On June 29, 2022, the Québec government published draft regulations respecting confidentiality incidents (the Draft Regulations) that provide details on how public and private sector organizations should be required to handle breaches affecting personal information under the new privacy regime in Québec. 

Last September, Québec passed An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) that will introduce major changes to the province’s current framework for the protection of personal information, as previously reported by the E-TIPS® Newsletter here. Among the changes are the new mandatory notification of confidentiality incidents to the Commission d’accès à l’information (CAI) and the persons concerned where the incident “presents a risk of serious injury”. These mandatory notification provisions in Bill 64 are set to come into force on September 22, 2022. The Draft Regulations are proposed to take effect on the same day.

The Draft Regulations cover the following three areas:

  1. Notice to the CAI

Where a confidentiality incident has occurred that presents a risk of serious injury, an organization must promptly notify the CAI in writing and provide certain prescribed information, including, among other things:

  • a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
  • a description of the elements that led the affected organization to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes; and
  • if applicable, an indication that a person or body outside Québec that exercises similar functions to those of the CAI has been notified of the incident.

  2. Notice to the persons concerned

An organization must provide notice to persons whose personal information was affected by a confidentiality incident presenting a risk of serious injury. No time frame for providing such notice is specified. The notice must contain:

  • a description of the personal information that was compromised or, if that information is not known, the reasons why it is impossible to provide such a description;
  • a brief description of the circumstances of the incident;
  • the date or time period when the incident occurred or, if that is not known, the approximate time period;
  • a brief description of the measures the organization has taken or intends to take after the incident occurred in order to reduce the risks of injury;
  • the measures that the organization suggests the person concerned take in order to reduce the risk of injury or mitigate any such injury; and
  • the contact information where the person concerned may obtain more information about the incident.

The Draft Regulations further specify that the notice to persons concerned may be given directly or indirectly by means of a public notice, under certain circumstances.

  3. Register of confidentiality incidents

An organization must keep its register of confidentiality incidents up to date and retain it for a period of five years after the date on which it became aware of the incident. The register must contain, among other things:

  • a description of the elements that led the organization to conclude that there is a risk of serious injury to the persons concerned;
  • if the incident presents a risk of serious injury, the dates on which notices were transmitted to the CAI and to the persons concerned and, if applicable, whether any public notices were given and the reasons for doing so; and
  • a brief description of the measures taken by the organization following the incident to reduce the risk of injury.

While the Draft Regulations may still change before they are passed into law, organizations doing business in Québec and public bodies in Québec should become familiar with these new requirements and review their current security incident response processes to ensure compliance before September 22, 2022.

Summary by: Anna Troshchynsky

E-TIPS® ISSUE

22 08 10

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.