The Information Access Commission (CAI) has finally settled in: it now publishes the list of organizations that have made declarations of confidentiality incidents four times a year, on its website.
Since last September, the Privacy Act obliges Quebec organizations to report all confidentiality incidents that have affected them to the Commission. But the organization changed its tune twice on whether to make public the list of those who made such communications.
Following requests for access to information or to its media service, the Commission has sent us five times lists of organizations that have made statements. Then in April, we suffered a first refusal.
“Experience shows that disclosing details about an incident and sometimes simply confirming the existence of a confidentiality incident can harm the handling of the incident by a company or a public body”, argued CAI Communications Director Jorge Passalacqua in an email to The Press.
List made public
This decision came after the publication of articles in The Press disclosing the names of companies and public entities that have experienced problems with the personal data they handle.
The article shook up personal intelligence experts and put pressure on the Commission to speed up its reflection on the level of detail it would make public about these statements.
Questioned about their incident reports to the Commission, most of the organizations concerned provided explanations. Others, like the Royal Bank, refused to provide any information.
Change of direction
On May 25, the CAI finally decided to systematically post the list of organizations that declared incidents on a page of its website.
“In this sub-section, the Commission will systematically disseminate information relating to confidentiality incidents that are declared to it,” explains Jorge Passalacqua. The Commission will thus publish, in chronological order from 22 September 2022, the names of the organizations having made a declaration of confidentiality incident and the date of receipt of the declaration by the Commission. »
Since last fall, 134 organizations have reported confidentiality incidents to the CAI.