Managing breaches

A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, health information custodians, children’s aid societies and other child and family service providers should have a privacy breach response plan.

Under Ontario's access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.

Report a privacy breach at your organization

What to do in case of a breach

Contain the breach and notify affected individuals

Contain the breach and notify affected individuals

When faced with a privacy breach, your organization should:

  • identify the scope of the breach and take the steps necessary to contain it
  • notify those affected if required by law or if the breach poses a real risk of significant harm to the individual

Your organization should also conduct an internal investigation to:

  • Identify and analyze the events that led to the breach
  • Review policies and practices in protecting personal information, privacy breach response plans and staff training
  • Determine whether the breach was a result of a systemic issue and take corrective action
Notify the IPC

If your organization is a health information custodian, it must report breaches to the IPC under the circumstances set out in the PHIPA regulation.

If your organization is not a health information custodian, it should notify the IPC of significant breaches, such as those involving:

  • sensitive personal information
  • large numbers of affected individuals
Reduce the risk of future breaches

Reduce the risk of future breaches

Steps to prevent privacy breaches include:

  • educate staff about Ontario’s privacy laws
  • educate staff about your organization’s policies and practices governing all aspect of personal information
  • conduct privacy impact assessments
  • seek input from your legal counsel, security unit and FOI coordinator

Additional Resources

Help us improve our website. Was this page helpful?
When information is not found


  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.