Handling a Privacy Incident Under Law 25: A Step-by-Step Guide

Elite Consultation·2026-06-08
Tags: Law 25, incidents, privacy officer, procedures

Privacy incidents do not happen only at large organizations. A fax sent to the wrong number, a customer file forwarded by mistake, a phishing email that succeeds in compromising an account: these situations are common at every Quebec SME. Under Law 25, what separates an adequate response from a violation is the rigor of the process after the incident is discovered.

Section 3.5 of the Act respecting the protection of personal information in the private sector (Law 25) requires a specific process the moment an incident is identified. That process includes documentation, risk assessment, possible notification to the Commission d'accès à l'information (CAI) and to affected individuals, and updating the incident register.

This guide walks through the seven-step sequence of a privacy incident, the timelines that apply at each step, and the most common mistakes.

What Counts as an Incident Under Law 25

Law 25 defines a privacy incident as:

  • Unauthorized access to personal information
  • Unauthorized use of personal information
  • Unauthorized communication of personal information
  • Loss of personal information
  • Any other breach of the protection of personal information

This definition is broad. It covers external attacks (ransomware, successful phishing) as well as internal errors (sending to the wrong recipient, lost device, misconfigured file sharing).

Every incident must be documented in the register, even when it does not trigger a notification obligation. This documentation demonstrates the organization's diligence.

The Seven-Step Sequence

Step 1: Detection and Initial Documentation (T+0)

As soon as an incident is identified, the person who discovers it should be able to report it immediately to a single point of contact in the organization. For an SME, that point of contact is generally the privacy officer or a designated member of management.

At this step, the work involves:

  • Capturing the exact time and date of discovery
  • Identifying who discovered the incident and how
  • Describing what was observed in factual terms
  • Preserving the evidence (emails, files, access logs)

A one-page internal form is enough. This initial entry does not need to be complete. It needs to happen quickly.

Step 2: Containment (First Hours)

Before analysis, you contain. The goal is to keep the incident from getting worse while you assess it. Actions vary by incident type:

  • Compromised account: change the password, revoke active sessions, enable or strengthen multi-factor authentication
  • Misconfigured file share: revoke access, delete public links
  • Email sent to the wrong recipient: try recall (Outlook, Gmail Workspace), request deletion from the recipient
  • Lost device: trigger remote wipe if available

Each containment action should be documented with its execution time.

Step 3: Investigation and Assessment (24 to 48 Hours)

The investigation answers a specific set of questions:

  • What personal information is involved (categories and volumes)?
  • How many people are affected?
  • How sensitive is the information (financial, health, government identifiers, basic contact information)?
  • How did the incident occur?
  • Was the information accessed, copied, or exfiltrated?
  • Is there a risk of misuse of the information?

For complex incidents (ransomware, intrusion), bringing in an outside cybersecurity expert is generally recommended. The cost is much lower than a poorly calibrated notification.

Step 4: Risk of Serious Injury Assessment

This is the step that determines what comes next. Law 25 uses the test of "risk that serious injury could be caused" to the affected person. To assess that risk, consider:

  • The sensitivity of the information (a medical file does not weigh the same as a business email address)
  • The expected consequences (identity theft, financial fraud, reputational harm, discrimination)
  • The likelihood that the information will be used to cause harm
  • Whether the information was recovered or destroyed before use

The assessment should be documented in writing. It is the basis for the decision to notify or not. When in doubt, the cautious approach is to notify.

Step 5: Notification to the CAI (If Applicable)

When you conclude there is a risk of serious injury, you must notify the CAI without delay. Law 25 does not impose a specific deadline (unlike GDPR's 72 hours), but uses the phrase "with diligence."

In practice, the CAI expects to receive notification within a few days of the incident's discovery. Any delay beyond a week needs to be justifiable.

Notification happens through the CAI's online form. It includes:

  • A description of the incident
  • The personal information concerned (categories and volumes)
  • The number of people affected
  • The measures taken to reduce the risks
  • The privacy officer's contact information

If some elements are not yet known at the time of the initial notification, you can complete them later.

Step 6: Notification to Affected Individuals (If Applicable)

When the risk of serious injury is confirmed, the affected individuals must also be informed. This notification must be sent to them individually, except in exceptional circumstances.

The notification to individuals generally includes:

  • The nature of the incident
  • The personal information involved
  • The possible consequences
  • The measures taken by the organization
  • The measures the person can take to protect themselves
  • The privacy officer's contact information

The tone should be direct, factual, and useful. A vague or defensive notification often produces more complaints than a clear and complete one.

Step 7: Documentation and Closure in the Register

The incident must be recorded in the incident register, which must be kept for at least five years after it occurred. For each incident, the register should contain:

  • The date and description of the incident
  • The information involved
  • The number of people affected
  • The conclusions of the risk assessment
  • The notifications carried out (CAI, affected individuals) or the justification for not notifying
  • The corrective measures applied
  • The lessons learned to prevent recurrence

An internal post-mortem after each serious incident adds value. Organizations that do this significantly reduce their recurrence rate.
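The seven steps above amount to a record with required fields and a few timing rules. As an added example (not Observantia's code and not part of the original guide), the following Python module keeps one register entry with the Step 7 fields, the timed containment actions from Step 2 and the written risk assessment from Step 4, then lists what the entry still lacks before it can be closed. The field names, the constructed sample incident and the seven-day threshold (taken from the guide's remark that a delay beyond a week needs to be justifiable) are assumptions for illustration.

```python
"""Minimal Law 25 incident register: added example, not Observantia's code.

Field names, the 7-day justification threshold and the sample incident are
constructed for illustration; the retention period (5 years) and the required
register contents follow the guide.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

RETENTION_YEARS = 5   # register kept at least five years after the incident
DILIGENCE_DAYS = 7    # assumed threshold: later CAI notification needs a written reason


@dataclass
class TimedAction:
    at: datetime            # Step 2: every containment action carries its execution time
    description: str


@dataclass
class IncidentRecord:
    incident_id: str
    discovered_at: datetime                      # Step 1: exact time of discovery
    discovered_by: str
    description: str                             # factual description of what was observed
    information_involved: list[str]              # categories of personal information
    people_affected: int
    containment: list[TimedAction] = field(default_factory=list)   # Step 2
    risk_assessment: str = ""                    # Step 4: written reasoning
    serious_injury_risk: Optional[bool] = None   # Step 4: decision
    cai_notified_at: Optional[datetime] = None   # Step 5
    individuals_notified_at: Optional[datetime] = None   # Step 6
    delay_justification: str = ""                # why notification took longer than a week
    no_notification_reason: str = ""             # justification when not notifying
    corrective_measures: list[str] = field(default_factory=list)   # Step 7
    lessons_learned: str = ""                    # Step 7

    def retention_until(self) -> datetime:
        """Earliest date the entry may be discarded: five years after the incident."""
        d = self.discovered_at
        try:
            return d.replace(year=d.year + RETENTION_YEARS)
        except ValueError:            # discovery on 29 February
            return d.replace(year=d.year + RETENTION_YEARS, day=28)


def notification_delay_days(rec: IncidentRecord) -> Optional[int]:
    """Whole days between discovery and CAI notification, or None if not notified."""
    if rec.cai_notified_at is None:
        return None
    return (rec.cai_notified_at - rec.discovered_at).days


def register_gaps(rec: IncidentRecord) -> list[str]:
    """What the register entry still lacks before it can be closed."""
    gaps: list[str] = []
    if not rec.containment:
        gaps.append("no containment action documented with its execution time")
    if not rec.risk_assessment.strip():
        gaps.append("risk assessment not documented in writing")
    if rec.serious_injury_risk is None:
        gaps.append("risk of serious injury not decided")
    elif rec.serious_injury_risk:
        if rec.cai_notified_at is None:
            gaps.append("CAI not yet notified")
        else:
            delay = notification_delay_days(rec)
            if delay > DILIGENCE_DAYS and not rec.delay_justification.strip():
                gaps.append(f"CAI notified after {delay} days without justification")
        if rec.individuals_notified_at is None:
            gaps.append("affected individuals not yet notified")
    elif not rec.no_notification_reason.strip():
        gaps.append("decision not to notify has no written justification")
    if not rec.corrective_measures:
        gaps.append("no corrective measure recorded")
    if not rec.lessons_learned.strip():
        gaps.append("lessons learned not recorded")
    return gaps


def sample_incident() -> IncidentRecord:
    """Constructed sample: a customer invoice e-mailed to the wrong recipient."""
    t0 = datetime(2026, 3, 2, 9, 15)
    return IncidentRecord(
        incident_id="INC-2026-004",
        discovered_at=t0,
        discovered_by="accounts receivable clerk, via the recipient's reply",
        description="invoice with client name, address and bank details sent to wrong address",
        information_involved=["contact details", "bank account number"],
        people_affected=1,
        containment=[
            TimedAction(t0.replace(minute=40), "recall attempted in Outlook"),
            TimedAction(t0.replace(hour=10, minute=5), "recipient asked in writing to delete"),
        ],
        risk_assessment="bank details exposed to an unknown third party; misuse plausible",
        serious_injury_risk=True,
        cai_notified_at=datetime(2026, 3, 12, 16, 0),   # ten days later, not justified
        individuals_notified_at=datetime(2026, 3, 4, 11, 0),
        corrective_measures=["external-recipient warning enabled in the mail client"],
    )


if __name__ == "__main__":
    rec = sample_incident()
    print("delay to CAI:", notification_delay_days(rec), "days")
    print("keep until:", rec.retention_until().date())
    for gap in register_gaps(rec):
        print("GAP:", gap)
```

Run as a script, it reports the two open items on the sample entry: the unjustified ten-day delay before the CAI was notified, and the missing lessons learned. The gap list is deliberately a closure check, not a risk score: the decision in Step 4 stays a written judgment entered by the privacy officer, and the code only refuses to treat the entry as complete while that judgment, its justification or the notifications it implies are absent.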

Timelines: What Law 25 Actually Requires

Unlike the European GDPR, Law 25 does not impose a specific deadline for notifying an incident. The phrase used is "with diligence." The CAI has clarified in public communications that this diligence is measured in days, not weeks.

For simple incidents (such as an email sent to the wrong recipient), 24 to 48 hours are generally enough to assess and notify. For complex incidents (ransomware), several days may be needed for a faithful picture of the scope. Documenting every hour of delay remains essential.

Common Mistakes

  • Waiting for all the answers before notifying. A partial initial notification, followed by updates, is generally preferable to a late but complete one.
  • Underestimating the scope. First assessments often report fewer records or fewer affected people than the reality. Reassessment is almost always needed after 72 hours.
  • Skipping containment. Documenting without containing lets the incident grow and increases the final scope.
  • Notifying only the easy-to-reach people. All affected people must be notified, including those whose contact information is hard to find.
  • Forgetting the register for "small" incidents. Every incident must be logged, including those that do not trigger notification.

How Observantia Supports This Work

Observantia centralizes the incident register, guides the privacy officer through the seven steps with structured forms, and keeps the documentation for the five years required. The dashboard provides a clear view of open and closed incidents, and flags the notifications still to complete. Start your 14-day free trial.

This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.

Ready to simplify your compliance?

Try Observantia free for 14 days.