G-1.03, r. 1 - Regulation respecting the terms and conditions of application of sections 12.2 to 12.4 of the Act respecting the governance and management of the information resources of public bodies and government enterprises
Updated to 29 June 2022
This document has official status.
not in force
GOVERNANCE AND MANAGEMENT — SECTIONS 12.2 TO 12.4
Act respecting the governance and management of the information resources of public bodies and government enterprises (chapter G-1.03, s. 22.1.1).
DIVISION I
INTRODUCTORY
O.C. 1296-2022, Div. I.
1. In this Regulation,
(1) “security event” means any form of breach, present or apprehended, such as a cyber attack or a threat to the confidentiality, integrity or availability of information or an information resource under the responsibility of a public body;
(2) “cybersecurity practitioner” means the government chief information security officer, the deputy chief information security officer or a public body’s personnel member assigned to functions in the field of cybersecurity;
(3) “Act” means the Act respecting the governance and management of the information resources of public bodies and government enterprises (chapter G-1.03);
(4) “Minister” means the Minister of Cybersecurity and Digital Technology;
(5) “administrative unit specialized in information security” means the Centre gouvernemental de cyberdéfense referred to in section 12.5 of the Act or a cyber defence operations center referred to in section 9 of the Directive gouvernementale sur la sécurité de l’information (D. 1514-2021, 2021-12-08).
O.C. 1296-2022, s. 1.
2. This Regulation applies to the public bodies listed in section 2 of the Act.
O.C. 1296-2022, s. 2.
DIVISION II
INFORMATION SECURITY OBLIGATIONS
O.C. 1296-2022, Div. II.
3. A public body must manage effectively the security of information resources and information it holds, in particular by putting in place cybersecurity measures, including cyber defence mechanisms, to ensure the diligent taking charge of security events.
A public body must also follow good practices in information security in order to reduce risks of a breach to an acceptable level.
O.C. 1296-2022, s. 3.
4. A proactive cyber defence team must be established and maintained within an administrative unit specialized in information security. Such a team is charged with testing applicable cybersecurity measures, including cyber defence mechanisms, and seeing to the handling of security events related to cybersecurity.
O.C. 1296-2022, s. 4.
5. The Centre gouvernemental de cyberdéfense referred to in section 12.5 of the Act may provide its services to another administrative unit specialized in information security or a public body to carry out cybersecurity activities, such as penetration tests.
O.C. 1296-2022, s. 5.
6. A public body must, during each security event, assess the risk of such an event by taking into consideration the sensitivity of the information resource or information concerned, the apprehended consequences of its use and the probability that it be used in particular for harmful purposes.
O.C. 1296-2022, s. 6.
DIVISION III
COMMUNICATIONS BETWEEN CYBERSECURITY PRACTITIONERS
O.C. 1296-2022, Div. III.
7. The communications provided for in the third paragraph of section 12.2 and section 12.3 of the Act must be made by any means that provides proper protection. They may be made using automated systems in the form, for example, of bulletins or warnings.
Where a security event is related to cybersecurity, the activities allowing the communications referred to in the first paragraph are carried out by cybersecurity practitioners as part of their respective responsibilities.
For such an event, the communications referred to in the first paragraph must be based on the obligation to take cybersecurity measures to follow good practices generally recognized by international benchmarks, such as ISO standards or the National Institute of Standards and Technology (NIST) benchmark.
O.C. 1296-2022, s. 7.
8. The information that is the subject of the communications referred to in section 7 may include personal information.
Where personal information may be communicated in a form that does not allow the direct identification of the person concerned, it must be communicated in that form.
The second paragraph does not apply where there are grounds to believe that there is urgency to act in a matter of cybersecurity or that there is a risk that irreparable harm may be caused to an information resource or information under the responsibility of a public body. In that case, public bodies share the personal information concerned through their cybersecurity practitioners, by applying measures that ensure the confidentiality of such information.
There is urgency where the impact of a security event must be corrected or risks due in particular to the severity of the apprehended consequences must be reduced. A malicious software, phishing or an information leak may be a cause of the urgency.
O.C. 1296-2022, s. 8.
9. The communications referred to in this Division are for the benefit of the public body responsible for ensuring the security of its information resources and information it holds or for the benefit of the person concerned by the personal information that is the subject of a breach or a risk of a breach.
O.C. 1296-2022, s. 9.
DIVISION IV
COMMUNICATIONS OUTSIDE QUÉBEC
O.C. 1296-2022, Div. IV.
10. An agreement referred to in section 12.4 of the Act, concerning the communication of information outside Québec, must
(1) identify the representatives authorized to make the communications between the parties;
(2) limit access to the information only to authorized representatives, where the information is necessary in the performance of their duties;
(3) include protection and security measures to ensure the protection of the information to be communicated;
(4) provide for obligations related to the preservation and destruction of the information;
(5) provide that the Minister is to be immediately notified of any violation of or attempt to violate any of the obligations set out in the agreement by any person and of any event likely to affect the confidentiality of the information.
O.C. 1296-2022, s. 10.
DIVISION V
MISCELLANEOUS AND FINAL
O.C. 1296-2022, Div. V.
11. Any agreement referred to in section 12.4 of the Act, entered into with any person or body in Canada or abroad before 28 July 2022 and approved by an order in council made under the first paragraph of section 3.8 of the Act respecting the Ministère du Conseil exécutif (chapter M-30), is deemed to fulfil the conditions set out in section 10.
O.C. 1296-2022, s. 11.
12. (Omitted).
O.C. 1296-2022, s. 12.
REFERENCES
O.C. 1296-2022, 2022 G.O. 2, 2529