Managing breaches

A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, children’s aid societies and other child and family service providers should have a privacy breach response plan.

Under Ontario’s access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.

What to do in case of a breach

 

Contain the breach and notify affected individuals

When faced with a privacy breach, your organization should:

  • identify the scope of the breach and take the steps necessary to contain it
  • notify those affected if the breach poses a real risk of significant harm to the individual

Investigate

Your organization should also conduct an internal investigation to:

  • Identify and analyze the events that led to the breach
  • Review policies and practices for protecting personal information, privacy breach response plans and staff training
  • Determine whether the breach was a result of a systemic issue and take corrective action

Notify the IPC

The IPC should be notified of significant breaches, such as those involving:

  • sensitive personal information
  • large numbers of affected individuals

Reduce the risk of future breaches

Steps to prevent privacy breaches include:

  • educate staff about Ontario’s privacy laws
  • educate staff about your organization’s policies and practices governing all aspects of personal information
  • conduct privacy impact assessments
  • seek input from your legal counsel, security unit and FOI coordinator

 

Report a privacy breach at your organization now.

Additional Resources

Privacy Breaches: Guidelines for Public Sector Organizations

Reporting a Privacy Breach to the Information and Privacy Commissioner: Guidelines for Service Providers under Part X of the Child, Youth and Family Services Act

Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector

A Guide to Privacy and Access in Ontario Schools

Review our full list of guidance documents.