Introduction

On June 29, 2022, the Québec government published a draft regulation on the process for reporting privacy breaches under the new privacy law. This regulation describes what information needs to be sent to the Commission d'accès à l'information (the CAI) and to affected individuals when a breach meets the threshold for mandatory reporting, as well as the minimum retention period for records of all confidentiality incidents.

What you need to know

  • If the Regulation is approved, Québec will have two requirements that differ from the federal regime:
    • Provide the CAI with a summary of the factors that establish a real risk of serious harm. The Québec proposal aligns with the current Alberta requirements.
    • Retain records of confidentiality incidents for five years, which exceeds the federal two-year requirement.
  • The requirement to describe the factors that support the mandatory reporting threshold may create tensions with maintaining privilege over legal advice.
  • The Regulation may come into force as early as September 2022, so businesses should be updating their internal procedures now to ensure compliance.

Overview of the measures proposed

Comparison with federal regulation

Although similar to the breach reporting requirements under federal PIPEDA, some aspects of the proposed Québec regulation are more onerous:

Proposed Québec Regulation

Federal Regulation

Requirement: Contents of regulatory report
  • brief description of the circumstances of the breach;
  • the date or time period when the incident occurred or, if that is not known, the approximate time period;
  • a description of the personal information affected by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
  • the number of individuals affected by the breach or, if unknown, the approximate number and the number among them, of individuals residing in Québec;
  • the measures taken or planned to remediate the incident;
  • the measures taken or planned to notify affected individuals;
  • details for the organization's contact person;
  • the date or time period in which the organization became aware of the incident;
  • a description of the elements that lead the organization to conclude that there is a real risk of serious injurysuch as the sensitivity of the information, possible misuses of such information, the anticipated consequences of misuse, and the likelihood of such information will be used for harm;
  • whether other privacy regulators have been notified of the incident.
  • description of the circumstances of the breach;
  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information affected to the extent known;
  • the number of individuals affected or, if unknown, the approximate number;
  • a description of the steps that the organization has taken to reduce the risk of harm to affected individuals or to mitigate that harm;
  • a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach;
  • details for the organization's contact person.

Requirement: Contents of individual notification
  • a brief description of the circumstances of the incident;
  • the date or time period (or approximation) when the incident occurred;
  • a description of the personal information affected or, if that information is not known, the reasons why it is impossible to provide such a description;
  • a brief description of the measures taken to reduce the risk of harm;
  • suggested measures that the individual can take to reduce the risk of harm or mitigate any such injury; and
  • contact information should the individual require more information.
  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred (or approximation);
  • a description of the personal information affected to the extent known;
  • a description of the steps that the organization has taken to reduce the risk of harm;
  • suggested measures that the individual can take to reduce the risk of harm or mitigate any such injury; and
  • contact information should the individual require more information.

Requirement: Record retention

5 years after the date the organization became aware of the incident.

2 years after the breach has occurred.

Privilege and transactional considerations

Notably, the draft Regulation would require organizations to describe the elements that lead it to conclude the "risk of serious injury" threshold for mandatory reporting was met. This is similar to the Alberta regime, but is not a federal requirement. This may pose strategic challenges for organizations that wish to err on the side of caution in reporting incidents that do not clearly meet the threshold, while minimizing litigation and reputational risk. Businesses will need to carefully craft their breach reports to meet this requirement without waiving privilege over legal advice that informed the reporting assessment, and without creating admissions that may be used against them in litigation relating to the incident.

Similarly, business should consider privilege when creating internal records of confidentiality incidents and should keep legal advice in a separate file from the factual summaries contained in their breach records. Companies engaged in transactions should expect to be asked to provide their breach records in the course of due diligence, which emphasizes the need to ensure they do not contain privileged legal and risk assessments.

Preparation

The Québec government proposed that the regulation will take effect on September 22, 2022 for the private sector. Organizations should review their breach response policies, regulatory report, individual notification and breach record templates, breach record retention periods, and privilege protocols to ensure they align with the Québec requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.