Two distinct obligations not to confuse
Law 25 creates two obligations related to privacy incidents, but they do not apply under the same circumstances. Confusing them is one of the most common compliance errors.
The first obligation is to log: every incident must be recorded in a registry, without exception.
The second obligation is to notify: the Commission d'accès à l'information (CAI) and affected individuals must be informed, but only when the incident presents a risk of serious harm.
These two obligations apply independently of each other. An incident without a risk of serious harm must still be logged.
What is a privacy incident?
The law defines a privacy incident as any unauthorized access to, use of, or communication of personal information, as well as any loss of personal information or any other breach of its protection.
In practical terms, this includes:
- an email sent by mistake to the wrong person
- a lost laptop containing unencrypted data
- a successful phishing attempt giving access to personal data
- access to a file by an employee who was not authorized
- physical documents disposed of without shredding
If you are uncertain whether an event constitutes an incident, the precautionary principle applies: log it, then assess.
Assessing the risk of serious harm
Not all incidents carry the same level of risk for affected individuals. The law only requires notification when there is a risk of serious harm. The assessment must consider several factors:
The sensitivity of the information: financial, medical, biometric, or private-life information presents higher risk than general professional information.
The extent of the disclosure: how many people potentially had access to the information? Was it an accidental single-recipient email or a leak to a malicious actor?
The circumstances of the incident: accidental access with no evidence of data use differs from a targeted intrusion aimed at exploiting the data.
The possible consequences: could the information lead to fraud, harassment, discrimination, or other harm to the individual?
This assessment must be documented, even if the conclusion is that there is no risk of serious harm. The reasoning matters as much as the decision.
The 72-hour notification obligation
When the assessment concludes there is a risk of serious harm, the CAI must be notified with due diligence. The law specifies a reasonable timeframe given the circumstances, and the CAI's guidelines reference 72 hours as a benchmark.
The notification to the CAI must include:
- the nature of the incident
- the information involved (categories and approximate number of individuals)
- the circumstances of the incident
- the measures taken or planned to address the situation
Affected individuals must also be notified within a timeframe that allows them to take protective measures.
What the registry must contain
Even for incidents without a mandatory notification, the registry must contain enough information to demonstrate that the organization handled the incident rigorously. The essential elements:
- the date of the incident and the date it was discovered
- the nature of the incident (unauthorized access, loss, erroneous communication, etc.)
- the information involved and the categories of affected individuals
- the known circumstances
- the risk of serious harm assessment, with the rationale
- the measures taken to contain the incident and prevent recurrence
- if applicable, the details of notification to the CAI and affected individuals
Common mistakes
Only logging notifiable incidents: this is the most common confusion. The registry must contain all incidents, including those assessed as not presenting a risk of serious harm.
Not documenting the rationale: recording only "no serious risk" without explaining why creates a problem in the event of an investigation. The registry must show that you actually assessed the situation.
Underestimating the scope of the incident: in the initial moments, information is often incomplete. It is better to log the incident and reassess as you learn more than to wait until you have the full picture.
Treating the registry as a formality: a well-maintained registry is a risk management tool. It helps identify patterns (recurring incident type, same system involved), improve processes, and train staff accordingly.
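As an added illustration of the registry elements and the common mistakes above (example code, not part of the original page or of any product it mentions), the following hypothetical registry entry schema and a check that flags a missing rationale and, only for incidents assessed as presenting a risk of serious harm, missing or overdue notifications against the 72-hour benchmark. The schema, field names and the two sample incidents are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CAI_BENCHMARK = timedelta(hours=72)  # benchmark referenced by the CAI's guidelines

@dataclass
class IncidentEntry:
    """One registry entry; fields follow the elements listed above (hypothetical schema)."""
    incident_date: datetime
    discovered_at: datetime
    nature: str              # unauthorized access, loss, erroneous communication, ...
    information_involved: str
    affected_categories: str
    circumstances: str
    serious_harm: bool       # conclusion of the risk of serious harm assessment
    rationale: str           # why the assessment reached that conclusion
    measures: str            # containment and prevention of recurrence
    cai_notified_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None

def check_entry(entry: IncidentEntry, now: datetime) -> list[str]:
    """Return the documentation gaps in an entry; an empty list means nothing is missing."""
    gaps = []
    for name in ("nature", "information_involved", "affected_categories", "circumstances", "measures"):
        if not getattr(entry, name).strip():
            gaps.append(f"missing {name}")
    if not entry.rationale.strip():  # a bare "no serious risk" is not an assessment
        gaps.append("risk assessment recorded without a rationale")
    if entry.serious_harm:  # notification duties exist only in this branch
        if entry.cai_notified_at is None:
            overdue = now > entry.discovered_at + CAI_BENCHMARK
            gaps.append("CAI notification overdue" if overdue else "CAI notification pending")
        if entry.individuals_notified_at is None:
            gaps.append("affected individuals not notified")
    return gaps

def demo() -> dict[str, list[str]]:
    """Two constructed incidents: a misdirected email and a successful phishing attempt."""
    t0 = datetime(2024, 3, 1, 9, 0)
    email = IncidentEntry(t0, t0, "erroneous communication", "one client's invoice",
                          "clients", "sent to a similarly named contact, recalled",
                          serious_harm=False, rationale="", measures="recipient confirmed deletion")
    phishing = IncidentEntry(t0, t0 + timedelta(hours=6), "unauthorized access",
                             "payroll records incl. bank details", "employees",
                             "credentials captured by phishing, mailbox accessed",
                             serious_harm=True, rationale="financial data, risk of fraud",
                             measures="password reset, MFA enforced")
    return {"email": check_entry(email, now=t0 + timedelta(hours=1)),
            "phishing": check_entry(phishing, now=t0 + timedelta(days=5))}
```

The misdirected email is logged even though it is not notifiable, and is flagged only for its empty rationale; the phishing entry is flagged because the CAI benchmark has passed without notification.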
A registry, not a list
The difference between a useful registry and an empty list comes down to documentation quality. Each entry should tell the story of what happened, how the organization responded, and what was done to prevent recurrence.
Observantia includes an incident management module that guides the risk assessment, tracks notification deadlines, and generates registry entries in the format expected by the CAI.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.