Responding to a Privacy Breach


A privacy breach occurs when Ontario’s Personal Health Information Protection Act (PHIPA) has been contravened, for example, where personal health information is stolen, lost or if it is used or disclosed without authority.

PHIPA requires that, as a health information custodian (custodian), you must take reasonable steps to ensure that personal health information in your custody or control is protected against theft, loss and unauthorized use and disclosure, and that the records containing the information are protected against unauthorized copying, modification or disposal. You must also take reasonable steps to ensure that personal health information is not collected without authority, and that records of personal health information are retained, transferred and disposed of in a secure manner.

As a custodian, you may become aware of a privacy breach in a number of ways, including:

  • During the normal course of business.
  • An individual makes a complaint to you.
  • Notification from the IPC when a formal complaint has been filed with our office.
  • The IPC initiates its own investigation.

Privacy Breach Protocol
The IPC strongly recommends that you develop a privacy breach protocol. As a custodian, you must take immediate action upon learning of a privacy breach. The following steps may need to be carried out simultaneously and in quick succession in the event of a privacy breach. STEP 1: IMMEDIATELY IMPLEMENT PRIVACY BREACH PROTOCOL Notify all relevant staff of the breach, including your Chief Privacy Officer or PHIPA contact person, and determine who else from within your organization should be i...
Potential Consequences of a Breach under PHIPA
WHAT ARE THE CONSEQUENCES FOR COMMITTING AN OFFENCE UNDER PHIPA? An individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $100,000, while an organization or institution can be liable for a fine of up to $500,000. If a corporation commits an offence under PHIPA, every officer, member, employee or agent of that corporation found to have authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained fr...