by Law 25, is central. PIPEDA may also apply to federally regulated activities and personal information that moves across provincial or national borders. Other provinces have their own private-sector privacy laws.

The practical lesson is simple: do not publish a policy that says only “we comply with PIPEDA.” Identify the laws relevant to your operations and build one privacy program that can satisfy the strongest applicable requirements.

Official starting points:

• Quebec Commission d’accès à l’information: responsibilities of private enterprises
• Office of the Privacy Commissioner of Canada: PIPEDA requirements

1. Appoint and publish a privacy contact

Quebec businesses must have a person responsible for protecting personal information and publish the person’s title and contact details. That role needs real authority: approving policies, reviewing privacy impact assessments, handling access requests, and coordinating incidents.

For a small school, the owner may hold the role. The important part is that staff know where privacy questions go and the public can find the contact.

2. Inventory the information you actually hold

Map information by category, system, location, purpose, access, vendor, and retention period. Include:

• learner identity, permits, dates of birth, and guardian details;
• contact information and communication preferences;
• instructor qualifications, availability, and employment information;
• schedules, attendance, progress, notes, and disciplinary records;
• invoices, balances, receipts, and payment metadata;
• uploaded documents, exports, spreadsheets, shared drives, and paper files;
• email, SMS, WhatsApp, support tickets, logs, backups, and analytics.

If a record exists in a group chat or an employee’s personal spreadsheet, it is still part of the risk.

3. Explain collection clearly and limit it

At or before collection, explain what is collected, why it is needed, who may receive it, whether it is required, and what happens if the person declines. Collect only what is necessary.

Sensitive information generally requires stronger protection and may require express consent. A free-text “notes” field is not a good home for unnecessary medical details, passwords, social-insurance numbers, or full card numbers.

4. Separate service messages from marketing consent

A learner may need a lesson-change notice to receive the service, while a product promotion is a commercial electronic message. Do not bundle every channel and purpose into one vague checkbox.

For commercial email or text messages, Canada’s Anti-Spam Legislation generally requires valid consent or another permitted basis, sender identification, and a working unsubscribe mechanism. Keep proof of consent and act on withdrawals. See the CRTC’s CASL guidance.

5. Protect minors and guardian relationships

Driving schools regularly serve minors. Decide when a parent or guardian must authorize collection, receive notices, access records, or consent to documents and communications. Avoid giving a guardian broader access than needed, and update the relationship when the learner becomes legally able to act alone.

6. Conduct privacy impact assessments

In Quebec, a privacy impact assessment may be required for projects involving new or substantially changed information systems and before certain communications outside Quebec. Make it a normal gate for:

• a new school-management platform;
• online payments or identity verification;
• WhatsApp, SMS, email, AI, maps, or analytics integrations;
• mobile apps, portals, cameras, geolocation, or automated scheduling;
• large imports, data migrations, or cross-border support.

The assessment should identify the purpose, necessity, sensitivity, access, retention, vendors, transfer locations, threats, and mitigating controls.

7. Manage vendors and transfers

Canadian hosting can reduce transfer risk, but it is not a complete privacy program and is not a blanket substitute for legal analysis. A provider may still use global support, fraud, messaging, identity, or AI services.

Maintain a current vendor list. Contractually address confidentiality, security, permitted use, incident notice, deletion, sub-processors, transfer locations, audit information, and assistance with individual requests.

8. Be ready for access, correction, and portability

People may have rights to access and correct their information. Since September 22, 2024, Quebec’s portability provisions also allow eligible computerized information collected from the person to be provided in a structured, commonly used technological format.

Build a repeatable workflow:

1. verify identity and authority;
2. find the information across systems;
3. review legal exceptions and third-party information;
4. export it securely;
5. record the response and deadline;
6. correct connected systems where appropriate.

Deletion is not always absolute. Tax, regulatory, contractual, safety, or litigation duties may require some information to be retained. Explain the result rather than promising that every record can always be erased immediately.

9. Prepare for confidentiality incidents

Quebec organizations must act quickly, assess the risk of serious injury, notify the Commission and affected people when required, and keep a register of confidentiality incidents—including incidents that do not reach the notification threshold.

PIPEDA has its own breach-record and notification requirements where it applies. Your incident plan should name decision-makers, evidence sources, legal contacts, notification criteria, communication templates, and steps to prevent recurrence.

10. Set retention and destruction rules

“Keep everything forever” increases both privacy and security risk. Define retention by record type: leads, learner files, attendance, financial records, certificates, documents, communication logs, audit logs, exports, and backups.

At the end of a period, securely destroy the information or anonymize it only when the method meets applicable legal standards. De-identification is not the same as irreversible anonymization.

11. Treat security as an operating control

Useful controls include:

• individual accounts and multi-factor authentication;
• role- and branch-based access;
• encryption in transit and at rest;
• managed secrets and prompt removal of former staff;
• audit logs for sensitive actions;
• secure uploads, malware scanning, and restricted downloads;
• tested backups and restore procedures;
• vendor review, patching, monitoring, and an incident process.

No single badge, cloud region, or policy sentence proves compliance.

A practical checklist

• Privacy lead title and contact are published.
• Data inventory, purposes, systems, vendors, and retention periods are documented.
• Collection notices are clear and available in the learner’s language.
• Sensitive data and minor/guardian workflows receive extra protection.
• Commercial messaging consent and unsubscribe records are maintained.
• Privacy impact assessments are part of technology and vendor changes.
• Cross-border processing and sub-processors are documented.
• Access, correction, portability, and deletion workflows are tested.
• All confidentiality incidents can be recorded and escalated.
• Staff access is reviewed and removed promptly.

DrivingOps is being designed to support these operational controls, including tenant-scoped roles, consent records, audit events, export workflows, retention states, and Canadian regions for core workloads. Those tools help, but each school remains responsible for its own notices, decisions, and legal obligations. See the Privacy policy, Security overview, and sub-processor list.