Managing breaches

A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, health information custodians, children’s aid societies and other child and family service providers should have a privacy breach response plan.

Under Ontario’s access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.

What to do in case of a breach

Contain the breach and notify affected individuals

When faced with a privacy breach, your organization should:

identify the scope of the breach and take the steps necessary to contain it
notify those affected if required by law or if the breach poses a real risk of significant harm to the individual

Investigate

Your organization should also conduct an internal investigation to:

Identify and analyze the events that led to the breach
Review policies and practices in protecting personal information, privacy breach response plans and staff training
Determine whether the breach was a result of a systemic issue and take corrective action

Notify the IPC

If your organization is a health information custodian, it must report breaches to the IPC under the circumstances set out in the PHIPA regulation.

If your organization is not a health information custodian, it should notify the IPC of significant breaches, such as those involving:

sensitive personal information
large numbers of affected individuals

Reduce the risk of future breaches

Steps to prevent privacy breaches include:

educate staff about Ontario’s privacy laws
educate staff about your organization’s policies and practices governing all aspect of personal information
conduct privacy impact assessments
seek input from your legal counsel, security unit and FOI coordinator

Report a privacy breach at your organization now.