Québec Releases Draft Regulation On Mandatory Breach Reporting
Introduction
On June 29, 2022, the Québec government published a draft regulation on the process for reporting
privacy breaches under the new privacy law. This regulation
describes what information needs to be sent to the Commission
d'accès à l'information (the CAI) and to
affected individuals when a breach meets the threshold for
mandatory reporting, as well as the minimum retention period for
records of all confidentiality incidents.
What you need to know
- If the Regulation is approved, Québec will have two requirements that differ from the federal regime:
  - Provide the CAI with a summary of the factors that establish a real risk of serious harm. The Québec proposal aligns with the current Alberta requirements.
  - Retain records of confidentiality incidents for five years, which exceeds the federal two-year requirement.
- The requirement to describe the factors that support the mandatory reporting threshold may create tensions with maintaining privilege over legal advice.
- The Regulation may come into force as early as September 2022, so businesses should be updating their internal procedures now to ensure compliance.
Overview of the measures proposed
Comparison with federal regulation
Although similar to the breach reporting requirements under
federal PIPEDA, some aspects of the proposed Québec
regulation are more onerous:
Requirement: Contents of regulatory report

Proposed Québec Regulation:
- brief description of the circumstances of the breach;
- the date or time period when the incident occurred or, if that is not known, the approximate time period;
- a description of the personal information affected by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
- the number of individuals affected by the breach or, if unknown, the approximate number, and the number among them of individuals residing in Québec;
- the measures taken or planned to remediate the incident;
- the measures taken or planned to notify affected individuals;
- details for the organization's contact person;
- the date or time period in which the organization became aware of the incident;
- a description of the elements that led the organization to conclude that there is a real risk of serious injury, such as the sensitivity of the information, possible misuses of such information, the anticipated consequences of misuse, and the likelihood that such information will be used for harm;
- whether other privacy regulators have been notified of the incident.

Federal Regulation:
- description of the circumstances of the breach;
- the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information affected to the extent known;
- the number of individuals affected or, if unknown, the approximate number;
- a description of the steps that the organization has taken to reduce the risk of harm to affected individuals or to mitigate that harm;
- a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach;
- details for the organization's contact person.

Requirement: Contents of individual notification

Proposed Québec Regulation:
- a brief description of the circumstances of the incident;
- the date or time period (or approximation) when the incident occurred;
- a description of the personal information affected or, if that information is not known, the reasons why it is impossible to provide such a description;
- a brief description of the measures taken to reduce the risk of harm;
- suggested measures that the individual can take to reduce the risk of harm or mitigate any such injury; and
- contact information should the individual require more information.

Federal Regulation:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred (or approximation);
- a description of the personal information affected to the extent known;
- a description of the steps that the organization has taken to reduce the risk of harm;
- suggested measures that the individual can take to reduce the risk of harm or mitigate any such injury; and
- contact information should the individual require more information.

Requirement: Record retention

Proposed Québec Regulation: 5 years after the date the organization became aware of the incident.

Federal Regulation: 2 years after the breach has occurred.
Privilege and transactional considerations
Notably, the draft Regulation would require organizations to
describe the elements that led them to conclude that the "risk of
serious injury" threshold for mandatory reporting was met.
This is similar to the Alberta regime, but is not a federal
requirement. This may pose strategic challenges for organizations
that wish to err on the side of caution in reporting incidents that
do not clearly meet the threshold, while minimizing litigation and
reputational risk. Businesses will need to carefully craft their
breach reports to meet this requirement without waiving privilege
over legal advice that informed the reporting assessment, and
without creating admissions that may be used against them in
litigation relating to the incident.
Similarly, businesses should consider privilege when creating
internal records of confidentiality incidents and should keep legal
advice in a separate file from the factual summaries contained in
their breach records. Companies engaged in transactions should
expect to be asked to provide their breach records in the course of
due diligence, which emphasizes the need to ensure they do not
contain privileged legal and risk assessments.
Preparation
The Québec government proposed that the regulation will
take effect on September 22, 2022 for the private sector.
Organizations should review their breach response policies,
regulatory report, individual notification and breach record
templates, breach record retention periods, and privilege protocols
to ensure they align with the Québec requirements.