Québec — municipal breach notification
Law 25 (Loi 25) substantially strengthened privacy obligations for public bodies and private organizations in Québec, including municipalities.
Notify promptly: Law 25 requires notification of confidentiality incidents that pose a risk of serious injury.
- Designate a Privacy Officer (Responsable de la protection des renseignements personnels).
- Maintain a register of confidentiality incidents — CAI may request it.
What this means for a Québec municipality
Canadian municipalities sit under a provincial public-sector privacy framework — for Québec, that means the Commission d'accès à l'information (CAI) is your primary regulator. The trigger for notification is generally a real risk of significant harm to affected residents, evaluated on probability of misuse, sensitivity of the data, and the population reached.
Most small and mid-sized Québec municipalities also have to weigh federal coordination through the Canadian Centre for Cyber Security, vendor obligations under PIPEDA, and — for any cross-border data — US state breach statutes that apply by residency of the affected individual, not by the location of the municipality. The HackFirstAid triage walks through those layers in plain language and produces a printable summary you can hand to your CAO and council.
If you're reading this during a live incident, open the free triage first; if you're reading it on a quiet Tuesday, run it as a tabletop with your clerk, IT lead, and one council member. Most Québec municipalities run it once before they need it, then once for real, six months later.
Tax, permits, utility billing, and court scheduling encrypted on the same morning.
Fraudulent wire instructions on a vendor payment or payroll change.
Vital records, property assessments, or business licenses exposed or altered.