63.8. A public body that has cause to believe that a confidentiality incident involving personal information it holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
If the incident presents a risk of serious injury, the public body must promptly notify the Commission. It must also notify any person whose personal information is concerned by the incident, failing which the Commission may order it to do so. It may also notify any person or body that could reduce the risk, by releasing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the release of the information.
Despite the second paragraph, a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.
A government regulation may determine the content and terms of the notices provided for in this section.
2021, c. 25, s. 151.