Act 25 – First Draft Regulation, On Your Marks, Get Set, Go!

July 13, 2022 Privacy and Data Protection Bulletin 5 minute read

The coming into force of certain sections of the Act to modernize the legislative provisions as regards the protection of personal information (hereinafter the “Act”) in Quebec is just around the corner. We provided details in our recent publications (Bill 64: A Checklist to Help Businesses Comply with Modern Privacy Requirements in Québec, Bill 64 Enacted: Québec’s Modern Privacy Regime) of the upcoming changes to Quebec’s privacy framework that will take place in three (3) stages between September 2022 and 2024. After a long wait, the Quebec legislator has now taken its first steps to delineate organizations’ new obligations under the Act.

The first draft Regulation respecting confidentiality incidents (hereinafter the “Draft Regulation”) has been published and will come into force, with its corollary obligations, on September 22, 2022.[1] Organizations doing business in Quebec should take all necessary steps without delay to comply with the new obligations regarding the management of confidentiality incidents.

The Act defines “confidentiality incidents” as unauthorized access to, use, or communication of personal information, as well as the loss or any infringement of the protection of such information. Under the Act, any organization that suspects that a confidentiality incident involving personal information in its possession has occurred is required to implement reasonable measures to reduce the risk of injury and to prevent the recurrence of similar incidents.

Confidentiality Incidents with Risk of Serious Injury: Response and Prevention

Organizations must notify the Commission d’accès à l’information (“CAI”), either orally or in writing, as soon as they suspect that a confidentiality incident that presents a risk of serious injury[2] might occur.

The notice to the CAI must contain the following information:

  • the name of the organization affected by the incident and its Quebec business number;
  • the name and contact information of the person who manages this type of incident;
  • a description of the personal information involved in the incident or the reasons why it cannot be described (if the information is unknown);
  • a brief description of the circumstances surrounding the incident and its cause (if known);
  • the date or time period of the incident or an estimate of the time period (if unknown);
  • the date or time period when the organization became aware of the incident;
  • the number of persons affected by the incident and the number of persons residing in Quebec or an estimate of this number (if unknown);
  • the reasons for which the organization believes that the incident poses a risk of serious injury, such as the sensitivity of the personal information or the possibility of ill-intentioned uses or other deleterious consequences;
  • the measures taken or planned to be taken by the organization to notify concerned individuals and the date of such notification or the proposed time frame for completion;
  • the measures taken or planned to be taken by the organization in response to the incident to reduce the risk of recurrence or to mitigate the effects of any harm, along with the proposed time frame for completion; and,
  • a statement indicating that a person or organization outside of Quebec that performs similar functions to the CAI has been notified of the incident (if applicable).[3]

If the organization is unable to provide information regarding one of the elements listed above in its initial notice to the CAI, it must communicate the information to the CAI as soon as it becomes aware of it.[4]

In addition, organizations will be required to inform individuals whose personal information has been compromised of the circumstances surrounding the incident and ensure that they are adequately supported by providing them with a notice[5] containing:

  • a description of the personal information involved in the incident or the reasons why it cannot be provided (if the information is unknown);
  • a brief description of the circumstances surrounding the incident;
  • the date or time period when the incident occurred, or an estimate if the time period is unknown;
  • actions taken or planned to be taken by the organization as a result of the incident in order to reduce the risk of injury;
  • suggested actions to reduce the risk of injury or mitigate its effects; and,
  • contact information for a person that the concerned individual can contact to learn more about the incident.[6]

Notwithstanding the foregoing, organizations will be required to notify individuals affected by a confidentiality incident through public notice in certain circumstances, including where:

  1. providing individual notice would cause increased injury to those individuals;
  2. individual notification would cause undue hardship to the organization; or,
  3. the contact information of the concerned individuals is unknown.[7]

Organizations may also choose to provide public notice outside of the above-noted circumstances to mitigate the risk of injury while the organization coordinates the provision of individual notices to concerned individuals, which can be a lengthy process.[8]

Keeping a Register of Confidentiality Incidents 

Act 25 requires all organizations doing business in Quebec to develop and maintain a register of confidentiality incidents. The Draft Regulation specifies that the register must include: [9]

  • a description of the personal information involved in the incident or the reasons why such a description cannot be included (if the information is unknown);
  • a brief description of the circumstances surrounding the incident;
  • the date or time period when the incident occurred or an estimate of the time period (if unknown);
  • the date or time period when the organization became aware of the incident;
  • the number of people affected or an estimate (if unknown);
  • the factors, including the sensitivity of the personal information and/or the possibility of ill-intentioned uses or other deleterious consequences, that led the organization to determine the risk of serious injury to affected individuals;
  • the dates on which notices were transmitted to (1) the CAI and (2) concerned individuals (if the incident poses a risk of serious injury). If applicable, organizations must also specify if any public notices were provided and for what reasons; and,
  • a brief description of the measures taken by the organization following the incident to reduce the risk of injury.[10]

Businesses will have to retain and update this information (as needed) in the registry for a minimum period of five (5) years following the date on which the organization became aware of the incident.[11]

Impact of the Draft Regulation on your Organization

As of September 22, 2022, you should therefore:

  1. Notify the CAI of any confidentiality incidents that could cause serious injury and provide details in your notice of all of the items listed above;
  2. Notify concerned individuals of a confidentiality incident that presents a risk of serious injury by sending them a notice containing all of the information specified above or by way of a public notice, if applicable; and,
  3. Maintain a register of confidentiality incidents that includes all of the details listed above for at least five (5) years following the occurrence of each incident, if applicable.

Please note that the Draft Regulation is a preliminary version of the Regulation that is meant to be adopted 45 days from the date of its publication, i.e. on August 13, 2022. As such, we cannot confirm the final content of the Regulation at this time. We will keep you informed of any developments in this regard. Please contact a member of our Privacy and Data protection team if you have any questions regarding the Draft Regulation or Act 2

[1] Regulation respecting confidentiality incidents (draft), (2022) no 26 G.O. II, 3935, s. 9.
[2] Ibid., s. 3.
[3] Regulation respecting confidentiality incidents (draft), (2022) no 26 G.O. II, 3935, s. 3.
[4] Ibid., s. 4.
[5] Ibid., s. 5.
[6] Ibid.
[7] Ibid., s. 6.
[8] Ibid.
[9] Ibid., s. 7.
[10] Regulation respecting confidentiality incidents (draft), (2022) no 26 G.O. II, 3935, s. 7.
[11] Ibid., s. 8.

by Candice Hévin, Marie-Eve Jean, Alexandrina Boboc (Summer Law Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022
