Every person carrying on an enterprise must establish and implement policies and practices regarding the governance of personal information and to ensure the protection of such information. These policies and practices must, in particular, provide a framework for the retention and destruction of such information, set out the roles and responsibilities of its employees throughout the life cycle of the information, and establish a process for handling complaints about the protection of personal information. They must also be proportionate to the nature and importance of the company's activities and be approved by the Chief Privacy Officer. Details of these policies and practices are published on the website in clear and simple terms.

Every person carrying on a business is required to conduct a privacy impact assessment of any information system acquisition, development, redesign, or electronic service delivery project involving the collection, use, disclosure, retention, or destruction of personal information. For the purposes of this assessment, the individual must consult with his or her Privacy Officer at the outset of the project. The individual must also ensure that the project allows for computerized personal information collected from the individual to be disclosed to the individual in a structured and commonly used technological format. The conduct of a privacy impact assessment under this Act shall be proportionate to the sensitivity of the information, the purpose for which it is to be used, and the amount, distribution, and format of the information.

The Chief Privacy Officer may, at any stage of a project referred to in section 3.3, suggest measures for the protection of personal information applicable to that project, such as

  1. The designation of a person responsible for the implementation of the privacy measures. 
  2. Privacy safeguards in any documents related to the project. 
  3. A description of the privacy responsibilities of project participants. 
  4. The conduct of privacy training activities for project participants. 

Consult HERE the complete official document of Bill 25 (from the Commission d'accès à l'information du Québec website)