Guidance documents for organizations

The Office of the Information and Privacy Commissioner publishes guidance documents to promote compliance with Ontario’s access and privacy laws. New materials are posted on an ongoing basis. If you are looking for a guidance on a topic that is not listed here, please contact us.

Search

Topic:

Type

Sort By:

Showing 15 of 245 results

Title	Topic	Type	Date
Interpretation Bulletin: Danger to Safety or Health	Access Privacy and Transparency in a Modern Government	Interpretation Bulletins	Oct 17, 2024	Download	Read moreExpand
This interpretation bulletin discusses the threat to safety or health exemption, as set out in section 20 of the Freedom of Information and Protection of Privacy Act (FIPPA) and section 13 of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). It outlines factors to consider in determining whether the threat to safety or health exemption applies. Learn More
Interpretation Bulletin: Information Available to the Public	Access Privacy and Transparency in a Modern Government	Interpretation Bulletins	Sep 19, 2024	Download	Read moreExpand
This interpretation bulletin outlines the elements to consider when determining if a record falls under the published information or information available to the public exemption, as set out in section 22 of the Freedom of Information and Protection of Privacy Act (FIPPA) and section 15 of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). Learn More
Interpretation Bulletin: Solicitor-Client Privilege	Access Privacy and Transparency in a Modern Government	Interpretation Bulletins	Sep 19, 2024	Download	Read moreExpand
This interpretation bulletin addresses the solicitor-client privilege exemption, as set out in section 19 of the Freedom of Information and Protection of Privacy Act (FIPPA) and section 12 of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). This document outlines the types of records that are exempted, specifically records subject to common law solicitor-client privilege (referred to as “branch one”) and those records that fall under statutory privilege (referred to as “branch two”). Learn More
Code of Procedure for Appeals Under FIPPA and MFIPPA	Access Appeal Process	Professional Guidelines	Sep 9, 2024	Download	Read moreExpand
The updated Code of Procedure for appeals under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act took effect on September 9, 2024. The IPC has also updated its Practice Directions under the new code which also take effect on the same date. For more information, please see our Code of Procedure section. Learn More
Reported Breach HR23-00282	Health Technology and Security Trust in Digital Health	Case of Note , Letters	Aug 14, 2024	Download	Read moreExpand
A prescribed person under the Personal Health Information Protection Act reported a breach to the IPC regarding a cyberattack that involved the unauthorized copying of approximately 3.4 million individuals’ personal health information from the prescribed person’s secure file transfer server. The threat actors gained unauthorized access to the server by exploiting a zero-day vulnerability in the file transfer software, MOVEit, that was installed on this server. Learn More
Practice Direction #7 - Sharing of Representations	Access Appeal Process	Practice Directions	Aug 9, 2024	Download	Read moreExpand
In effect September 9, 2024. Learn More
Practice Direction #6 - Affidavit and Other Evidence	Access Appeal Process	Practice Directions	Aug 9, 2024	Download	Read moreExpand
In effect September 9, 2024. Learn More
Practice Direction #5 - Direction to Institutions When Making Representations	Access Appeal Process	Practice Directions	Aug 9, 2024	Download	Read moreExpand
In effect September 9, 2024. Learn More
Fact Sheet: Guidelines for Parties Whose Commercial or Business Information is at Issue in an Appeal	Access Appeal Process	Fact Sheets	Aug 9, 2024	Download	Read moreExpand
Formerly Practice Direction #4. Repealed as of September 9, 2024. Learn More
Fact Sheet: Guidelines for Individuals Whose Personal Information is at Issue in an Appeal	Access Appeal Process	Fact Sheets	Aug 9, 2024	Download	Read moreExpand
Formerly Practice Direction #3. Repealed as of September 9, 2024. Learn More
Practice Direction #2 - Participating in a Written FIPPA or MFIPPA Inquiry	Access Appeal Process	Practice Directions	Aug 9, 2024	Download	Read moreExpand
In effect September 9, 2024. Learn More
Practice Direction #1 - Providing Records to the IPC During an Appeal	Access Appeal Process	Practice Directions	Aug 9, 2024	Download	Read moreExpand
In effect September 9, 2024. Learn More
Cyberattack response: Duty to notify individuals under PHIPA and CYFSA	Health Trust in Digital Health	Case of Note	Aug 2, 2024		Read moreExpand
Background The following decisions involved different cyberattacks against four different organizations. Three involved health information custodians (HICs) subject to the Personal Health Information Protection Act (PHIPA), and the fourth involved a Children’s Aid Society subject to Part X of the Child, Youth and Family Services Act (CYFSA). In all four cases, the organizations took the position that there was no duty to notify affected individuals because there was no evidence that personal health information or personal information was taken (or exfiltrated) from their systems. The Office of... Learn More
Ensuring health data privacy: Insights from the UTOPIAN case	Health Trust in Digital Health	Case of Note	Jul 29, 2024		Read moreExpand
Case of Note: PHIPA Decision 243 Introduction Health information research plays a vital role in improving medical treatments and the quality of care. To conduct health research, researchers require access to personal health information, the collection and use of which is regulated under health privacy laws. However, health researchers in Ontario, dealing with this sensitive personal health information, must ensure that they adhere to the requirements of the Personal Health Information Protection Act (PHIPA). These requirements exist to protect such health information, while also allowing... Learn More
Ransomware reality: Case study in health care cybersecurity and recovery	Health Technology and Security Trust in Digital Health	Case of Note	Jul 18, 2024		Read moreExpand
Case of Note: PHIPA Decision 249 Introduction Unfortunately, ransomware attacks are not an uncommon occurrence, especially in this era of rapidly advancing technologies. Bad actors use ransomware attacks to extract money and cause harm to others. As these types of attacks become increasingly common, health information custodians (HICs) should ensure that they have strong preventative measures in place to help minimize and prevent the risks of cybersecurity attacks. Background Following detection of unusual activity on its systems in December 2022, a medical imaging clinic (the clinic) determined... Learn More

Help us improve our website. Was this page helpful?

Yes

No

How did this page help you?

The information is incorrect or needs to be updated.

The information was too hard to understand.

The information wasn’t relevant.

I didn’t find what I was looking for.

Other

Note:

You will not receive a direct reply. For further enquiries, please contact us at @email
Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
For more information about this tool, please see our Privacy Policy.