Quebec's Draft Regulation on Confidentiality Incidents: a Comparative View with Federal Requirements

On June 29, 2022, the Quebec government presented the draft Regulation respecting confidentiality incidents (the “Quebec Regulation”).

The Quebec Regulation specifies the content of the new notification and record-keeping requirements following the occurrence of a confidentiality incident. The regulation is set to enter into force on September 22, 2022, along with the first amendments to Quebec's Act respecting the protection of personal information in the private sector (the “Private Sector Act”), following the adoption of Bill 64,  An Act to modernize legislative provisions as regards the protection of personal information (“Bill 64”).

Bill 64 received assent on September 22, 2021, which marked the start of Quebec's transition into modernizing the rules that apply to the protection of personal information. We recently published an insight which provides an overview of the amendments that Bill 64 is bringing along for the next few years.

In this post, we review the requirements that now apply to the private sector under the Quebec Regulation in the event of a confidentiality incident and offer a comparative view with its federal equivalent, the Breach of Security Safeguards Regulations (the “Federal Regulation”).

What is a confidentiality incident?

As amended by Bill 64, Section 3.6 of the Private Sector Act provides the following definition of a “confidentiality incident”:

1. access not authorized by law to personal information;
2. use not authorized by law of personal information;
3. communication not authorized by law of personal information; or
4. loss of personal information or any other breach in the protection of such information.

Requirements coming into force on September 22, 2022

In Canada, subject to some sector-specific exceptions, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to all private-sector organizations unless a province has enacted its own privacy laws that are substantially similar to PIPEDA (currently Alberta, British Columbia and Quebec), in which case the provincial legislation applies. In provinces with substantially similar legislation, PIPEDA will still apply to personal information collected through interprovincial and international transactions.

No mandatory reporting and notification requirements existed under the Private Sector Act until the recent Bill 64 amendments. As of September 22, 2022, Quebec’s mandatory notification regime for confidentiality incidents in the private sector will become the third one along with the federal and Alberta regimes in Canada outside the sector-specific regimes. Organizations subject to the Private Sector Act will therefore have to comply with new requirements in the handling of such events.

When does a confidentiality incident trigger notice requirements?

In case of a confidentiality incident, organizations will need to assess the risk of injury to individuals whose personal information is concerned. If the incident presents “a risk of serious injury” (“ROSI”), an organization must promptly notify the CAI as well as any person whose personal information is concerned by the incident.

We note that the ROSI threshold could be distinguished from PIPEDA’s “real risk of significant harm” (“RROSH”) threshold given the difference in the wording and notably the word “real” being omitted. While it is difficult at this stage to determine precisely if this was meant to establish a lower reporting/notification threshold, the factors to be considered in the assessment of the “risk of serious injury” are similar to PIPEDA, namely: the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes. Organizations should continue to monitor developments as to how the CAI will treat these differences and whether the wording will be interpreted more strictly than the requirements under PIPEDA.

 

Reporting to the Commission d'accès à l'information

Section 3 of the Quebec Regulation clarifies the obligation to provide a written notice to the Commission d'accès à l'information (“CAI”).

The notice must include the following:

• the name of the body affected by the incident;
• the name and contact information of the contact person at said body;
• a description of the personal information covered by the incident and if this is not known, reasons need to be specified as to why it is not known;
• a brief description of the circumstances of the incident;
• the date and time period when the incident occurred;
• the date and time period when the body became aware of the incident;
• the number of people concerned by the incident and the number of those who reside in Quebec;
• a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned;
• the measures the body will take or has taken to notify the persons concerned;
• the measures the body will take or has taken following the incident, including those aimed at reducing the risk of injury and at preventing new incidents of the same nature to occur;
• if applicable, the notification of the incident to a body outside of Quebec that exercises similar functions to the CAI’s.

In the event of new information regarding the incident becoming available after the submission of the notice, Section 4 requires the body to communicate the additional information to the CAI "promptly".

Notice to persons concerned

The following obligation is to provide a similar notice to individuals affected by the confidentiality incident.

Section 5 provides organizations with the information that the notice needs to contain:

• a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
• a brief description of the circumstances of the incident;
• the date or time period when the incident occurred or, if that is not known, the approximate time period;
• a brief description of the measures the body has taken or intends to take after the incident occurred in order to reduce the risks of injury;
• the measures that the body suggests the person concerned take in order to reduce the risk of injury or mitigate any such injury; and
• the contact information where the person concerned may obtain more information about the incident

Section 6 only specifies that notices are 'sent to the persons concerned by the confidentiality incident”.

In some instances, however, a public notice may be issued:

• when the fact of sending such notice is likely to cause increased injury to the person concerned;
• when the fact of sending such notice is likely to cause undue hardship for the body;
• when the body does not have the contact information for the person concerned.

A public notice may also be issued if there is a necessity to act rapidly to mitigate or reduce the risk of serious injury due to the incident. If this is the case, a personal notice still needs to be issued in addition to the public notice, unless one of the criteria mentioned above applies to the situation at hand.

Register of confidentiality incidents

Finally, confidentiality incidents need to be registered in the registers provided for by the Private Sector Act. Section 7 of the Quebec Regulation lays out what the register needs to contain. The incident must remain registered for at least five years after the date or time period when the body became aware of the incident.

Federal vs. Quebec Regulation

There are several similarities between the Quebec Regulation and its federal equivalent. Both regulations are structured in a similar way, laying out criteria for the notification of the incident to the regulatory authority – i.e. the CAI for Quebec and the Office of the Privacy Commissioner of Canada (“OPC”) at the federal level – and the affected individuals, followed by the record-keeping requirement.

However, we highlight below the sections of the Quebec Regulation which differ from the Federal Regulation: 

Quebec Regulation		Federal Regulation
NOTICE TO THE REGULATORY AUTHORITY
The report to the CAI must include “a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes”. (Section 3 (8))		No such description is required.
In the event that new information regarding the same confidentiality incident arises after issuing the report to the CAI, this information must be communicated promptly. (Section 4)		In the event that new information regarding the same confidentiality incident arises after the issuance of the report to the OPC, this information may be communicated. (Section 2 (2))
NOTIFICATION TO THE AFFECTED INDIVIDUALS
An organization that cannot include a description of the personal information concerned by the incident in the notice must at least provide a reason for this impossibility. (Section 5 (1))		A notice is only required to include the nature of the information concerned “to the extent that the information is known”. (Section 3 (a))
The organization is required to specify the measures it has taken or intends to take after the incident. (Section 5 (4))		The organization is required to specify the measures taken at the time the notice is issued. (Section 3 (d))
Notices are “sent to the persons concerned by the confidentiality incident”. (Section 6)		Direct notification must be given to the affected individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances. (Section 4)
RECORD-KEEPING
Registers of confidentiality incidents must be kept for at least 5 years after the date of when the body became aware of the incident. (Section 8)		Registers of confidentiality incidents must be kept for at least 24 months after the date of when the body became aware of the incident. (Section 6 (1))

Conclusion

Significant changes regarding the notification of confidentiality incidents in Quebec will come into force this week, on September 22, 2022. Whereas notification was previously made by organizations on a voluntary basis or in incidents involving the application of other Canadian privacy legislation, as of September 22, 2022, the Quebec regulatory framework will provide mandatory breach reporting requirements similar to those existing in Alberta, under PIPEDA or under certain sector-specific statutes.

For any questions that your organization may have regarding this Insight, general compliance with the new Quebec legislation on cybersecurity or PIPEDA, please feel free to contact our Data Protection and Privacy Group.