Bulletin #33 | Special Series - Quebec unveils the first details for the application of its new privacy regime.

Quebec made waves with the introduction of the Act to modernize legislative provisions as regards the protection of personal information (the "Reform"), Bill 64.

Living up to its name, the Reform creates significant changes for both public bodies and private sector businesses. For a comprehensive view of the legislative reforms, visit our Resource Centre.

As noted in our previous bulletin on the subject, the obligations regarding the management of "confidentiality incidents" will come into force as early as September 22, 2022, less than three months from the publication of this article.

However, several implementation details for the obligations were to be specified by regulation. On June 29, 2022, the government shared a first draft of the long-awaited regulation on this subject (the "Regulation").[1]

This Regulation specifies three important aspects for incident managers and "privacy officers" who will have to ensure the compliance of their organization (or of the organization that designated them as privacy officer):

  1. The content of the notices to be sent to the Commission d'accès à l'information (the "Commission");
  2. The content and manner of notices to be given to affected individuals;
  3. The content and retention period of the register of confidentiality incidents.

So far, nothing too disorienting for Canadian organizations already dealing with similar obligations under the Breach of Security Safeguards Regulations (the "Federal Regulations"). The Quebec approach nevertheless retains certain specificities that reflect society's increased sensitivity to privacy issues since the adoption of the Federal Regulations in 2018.

This article outlines the main obligations and differences with those provided under the Federal Regulations. There are three main differences:

  1. Organizations must be aware of the nature of the personal information involved in the incident or be able to justify why it cannot be identified;
  2. The content of the registers of confidentiality incidents is granular, whereas the Federal Regulations take a more holistic, goal-oriented approach;
  3. Organizations must keep the register of confidentiality incidents up to date and retain it for a period of five years after becoming aware of the incident, whereas the Federal Regulations provide for a retention period of twenty-four months.

Notices to the Commission d'accès à l'information

Organizations must promptly[2] notify the Commission in writing if a confidentiality incident presents a risk of serious injury. They must also promptly update the Commission as they become aware of new information after having sent an initial notice. The notice must, to the extent known, contain the following information (the original bulletin uses colour to mark departures from the requirements of the Federal Regulations):

  1. the name of the organization affected by the confidentiality incident;
  2. the name and contact information of the person to be contacted in that organization with regard to the incident;
  3. a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
  4. a brief description of the circumstances of the incident and what caused it, if known;
  5. the date or time period when the incident occurred or, if that is not known, the approximate time period;
  6. the date or time period when the organization became aware of the incident;
  7. the number of individuals affected by the incident and the number of those who reside in Quebec or, if that is not known, the approximate numbers;
  8. a description of the elements that led the organization to conclude that there is a risk of serious injury to affected individuals, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
  9. the measures the organization has taken or intends to take to notify affected individuals, and the date on which such individuals were notified, or the expected time limit for the notification;
  10. the measures the organization has taken or intends to take after the incident occurred, including those aimed at reducing the risk of injury or mitigating any such injury and those aimed at preventing new incidents of the same nature, and the date on which the measures were taken or the expected time limit for taking the measures; and
  11. if applicable, an indication that a person or body outside Quebec that exercises similar functions to those of the Commission with respect to overseeing the protection of personal information has been notified of the incident.

The Regulations would enable the Commission to receive information that the Office of the Privacy Commissioner of Canada ("OPCC") requests through its own breach report form, but which it is not empowered to compel under the Federal Regulations.

The most notable difference between the two approaches is that the Quebec Regulations require organizations to justify to regulators their inability to describe the nature of the personal information involved in an incident.

Notice to affected individuals

The provisions regarding notice to individuals are almost identical to those in the Federal Regulations, both in terms of the means of providing notice and the content of such notice.

Content of the notice

Notices to individuals whose personal information is concerned by a confidentiality incident presenting a risk of serious injury must contain:

  1. a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
  2. a brief description of the circumstances of the incident;
  3. the date or time period when the incident occurred or, if that is not known, the approximate time period;
  4. a brief description of the measures the organization has taken or intends to take after the incident occurred in order to reduce the risks of injury;
  5. the measures that the organization suggests affected individuals take in order to reduce the risk of injury or mitigate any such injury; and
  6. the contact information where the affected individual may obtain more information about the incident.

Much like with the reporting requirements, the most notable difference between the two approaches is that the Quebec Regulations require organizations to justify to individuals their inability to describe the nature of the personal information involved in the incident.

Means of notification

Both texts provide for the possibility of proceeding by direct and indirect notice:

  • Direct notices to affected individuals by any means; or
  • Indirect notices by means of a public notice by any method that could be reasonably expected to reach the affected individuals.

Direct notices are preferred. By exception, organizations may give notice by way of a public notice containing the same information as a direct notice in any of the following circumstances:

  1. when the fact of sending such notice is likely to cause increased injury to the affected individual;
  2. when the fact of sending such notice is likely to cause undue hardship for the organization;
  3. when the organization does not have the contact information for the affected individual.

An organization may also proceed by way of a public notice if there is a need to act rapidly to reduce the risk of serious injury or to mitigate any such injury. In such cases, the organization is still required to promptly follow up with a direct notice to the affected individual, unless one of the circumstances listed above applies.

Register of incidents

The register of incidents differs from the one under the Personal Information Protection and Electronic Documents Act with respect to content and, notably, to the retention period.

The Federal Regulations are less prescriptive, as they do not specify the exact content of the register. The register must instead contain "any information that enables the Commissioner to verify compliance" with the requirements to report incidents that "create a real risk of significant harm" to the Commissioner and to notify affected individuals. This record must be kept for 24 months following the incident.

The Regulations require organizations to maintain a register of confidentiality incidents containing the following specific information, which they must retain and keep up to date for at least five years after the date or time period when they become aware of the incident:

  1. a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
  2. a brief description of the circumstances of the incident;
  3. the date or time period when the incident occurred or, if that is not known, the approximate time period;
  4. the date or time period when the organization became aware of the incident;
  5. the number of individuals affected by the incident or, if that is not known, the approximate number;
  6. a description of the elements that led the organization to conclude that there is a risk of serious injury to the affected individuals, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
  7. if the incident presents a risk of serious injury, the transmission dates of the notices to the Commission and the affected individuals, as well as an indication of whether the organization issued public notices and, if applicable, its reasons for doing so; and
  8. a brief description of the measures the organization has taken after the incident occurred in order to reduce the risks of injury.

Diligent organizations subject to the Federal Regulations were already including this type of information in their register of confidentiality incidents (or "Breach records"), as they are helpful pieces of information for the OPCC to verify compliance.

Takeaways

The Quebec Regulation provides much welcome clarity about the scheme and makes explicit what the OPCC implicitly expected through its interpretation of the Federal Regulations.

An inventory of personal information is necessary for compliance with the new obligations introduced by the Reform, and this necessity is reinforced by the obligation to justify the impossibility of determining the nature of the personal information covered by a confidentiality incident.

The register of confidentiality incidents is central to the compliance audit, and for this purpose the retention requirement is increased from two to five years. In 2019, the OPCC conducted an inspection of these records and shared its findings. Organizations can anticipate a similar exercise by the Commission, in addition to an in-depth review of their register in the event of a confidentiality incident.

Pending the possible adoption of federal Bill C-27, the main difference for organizations doing business across Canada will be in the area of non-compliance, with significant penalties introduced by the Reform coming into effect as early as September 2023.

Footnotes

1. Please note that this is still a draft regulation. Any interested person who has comments to make can do so within 45 days (calculated from June 29, 2022). You can do so either by writing directly to Julie Samuël by email, or by contacting one of our team members who can assist you in your efforts.

2. Note that the translation employs the term "with proper diligence" instead.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.