Law 25 doesn’t ask daycares to become data-protection experts — but it does expect concrete steps. Here’s a general checklist any daycare or CPE director can adapt, especially when choosing software. For the full context of the law, see our Law 25 guide first; this page focuses on concrete steps.
This article is informational and not legal advice.
1. Know what information you hold
Take inventory: names, dates of birth, parent contact details, allergies, health information, photos. You can only protect what you’ve identified — and this inventory is the basis for every other step.
2. Get clear consent
Consent should be free, informed, and given for a specific purpose. Pay particular attention to photos and sensitive information. Consent should also be withdrawable as easily as it was given.
3. Check hosting and data residency
Ask each vendor where data is stored and whether they aim for Canadian residency. Any transfer outside Quebec generally deserves an assessment.
4. Hold vendors to an agreement
A vendor that processes information on your behalf should be bound by a data processing agreement (sub-processor clauses). Responsibility is usually shared; the agreement spells out each party’s obligations.
5. Limit access
Each person should see only what they need: an educator their group, a parent their child. Role-based access is the concrete application of data minimization.
6. Handle photos with care
Children’s images deserve special attention: consent, limited access, and controlled channels rather than text groups. See sharing daycare photos.
7. Plan for retention and incidents
Know how long information is kept and what happens when a child leaves. It helps to have a clear reflex for a privacy incident before one happens.
In practice
Compliance comes down to simple habits: collect little, get clear consent, host in the right place, hold vendors to agreements, and limit access. These principles guide how MonGardy is built for Quebec daycares. Learn more or register.
