Responding to a privacy breach

What is a privacy breach?

A privacy breach occurs when Ontario’s Personal Health Information Protection Act (PHIPA) has been contravened, for example, where personal health information is stolen or lost, or is used or disclosed without authority.

PHIPA requires that, as a health information custodian (custodian), you must take reasonable steps to ensure that personal health information in your custody or control is protected against theft, loss, and unauthorized use and disclosure, and that the records containing the information are protected against unauthorized copying, modification or disposal. You must also take reasonable steps to ensure that personal health information is not collected without authority, and that records of personal health information are retained, transferred and disposed of in a secure manner.

As a custodian, you may become aware of a privacy breach in a number of ways, including:

  • during the normal course of business
  • an individual makes a complaint to you
  • notification from the IPC when a formal complaint has been filed with our office
  • the IPC initiates its own investigation