Québec's privacy legislation is the Act to modernize legislative provisions respecting the protection of personal information ("Québec Act")
What is a privacy breach?
A confidentiality incident is an unauthorized access, use or communication of personal information, loss of personal information, or other breach in the protection of such information.
Who needs to notify whom?
The principal organization having control of the personal information must notify the affected individuals and the relevant privacy regulators.
Commission d'accès à l'information du Québec (the "CAI")
When is notification mandatory?
When a confidentiality incident presents a risk of serious injury. Whether a particular incident presents a "risk of serious injury" depends on the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes.