Quebec: Regulation on breach notification enters into effect

On December 29, 2022, the Regulation respecting confidentiality incidents entered into effect, following public consultation. The regulation outlines breach notification requirements to the Quebec Commission on Access to Information (CAI) and the affected person, in line with the Act to modernize legislative provisions as regards the protection of personal information (Chapter 25). 

Notification to the authority

In regard to the notification to the CAI, the controller must, among other things, provide:

  • the name of the body affected by the breach and any Québec business number;
  • the name and contact information of the contact person;
  • a description of the personal information involved or, where unknown, the reasons why it is impossible to provide such a description;
  • a brief description of the circumstances of the incident and what caused it, if known;
  • the date or time period of the incident, or, if unknown, the approximate time period;
  • the date or time period when the organization became aware of the incident; and
  • the number of persons concerned and the number of those who reside in Québec or, if unknown, the approximate numbers.

Notification to individuals

On the other hand, notifications to individuals must include:

  • a description of the personal information, or, if unknown, the reasons why it is impossible to provide such a description;
  • a brief description of the circumstances of the incident;
  • the date or time period of the incident, or, if unknown, the approximate time period;
  • a brief description of the measures taken or intended to reduce the risks of injury;
  • the measures suggested in order to reduce the risk of injury or mitigate any such injury; and
  • the contact information where the person concerned may obtain more information about the incident.

Registration

Furthermore, the regulation introduces a requirement for the registration of breach notifications, whereby such information will be kept in a register for at least five years after the date or time period when the organization became aware of the incident.

You can read the regulation here.
