This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 7 Β· OPERATIONAL PRIORITY

Confidentiality Incident Management

Mandatory since September 2022. Every incident must be logged in the register β€” even minor ones. Notifying the CAI is only required when there is a risk of serious harm.

7.1 Β· Legal definition

What is a confidentiality incident?

Defined in section 3.6 of the law as: any unauthorized access, use or disclosure of personal information, the loss of personal information, or any other breach of its protection.

Concrete examples:

  • An email containing personal data sent to the wrong recipient
  • Theft or loss of a laptop containing records (encrypted or not)
  • A ransomware attack encrypting servers containing customer data
  • A misconfigured database exposed publicly on the internet
  • An employee accessing records without a legitimate reason
  • A confidential document thrown out without shredding
Precautionary principle: when in doubt about whether an event constitutes an incident, log it, then assess it. It's better to over-report than under-report.
7.2 Β· Two distinct obligations

Register (always) vs. Notification (if serious harm)

Obligation 1 β€” ALWAYS
Log it in the register

Every incident β€” even minor, even with no risk of harm β€” must be entered in the register.

Obligation 2 β€” IF SERIOUS HARM
Notify the CAI + the individuals

Only when the incident presents a risk of serious harm to the individuals concerned.

7.3 Β· Assessment

Assessing the risk of serious harm β€” 4 factors

To determine whether there is a risk of serious harm, assess:

  1. The sensitivity of the information involved
  2. The possible malicious uses of that information
  3. The anticipated consequences of its use (identity theft, fraud, reputational harm, bodily harm)
  4. The likelihood that it will be used for harmful purposes
Examples of serious harm: identity theft, financial fraud, reputational harm, humiliation, bodily harm. If you're uncertain β€” notify.
7.4 Β· Deadlines

72 hours to notify the CAI

When the assessment concludes there is a risk of serious harm:

  • Notify the CAI with diligence β€” reference point: 72 hours, per the CAI's guidelines
  • Notify the individuals concerned within a timeframe that allows them to protect themselves (change a password, monitor their credit)
7.5 Β· Full process

6 steps of incident response

  1. Detect and contain: isolate the system, limit the spread. The whole IT team on alert.
  2. Log it in the register as soon as it's discovered β€” even before knowing if it's serious.
  3. Assess the risk of serious harm with the Privacy Officer (the 4 factors above).
  4. Notify the CAI and the individuals concerned if the threshold is met β€” aim for 72 hours.
  5. Remediate: fix the root cause, strengthen controls, apply patches.
  6. Document the closure and lessons learned β€” update your incident response plan.
7.6 Β· The register

Mandatory contents of the incident register

For each incident, the register must contain:

  • A description of the information affected (or reasons if it cannot be specified)
  • A brief description of the circumstances
  • The date or period of the incident and the date of discovery
  • The approximate number of individuals concerned
  • A description of the factors leading to the conclusion on serious harm
  • The dates notices were sent to the CAI and the individuals (if applicable)
  • A description of the measures taken to reduce the risks
Minimum retention: 5 years. The register may be requested by the CAI during an inspection or investigation. See the register template (chapter 13).

βœ“ Incidents checklist

  • ☐ Is an incident register in place and up to date since Sept. 2022?
  • ☐ Do we have a written incident response plan with clear roles?
  • ☐ Do we know how and when to notify the CAI (official form available on cai.gouv.qc.ca)?
  • ☐ Do staff know how to recognize an incident and who to report it to?
  • ☐ Has the register been kept since at least Sept. 2022 and accessible for 5 years?