A little over nine months after it passed An Act to modernize legislative provisions as regards the protection of personal information ("Bill 64") overhauling, among other legislation, the province's public and private sector personal information protection laws, Québec has introduced its Draft Regulation (the "Regulation") detailing how entities will be expected to handle breaches involving personal information ("Confidentiality Incidents").

Québec is late to the game when it comes to mandatory breach reporting. Every American state, the European Union, as well as Alberta and the Canadian provinces subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA") require entities to report breaches involving personal information to the appropriate regulators and to the individuals whose personal information is compromised. Each law, however, differs somewhat with respect to how, when and what to disclose. Québec's Regulation is no exception. The following paragraphs identify some of the specific features that mark the Regulation, notably with respect to record keeping, thresholds, and the definition of a Confidentiality Incident. They then present the specific disclosure and record keeping requirements this Regulation imposes.

  1. Record keeping: Unlike PIPEDA, which requires an organization to maintain a record of every breach of security safeguards for 24 months, the Regulation proposes a 5-year retention period from the date or time period at which the entity became aware of the Confidentiality Incident.
  2. Threshold: Whereas PIPEDA and Alberta's Personal Information Protection Act require notification to their respective privacy commissioners and to the individuals whose personal information is compromised if the breach could lead to a "real risk of significant harm", Bill 64 requires notification in the event of a "risk of serious injury". Although it is too soon to know whether this difference in terminology will lead to significantly different reporting thresholds, the possibility exists.
  3. Confidentiality Incident: PIPEDA defines a breach of security safeguards as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards [...] or from a failure to establish those safeguards." Bill 64, however, defines a "confidentiality incident" as follows:
    1. access not authorized by law to personal information;
    2. use not authorized by law of personal information;
    3. communication not authorized by law of personal information; or
    4. loss of personal information or any other breach in the protection of such information.

Again, although it is too soon to know the impact of this differing terminology, the definition of a Confidentiality Incident appears to cover a broader scope of activity than the "breach of security safeguards".

Disclosure and Record-keeping Requirements

If the Regulation comes into effect as is, an entity located in Québec that is subject to a Confidentiality Incident will be required to adhere to the following disclosure and record-keeping requirements.

Notice to the Commission d'accès à l'information ("CAI")

When

When the entity holding personal information has reason to believe that a Confidentiality Incident has occurred that could cause a risk of serious injury. No specific time frame is prescribed.

If some of the information below becomes available after the sending of a first notice, follow up notices must be sent as soon as the information is available.

How

In writing.

Content

· Name of the entity that was the target of the Confidentiality Incident and its Québec business number – if applicable;

· Name of a contact person designated by the entity to respond to questions regarding the Confidentiality Incident;

· Description of the Personal Information that was compromised or if it is not known, the reasons why it is not known;

· A brief description of the Confidentiality Incident and its cause, if known;

· Date or (approximate) time period during which the Confidentiality Incident occurred;

· Date or time period when the entity became aware of the Confidentiality Incident;

· The number of people whose personal information was compromised and the (approximate) number of those residing in Québec;

· A description of why the entity believes that the Confidentiality Incident could cause a risk of serious injury;

· The measures the entity took or intends to take to notify the people whose personal information was compromised, and the date on which it took or intends to take them;

· The measures the entity took or intends to take following the incident to reduce the risk of injury and to prevent incidents of the same nature in the future, and the date on which it took or intends to take them; and

· Any data protection commission other than the CAI that has been notified of the Confidentiality Incident.

Notice to individuals whose personal information was compromised

When

When the entity holding personal information has reason to believe that a Confidentiality Incident has occurred that could cause a risk of serious injury. No specific time frame is prescribed.

How

By personal notice to each individual whose personal information was compromised.

By public notice if:

· sending a personal notice would cause increased injury to the individual concerned;

· sending the notice will cause undue hardship to the entity; or

· the entity does not have the contact information of the individual concerned.

Also by public notice where doing so would reduce or mitigate the risk of serious injury. In that case the individuals concerned must still receive an individual notice.

Content

· Description of the Personal Information that was compromised or if it is not known, the reasons why it is not known;

· A brief description of the Confidentiality Incident;

· Date or time period when the entity became aware of the Confidentiality Incident;

· A description of the measures the entity took or intends to take to reduce the risk of injury;

· The measures that the individual whose personal information was compromised can take to reduce the risk of injury; and

· Contact information where the individual can receive more information on the Confidentiality Incident.

Contents of the Confidentiality Incident Register

When

Whenever a Confidentiality Incident occurs at an entity that holds personal information, regardless of whether the incident requires notice to the CAI and to the individuals whose personal information was compromised.

How Long

5 years from the date or time period at which the entity became aware of the Confidentiality Incident.

Content

· Description of the Personal Information that was compromised or if it is not known, the reasons why it is not known;

· A brief description of the Confidentiality Incident;

· Date or (approximate) time period during which the Confidentiality Incident occurred;

· Date or time period when the entity became aware of the Confidentiality Incident;

· The number or, if not known, the approximate number of individuals affected;

· A description of why the entity believes that the Confidentiality Incident could cause a risk of serious injury;

· If the Confidentiality Incident presents a risk of serious injury, the dates on which the CAI and the individuals whose personal information was compromised were notified, as well as whether a public notice was required; and

· A description of the measures taken after the Confidentiality Incident to reduce the risk of injury.

Timetable for Implementation

The Regulation, which was introduced on June 29, 2022, is scheduled to take effect 45 days after its introduction, roughly a month before the first provisions of Bill 64, including the breach notification piece, are scheduled to take effect. As of September 22, 2022, entities operating in Québec will be required to disclose Confidentiality Incidents and to comply with the notice and record keeping requirements described above.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.