# Law 25 — Privacy Impact Assessment > Draft a PIA under Quebec Law 25 for communication of personal information outside Quebec (s. 17). Covers four factors (sensitivity, purposes, protection measures, legal framework), adequate protection conclusion, and written agreement considerations. Tags: Quebec, Law 25, Bill 64, PIA, Cross-border, Canada ## Example Prompts - Conduct a PIA for transferring customer data to the US - Draft the PIA for our Quebec cross-border communication - Assess whether our vendor in Ontario provides adequate protection under Law 25 URL: https://rakenne.app/skills/law25-pia/index.md Try this skill: https://rakenne.app/a/?skill=law25-pia ## Overview Draft a PIA under Quebec Law 25 for communication of personal information outside Quebec (s. 17). Covers four factors (sensitivity, purposes, protection measures, legal framework), adequate protection conclusion, and written agreement considerations. ## Getting Started Add your source materials to the project workspace, then activate the *Law 25 — Privacy Impact Assessment* skill. The agent will guide you through the process step by step. ## Example conversation **You:** We’re about to send customer data to a processor in the US. We need the PIA required under Law 25 before we do that. **Agent:** I’ll draft the PIA for the cross-border communication under section 17. I’ll load the Law 25 PIA requirements and use the outline template. I need: categories of personal information, purposes of the transfer, the US recipient and any safeguards (e.g. contract, SCCs), and a summary of the US legal framework for privacy. I’ll document the four factors (sensitivity, purposes, protection measures, legal framework), conclude whether the information would receive adequate protection, and note what should go in the written agreement. Then I’ll run the validation tool to ensure all four factors and the conclusion are present. ## Output excerpt **PIA — Adequacy conclusion (excerpt)** **4. Adequacy conclusion** Based on the four factors above: The assessment **establishes** that the information would receive **adequate protection**, particularly in light of generally recognized principles regarding the protection of personal information. Communication may proceed subject to a written agreement that reflects the assessment and includes [e.g. standard contractual clauses, sub-processor restrictions, audit rights]. **5. Written agreement considerations** The written agreement must take into account the results of this assessment and include terms agreed upon to mitigate identified risks (e.g. specific security obligations, return/destruction at end of contract). ## References and validation - **references/law25-pia-requirements.md** — Section 17 (communication outside Quebec); four factors (sensitivity, purposes, protection measures, legal framework); adequate protection and written agreement; study/research/statistics; EN/FR term glossary. - **assets/pia-outline-law25.md** — Template for PIA sections (context, flows, four factors, conclusion, agreement terms). - **validate_law25_pia** — Checks the PIA document for: sensitivity of the information, purposes for which it will be used, protection measures (including contractual), legal framework in the destination state, and adequacy conclusion. Reports missing elements. Use after drafting the PIA to ensure a complete section 17 assessment. --- Back to [Skill Library](https://rakenne.app/skills/index.md)