Privacy Incidents: What Are Your Obligations?
Art. 3.5, 3.6, 3.7, 3.8, LPRPSP
What the law requires
Quebec's Act respecting the protection of personal information in the private sector imposes strict obligations when a privacy incident occurs. In 2023-2024, the Commission d'accès à l'information (CAI) received 444 incident declarations — a 559% increase since mandatory reporting came into effect in September 2022.
Obligation 1 — Incident Registry (Art. 3.8): You must keep a registry of all confidentiality incidents, whether or not they present a risk of serious injury. Under the Regulation respecting confidentiality incidents, each entry must be retained for at least 5 years after the date you became aware of the incident, and a copy of the registry must be sent to the CAI on request.
Obligation 2 — Risk Assessment (Art. 3.7): For each incident, you must assess whether it presents a risk of serious injury to the persons concerned, considering in particular the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes. The law also requires you to consult your person in charge of the protection of personal information when making this assessment.
Obligation 3 — CAI Notification (Art. 3.5): If the incident presents a risk of serious injury, you must notify the CAI "promptly" (avec diligence in the French text). The notice is submitted through the form on the CAI website, and its required content is set by regulation.
Obligation 4 — Individual Notification (Art. 3.5): Persons whose personal information is concerned by an incident presenting a risk of serious injury must also be notified, so they can take steps to protect themselves. The only exception is where notifying them could hamper an investigation by a body responsible by law for preventing, detecting or repressing crime or statutory offences. If you fail to notify them, the CAI may order you to do so.
Legal reference
Any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
If the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the Commission d'accès à l'information established by section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1). He must also notify any person whose personal information is concerned by the incident, failing which the Commission may order him to do so. He may also notify any person or body that could reduce the risk, by communicating to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the communication of the information.
Despite the second paragraph, a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.
A government regulation may determine the content and terms of the notices provided for in this section.
— Art. 3.5, Act respecting the protection of personal information in the private sector
What you must do
A privacy incident can occur in many ways: cyberattack (25% of cases according to the CAI), ransomware (16%), accidental disclosure (10%), equipment theft, or employee error. Here's how to respond:
- Contain the incident immediately. Revoke compromised access, reset affected credentials, isolate affected systems. Every minute counts to limit damage, but preserve logs, mailbox copies and disk images before wiping or rebuilding anything: you will need them to document the incident and to assess the risk.
- Document what happened. When was the incident discovered? What information is affected? How many individuals are concerned? How did the incident occur?
- Assess the risk of serious injury, together with your person in charge of the protection of personal information. Ask yourself: Is the information sensitive (SIN, banking data, health)? Could it be used for fraud or identity theft? How many people are affected? Was the information actually accessed or copied, or only exposed?
- Record the incident in your registry. Even if the risk isn't serious, the incident must be documented, including the outcome of your assessment and the reasons for it. The registry has been mandatory since September 2022.
- If serious risk: notify the CAI. Use the CAI's online form. Provide a description of the incident, the types of information involved, the number of affected individuals, the date you became aware of the incident, and the measures taken to reduce the risk. Send the CAI any further information that comes to light after the initial notice.
- If serious risk: notify affected individuals. The notice must enable individuals to take protective measures. Include: what happened, what information is affected, what they can do (monitor accounts, etc.), and who to contact for more information. Send it directly to each person; a public notice is only for the cases the regulation allows.
Example: Email to wrong recipient. An employee accidentally sends a client list with phone numbers to a vendor. The company asks the vendor to delete the email without forwarding it and obtains written confirmation, records the incident in the registry, assesses that the risk isn't serious (names and phone numbers only, trusted vendor who deleted the email), and doesn't notify the CAI. The registry entry still records the assessment and its reasons, since the CAI can ask for a copy at any time.
Example: Ransomware. An accounting firm is hit by ransomware. Data from 200 clients is potentially compromised, including SINs and financial data. The firm isolates the affected systems while preserving logs and backups, records the incident in the registry, assesses the risk as serious together with its privacy officer, notifies the CAI within 48 hours through the online form, and notifies all affected clients by email and phone with concrete steps (monitor bank accounts and credit reports, watch for phishing that uses the stolen details). As the investigation clarifies which data was actually exfiltrated, the firm sends the CAI the updated information.
Common mistakes
- Not having a registry. The registry has been mandatory since September 2022. Its absence is a violation of the law, even if no incident has occurred.
- Minimizing incidents. An email sent to the wrong recipient is an incident. An employee accessing a file without authorization is an incident. All must be documented.
- Delayed response. The CAI must be notified promptly ("avec diligence"). Waiting weeks to assess the risk is not acceptable. The law sets no deadline in hours, so treat 72 hours from discovery as a working maximum, and notify on the basis of what you know rather than waiting for the investigation to finish.
- Not notifying affected individuals. If the risk is serious, individuals have the right to know so they can protect themselves. Failing to notify them is a separate violation.
- Equating incidents with cyberattacks. An incident isn't necessarily a cyberattack. Losing a USB drive with client files is an incident. Sending a statement to the wrong client is an incident.
- Not training employees. Your employees must know how to recognize an incident and who to report it to. Without clear procedures, incidents go unnoticed.
Frequently asked questions
What is a privacy incident under Loi 25?
Under Loi 25 (Art. 3.6 of the private sector Act), a confidentiality incident is any access to, use of, or communication of personal information not authorized by law, as well as the loss of personal information or any other breach of its protection. Examples include: email sent to the wrong recipient, stolen laptop, cyberattack, employee accessing files without authorization.
How quickly must I notify the CAI?
You must notify the Commission d'accès à l'information (CAI) promptly ("avec diligence" in the French text) if the incident presents a risk of serious injury. The law doesn't fix a timeframe in hours, so notify as soon as your assessment concludes the risk is serious, ideally within 72 hours of discovery, and send the CAI any further information that comes to light afterward.
How do I know if an incident presents a serious risk?
Assess the sensitivity of the information (health data, financial data and identifiers such as the SIN are highly sensitive), the likelihood of malicious use (was the information merely exposed, or actually accessed or copied by someone with a reason to misuse it?), and the potential consequences for individuals (fraud, identity theft, discrimination, physical danger). An email containing SINs sent to an unknown recipient = serious risk. A first name sent in error = generally not serious. Consult your person in charge of the protection of personal information and record the reasoning in the registry.
Must I keep a registry even for minor incidents?
Yes. All incidents must be recorded in the registry, whether or not they present a risk of serious injury, along with the outcome of your assessment. The regulation requires each entry to be kept for at least 5 years after the date you became aware of the incident.
What are the penalties for not reporting an incident?
For legal persons, administrative monetary penalties imposed by the CAI can reach $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Penal fines (these are statutory offences prosecuted in court, not criminal convictions) can reach $25 million or 4% of worldwide turnover, whichever is greater, and are doubled for a subsequent offence. For natural persons, penal fines range from $5,000 to $100,000, and administrative penalties can reach $50,000.
Is an email sent to the wrong recipient an incident?
Yes, it's a confidentiality incident (communication not authorized by law). Take reasonable measures immediately (recall the message if your mail system allows it, ask the recipient to confirm deletion without forwarding), record it in your registry and assess whether it presents a risk of serious injury. If the email contained sensitive information, you'll likely need to notify the CAI and the affected individuals.
Must I notify affected individuals even if I don't know who they are?
The regulation requires the notice to be sent directly to each person concerned, but allows a public notice (for example, a notice on your website or a press release) when you do not have their contact information, when direct notice would cause undue hardship to your enterprise, or when direct notice could increase the injury to the person. Use means likely to reach the persons concerned.
How long must I keep the incident registry?
The regulation requires each entry to be kept for at least 5 years after the date you became aware of the incident. The CAI may request a copy of the registry at any time, not only during an investigation or audit.
Next step
Incident management is part of a broader compliance program. Make sure you've also designated a person responsible for the protection of personal information (RPRP) and implemented appropriate security measures.
Useful resources: