On January 30, 2026, Quebec’s privacy regulator, the Commission d’accès à l’information (“CAI”), published fresh guidance aimed at strengthening how organizations prevent confidentiality incidents involving personal information.
Confidentiality incidents are one of the most significant privacy risks facing organizations today.
In Quebec, these incidents are governed by several laws, including the Act respecting the protection of personal information in the private sector and the Act respecting access to documents held by public bodies and the protection of personal information, which not only impose obligations on organizations to both prevent and respond to such events, but also provide for fines where organizations’ measures are found to be lacking.
The CAI’s guidance aligns with broader trends in privacy regulation, which increasingly expect organizations to take proactive steps to understand and mitigate privacy risks before an incident occurs. As the regulatory environment evolves under Quebec’s privacy laws, this guidance can help businesses:
- Minimize the likelihood and impact of confidentiality incidents
- Demonstrate due diligence and accountability in privacy practices
- Strengthen trust with customers, employees, and partners
This new release includes two practical tools:
- a step-by-step Guide
- a Checklist designed to help businesses operationalize a proactive approach to the protection of personal information.
The Guide
The Guide outlines a structured approach for organizations. It starts with defining what constitutes a confidentiality incident under Quebec law:
- unauthorized access, use, or communication of personal information;
- sending personal information to an incorrect recipient;
- loss of personal information due to human error or a cyberattack.
The Guide emphasizes that all organizations that collect, use, or hold personal information, whether directly or indirectly (such as through service providers), are at risk and must implement appropriate protection measures.
The CAI’s Guide walks the reader through key prevention measures:
- Understanding organizations’ obligations under Quebec’s privacy framework;
- Identifying and inventorying personal information held by organizations;
- Identifying risks, potential consequences, and appropriate preventive measures;
- Training staff on recognizing potential incidents;
- Integrating privacy awareness into operational and governance processes;
- Evaluating and monitoring the effectiveness of prevention efforts;
- Assessing and updating security and privacy controls regularly.
The Checklist
Complementing the Guide, the Checklist offers actionable items that organizations can use to assess their readiness and preventive posture:
- verify that internal policies and procedures align with legal requirements;
- confirm that roles and responsibilities for privacy protection are assigned;
- evaluate administrative, technical and organizational safeguards;
- ensure monitoring and review processes are in place.
With increasing threats and growing regulatory expectations, the CAI’s new guidance helps translate legal obligations into practical steps businesses can take to reduce risk, protect individuals’ personal information, and show compliance. Organizations should integrate these tools into their privacy and information security programs.