Managing breaches

Public sector organizations should develop a process for managing privacy breaches.

Containment and notification

When faced with a privacy breach, your organization should:

  • identify the scope of the breach and take the steps necessary to contain it
  • notify those affected if the breach poses a real risk of significant harm to the individual

Investigate

Your organization should also conduct an internal investigation to:

  • identify and analyze the events that led to the breach
  • review policies and practices in protecting personal information, privacy breach response plans and staff training
  • determine whether the breach was a result of a systemic issue and take corrective action

Notify the IPC

The IPC should be notified of significant breaches, such as those involving:

  • sensitive personal information
  • large numbers of affected individuals

Reduce the risk of future breaches

Steps to prevent privacy breaches include:

  • educate staff about Ontario’s privacy laws
  • educate staff about your organization’s policies and practices governing all aspects of personal information
  • conduct privacy impact assessments
  • seek input from your legal counsel, security unit and FOI coordinator

Report a privacy breach at your organization now.

Review our full list of guidance documents.