
Québec Releases Draft Regulation On Mandatory Breach Reporting – Privacy Protection


Introduction

On June 29, 2022, the Québec government published a draft regulation
(the Regulation) on the process for reporting privacy breaches under
the province's new private-sector privacy law. The Regulation
describes what information must be sent to the Commission
d'accès à l'information (the CAI) and to affected
individuals when a breach meets the threshold for mandatory
reporting, as well as the minimum retention period for records of
all confidentiality incidents, whether or not they were reportable.

What you need to know

  • If the Regulation is approved, Québec will have two
    requirements that differ from the federal regime:

    • Provide the CAI with a summary of the factors that establish a
      real risk of serious injury (the threshold for mandatory
      reporting). The Québec proposal aligns with the current
      Alberta requirements.

    • Retain records of confidentiality incidents for five years,
      which exceeds the federal two-year requirement.


  • The requirement to describe the factors that support the
    mandatory reporting threshold may create tensions with maintaining
    privilege over legal advice.

  • The Regulation may come into force as early as September 2022,
    so businesses should be updating their internal procedures now to
    ensure compliance.

Overview of the measures proposed

Comparison with federal regulation

Although the proposed Québec regulation is similar to the
breach reporting requirements under the federal PIPEDA regulations,
some aspects of it are more onerous. The table below compares the
two regimes requirement by requirement:

Requirement: Contents of regulatory report

  Proposed Québec Regulation:

    • a brief description of the circumstances of the breach;

    • the date or time period when the incident occurred or, if that
      is not known, the approximate time period;

    • a description of the personal information affected by the
      incident or, if that information is not known, the reasons why
      it is impossible to provide such a description;

    • the number of individuals affected by the breach or, if
      unknown, the approximate number, and the number among them who
      reside in Québec;

    • the measures taken or planned to remediate the incident;

    • the measures taken or planned to notify affected
      individuals;

    • details for the organization's contact person;

    • the date or time period in which the organization became aware
      of the incident;

    • a description of the elements that led the organization to
      conclude that there is a real risk of serious injury, such as
      the sensitivity of the information, possible misuses of such
      information, the anticipated consequences of misuse, and the
      likelihood that such information will be used for harm;

    • whether other privacy regulators have been notified of the
      incident.

  Federal Regulation:

    • a description of the circumstances of the breach;

    • the day on which, or the period during which, the breach
      occurred or, if neither is known, the approximate period;

    • a description of the personal information affected to the
      extent known;

    • the number of individuals affected or, if unknown, the
      approximate number;

    • a description of the steps that the organization has taken to
      reduce the risk of harm to affected individuals or to mitigate
      that harm;

    • a description of the steps that the organization has taken or
      intends to take to notify affected individuals of the breach;

    • details for the organization's contact person.

Requirement: Contents of individual notification

  Proposed Québec Regulation:

    • a brief description of the circumstances of the incident;

    • the date or time period (or approximation) when the incident
      occurred;

    • a description of the personal information affected or, if that
      information is not known, the reasons why it is impossible to
      provide such a description;

    • a brief description of the measures taken to reduce the risk of
      harm;

    • suggested measures that the individual can take to reduce the
      risk of harm or mitigate any such injury; and

    • contact information should the individual require more
      information.

  Federal Regulation:

    • a description of the circumstances of the breach;

    • the day on which, or period during which, the breach occurred
      (or approximation);

    • a description of the personal information affected to the
      extent known;

    • a description of the steps that the organization has taken to
      reduce the risk of harm;

    • suggested measures that the individual can take to reduce the
      risk of harm or mitigate any such injury; and

    • contact information should the individual require more
      information.

Requirement: Record retention

  Proposed Québec Regulation: 5 years after the date the
  organization became aware of the incident.

  Federal Regulation: 24 months (2 years) after the day on which the
  organization determines that the breach has occurred.

Privilege and transactional considerations

Notably, the draft Regulation would require organizations to
describe the elements that led them to conclude that the "risk of
serious injury" threshold for mandatory reporting was met.
This is similar to the Alberta regime, but is not a federal
requirement. It may pose strategic challenges for organizations
that wish to err on the side of caution by reporting incidents that
do not clearly meet the threshold, while minimizing litigation and
reputational risk: the report must explain why the threshold was
met, and that explanation is itself a statement about the severity
of the incident. Businesses will need to carefully craft their
breach reports to meet this requirement without waiving privilege
over the legal advice that informed the reporting assessment, and
without creating admissions that may be used against them in
litigation relating to the incident.

Similarly, businesses should consider privilege when creating
internal records of confidentiality incidents, and should keep legal
advice in a separate file from the factual summaries contained in
their breach records. Companies engaged in transactions should
expect to be asked to produce their breach records in the course of
due diligence, which underscores the need to ensure those records
do not contain privileged legal and risk assessments.

Preparation

The Québec government proposed that the regulation will
take effect on September 22, 2022 for the private sector.
Organizations should review their breach response policies,
regulatory report, individual notification and breach record
templates, breach record retention periods, and privilege protocols
to ensure they align with the Québec requirements.
