Can you send personal information by email under Law 25?
Short answer: Law 25 doesn't ban email โ but it does require you to protect personal information with security measures proportionate to its sensitivity. A plain email attachment isn't designed for that, so for sensitive personal information it's the wrong tool.
The practical path is to send personal information through an encrypted, authenticated channel โ one that verifies the recipient and keeps a record. That's exactly what doclinc does, right from Outlook.
Why plain email falls short
- No recipient verification. Anyone with access to the inbox โ or a forwarded copy โ can read it.
- Misdelivery is easy. One wrong address and personal information is exposed.
- Attachments linger. Copies sit in inboxes and sent folders indefinitely.
- No audit trail. You can't show who actually opened the document.
- Hard to revoke. Once it's sent, you can't take it back.
What Law 25 expects when you share personal information
- Security proportionate to sensitivity. The more sensitive the data, the stronger the protection.
- Access limited to authorized people. Only the intended recipient should be able to open it.
- Accountability. Be able to show how personal information was handled and delivered.
- Breach risk management. Reduce the chance โ and the impact โ of a confidentiality incident.
doclinc is built around these expectations: encryption, recipient authentication, a full audit trail, and Canadian data residency.
Plain email vs doclinc
| Plain email | doclinc | |
|---|---|---|
| Encryption | Limited / in transit only | Encrypted link, AES-256 |
| Recipient verification | None | SMS, voice or secret question โ no account |
| Misdelivery / forwarding risk | High | Authentication blocks the wrong person |
| Audit trail | None | Full record of access |
| Data residency | Varies | Canada (AWS ca-central-1) |
General comparison for sharing personal information by email.
A compliant way to send it โ from Outlook
With doclinc, you send the document as an encrypted link straight from Outlook. The recipient verifies their identity with a one-time SMS code, a voice call or a secret question โ no account to create โ and you keep a full audit trail. The personal information stays in Canada and is handled the way Law 25 expects.
Frequently asked questions
Does Law 25 forbid sending personal information by email?
No. Law 25 doesn't prohibit email, but it requires protecting personal information with appropriate security. Plain email generally isn't appropriate for sensitive personal information.
Is a password-protected PDF enough?
It's better than nothing, but the password is often shared insecurely, there's no verification of who the recipient is, and there's no audit trail of access.
What about built-in email encryption?
Encryption in transit helps, but for an external recipient you still want identity verification and a record of access โ without forcing them to create an account.
What does doclinc add?
Recipient authentication with no account, authentication on each access, a full audit trail, and Canadian data residency โ all from Outlook.
This page is general information, not legal advice. For your specific obligations, consult your privacy officer.
Send personal information the way Law 25 expects
Encrypted, authenticated, hosted in Canada โ right from Outlook.
