How to Report an Incident to the CAI
Experiencing a privacy incident with serious risk? Here's how to report it to the CAI.
To understand your incident management obligations, see Incident Management — Section 3.5.
Step-by-step process
1. Assess: Is reporting required?
   Risk of identity theft, fraud, or reputational harm? If yes, reporting is mandatory. When in doubt, report anyway.
2. Gather the information
   Date of discovery, type of data, number of affected individuals, actions taken. You'll need this for the form.
3. Complete the CAI form
   Download the "Notice to the Commission" form from cai.gouv.qc.ca. Complete all sections. You don't need to wait until you have every detail.
4. Submit to the CAI
   By email: incidents@cai.gouv.qc.ca. Or via the online portal. Keep proof of submission with date and time.
5. Notify affected individuals
   Required if there's serious risk. Include: what happened, what data was involved, how to protect themselves, who to contact.
6. Record in your register
   Log the incident in your register. Keep records for at least 5 years. Even incidents not reported to the CAI must be recorded.
Tips and warnings
Serious risk = mandatory reporting
- SIN, health data, financial info = high risk
- Hacking, targeted theft = more serious than human error
- Unencrypted data = increased risk
- When in doubt = report
Immediate checklist
- ☐ Incident contained (access revoked, passwords changed)
- ☐ Privacy officer informed
- ☐ Evidence preserved (logs, files)
- ☐ CAI form completed and submitted
- ☐ Affected individuals notified
- ☐ Register updated
Common mistakes
- Waiting to have all the details. Report with what you know. Complete later.
- Forgetting to notify individuals. The CAI notice alone isn't enough.
- Not recording in the register. Even minor incidents must be logged.
Frequently asked questions
What's the deadline to report?
"With diligence" according to the law. Aim for 72 hours. The longer you wait, the greater the risk of penalties.
Where do I find the form?
On cai.gouv.qc.ca, under the "Privacy Incidents" section. Look for "Notice to the Commission."
Do all incidents need to be reported?
No. Only those with risk of serious harm. But record all incidents in your register.
I discovered an old incident. What should I do?
Report it anyway. Explain why you just discovered it.
Where can I find the complete requirements?
See our incident management guide for the legal text and detailed requirements.
Related tool
Privacy incident register template.