The question comes up in almost every Bill 25 compliance engagement I take on.

“Patrick, when you say personal information inventory, what exactly should be on the list?”

As a reminder: Bill 25 requires every organization that collects personal information to know what it holds. Before you can manage anything, you first need to know what you’re looking for.

What the Law Says

The Act respecting the protection of personal information in the private sector defines personal information as any information concerning a natural person that allows them to be identified, directly or indirectly.

Two words matter in this definition.

“Natural person”: the Act does not apply to legal persons. A company’s registration number or head office address is not personal information within the meaning of the Act.

“Indirectly”: that’s the word that broadens everything. Information doesn’t need to identify a person on its own to qualify as personal. It’s enough that, combined with other information, it allows identification. An IP address alone doesn’t name you. Cross-referenced with a timestamp and session identifier, it can identify a person with precision. The Act covers this type of information.

What If You Sell to Clients in Europe?

The GDPR applies to your organization, even if you’re based in Quebec.

The General Data Protection Regulation doesn’t apply only to European companies. It covers any organization that processes data of European Union residents, regardless of where it’s established. A Quebec SMB that sells online to French, German, or Spanish clients must comply.

The GDPR definition is nearly identical to Bill 25: any information relating to an identified or identifiable natural person. That’s no coincidence. Bill 25 drew heavily from the European framework when it was drafted. Both regimes rest on the same principle: what matters is the ability to identify an individual, not naming them directly.

There are nevertheless two important nuances to know.

The first concerns professional contact details. Under Bill 25, the name, title, and professional email of a business contact are generally not considered personal information in a purely professional context. Under the GDPR, an address like someone@company.com clearly identifies an individual. It’s personal data, full stop. If you maintain a list of client contacts in Europe, treat those entries as personal data.

The second concerns sensitive categories. The GDPR has a formal list in Article 9: racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data used for identification, health data, and sexual orientation. These categories are subject to much stricter rules. Bill 25 also uses the notion of sensitivity, without a formal list. Sensitivity there is assessed according to context and privacy risks.

What You’re Looking for in Your Organization

Here are the categories. For each one, the question to ask is simple: do I have any of this somewhere?

Direct identification. Full name, date of birth, Social Insurance Number (SIN), health insurance number (RAMQ), passport number, driver’s licence number. This is the most obvious category and the riskiest: a breach allows direct identity theft.

Personal contact details. Mailing address, personal email (@gmail.com, @hotmail.com), home phone, mobile number. A phone number remains personal information even if it appears in a public directory.

Digital footprint. This is where most organizations are surprised. A website visitor’s IP address is personal information as soon as it can be cross-referenced with other data to identify an individual. The same applies to cookie identifiers, browsing history linked to an account, unique mobile device identifiers (IMEI), MAC addresses, geolocation data, and file metadata revealing author, creation date, and device used.

That’s precisely why your website must display a cookie consent banner. Digital marketing tools you use — Google Analytics, Meta Pixel, advertising pixels — collect visitors’ IP addresses, build behaviour profiles, and transmit that data to third parties for targeting. All of this constitutes collection of personal information. Without explicit visitor consent, it’s not compliant with Bill 25. Nor with the GDPR if your audience includes European residents.

Your website probably collects personal information even if you have no visible registration form. (You can test your website for free here: https://loi25.certi360.com)

Biometric data. A photo that allows identifying a person is personal information. Fingerprints, facial recognition data, voiceprint, retina or iris data. These data deserve special attention because they’re permanent. You can’t change your fingerprints after a breach.

Financial data. Credit or debit card number, bank account number, transaction history linked to an individual, credit score, declared or estimated income, insurance policy information.

Health data. Medical record, diagnoses, medication lists, test results, blood type, genetic data, information about a disability or chronic condition. These data are among the most sensitive in both regimes.

Human resources data. Often the largest volume in an SMB and the most dispersed. CVs, cover letters, performance evaluations, disciplinary files, pay stubs, group insurance information, background check results. This data frequently ends up in spreadsheets on individual workstations, archived emails, and cloud services nobody maintains a formal register for.

Sensitive data. Racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, sexual orientation, gender identity. Collect these only if a clear legal reason justifies it.

When I do an inventory with a client, we proceed by flow. Where information comes from, who processes it, where it’s stored, who has access, and how long it’s retained.

This isn’t a checklist to complete once. It’s a living register that must be updated when your processes change.

Most organizations discover mid-exercise that they hold personal information in unexpected places. That’s normal. That’s exactly why inventory is the first step.

In short, personal information is any information that allows identifying a natural person, directly or indirectly. The definition is broader than most organizations realize at the outset. Before protecting what you hold, you must first know what you’re looking for.

Do you have that list?