Norton Rose Fulbright Canada LLP

02/03/2026 | Press release | Archived content

Preventing confidentiality incidents: New CAI guidance for businesses

The Commission d'accès à l'information (CAI) recently published two practical resources to assist businesses in preventing confidentiality incidents involving personal information: a comprehensive explanatory guide and a corresponding checklist (in French only).

These publications arrive at an opportune time, as organizations continue to face increasing cybersecurity threats and regulatory expectations under Quebec's privacy legislation.

What is a confidentiality incident?

Under Quebec's Act respecting the protection of personal information in the private sector, a confidentiality incident is any incident involving unauthorized access, use, communication, loss, or other breach of personal information. Examples include unauthorized extraction or disclosure of data, misdirected communications, information leaks through workplace errors, and cybersecurity incidents such as phishing or ransomware. The CAI emphasizes that it is highly probable, even certain, that every organization will be affected by a confidentiality incident at some point. It is therefore essential for organizations handling personal information to adopt concrete preventive measures.

Seven-step prevention framework

The CAI proposes a structured seven-step approach to prevent confidentiality incidents or mitigate their consequences.

Step 1 - Know Your Obligations. Organizations must understand and comply with their obligations regarding the protection of personal information, which reduces vulnerability to incidents.

Step 2 - Inventory Personal Information. Organizations should document the personal information held, including its sensitivity, purpose, quantity, distribution, and storage medium. Having an updated inventory enables more targeted protection measures. In carrying out a personal information inventory exercise, the CAI suggests answering six key questions:

  • What? Identify the type of information collected.
  • Why? Specify the reasons why this collection is necessary.
  • Who? Define the categories of individuals authorized to access it.
  • How? Describe the context of use and the medium involved.
  • Where? Indicate the location where the information is stored.
  • When? Determine when the information must be destroyed.

Step 3 - Identify and Assess Risks. Organizations must identify potential threats, analyze their causes, evaluate the likelihood of occurrence, and assess the potential consequences for affected individuals.

Step 4 - Determine Appropriate Measures. Based on the results of the risk assessment, organizations should implement administrative, physical, and technical security measures. On the administrative front, this includes adopting governance policies, staff training, and restricted access rights. On the physical front, this notably includes controlling access to premises and secure storage areas. Finally, on the technical front, using strong passwords, data encryption, and network perimeter defense may also be appropriate measures. Effective protection depends on the coherent integration of these three components.

Step 5 - Deploy Security Measures. Implementation requires a coordinated action plan and clear communication strategy to ensure staff understanding and adherence.

Step 6 - Measure Effectiveness. Businesses should assess the performance of their security measures through tools such as satisfaction surveys, log analysis, and vulnerability testing.

Step 7 - Monitor and Revise. Security measures must be continuously monitored and updated to address emerging risks and organizational changes.

Key takeaways for organizations

The CAI reminds organizations that privacy protection and IT security are complementary but distinct concepts: strong cybersecurity measures alone do not guarantee compliance with privacy principles. In the event of a confidentiality incident presenting a risk of serious injury, organizations are required to notify the CAI and the affected individuals, and to keep a register of the incident.

As the CAI emphasizes, prevention is the best defense. Implementing the recommendations is, however, a complex exercise that requires both legal and technical expertise. Our team regularly assists organizations in developing and implementing privacy and cybersecurity compliance programs tailored to their operational realities. Whether the goal is to conduct an inventory of the personal information in an organization's care, assess various cybersecurity risks, or to strengthen security measures, our team is equipped to provide the necessary support.

Norton Rose Fulbright Canada LLP published this content on February 03, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on February 14, 2026 at 15:49 UTC.