Compliance assistant Β· Quebec Β· Law 25

Can I email this document?

T4, RL-1, pay stub, void cheque, patient file… In Quebec, every type of document has its own rule: sometimes email is allowed, sometimes it requires written consent, sometimes it is simply off-limits. Pick the document and the recipient β€” the assistant gives you the verdict, the applicable rule and its official source.

The assistant

1 β€” Which document do you want to send?
2 β€” Who are you sending it to?

General information as of July 2026 β€” this is not legal advice. When in doubt, consult a professional.

Summary table

DocumentRegular email?Key rule (source)
T4Yes, with conditionsPrior written consent required for email; secure portal allowed without consent (CRA, guide RC4120)
RL-1 slipYes, with conditionsPrior written consent; secure portal without consent (Revenu QuΓ©bec)
RL-31 slipYes, with conditionsTenant's written, revocable consent; verifiable identity (Revenu QuΓ©bec)
Pay stubYes, with conditionsElectronic delivery allowed if secure, accessible and printable (ALS s. 46, CNESST)
Record of employmentNot recommendedContains the SIN; ROE Web goes straight to Service Canada (ESDC)
Notice of assessmentNot recommendedSIN + financial data = high sensitivity (Law 25; OPC)
SINNoNever by unsecured email (Office of the Privacy Commissioner of Canada)
Void chequeNoBanking data = safeguards proportional to sensitivity; payroll-diversion fraud risk (Law 25, CAI)
ID documentNoHigh-value document for fraudsters (OPC; CAI warning)
Patient fileNoHealth information = maximum protection, encryption required (AHSSSI/Law 25)

Simplified summary β€” the detailed verdicts and exact sources are in the assistant above.

Can you email a T4 slip?

Yes, but only with the employee's prior written or electronic consent: that is the CRA rule in guide RC4120 and its "Distribute the slips" page. Without consent, two options remain: paper delivery (two copies, in person or by mail) or a secure portal with protected access, which requires no prior consent at all. The trap with regular email: a T4 contains the SIN, salary and home address β€” one wrong recipient or one compromised inbox becomes a confidentiality incident to document under Law 25. An encrypted link with recipient authentication checks both boxes: security and proof of delivery.

Can you email an RL-1 slip?

Revenu QuΓ©bec allows the RL-1 to be sent by email only if the employee has first given written consent. The no-consent alternative: making the slip available on a secure electronic portal that meets confidentiality rules β€” the employee keeps the right to request a paper copy. For a beneficiary who is not an employee, written consent is mandatory in all cases, must be revocable, and you must explain how to revoke it. Since the RL-1 carries the SIN and income data, the delivery method must protect confidentiality: plain, unencrypted email is a real risk.

Can you email an RL-31 slip to a tenant?

Yes, under four conditions set by Revenu QuΓ©bec: obtain the tenant's or subtenant's written consent beforehand (valid until revoked), tell them how to revoke it, protect their personal information during transmission, and be able to verify the identity of the person consenting. Otherwise, deliver copy 2 (RL-31.CS) in person or by mail by the last day of February. A regular email struggles with the last two conditions; a secure link that authenticates the tenant meets all four.

Can you email a pay stub?

Quebec's Act respecting labour standards (s. 46) requires employers to hand over a pay sheet with every pay, without imposing paper. Electronic delivery is therefore allowed, with conditions: use a secure platform that protects the information, make sure the employee can view, download and print the stub confidentially, and provide a paper version on request. A regular email to an unverified personal address is weak protection for salary data; a payroll portal or an encrypted, authenticated link satisfies both the ALS and Law 25's security obligation.

Can you email a record of employment (ROE)?

Avoid it. The record of employment contains the employee's social insurance number β€” exactly the kind of data the Office of the Privacy Commissioner says should never travel by unsecured email. The good news: with Service Canada's ROE Web, employers submit the ROE electronically straight into the federal database; the employee views it in My Service Canada Account and no paper copy or email is required. If the employee still asks for a copy, use an encrypted channel with authentication rather than a plain attachment.

Can you email a notice of assessment?

Not recommended. A notice of assessment (CRA or Revenu QuΓ©bec) combines SIN, address, income and tax balances β€” a complete identity-theft kit. Governments themselves never email it: it arrives by mail or in a secure portal (My Account), and fake emailed "notices of assessment" are among Canada's most common phishing lures. When a lender or landlord requires it, Law 25 demands safeguards proportional to that sensitivity: use an encrypted link with recipient authentication rather than an unprotected attachment.

Can you email a SIN?

No. The Office of the Privacy Commissioner of Canada is categorical: the social insurance number should never be sent by unsecured email. The SIN is the master key to identity theft β€” it can unlock credit, benefits and documents in the victim's name, and an intercepted or forwarded email never truly disappears. Organizations that collect SINs must limit their use to what the law requires and protect them with appropriate safeguards. If a SIN absolutely must be transmitted, use an encrypted channel where the recipient proves their identity before access.

Can you email a void cheque?

Strongly discouraged. A void cheque exposes the institution, transit and account numbers β€” everything needed for payroll or wire-transfer diversion fraud, a growing scheme where the fraudster swaps in their own banking details in place of the employee's or supplier's. Law 25 requires security measures proportional to the sensitivity of the information, and banking data is highly sensitive. The compliant method: collection through a secure HR portal, or an encrypted link that authenticates the recipient (and gives you an access trail if things are ever disputed).

Can you email an ID document?

No. A driver's licence, passport or health-insurance card is, according to the Office of the Privacy Commissioner, a document of great value to fraudsters: government-issued, it lends credibility to any impersonation. Quebec's Commission d'accès à l'information also warns against needless copying and circulation of ID documents — a visual check is enough in most cases. If a copy is legally necessary (remote identity verification, for instance), send it through an encrypted channel with recipient authentication — never as an attachment to a regular email.

Can you email a patient file?

Not by regular email. Health information enjoys maximum protection in Quebec: the Act respecting health and social services information (CQLR c. R-22.1) and Law 25 require safeguards that match that sensitivity β€” encrypted transmission, access restricted to authorized persons, audit logging. A lab result or treatment plan sent as an unencrypted attachment to an unverified address is a potential confidentiality incident, with notification obligations. The de facto standard: an encrypted link where the patient authenticates their identity before opening the document.

Can you email a contract or a lease?

Yes, generally. Technology-based documents have full legal value in Quebec, and sending a contract to its own signatory carries limited risk. One important nuance: section 34 of the Act to establish a legal framework for information technology (ALFIT) requires that the confidentiality of any confidential information the document contains be protected by means appropriate to the mode of transmission β€” and that you be able to document those means. If the lease or contract includes a SIN, banking details or third-party information, switch to an encrypted, authenticated link: regular email no longer cuts it.

Can you email financial statements?

Yes, with conditions. No law forbids emailing corporate financial statements, but Law 25 applies as soon as they contain personal information (executive compensation, shareholder advances), and business confidentiality calls for the same caution: an intercepted set of statements is a gift to competitors and fraudsters. The CAI recommends encrypting communications and restricting access to authorized persons. For personal financial statements sent to a lender β€” often bundled with notices of assessment β€” treat the package as highly sensitive: encrypted link, recipient authentication, access log.

Frequently asked questions

Is consent given by email valid for the T4 or RL-1?

Yes. The CRA accepts consent "in writing or in electronic format" and Revenu QuΓ©bec accepts written consent sent electronically. What matters: get it before sending, keep it on file, and allow it to be revoked at any time.

Is a password-protected PDF enough?

Better than nothing, but fragile: the password often travels in a second email to the same inbox, PDF protection can be stripped, and you have no proof of who actually opened the document. An encrypted link with recipient authentication (SMS code, voice call, secret question) proves identity and logs every access.

What does a business risk by sending these documents through regular email anyway?

A wrong recipient or a compromised inbox becomes a confidentiality incident under Law 25: entry in the incident register, notification to the CAI and to the individuals concerned if there is a risk of serious injury, and administrative penalties of up to $10M or 2% of worldwide turnover (up to $25M or 4% for penal offences).

Does a secure portal really waive consent for tax slips?

Yes β€” for the T4 (CRA) and for the RL-1 given to an employee (Revenu QuΓ©bec), provided the portal is genuinely secure and confidential. The employee keeps the right to request paper. For email, on the other hand, prior written consent remains mandatory under both regimes.

What if the client or employee asks me to email the document?

Their request can count as consent for documents where consent is enough (T4, RL-1, RL-31). But it does not release you from your own security obligation: for a SIN, an ID document or health information, offer a secure channel instead β€” that responsibility is yours, not theirs.

An encrypted link with recipient authentication meets the requirements

That is exactly what doclinc does, right from Outlook: encrypted document, recipient authenticated by SMS, voice call or secret question β€” no account to create β€”, Canadian hosting and a full access log. Built for the expectations of Law 25, the CRA and Revenu QuΓ©bec for confidential documents.

Start a free trialSee how it works

The content of this page is provided as general information and does not constitute legal advice. Rules verified in July 2026 against the official sources cited; they may change.