Quebec has released final regulations for a mandatory confidentiality incident (breach) reporting regime that came into force in late 2022.
The reporting framework has three key requirements. Companies must:
- Report confidentiality incidents carrying a risk of serious injury to the provincial privacy regulator, the Commission d’accès à l’information du Quebec (CAI)
- Notify affected individuals
- Keep registers (records) of confidentiality incidents for 5 years
The regulations list numerous specifics that must be included and steps that must be taken. For example, reports to the CAI must include a description of why the incident carries a risk of serious injury, the number of people affected, and the dates and expected timelines for notifying those affected and for taking mitigating measures, in addition to other requirements.
These regulations are part of significant amendments to modernize Quebec’s privacy regime. Even members without stores in Quebec can still fall under this regime if they collect or process Quebecers’ data, e.g. for e-commerce or as part of a Canada-wide audience. More amendments are coming into force in 2023 and 2024, including new financial penalties.