Register of Confidentiality Incidents
Plain English Translation
Under Quebec Law 25, organizations are required to maintain a detailed register of all confidentiality incidents, regardless of their severity. This register serves as an official log of what occurred, the risks assessed, and the mitigation steps taken. The organization must be prepared to provide a copy of this register to the Commission d'accès à l'information (CAI) whenever requested.
Technical Implementation
Required Actions (startup)
- Create a basic unauthorized disclosure log using a secure, access-controlled spreadsheet to track any privacy incidents.
- Ensure the designated privacy officer has exclusive rights to update and review the register.
Required Actions (scaleup)
- Integrate the confidentiality incidents register into the IT service management (ITSM) or ticketing system to track incidents from detection to resolution.
- Standardize the fields captured during an incident to ensure all regulatory requirements are met.
Required Actions (enterprise)
- Implement automated logging for confidentiality incidents with immutable audit trails.
- Develop automated reporting capabilities to immediately generate a compliant copy of the register for CAI requests.
Evidence Required
Under Quebec Law 25, a confidentiality incident is the unauthorized access to, use of, or communication of personal information, as well as its loss or any other breach of its protection.
Organizations must log every incident in the Law 25 register of confidentiality incidents, including minor ones that do not pose a risk of serious injury and do not require external notification.
While the exact content is determined by government regulation, a confidentiality incident register typically includes the date, a description of the incident, the personal information involved, the risk assessment outcome, and the mitigation measures applied.
The law does not mandate specific software or a specific format, but the register template must be structured enough to capture all required regulatory details and must be easily exportable for the CAI. Tools like WatchDog Security's Compliance Center can help standardize the required fields and produce consistent exports for audits or regulator requests.
Quebec Law 25 regulations specify retention periods for the confidentiality incident records, requiring organizations to keep them for at least five years after the date the organization becomes aware of the incident.
You must proactively notify the CAI if the confidentiality incident presents a risk of serious injury to the affected individuals.
An organization must provide a copy of the confidentiality incidents register to the Commission d'accès à l'information (CAI) promptly upon its formal request, which typically occurs during audits or investigations. Tools like WatchDog Security's Secure File Sharing can help package and share the requested copy with access controls and audit logs while limiting distribution to authorized recipients only.
The person in charge of the protection of personal information, commonly the privacy officer, is responsible for overseeing compliance with the Law 25 incident register requirements and for ensuring the register is accurate.
A key distinction under Law 25 between the incident register and a breach notification is that the register is an internal, comprehensive log of all incidents regardless of severity, while a breach notification is a formal report sent to the CAI and to the affected individuals only for high-risk incidents.
The mitigation steps taken should be recorded directly in the confidentiality incidents register, detailing the immediate actions taken to stop the breach and the long-term changes made to prevent recurrence.
A confidentiality incident register needs consistent fields, access controls, and an easy way to export a complete record when regulators request it. Tools like WatchDog Security's Compliance Center can centralize control ownership, track evidence and status over time, and help generate an audit-ready view of the register and related incident-response artifacts.
Because the register can include sensitive details, organizations should restrict who can view and edit entries and preserve a reliable change history for accountability. Tools like WatchDog Security's Secure File Sharing can help enforce encrypted access, strong verification, and detailed audit logs when sharing register extracts internally or preparing a copy for the CAI upon request.
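As an added example, not code from this page or from WatchDog Security's products, the Python below sketches two points made above: the enterprise-tier immutable audit trail, and the rule that every incident is logged while only those presenting a risk of serious injury are notified to the CAI. Entries carry the fields listed on this page and are hash-chained with SHA-256 so that any later edit or deletion is detectable; the field names, the chaining scheme and the two sample incidents are constructed assumptions.

```python
import hashlib
import json

FIELDS = ("date", "description", "personal_info", "serious_injury_risk", "mitigation")  # from this page
GENESIS = "0" * 64  # previous-hash value used by the first entry (assumed convention)

def _digest(entry):
    # Hash everything except the entry's own hash, with a canonical key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(register, **fields):
    """Append one incident; the entry carries the hash of its predecessor, so later
    edits or deletions anywhere in the list break the chain (an immutable trail)."""
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"entry incomplete, missing {missing}")
    entry = {f: fields[f] for f in FIELDS}
    entry["prev_hash"] = register[-1]["hash"] if register else GENESIS
    entry["hash"] = _digest(entry)
    register.append(entry)
    return entry["hash"]

def verify_chain(register):
    """True only if every entry still matches its hash and links to its predecessor."""
    prev = GENESIS
    for e in register:
        if e["prev_hash"] != prev or _digest(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def cai_notifications(register):
    """Every incident is logged; only those with a risk of serious injury go to the CAI."""
    return [e for e in register if e["serious_injury_risk"]]

def sample_register():
    """Two constructed entries (not real incidents), one per risk outcome."""
    reg = []
    add_entry(reg, date="2026-01-12", description="Report emailed to wrong internal recipient",
              personal_info="names, employee IDs", serious_injury_risk=False,
              mitigation="Recall requested; recipient confirmed deletion")
    add_entry(reg, date="2026-02-03", description="Laptop with unencrypted client file lost",
              personal_info="names, addresses, SINs", serious_injury_risk=True,
              mitigation="Remote wipe; disk encryption enforced; CAI and individuals notified")
    return reg
```

A production register would persist the chain in write-once storage and anchor the latest hash outside the system; this sketch only shows the detection logic.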
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |