Please note: As a precautionary measure to keep the public and IPC staff safe during the COVID-19 outbreak, the Office of the Information and Privacy Commissioner of Ontario is physically closed. We continue to provide services to the public, public sector organizations, and the health and child and family services sectors. Despite our best efforts, there may be some delay in getting back to you. We will continue to evaluate the evolving situation and provide updates here and on Twitter @IPCinfoprivacy. You can also reach us at info@ipc.on.ca.

Report a privacy breach at your organization

For use by the following organizations reporting a theft, loss or unauthorized use or disclosure (or unauthorized collection by means of the EHR) of personal information or personal health information (as applicable) to the Information and Privacy Commissioner of Ontario (IPC):

  • Health information custodians and coroners under the Personal Health Information Protection Act, 2004
  • Institutions under the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act
  • Child and family service providers under the Child, Youth and Family Services Act, 2017


Important Note: Do not include any personal information or personal health information with this form.

The IPC recognizes that the investigation, containment, and remediation of this privacy breach may not be complete at the time this form is submitted. Please provide as much of the requested information as is presently known.

The IPC may request additional information after reviewing this form.

Date of this Report (required)

(MM/DD/YYYY)

Type of organization: (required)

  • Health information custodian - you are reporting a breach as required under subsection 12(3) or clause 55.5(7)(b) of the Personal Health Information Protection Act, 2004 and Ontario Regulation 329/04 made pursuant to that act
  • Coroner - you are reporting a breach as required under subsection 18.10(1) or clause 18.10(4)(b) of Ontario Regulation 329/04
  • Institution (ministry, municipality, etc.) - you are reporting a breach under the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act
  • Child and family service provider - you are reporting a breach under the Child, Youth and Family Services Act, 2017



Description of the privacy breach

Please describe the circumstances of the privacy breach, including

  • What happened?
  • Describe how personal information/personal health information (as applicable) came to be stolen or lost or used or disclosed without authority (or collected without authority by means of the EHR)
  • Date (or date range) of theft(s), loss(es) or unauthorized use(s) or disclosure(s) (or unauthorized collection(s) by means of the EHR) of personal information/personal health information
  • Date privacy breach was discovered by the reporting organization
  • How this privacy breach was discovered by the reporting organization
  • Were other organizations (health information custodians/service providers/institutions) involved in this privacy breach? Please explain.
  • Describe the nature of the personal information/personal health information that was stolen or lost or used or disclosed without authority (or collected without authority by means of the EHR)
  • The number of individuals whose personal information/personal health information was stolen or lost or used or disclosed without authority (or collected without authority by means of the EHR)


Containment

Please describe the steps that have been taken to contain the privacy breach, the date that such steps were taken, and the outcome of these steps (including whether these steps were successful in containing the privacy breach).


Notification (required)

Were the individuals whose personal information or personal health information was stolen or lost or used or disclosed without authority (or collected without authority by means of the EHR) notified of this privacy breach?
Yes / No

If yes, on what date was notification provided?
(MM/DD/YYYY)


Investigation/Remediation

What steps have you taken to investigate this privacy breach?

What steps remain to be taken to investigate this privacy breach?

What steps have you taken to remediate and prevent a future privacy breach?

What steps remain to be taken to remediate and prevent a future privacy breach?


Attach Documents: (10MB maximum)


Submit the form:

Option 1:   Send this now



Option 2:   Print the form and email to: reportabreach@ipc.on.ca or mail to:

Registrar
Information and Privacy Commissioner of Ontario
1400-2 Bloor Street East
Toronto, Ontario
M4W 1A8


What happens next? Someone from our intake team will contact you to discuss your breach report.

Find out more about managing privacy breaches.
You can also contact our office by email at info@ipc.on.ca, by phone at 416-326-3333, or toll-free at 1-800-387-0073 if you have questions.
