A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, health information custodians, children’s aid societies and other child and family service providers should have a privacy breach response plan.
Under Ontario’s access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.
What to do in case of a breach
Contain the breach and notify affected individuals
When faced with a privacy breach, your organization should:
identify the scope of the breach and take the steps necessary to contain it
notify those affected if required by law or if the breach poses a real risk of significant harm to the individual
Investigate
Your organization should also conduct an internal investigation to:
Identify and analyze the events that led to the breach
Review policies and practices in protecting personal information, privacy breach response plans and staff training
Determine whether the breach was a result of a systemic issue and take corrective action
Notify the IPC
If your organization is a health information custodian, it must report breaches to the IPC under the circumstances set out in the PHIPA regulation.
If your organization is not a health information custodian, it should notify the IPC of significant breaches, such as those involving:
sensitive personal information
large numbers of affected individuals
Reduce the risk of future breaches
Steps to prevent privacy breaches include:
educate staff about Ontario’s privacy laws
educate staff about your organization’s policies and practices governing all aspects of personal information
conduct privacy impact assessments
seek input from your legal counsel, security unit and FOI coordinator
Report a privacy breach at your organization now.
Additional Resources
Privacy Breaches: Guidelines for Public Sector Organizations
Responding to a Health Privacy Breach: Guidelines for the Health Sector
Reporting a Privacy Breach to the Information and Privacy Commissioner: Guidelines for Service Providers under Part X of the Child, Youth and Family Services Act
Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector
A Guide to Privacy and Access in Ontario Schools
Review our full list of guidance documents.