Incident Notification
Plain English Translation
Under Quebec Law 25, organizations must promptly submit a breach notification to the Commission d’accès à l’information (CAI) and notify affected individuals if a confidentiality incident presents a risk of serious injury. The determination of this risk must involve the privacy officer and consider the sensitivity of the data and potential consequences. While high-risk incidents require immediate notification, all confidentiality incidents must be logged in an internal incident register regardless of severity.
Technical Implementation
Required Actions (startup)
- Document a basic incident response plan that includes triggers for notifying the CAI and affected individuals.
- Maintain a simple spreadsheet to act as a confidentiality incident register.
Required Actions (scaleup)
- Create formalized breach notification templates for different data types.
- Designate the privacy officer to lead the assessment of the risk of serious injury.
- Test breach notification procedures during annual tabletop exercises.
Required Actions (enterprise)
- Implement automated incident tracking workflows that guide responders through the risk assessment criteria.
- Integrate customer contact databases to automate the distribution of individual breach notices.
- Establish secure, out-of-band communication channels for coordinating with the CAI and external legal counsel during a crisis.
Under Law 25, a confidentiality incident is the unauthorized access, use, or communication of personal information, as well as the loss of personal information or any other breach of its protection.
Notification to the CAI is required promptly if a confidentiality incident presents a risk of serious injury to the individuals whose personal information is concerned. Tools like WatchDog Security's Compliance Center can help teams track notification triggers, attach decision evidence, and maintain an auditable timeline of actions taken.
Assessing the risk of serious injury requires considering the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that such information will be used for injurious purposes, in consultation with the privacy officer.
A government regulation determines the specific content and terms of the notices, generally requiring a description of the breach, the personal information involved, the measures taken to contain it, and the risk assessment findings.
The law states that organizations must promptly notify the CAI and affected individuals when a risk of serious injury is identified, meaning organizations must act without undue delay. Tools like WatchDog Security's Compliance Center can help standardize notification workflows, capture approvals, and preserve timestamps that support a defensible “without undue delay” narrative.
If the incident does not present a risk of serious injury, proactive notification to the CAI and individuals is not legally mandated by section 3.5, though the incident must still be recorded internally.
Organizations must keep a detailed register of all confidentiality incidents, regardless of whether they present a risk of serious injury, and must provide a copy of this register to the Commission upon request. Tools like WatchDog Security's Risk Register can help maintain structured incident records with ownership, status, and linked remediation evidence for easier retrieval and reporting.
While the primary requirement is direct notification to affected individuals, the law allows the government to determine the terms of notices by regulation, which may permit public notices if direct notification is impossible or poses undue hardship.
Organizations must take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature, such as patching vulnerabilities or securing exposed data.
Both Law 25 and PIPEDA require reporting breaches that pose a real risk of significant harm or serious injury, prompt notification to authorities and individuals, and the maintenance of an incident register for all breaches regardless of the harm threshold.
Quebec Law 25 requires prompt decisions, consistent notices, and auditable records when an incident risks serious injury. Tools like WatchDog Security's Compliance Center can centralize the control requirements, collect and link supporting evidence (e.g., notification drafts, approvals, timestamps), and highlight gaps so teams can demonstrate timely, repeatable execution during reviews.
A confidentiality incident register needs consistent fields, ownership, and easy retrieval when regulators request it. Tools like WatchDog Security's Risk Register can structure incidents and outcomes (including risk-of-serious-injury determinations), tie them to remediation actions, and maintain an audit trail that supports internal governance and external requests.
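The actions listed under Technical Implementation (an incident register that logs every incident, a privacy-officer-led assessment of the three statutory factors, and a workflow that derives the CAI and individual notification triggers) can be modelled in a small register. This is an added illustration, not WatchDog Security's code or a tool of the Compliance Center; the scoring rule that turns the three factor ratings into a risk-of-serious-injury determination is an assumed organisational policy, not a threshold set by Law 25.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional
import json

HIGH, MEDIUM, LOW = 3, 2, 1  # rating scale for each statutory factor

@dataclass
class Incident:
    incident_id: str
    description: str
    data_categories: list                   # e.g. ["email", "health record"]
    containment_measures: list = field(default_factory=list)
    logged_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())
    assessment: Optional[dict] = None       # filled in by IncidentRegister.assess()

class IncidentRegister:
    def __init__(self):
        self.entries = {}

    def record(self, incident):
        # Every confidentiality incident is entered, whatever its severity.
        self.entries[incident.incident_id] = incident
        return incident

    def assess(self, incident_id, sensitivity, consequences, likelihood, privacy_officer):
        # The determination must involve the privacy officer, so refuse to proceed without one.
        if not privacy_officer:
            raise ValueError("risk determination requires privacy officer consultation")
        inc = self.entries[incident_id]
        factors = (sensitivity, consequences, likelihood)
        # Assumed organisational policy (not a legal threshold): any HIGH factor,
        # or all three factors at MEDIUM or above, is treated as a risk of serious injury.
        serious = HIGH in factors or all(f >= MEDIUM for f in factors)
        inc.assessment = {
            "sensitivity": sensitivity, "consequences": consequences,
            "likelihood_of_misuse": likelihood, "privacy_officer": privacy_officer,
            "risk_of_serious_injury": serious,
            "notify_cai": serious, "notify_individuals": serious,  # both triggered together
            "assessed_at": datetime.now(timezone.utc).isoformat(),
        }
        return inc.assessment

    def export(self):
        # Full copy of the register, as the Commission may request one.
        return json.dumps([asdict(i) for i in self.entries.values()], indent=2)
```

A low-rated incident stays in the register with no notification flags set, while a high-rated one sets both flags; the exported JSON is the copy handed over on request.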
"If the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the Commission d’accès à l’information established by section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1). He must also notify any person whose personal information is concerned by the incident, failing which the Commission may order him to do so."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |