Protecting Personal Information

Privacy breaches happen when personal information is collected, retained, used or disclosed in ways that don’t follow the rules set out in the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

If a person believes that a provincial or municipal government institution has failed to comply with one or more of the acts, and that their privacy has been compromised as a result, they can file a complaint with our office.

If the IPC learns of a possible privacy breach, we can initiate a complaint without an individual complainant. We will investigate to see if there was a privacy breach, make recommendations and help the institution take whatever steps are necessary to prevent future breaches.



Whether you work for a small rural municipality or a large provincial ministry with thousands of employees, you must develop a privacy program. The principles are the same, regardless of the size of your institution. To develop a good privacy program, you must:

  • Appoint a privacy officer, who will lead the development of the privacy program and be responsible for its implementation and day-to-day operation.
  • Build a framework for the program that describes who are your stakeholders and what personal information will be collected, used, retained, disclosed, secured and disposed of by your institution.
  • Identify any requirements under the FIPPA and MFIPPA, and any potential risks and impacts on privacy.
  • Identify how you will reduce or eliminate any privacy risks and how you will address them if they happen.
  • Ensure approval and buy-in from all senior leadership in your institution.

Review the full list of IPC guidance documents.

Privacy by Design
Privacy by Design (PbD) is a set of seven principles that the Information and Privacy Commissioner of Ontario developed during the 1990s, which became a globally recognised framework for the protection of privacy.  PbD seeks to proactively embed privacy into the design specifications of information technologies, organizational practices, and networked system architectures.  The PbD framework can help institutions plan for compliance with the Freedom of Information and Protection of Privacy ...
Situation Tables
A situation table involves representatives from various organizations (such as police and other emergency service providers, health care providers and community agencies) meeting to identify, discuss and address individual cases that raise significant risks of serious bodily harm. While this practice may help to ensure safer communities, it also poses risks to personal privacy. Our office is committed to helping situation tables across Ontario comply with privacy legislation as they work to r...