This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Bill 64 and its sweeping amendments to Quebec's Act Respecting the Protection of Personal Information in the Private Sector (the "Quebec Act"). To view other blog posts in the series, please visit this page.

As addressed in our previous article, the Act to Modernize Legislative Provisions respecting the Protection of Personal Information ("Bill 64")1 will introduce significant amendments to the Quebec Act, including mandatory breach notification and record-keeping requirements following a confidentiality incident, that come into effect on September 22, 2022.2 Specifically, Bill 64 requires businesses to notify Quebec's privacy regulator, the Commission d'accès à l'information ("CAI"), as well as the affected individuals, whenever such businesses experience a "confidentiality incident" that poses a "risk of serious injury" to an individual.3 In addition, Bill 64 requires businesses to keep a register of all confidentiality incidents in the manner prescribed by regulation, whether or not they pose a risk of serious injury.4

On June 29th, 2022, the draft Regulation respecting confidentiality incidents (the "Draft Bill 64 Regulation")5 was published in the Gazette officielle du Québec. The Draft Bill 64 Regulation provides businesses with details related to the content of the new notification and record-keeping requirements. In this blog, we describe the content of these new notification and record-keeping obligations, comparing and contrasting them with analogous requirements under federal and Alberta law.

Existing Requirements under PIPEDA and Alberta PIPA

Similar to the above-mentioned provisions of Bill 64, the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and Alberta's Personal Information Protection Act ("Alberta PIPA")6 require businesses to report any "breach of security safeguards" to the federal or Alberta commissioner, as applicable, and to notify affected individuals, when there is a "real risk of significant harm".7 The content requirements for breach notification and record-keeping under PIPEDA and Alberta PIPA are set out in the Breach of Security Safeguards Regulations ("PIPEDA Regulation")8 and the Personal Information Protection Act Regulation ("Alberta PIPA Regulation"),9 respectively.

As discussed in our previous blog, Bill 64's definition of "confidentiality incident" could extend to activities beyond the existing "breach of security safeguards" under PIPEDA or Alberta PIPA. Moreover, the "risk of serious injury" notification standard introduced by Bill 64 differs from PIPEDA and Alberta PIPA's established "real risk of significant harm" standard. Businesses should thus be mindful that this wording could be interpreted in a manner that is more stringent than the PIPEDA and Alberta PIPA standard.

Notice to the regulatory authority

Some of the required information that businesses would need to provide to the CAI under the Draft Bill 64 Regulation mirrors obligations found in the PIPEDA Regulation and the Alberta PIPA Regulation. These include:10

  • the date or time period when the incident occurred or, if unknown, the approximate time period;
  • a description of the personal information affected by the incident;
  • a description of the circumstances and, if known, the cause of the incident;
  • the number of individuals affected, including the number of affected Quebec residents;
  • the steps taken to reduce the risk of injury;
  • the business' contact information; and
  • a description of the elements that led the business to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use, and the likelihood that such information will be used for injurious purposes (a less detailed version of this obligation is found in the Alberta PIPA Regulation only).

The Draft Bill 64 Regulation would also require that businesses provide certain information to the CAI that, while not formally required under the PIPEDA Regulation or the Alberta PIPA Regulation, is found in the breach reporting forms recommended by the regulatory authorities. This information includes:11

  • the date or time period when the business became aware of the incident;
  • the date when affected individuals were notified, or the expected time limit for the notification;
  • the name of the company;
  • the measures aimed at preventing future incidents of the same nature; and
  • if applicable, an indication that a privacy commissioner outside of Quebec has been notified of the incident.

Finally, the Draft Bill 64 Regulation would introduce certain disclosure requirements not found under either the PIPEDA Regulation or the Alberta PIPA Regulation. The notice to the CAI must include an explanation if it is impossible to provide a description of the personal information involved.12 In addition, the Draft Bill 64 Regulation would oblige businesses to keep the CAI updated with any additional or new information obtained after the initial report.13 By contrast, the PIPEDA Regulation merely permits, rather than requires, the submission of new information related to the breach after the report has been made.14 No equivalent provision is found in the Alberta PIPA Regulation.

Notice to the persons concerned

As with the notice to the CAI, the obligations regarding notification to affected individuals are very similar to those under the PIPEDA and Alberta PIPA regimes. The Draft Bill 64 Regulation would require that the notification sent by businesses to individuals affected by a confidentiality incident (where such incident involves a "risk of serious injury") include the date or time period when the incident occurred or, if unknown, the approximate time period; a description of the personal information affected by the confidentiality incident; the steps taken to reduce the risk of injury; and the business's contact information.15 Similar requirements are found in the PIPEDA Regulation and the Alberta PIPA Regulation. In addition, the Draft Bill 64 Regulation would require that the notice include a description of the steps that can be taken by the individual to reduce the risk of injury or to mitigate the injury resulting from the incident.16 A similar obligation is found under the PIPEDA Regulation.17 Finally, all three regimes require that direct notification of the persons concerned be the primary method of notification, subject to certain exceptions.

The only unique Quebec element with respect to notifying affected individuals is the requirement to include an explanation of why it is impossible, if applicable, to furnish a description of the personal information involved in the confidentiality incident.18 The same unique Quebec requirement is found in the provisions for notification to the CAI.

Record-keeping requirements

The Draft Bill 64 Regulation would require that businesses keep a register recording all confidentiality incidents for at least five years,19 and the register would have to include, at a minimum, the following information:

  • the date or time period when the incident occurred or, if unknown, the approximate time period;
  • a description of the personal information affected by the incident;
  • a description of the circumstances and, if known, the cause of the incident;
  • the number of individuals affected; and
  • the steps taken to reduce the risk of injury.20

Moreover, the information in the register must be kept up to date.

By contrast, the PIPEDA Regulation requires records to be kept for 24 months and does not prescribe specific content for the record, nor does it require the record to be updated.21 Meanwhile, the Alberta PIPA Regulation does not contain any record-keeping obligation.

Conclusion

The Draft Bill 64 Regulation has added significant detail as to what the mandatory reporting and record-keeping requirements under the Quebec Act could look like in practice. The majority of the requirements found in the Draft Bill 64 Regulation are similar to those existing under the PIPEDA and Alberta PIPA regimes, either directly in their respective regulations or as a matter of recommended practice based on the standard breach reporting forms provided under those regimes. Businesses with a presence in Quebec can thus already draw from their practices under the federal and Albertan regimes to achieve partial compliance, but will also have to take into account the requirements that are unique to Quebec. Time is of the essence regarding these obligations, as the amendments that give effect to them come into force on September 22, 2022.

Stay tuned for further McCarthy Tétrault publications on the subject.

To learn about how the Cyber/Data Group can assist you in navigating the privacy and data landscape and prepare you for developments in cybersecurity, please contact national co-leaders Charles Morgan and Daniel Glover for more information.

Footnotes

1. Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c P-39.1.

2. Bill 64 defines "confidentiality incident" as any access, use, or communication of personal information not authorized by law, as well as any loss or other breach of the protection of such information (s. 3.6).

3. Bill 64, s. 3.5.

4. Bill 64 s. 3.8.

5. Draft of Regulation Respecting Confidentiality Incidents.

6. Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 2(1); Personal Information Protection Act, SA 2003, c P-6.5, s. 34.1.

7. PIPEDA, s. 10.1.

8. Breach of Security Safeguards Regulations, SOR/2018-64.

9. Personal Information Protection Act Regulation, Alta Reg 366/2003.

10. Bill 64 Regulation, s. 3.

11. Bill 64 Regulation, s. 3.

12. Bill 64 Regulation, s. 3.

13. Bill 64 Regulation, s. 4.

14. PIPEDA Regulation, s. 2(2).

15. Bill 64 Regulation, s. 5.

16. Bill 64 Regulation, s. 5(5).

17. PIPEDA Regulation, s. 3(e).

18. Bill 64 Regulation, s. 3.

19. Bill 64 Regulation, s. 8.

20. Bill 64 Regulation, s. 7.

21. PIPEDA Regulation, s. 6(1) and (2).


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.