Privacy and cybersecurity
Collection of Personal Information During Recruitment
On March 17, 2025, the Commission d’accès à l’information du Québec (CAI) published new guidelines governing the collection of personal information during the recruitment process.
This document, intended for employers, recruitment agencies and subcontractors, provides useful information at all stages of the hiring process. It can be accessed here (in French only): Recruitment | Commission d’accès à l’information du Québec.
Why is it important for our practice and our clients?
1. Increased obligations under Bill 25
These new guidelines reflect the CAI’s clear intent to actively and systematically enforce the protection of personal information, particularly during the hiring process and with respect to:
- Justification of data collection practices
- Transparency with job applicants
- Data minimization
Any unnecessary or excessive data collection could expose you to candidate complaints, regulatory investigations and administrative fines.
2. New due diligence standard for HR practices
The Commission sets concrete guidelines for the four stages of the recruitment process:
- Receipt of applications
- Evaluation of top candidates
- Confirmation of the skills and qualifications of the selected candidate
- Hiring of selected candidate
Only information that is strictly necessary for the intended purpose may be collected. The applicant's consent to the collection, and the relevance or appropriateness of the collection, are no longer sufficient on their own to justify it.
For example, information contained on an ID used to confirm the identity of the applicant cannot be photocopied, photographed or otherwise recorded in the applicant’s file.
3. Increased employer liability, even in cases of subcontracting
The CAI reiterates that the employer remains fully responsible for the processing of personal information, even when third parties act on its behalf (e.g., recruitment agency, automated screening tool, psychometric test by an external provider).
Therefore, all outsourced recruitment activities must be governed by a contract to comply with privacy legislation (e.g., confidentiality clauses, access limitations, data deletion undertakings, etc.).
4. Regulation of emerging practices
The CAI provides clear guidelines on the use of psychometric tests, artificial intelligence (AI), and the review of social media profiles, which are often misunderstood and poorly managed in the workplace.
In particular, with regard to AI:
- Avoid using emotion or psychological recognition technologies during virtual interviews.
- If a decision is made solely through automated processing of personal data—such as the automatic rejection of certain applications by screening software—the employer is required to notify the applicants not later than at the time the decision is shared. The employer must also provide additional information to applicants and advise them of their right to request a review of the decision.
- Before using an AI system, the employer must conduct a privacy impact assessment (PIA).
5. Specific guidelines for certain types of verification
- References: prohibited at the initial stage and require informed consent after a conditional offer.
- Credit file: to be avoided; the Commission deems credit checks intrusive unless a valid exception applies.
- Medical and legal: highly regulated and to be handled with great care, particularly in terms of retention and access. The Commission specifically recommends that medical information be stored in separate files.
6. Retention period and destruction of personal information
Employers, as well as their subcontractors, cannot retain the personal information of unsuccessful candidates indefinitely. When the purposes for which personal information was collected or used have been fulfilled, it must be securely destroyed. Moreover, the CAI raises important caveats regarding the anonymization of personal information. It is therefore recommended to destroy personal information rather than rely on anonymization.
This highlights the importance of reviewing internal policies and contractual agreements with third-party recruitment providers to include clear commitments on data retention periods and destruction methods.
What we can do for our clients:
- Due diligence of internal HR practices, application forms and interview questions to ensure compliance.
- Review and update agreements with recruitment agencies, technology platform service providers and test providers (psychometric or AI).
- Guidance on the use of AI in HR processes, particularly for automated resume screening or behavioural analysis.
- Update of internal policies and HR procedures related to the collection, consent, access and retention of personal information.
- Support in conducting PIAs for any technological tool used in the hiring process.
- Awareness and training of internal teams on new requirements, particularly regarding collection restrictions, the use of AI and the protection of sensitive information (health, background, online reputation, etc.).
Self-assessment
Assess your practices with our 10-question diagnostic questionnaire: https://app.inputkit.io/#/feedback/rwTMnknhg
Recruitment is a strategic lever for your growth. Don't let it become a risk for your company.