Law 25 Guide

Confidentiality incident notification

Step-by-step procedure for a confidentiality incident — risk-of-serious-harm assessment, notification to the CAI and affected individuals, incident register, timelines and responsibilities.

Updated April 20, 2026 | 7 min read | Written by Pascal Dupuis
Tags: incident, breach, s. 3.5-3.8, CAI, PPIPSA

Since September 22, 2022, every Quebec enterprise must notify confidentiality incidents to the Commission d'accès à l'information (CAI) and to the affected persons when the incident presents a risk of serious harm. Failing to notify is itself a violation of the Act, regardless of the underlying incident.

This chapter walks through the procedure step by step, with the timelines and the tooling to have ready before an incident happens.

What is a confidentiality incident?

Section 3.6 of the PPIPSA defines a confidentiality incident as:

access not authorized by law to personal information, use not authorized by law of such information, communication not authorized by law of such information or loss of personal information or any other breach of the protection of such information.

Concrete examples we see regularly:

  • Stolen laptop with unencrypted client files.
  • Lost USB stick with HR exports.
  • Email sent to the wrong person carrying an attachment with personal information.
  • Unauthorized access to a Microsoft 365 mailbox after password compromise.
  • Ransomware that exfiltrated data before encrypting it.
  • Mis-shared SharePoint files (public link instead of private).
  • Employee browsing files they are not entitled to see (out of curiosity or on behalf of a third party).

An incident exists even when the information has not been used — the mere fact that it was exposed is enough to trigger the obligations.

The "risk of serious harm" test

Section 3.5 requires notification only when the incident presents a risk of serious harm. A documented assessment must therefore be performed immediately upon discovery.

The three factors to evaluate (s. 3.7):

  1. Sensitivity of the information — health, financial, biometric or identity information (SIN, driver's licence) carries a higher risk than a simple business email address.
  2. Anticipated consequences — identity theft, financial fraud, psychological harm, reputational damage, loss of employment, discrimination.
  3. Likelihood of malicious use — accidental incident (email misrouted to a trusted colleague who is contacted and asked to delete it) vs. malicious incident (theft, ransomware, publication online).

The test is cumulative and qualitative: a single very high factor can be enough. There is no numeric threshold.

Example assessment

An encrypted laptop disappears from a vehicle. Encryption is valid, no password written on the device, police report filed.

  • Sensitivity: high (HR data for 120 employees).
  • Consequences: possible identity theft.
  • Likelihood: low (encryption intact — the CAI recognizes adequate encryption as a determining mitigator).

Conclusion: the incident is logged in the register but does not trigger notification. Had encryption been absent or weak, the conclusion would have been the opposite.

Notifying the CAI

When the assessment concludes that there is a risk of serious harm, the enterprise must notify the CAI as soon as possible (the Act sets no fixed number of hours, but the CAI expects notification in the order of a few days, not weeks).

Notification is made via the CAI online form and must contain:

  1. Description of the incident (date, location, nature, number of persons affected).
  2. Circumstances (how, why, who discovered it).
  3. Date or period the incident occurred.
  4. Description of the information involved.
  5. Measures taken or contemplated to mitigate harm.
  6. Measures to prevent recurrence.
  7. Contact details for a person the CAI can reach.

Important: a preliminary notification can be sent with the information available, then supplemented as the investigation progresses. Do not wait for full information before notifying.

Notifying affected persons

Each person whose information is affected must be notified, subject to exceptions (e.g. where it would compromise an ongoing criminal investigation, s. 3.5 in fine).

The notice must contain:

  • The date or period of the incident.
  • The information affected.
  • The mitigation measures taken.
  • The measures the individual can take themselves (change their password, monitor their credit, etc.).
  • The name and contact details of a person at your enterprise they can reach for more information.

The channel must fit the situation: email if known, postal mail for older files, public notice (website + press release) when volume is too large or contact details are unknown.

The incident register (s. 3.8)

The enterprise must keep a register of all confidentiality incidents, including those that do not trigger notification. This register must be made available to the CAI on request.

Minimum fields to record for each incident:

Field                                   Example
--------------------------------------  ----------------------------------------------------------
Date and time of discovery              2026-04-20 08:14
Date and time of incident (if known)    2026-04-18 between 10 pm and 11 pm
Description                             Theft of bag containing work laptop
Categories of information               Credentials + HR files
Number of persons affected              ~120
Sensitivity level                       High
Risk-of-serious-harm assessment         Low (AES-256 encryption active, password not written down)
CAI notification                        No
Persons notification                    No
Measures taken                          Police report, access revocation, Entra ID audit
Preventive measures                     Refresher training, encryption verified across fleet
File owner                              Pascal Dupuis (privacy officer)

The register can live in a secured Excel sheet, a dedicated GRC tool or a HaloPSA / ServiceNow module — what matters is accessibility, traceability and immutability of historical entries.
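As an added illustration (not part of the guide or of Hilo's tooling), the snippet below shows one way to get the traceability and immutability the paragraph asks for: an append-only register carrying the minimum fields from the table, where each record is chained to the previous one by a SHA-256 hash so that any later edit or deletion of a historical entry is detected. Field names and sample values are constructed for the example.

```python
# Added example, not from the guide: an append-only incident register holding
# the minimum fields above. Each record stores the SHA-256 of the previous one,
# so altering or dropping a historical entry breaks the chain (verify_register).
import hashlib
import json

REQUIRED_FIELDS = (
    "discovered_at", "occurred_at", "description", "info_categories",
    "persons_affected", "sensitivity", "serious_harm_assessment", "cai_notified",
    "persons_notified", "measures_taken", "preventive_measures", "file_owner",
)
GENESIS = "0" * 64  # prev_hash used for the first record

def _digest(entry: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes the same.
    payload = json.dumps(entry, sort_keys=True, ensure_ascii=False) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_entry(register: list, entry: dict) -> dict:
    """Check the minimum fields, chain to the previous record and append."""
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"missing register fields: {missing}")
    prev_hash = register[-1]["hash"] if register else GENESIS
    record = {"seq": len(register) + 1, "entry": dict(entry), "prev_hash": prev_hash}
    record["hash"] = _digest(record["entry"], prev_hash)
    register.append(record)
    return record

def verify_register(register: list) -> bool:
    """Recompute the chain; False if any record was edited, removed or reordered."""
    prev_hash = GENESIS
    for i, record in enumerate(register, start=1):
        if record["seq"] != i or record["prev_hash"] != prev_hash:
            return False
        if _digest(record["entry"], prev_hash) != record["hash"]:
            return False
        prev_hash = record["hash"]
    return True

# Constructed sample values mirroring the worked example (stolen encrypted laptop).
LAPTOP_THEFT = {
    "discovered_at": "2026-04-20 08:14", "occurred_at": "2026-04-18 22:00-23:00",
    "description": "Theft of bag containing work laptop",
    "info_categories": ["credentials", "HR files"], "persons_affected": 120,
    "sensitivity": "high", "cai_notified": False, "persons_notified": False,
    "serious_harm_assessment": "low: AES-256 encryption active, password not written down",
    "measures_taken": ["police report", "access revocation", "Entra ID audit"],
    "preventive_measures": ["refresher training", "fleet encryption verified"],
    "file_owner": "privacy officer",
}
```

In practice the chain head (the latest hash) is what you copy somewhere the register's editors cannot reach, such as a periodic export to a separate system; the chain alone only proves consistency of what is stored, not who stored it.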

The procedure to have ready (before the incident)

Worst-case scenario: an incident happens Friday at 5 pm and nobody knows what to do. A written, tested, known procedure is the difference between an hour of clean management and three days of panic.

Template procedure (adapt to your reality)

Hour 0 — Detection: who reports? To whom? Through what channel (dedicated phone line, dedicated address, EDR alert)?

Hour 0 to +2 h — Containment:

  • Isolate the affected endpoint / account / network.
  • Immediately rotate passwords for at-risk accounts.
  • Preserve traces (Entra ID, NinjaOne, Defender, Bitdefender logs).

Hour +2 h to +24 h — Assessment:

  • Who: privacy officer + IT (internal or Hilo Tech) + leadership + lawyer.
  • What: which information, how many people, what sensitivity, what likelihood of use.
  • Document: risk-of-serious-harm assessment sheet.

Hour +24 h to +72 h — Decisions:

  • Notify the CAI? (online form)
  • Notify affected persons? (channel, wording)
  • Police? (physical theft, ransomware, threat)
  • Cyber insurance?

Day +3 to +30 — Execution and follow-up:

  • Send notifications.
  • Corrective measures (technical + organizational).
  • Register entry.
  • Post-mortem with the team.

Our role on the IT side

At Hilo Tech, we contribute to preparation (writing the IT playbook, configuring detection tools, running simulation drills) and to execution (containment, log preservation, restoration, post-incident audit). The decision to notify and the wording of the official notices are made by the client and their lawyer — we provide the technical facts that support the decision.

Quick checklist

  • We have a written procedure for confidentiality incidents.
  • The procedure includes 24/7 contact details for the privacy officer and the IT provider.
  • We maintain an incident register, available to the CAI on request.
  • Our laptops, phones and USB sticks are encrypted.
  • Microsoft 365 / Entra ID / EDR logs are retained at least 6 months.
  • We have a template notice to affected persons, validated by our lawyer.
  • Our team knows who to call first at the first sign of suspicion.

Common mistakes

  • "We'll wait until we understand before notifying the CAI." — The Act requires notification as soon as possible. A preliminary notification, even incomplete, is expected.
  • "It's not a big deal, it was just an email misrouted to a colleague." — Still an incident that must be logged in the register. The risk assessment may conclude no notification is required, but the analysis must exist.
  • "We don't have a written procedure, we'll figure it out when it happens." — When it happens, it's Friday evening. A prepared procedure is the most cost-effective investment.
  • Not documenting encryption. — If an encrypted laptop is stolen, you must be able to prove encryption was active (BitLocker + Intune policy). Without proof, the CAI may treat the incident as if no encryption existed.

  • Which version of the affected-person notice template fits our sector?
  • In what circumstances can we delay notification to avoid compromising a police investigation?
  • Must we also notify other authorities (federal PIPEDA, U.S. authorities if non-Quebec customers are affected)?
  • What is our exposure to the civil remedy under s. 93.1 ($1,000 minimum punitive damages) in case of a leak?