On June 29, 2022, the Québec government published draft regulations respecting confidentiality incidents (the Draft Regulations) that provide details on how public and private sector organizations should be required to handle breaches affecting personal information under the new privacy regime in Québec.
Last September, Québec passed An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) that will introduce major changes to the province’s current framework for the protection of personal information, as previously reported by the E-TIPS® Newsletter. Among the changes are the new mandatory notification of confidentiality incidents to the Commission d’accès à l’information (CAI) and the persons concerned where the incident “presents a risk of serious injury”. These mandatory notification provisions in Bill 64 are set to come into force on September 22, 2022. The Draft Regulations are proposed to take effect on the same day.
The Draft Regulations cover the following three areas:
Where a confidentiality incident has occurred that presents a risk of serious harm, an organization must promptly notify the CAI in writing and provide certain prescribed information, including, among other things:
An organization must provide notice to persons whose personal information was affected by a confidentiality incident presenting a risk of serious injury. No time frame is specified to provide such notice. The notice must contain:
The Draft Regulations further specify that the notice to persons concerned may be given directly or indirectly by means of a public notice, under certain circumstances.
An organization must keep the register of confidentiality incidents up to date and retain it for a period of five years after becoming aware of the incident. The register must contain, among other things:
While the Draft Regulations may still change before they are passed into law, organizations doing business in Québec and public bodies in Québec should become familiar with these new requirements and review their current security incident response processes to ensure compliance before September 22, 2022.
Summary by: Anna Troshchynsky
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.