An update on new Québec confidentiality incidents and record-keeping requirements

On December 29, 2022, the Québec provincial government regulations clarifying the new notification and record-keeping requirements for confidentiality incidents under Bill 64 (Confidentiality Incidents Regulation) came into force . Québec becomes the third jurisdiction to introduce these obligations for organizations that sustain confidentiality incidents, after the Alberta Personal Information Protection Act (PIPA) in 2010 and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) in 2018. These new requirements come into force in Québec on September 22, 2022.

In this article, we first provide a summary of the new legal requirements pertaining to the management of confidentiality incidents provided under Bill 64, followed by a summary of the Confidentiality Incidents Regulation clarifying the new notification and record-keeping requirements.

Summary of legal requirements when managing confidentiality incidents

Confidentiality incident

New section 3.6 defines a “confidentiality incident” as an unauthorized access, use or disclosure of personal information, loss of personal information, or other breach in the protection of such information. It is interesting to note that Québec is the only jurisdiction in Canada to include unauthorized use of personal information in its definition of confidentiality incident.

Risk of serious injury assessment

All confidentiality incidents will be subject to a “risk of serious injury” assessment process to determine whether the incident in question should be notified to the Commission d’Accès à l’Information (CAI) and the individuals involved. The notion of “risk of serious injury” proposed by the Québec legislator is subtly distinguished from the notion of “real risk of significant harm” provided for in PIPEDA and Alberta’s PIPA, as the word “real” has been omitted. In addition, unlike PIPEDA, Bill 64 does not provide a definition or examples of serious injury, but does set out key factors to be considered in assessing the level of seriousness of the risk of injury:

• The sensitivity of the information involved . Information that, because of its nature (e.g., medical, biometric or otherwise intimate) or the context of its use, entails a high level of reasonable expectation of privacy will increase the risk of injury.
• The anticipated consequences of its use . For example, whether the compromised information is likely to be used to commit fraud or identity theft.
• The likelihood that it will be used for injurious purposes . If, for example, the information has been exfiltrated from the organization’s servers or published on the Dark Web, it is likely to be used for injurious purposes.

Although the assessment criteria for PIPEDA and PIPA are superficially similar to Bill 64 test, we do not rule out the possibility that the CAI will interpret the notification requirements more narrowly, particularly given the omission of the word “real” in its definition of “risk of serious injury”. In any event, the Privacy Officer should be consulted in making this assessment (section 3.7 in fine). To the extent that this assessment criteria is interpreted in a similar way than under PIPEDA and PIPA, the breach notifications decisions published by the Office of the Information and Privacy Commissioner of Alberta may be relevant.

Notification of incidents

If the organization determines that the incident poses a risk of serious injury, it will be required to notify the CAI and any individual affected by the incident, failing which the CAI may order the organization to do so. There is no time limit for reporting incidents, but reporting must be done “promptly”, according to section 3.5.

By comparison, PIPEDA and PIPA require notification as soon as possible to the privacy regulator in the event that a breach of security measures presents a “real risk of significant harm”. If a confidentiality incident occurs at a third party service provider or subcontractor to whom personal information has been outsourced, there may be contractual requirements for notification of incidents. However, since the notification obligations of Bill 64 apply to any organization regardless of their role in the processing of personal information, a service provider or subcontractor may be required to report the incident since reporting the obligation applies to “any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred.”

For a more detailed analysis of Québec Bill 64’s proposed amendments, please see review our Compliance Guide on Bill 64.

New regulations clarifying the new notification and record-keeping requirements

The Confidentiality Incidents Regulation provides some clarification on the form of the notices that organizations must send to the CAI and to the individuals concerned in order to fulfil their notification obligations, as well as pertaining to the new requirements relating to the recording of confidentiality incidents.

Content of notification to privacy regulator

The requirements under the Confidentiality Incidents Regulation are similar to those under PIPEDA and Alberta’s PIPA. According to the regulations, notification to the CAI must be in writing and must contain the following information:

1. Name of the organization (with the Québec Company Registry number);
2. Contact information of a person who can answer for the organization questions about the incident;
3. A description of the personal information that is the subject of the incident if known. If the information is unknown, the reasons why it is impossible to provide such description;
4. A description of the circumstances of the incident and, if known, the cause;
5. The date or period during which the incident occurred (or approximate if unknown);
6. The date on which the organization became aware of the incident;
7. The number of individuals impacted by the incident and the number of individuals residing in Québec (or approximate if unknown);
8. A description of the elements that led to the conclusion that there is a risk of serious injury to impacted individuals;
9. Steps the organization has taken or intends to take to notify impacted individuals of the incident;
10. Steps the organization has taken after the incident, including to reduce/mitigate the risk of serious injury to impacted individuals and to prevent new incident of the same nature, and the date or time period on which such measures were taken or the expected time limit for taking the measures; and
11. If applicable, other privacy regulators informed about the incident.

Content of notification to impacted individuals

For the notification to impacted individuals, the Confidentiality Incidents Regulation provides that an organization must provide the following information:

1. A description of the personal information that is the subject of the incident if known and if unknown, the reasons why it is impossible to provide such description;
2. A description of the circumstances of the incident;
3. The date or period during which the incident occurred (or approximate if unknown);
4. Steps the organization has taken or intends to take to reduce the risk of injury to impacted individuals;
5. Steps impacted individuals could take to reduce/mitigate the risk of injury;
6. Contact information of a person who can answer for the organization questions about the incident.

Notification are to be sent to impacted individuals directly, unless:

1. Sending such notice is likely to cause increased injury to the impacted individuals;
2. Sending such notice is likely to cause undue hardship for the organization;
3. The organization does not have the contact information for the impact individual.

In such cases, the organization may notify impacted individuals by a public notice. While there is currently no indication on what is considered undue hardship for the organization, various factors may be considered (e.g. the assessment of the eDiscovery costs, etc.).

If there is a need to act rapidly to reduce the risk of a serious injury or to mitigate any such injury, the organization may proceed with a public notice, provided a direct notice is later communicated.

Content of confidentiality incidents register

Bill 64 requires organizations to keep a register of confidentiality incidents, a copy of which must be sent to the CAI upon request, pursuant to section 3.8. The Confidentiality Incidents Regulation provides that organizations are required to keep a register of confidentiality incidents for a period of 5 years, which register must contain:

1. A description of the personal information that is the subject of the incident if known (and if unknown, the reasons why it is impossible to provide such description);
2. A description of the circumstances of the incident;
3. The date or period during which the incident occurred (or approximate if unknown);
4. The date on which the organization became aware of the incident;
5. The number of individuals impacted by the incident (or approximate if unknown);
6. A description of the elements that led to the conclusion that there is a risk of serious injury to impacted individuals;
7. If the incident presents a risk that serious injury will be caused, the dates of transmission of the notices to the privacy regulator and to the persons concerned. If indirect notification, the rationale justifying it;
8. Steps the organization has taken to reduce the risk of serious injury to impacted individuals.

Confidentiality Incidents Regulation does not provide any format for the Confidentiality Incidents Register. Organizations may maintain such register through any means to preserve the information.

Conclusion

We have prepared charts summarizing these new Québec requirements as well as charts comparing these requirements with those already in effect in other Canadian jurisdictions: