The province of Québec has undergone a flood of legislative changes when it comes to privacy and cybersecurity over the last three years:

• In June 2021, when the Government of Quebec enhanced the cybersecurity and data management obligations of public bodies through the adoption of Bill 95 An Act respecting the governance and management of the information resources of public bodies and government enterprises (LGGRI).
• In September 2021, Québec's Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. This bill amended the following acts:
  •  the Act respecting the protection of personal information in the private sector (Private Sector Act);
  • the Act respecting Access to documents held by public bodies and the Protection of personal information (Public Sector Act); and
  • the Act to establish a legal framework for information technology (IT Act); and
• In December 2021, Quebec became the first government in Canada to establish a ministry entirely dedicated to cybersecurity and digital issues by adopting Bill 6 An Act to enact the Act respecting the Ministère de la Cybersécurité et du Numérique and to amend other provisions.

Since the most important changes in cybersecurity for private organizations are found in the Private Sector Act, the following text provides an overview of this revised legislation, focusing on key new obligations in cybersecurity and confidentiality incident management. It concludes by offering insights into anticipating future changes in this field.

The Private Sector Act

The implementation of the new requirements under the Private Sector Act is being carried out over three years, starting from September 22, 2022. While most of the changes, including the introduction of new enforcement measures, will take effect in September 2023, one provision related to data portability will only become effective in September 2024. The requirements outlined below involve the security and safeguarding of personal information and have been generally enforceable since September 22, 2022. As a result, organizations in Quebec should prioritize compliance with these obligations.

Identify the responsible party for data protection

According to Section 3.1 of the Private Sector Act, as of September 22, 2022, all organizations are required to appoint an individual in charge of the protection of personal information. Failure to appoint such an individual will lead to the highest-ranking person within the organization automatically assuming the role by default.

As of September 22, 2023, organizations will also be required to establish and implement governance policies and practices that safeguard personal information, as stated in Section 3.2 of the Private Sector Act. These new policies and practices must encompass various aspects, including defining the roles and responsibilities of the organization's personnel throughout the life cycle, establishing frameworks for information storage and destruction, and aligning with the nature and scope of the organization's activities. These policies and practices must be approved by the person responsible for the protection of personal information.

These new requirements will undoubtedly introduce new responsibilities for compliance and cybersecurity teams and will require significant coordination efforts. Additionally, organizations must take detailed information about those policies and practices readily available. This can be achieved by publishing them on the organization's website or, by using any other appropriate means if a website is not available. In order to ensure compliance, organizations should review the disclosures published on their website, including, for example, their external privacy policy.

It is important to note that the original requirement outlined in Section 10 of the Private Sector Act, which mandates the implementation of appropriate security measures to safeguard personal information based on factors such as its sensitivity, intended use, quantity, distribution, and storage medium, remains unchanged. However, starting from September 22, 2023, the person responsible for protecting personal information within an organization has the authority to propose "measures to protect the personal information" during any phase of a project that necessitates conducting a privacy impact assessment, as per Section 3.4 of the Private Sector Act. This implies that the person in this role should collaborate closely with the IT, cybersecurity, and project implementation teams to review the security measures being implemented.

Prepare a confidentiality incident response plan

Since September 2022, organizations in Quebec must comply with a mandatory confidentiality incident reporting regime for incidents that pose a risk of significant harm. According to the new Section 3.6 of the Private Sector Act, a "confidentiality incident" is defined as any unauthorized access, use, communication, loss, or violation of the protection of personal information. This definition includes the additional element of "unauthorized use", which is a specific and unique inclusion in Quebec's privacy laws, not explicitly mentioned in the equivalent definitions of confidentiality incidents in other Canadian privacy laws. Consequently,  any breach, violation, or incident involving personal information will fall within the scope of Section 3.6 and will trigger the implementation of the following crucial steps.

Assess the risk of significant harm

All confidentiality incidents must undergo a thorough assessment process to determine whether they pose a "risk of significant harm" that warrants notification to the Quebec privacy regulator, the Commission d'accès à l'information (CAI), as well as the affected individuals. The new Section 3.7 of the Private Sector Act outlines the following factors to consider when assessing the level of harm risk:

• sensitivity of the information involved: information such as health and financial data is generally considered to be highly sensitive;
• anticipated consequences of its use: the potential impact that the use of information may have on the affected individuals; and
• likelihood of injurious purposes: the probability that the information will be used to conduct criminal activities, such as identity theft of the affected individuals.

Notify the CAI when required

If an organization determines that an incident presents a risk of significant harm, it is required to promptly notify the CAI, as per Section 3.5 of the Private Sector Act. Under the Regulation respecting confidentiality incidents (the Regulation), the following information, amongst others, must be reported to the CAI when the organization becomes aware of a confidentiality incident that presents a risk of significant harm:

• name of the affected organization and  the contact information of the organization's representative responsible for the incident;
• description of the personal information involved in the incident;
• date or time period when the incident occurred or, if unknown, the approximate time period; and
• number of individuals affected by the incident and the number of those individuals residing in Québec.

Notify impacted individual(s) when required

If an organization determines that the incident poses a risk of significant harm, it is required to notify not only the CAI but also any individual who may be affected by the risk of significant harm resulting from the incident. Failure to do so may result in the CAI issuing an order for the organization to carry out the notification, as stated in Section 3.5 of the Private Sector Act. However, it is important to note that organizations should not notify individuals if such notification could impede an investigation being conducted by a legally designated person or body responsible for preventing, detecting, or prosecuting crimes or statutory offenses. This provision is applicable, for instance, in cases where law enforcement authorities have been involved, are actively investigating a confidentiality incident that includes evidence of ransomware, and have specifically instructed the organization not to notify individuals.

As specified in the Regulation, a notification to individuals must include, amongst other details, the following:

• description of the personal information involved in the incident or, an explanation if it is not possible to provide such description;
• brief description of the circumstances of the incident;
• date or time period when the incident occurred or, an approximation if the exact timeframe is unknown; and
• concise overview of the measures that the organization has taken or plans to take after the incident to mitigate the risks of harm.

Notify third parties when needed

According to the new Section 3.5 of the Private Sector Act, an organization may also, at its own discretion, notify any individual or organization that can potentially reduce the risk of harm, even without the consent of the individuals affected. However, the notification should only include the personal information necessary to do so. In such cases, the person responsible for the protection of personal information within the organization must maintain a record of the disclosure. Third parties that may be contacted under this provision include credit card operators, banks, and credit bureaus, as they are likely to be involved in addressing and preventing financial harm following resulting from incidents such as identity fraud facilitated by a confidentiality breach.

Update your register of confidentiality incidents

As per the new Section 3.8 of the Private Sector Act, organizations must keep a register of all confidentiality incidents, including those that did not meet the threshold for reporting a risk of significant harm. Organizations need to keep this register updated for a minimum of five years from the time they became aware of each incident. Furthermore, if requested by the CAI, organizations must provide them with a copy of the register. This implies that organizations bear responsibility for managing all types of incidents, regardless of whether they meet the threshold for reporting a risk of significant harm, and must ensure that they are appropriately documented and addressed in accordance with legal obligations. Moreover, if recurring incidents indicate the presence of a systemic security issue, the organization should take proactive measures to address it, regardless of whether the incidents were reported to the CAI or affected individuals.

As outlined in the Regulation, the register of confidentiality incidents must include, among other details, the following information:

• description of the personal information involved in the incident or an explanation if it is not possible to provide such a description;
• brief description of the circumstances surrounding the incident;
• date or time period when the incident occurred or an approximation if the exact timeframe is unknown; and
• number of individuals affected by the incident and the number of those individuals who reside in Québec, or an approximation if the exact numbers are unknown.

For more information on the Private Sector Act's new requirements, consult BLG's comprehensive compliance guide.

Upcoming changes

Quebec

Quebec is set to revamp its management and record-keeping system for health-related personal information following the introduction of Bill 3, An Act respecting health and social services information and amending various legislative provisions, in December 2022. The Bill is aimed at establishing a dedicated legal framework for the handling of health and social services information, applicable to all entities that possess such data. It is important to note that the Bill includes provisions governing the collection of health and social services information, as well as specific circumstances in which such information can be used without the consent of the individuals involved. These changes have the potential to impact individuals and organizations engaged in research or collaboration in Quebec.

Canada

On the federal level, there are upcoming changes regarding cybersecurity obligations for businesses under federal jurisdiction. These changes are being introduced through Bill C-26, An Act respecting cyber security, amending the Telecommunications Act, and making consequential amendments to other Acts. Currently, Bill C-26 is at the second reading stage in the House of Commons.

Additionally, a comprehensive federal legislative update is also expected in the areas of privacy and artificial intelligence front. Bill C-27, the Digital Charter Implementation Act, 2022, is currently at the second reading stage in the House of Commons. This bill introduces the Consumer Privacy Protection Act (CPPA), which aims to bring significant changes to Canada's existing federal privacy legislation, the Protection and Electronic Documents Act (PIPEDA). Bill C-27 also introduces the Artificial Intelligence Data Act (AIDA), which represents Canada's first attempt at regulating AI.

These federal initiatives demonstrate the government's commitment to enhancing cybersecurity measures and addressing privacy concerns in the context of evolving technology, providing a framework for businesses to navigate and comply with the changing landscape.

Catherine Labasi-Sammartino Associate
[email protected]
Anthony Hémond Counsel
[email protected]
Borden Ladner Gervais LLP, Quebec