Law 25 — Confidentiality Incident (Breach)
Overview
Covers confidentiality incident notification and response under Quebec Law 25 and the CAI: assessing the risk of serious injury, notifying the CAI and the affected individuals, and keeping the incident register. Includes validation that the CAI notification has the required content and contains no personal data.
Getting Started
Add your source materials to the project workspace, then activate the Law 25 — Confidentiality Incident (Breach) skill. The agent will guide you through the process step by step.
Example conversation
You: We had a confidentiality incident—an ex-employee may have accessed client contact lists. We need to assess risk of serious injury, decide whether to notify the CAI and the individuals, and draft the notification and register entry.
Agent: I’ll use the Law 25 breach reference. I need: nature of the incident, what data was concerned (e.g. names, emails), how many people, and any mitigating factors. I’ll assess “risk of serious injury” (sensitivity, anticipated consequences, likelihood of injurious use). If there is such a risk, I’ll draft the CAI notification and the notice to individuals—without including personal data of affected individuals in the CAI text—and the register entry. I’ll run the validation tool on the CAI draft to check required content and warn if personal data appears in the text.
Output excerpt
Confidentiality incident — risk assessment (excerpt)
2. Risk of serious injury assessment
Conclusion: The incident presents a risk of serious injury. We will notify the CAI and affected individuals promptly. Rationale: Contact lists (names, emails) could be used for phishing or harassment; ex-employee context increases likelihood of misuse.
4. Notification
CAI notified: Yes — [date]. Affected individuals notified: Yes — [date].
Draft for CAI: include description, data concerned, risk assessment, and measures taken. Do not include personal data of affected individuals in the CAI notification.
References and validation
- references/law25-breach-requirements.md — Definition of confidentiality incident (s. 3.6); risk of serious injury; duties (reduce risk, prevent recurrence, notify CAI and individuals, register); CAI notification; register.
- assets/breach_risk_rating_law25.md — Optional template to record risk assessment and rationale.
- validate_law25_breach_notification — Validates the CAI notification or incident record draft: required content (description of incident, data concerned, risk assessment, decision on CAI notification, decision on individual notification), placeholders (e.g. TBD, TODO), and warns if the text appears to contain personal data. Do not include personal data of affected individuals in the CAI notification. Use after drafting; fix any missing elements and remove personal data from the CAI draft before submission.
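
A minimal sketch of the three checks the validate_law25_breach_notification entry describes (required content, placeholders, personal-data warning), added here as an illustration and not the skill's own code. The function name, keyword patterns, bracket-placeholder rule and both sample drafts are assumptions constructed for this example.

```python
import re

# The five required elements are the ones listed on this page; the keyword
# patterns used to detect them are assumptions made for this example.
REQUIRED = {
    "description of incident": r"\b(description|nature) of the incident\b",
    "data concerned": r"\bdata concerned\b",
    "risk assessment": r"\brisk of serious injury\b|\brisk assessment\b",
    "decision on CAI notification": r"\bCAI notified\b|\bnotif\w+ (to )?the CAI\b",
    "decision on individual notification": r"\bindividuals notified\b|\bnotif\w+ (the )?(affected )?individuals\b",
}
# TBD/TODO come from the page; treating short [bracketed] text as a placeholder is an assumption.
PLACEHOLDER = re.compile(r"\b(TBD|TODO)\b|\[[^\]\n]{1,30}\]")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(\.[\w-]+)+\b")
PHONE = re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)")


def validate_cai_draft(text):
    """Return (missing_elements, placeholders, personal_data_warnings)."""
    missing = [name for name, pat in REQUIRED.items()
               if not re.search(pat, text, re.IGNORECASE)]
    placeholders = sorted({m.group(0) for m in PLACEHOLDER.finditer(text)})
    warnings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in (("email", EMAIL), ("phone", PHONE)):
            if pat.search(line):
                # Report only line number and kind, so the validator's own
                # output never repeats the personal data it found.
                warnings.append((n, kind))
    return missing, placeholders, warnings


# Constructed sample drafts (not real incident data).
DRAFT_BAD = """\
Description of the incident: a former employee may have accessed client contact lists.
Data concerned: names and emails, e.g. jane.roe@example.com and 514-555-0142.
Risk assessment: TBD
CAI notified: Yes, on [date].
"""

DRAFT_OK = """\
Description of the incident: a former employee may have accessed client contact lists.
Data concerned: names and email addresses of clients.
Risk assessment: the incident presents a risk of serious injury.
CAI notified: Yes. Affected individuals notified: Yes.
"""

if __name__ == "__main__":
    print(validate_cai_draft(DRAFT_BAD))
    print(validate_cai_draft(DRAFT_OK))
```

Pattern matching of this kind only catches well-formed emails and phone numbers; names and other identifiers in a draft still need a manual read before submission.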