February 3, 2026

The Commission d’accès à l’information publishes tools for businesses on how to respond to confidentiality incidents

In January 2026, the Commission d’accès à l’information du Québec (CAI), Québec’s regulatory authority responsible for the protection of personal information, published two new tools to assist businesses in preventing, managing and responding to confidentiality incidents. These tools include an explanatory guide and a checklist for businesses.

Although these tools are intended to support businesses in responding to confidentiality incidents, accompanying advice provided by CAI confirms regulatory expectations regarding preventive measures that businesses must implement.

Explanatory guide for businesses

In its explanatory guide¹, CAI reminds businesses that:

  • they have an obligation to implement adequate security measures to protect personal information;
  • these obligations apply to data controllers and processors; and
  • the definition of a confidentiality incident is broad and includes situations such as information disclosed when sent to the wrong recipient, internal and external “gossip” by employees and unauthorized use.

The guide also provides businesses with a seven-step strategy for assessing the measures necessary to protect personal information and IT security. These steps include compiling a detailed inventory of the personal information held, along with a list of questions to help structure the inventory. The inventory should include a description of the type of personal information, the “scope” of the information involved, the nature of the information (i.e., degree of sensitivity), the reasons for its collection and use, the categories and number of people likely to have access to it (internally and externally), how access to the information is granted, and the period and manner of retaining and destroying the information.

CAI also suggests multiple administrative, operational, physical and technical measures for protecting information. Among these measures, CAI recommends that organizations create an “information security and personal information protection committee” composed of individuals who play a strategic role within the organization and report to senior management. CAI specifies that there must be periodic reporting to senior management. These recommendations may suggest CAI’s expectation of active involvement by senior management in cybersecurity and data protection issues.

Checklist for companies

CAI also provides a seven-step checklist which goes into greater depth on ways in which corporations can limit the risk of confidentiality breaches. The list, which can be found on CAI’s website, will serve as a practical roadmap for corporate programs.

Practical considerations for businesses

To ensure that their practices comply with CAI’s expectations, companies should consider the following measures:

  • Clearly document the delegation of responsibility for cybersecurity and privacy, and how the committee or line of business in charge reports to senior management and the board of directors.
  • Document personal information inventories. Companies may also consider linking existing privacy impact assessment processes to an inventory update process when new tools, systems and types of data are added to company records.
  • Review the company’s data classification system to assess whether it considers the different levels of sensitivity of the personal information held.


© 2026 by Torys LLP.
