Part X of the CYFSA: Responding to Privacy Breaches

A privacy breach occurs when personal information is stolen or lost or is collected, used or disclosed without authority.

In the event of a privacy breach, you should immediately notify the relevant staff in your organization and then identify the scope of the breach and take the steps necessary to contain it. We recommend that you have a privacy breach protocol in place detailing the steps to take in response to a breach, in what order, and by whom.

You should take the following steps to contain a privacy breach:

  • retrieve and secure any personal information that has been collected, used or disclosed without authority
  • ensure that no copies, including digital copies, have been made or retained by the individual who was not authorized to receive or use the information
  • determine whether the breach would allow unauthorized access to any other personal information – for example on an electronic information system – and take necessary steps to prevent a further breach, such as changing passwords or temporarily shutting down your system

You must notify individuals at the first reasonable opportunity of any breach in which their personal information in your custody or control was lost, stolen or used or disclosed without authority.84 This notice must:

  • provide a general description of the breach in easy-to-understand language
  • inform the individual of any steps you have taken to:
    • mitigate adverse effects on the individual and
    • prevent a similar breach from happening
  • provide contact information for one of your employees who can provide additional information and
  • advise the individual of their right to complain to the IPC

Direct notification is the standard form of notice that health information custodians, institutions, and service providers should provide to individuals affected by a privacy breach. However, there are exceptional circumstances where indirect notification may be appropriate. The sections below describe the circumstances in which an organization may consider using indirect notification, what information should be included in the indirect notice, and how it should be distributed.

Notification to affected individuals should occur as soon as possible following the breach, even if an indirect method is used.

You must also notify the IPC and the Minister of Children, Community and Social Services of any privacy breach that meets certain criteria.85 This includes any breach you determine to be significant based on the sensitivity and volume of the information breached, the number of service providers involved and the number of people affected.

These types of privacy breaches must also be reported to the IPC:

  • those involving stolen personal information
  • breaches in which personal information was used or disclosed by someone who knew or should have known they were doing so without authority
  • breaches where it is likely personal information has or will be further used or disclosed again without authority
  • a privacy breach that is part of a pattern of similar breaches
  • a breach that results in an employee being terminated, suspended or disciplined, or resigning

Breach reports can be submitted to the IPC by mail or online. The IPC will review the information you provide, including a description of the breach and your response to it, and may, in some cases, decide to conduct an investigation.

To minimize the risk of further breaches, you should review your existing policies, procedures, training programs and safeguards and consider whether you need to make changes. You should also keep a record of all breaches. Statistics about breaches involving a theft, loss, or unauthorized use or disclosure of personal information must be submitted to the IPC as part of your annual statistical report.


A youth worker informs their supervisor that they mistakenly sent correspondence containing a client’s personal information to the wrong person.

The supervisor notifies the organization’s privacy officer, and together with the worker they take the following steps:

  • contain the breach by ensuring the person who received the letter in error has returned it or disposed of it securely
  • notify the individual whose privacy was breached (including the required information in the notice)
  • make a record of the breach
  • take action to prevent similar breaches – in this case, by sending all staff a reminder of privacy policies and tips for avoiding a similar mistake

If the breach was accidental, isolated, and limited in scope, they are not required to report it to the Minister of Children, Community and Social Services or the IPC.


84. CYFSA, s. 308(2); O. Reg. 191/18, s. 8
85. While this guide provides a simplified summary, you should review the full list of criteria set out in section 9 of O. Reg. 191/18 to determine whether a specific privacy breach should be reported to the IPC and Minister.

Indirect notification to affected individuals

If your organization is considering indirect notification, you should consult with the IPC. You should be prepared to explain why you believe indirect notice is reasonable in the circumstances and your plans for it. This includes the content of your proposed notice and your strategies for distribution.  

Indirect notice to individuals may be considered by your organization where one or more of these exceptional circumstances apply:

  • The breach affects a significantly large number of individuals, making direct notification of the affected individuals impractical.
  • The risk of harm to affected individuals has reasonably been determined to be low. 
  • You are unable to determine the identities of affected parties despite taking reasonable steps to do so.  
  • There are questions as to the reliability/accuracy of contact information.  
    • Note: Outdated contact information for a portion of the affected parties does not mean that all the affected parties should be notified indirectly. In cases involving a mix of outdated and current contact information, a hybrid approach to notification involving both direct and indirect elements may be appropriate. 
  • Direct notification would unreasonably and significantly interfere with the operations of your organization.  
    • Note: All breach notification processes will involve the expenditure of time and resources. It is only when the time and resources required to provide direct notice cause unreasonable and significant interference with your operations that indirect notice may be an option.
  • Direct notification would be reasonably likely to be harmful or detrimental to the affected individuals.

Content of an indirect notice (also applies to direct notices)

After assessing the specific circumstances of the breach and determining in consultation with the IPC that indirect notice is a reasonable approach, the notice should:

  • Be written in plain language.
  • Provide enough information to enable someone reading the notice to easily understand how they may have been impacted by the breach.
  • Describe the circumstances of the breach.
  • Describe the cause of the breach, if known.
  • Indicate the date or period when the breach occurred.
  • Note the date when your institution became aware of the breach.
  • Describe the personal information/personal health information that is impacted in as much detail as possible.  
  • Describe how the personal information/personal health information was affected by the breach (for example accessed, encrypted, exfiltrated, posted online, etc.).  
  • Describe the risk of harm to affected individuals, if known.
  • Identify steps your institution has taken to contain the breach and reduce/mitigate the risk of harm to affected individuals.
  • Identify additional steps individuals can take to further reduce/mitigate the risk of harm.  
  • Inform affected individuals that they can file a complaint with the Information and Privacy Commissioner of Ontario (as required under PHIPA and CYFSA and as of July 1, 2025, FIPPA) and provide a link to the IPC’s website.  
  • Provide contact information of an individual within the institution who can answer questions and provide additional information about the breach.
  • State whether you have reported the matter to the IPC and other appropriate regulatory bodies, as applicable.

Distribution of an indirect notice

The indirect notice must be distributed in a way that could reasonably be expected to reach the affected individuals.

Thought and care should be put into deciding what strategy will be most effective to reach affected individuals. Multiple methods of public notification are generally most effective and are considered a best practice.  

A multi-channel public notice strategy should include a combination of some, or all, of the following methods to bring the notice to the attention of the affected individuals:  

  • A prominent notice on your organization’s website or a dedicated website containing details about the breach.  
    • If you are using your organization’s website to provide notice, ensure the notice or a link to the notice is displayed prominently on the main page of your organization’s website and that it is clearly visible without the need for scrolling or searching.
    • If you are using a dedicated breach website to provide notice, you should place a link to the breach website on the main page of your organization’s website so it is clearly visible, and visitors can click through to access the breach website.
    • All digital notices should remain posted for a reasonable period that will allow affected parties to read the notice.  
  • Ensure you take reasonable steps to bring the digital notice to the attention of affected parties. Affected parties may be unlikely to visit your website or breach notice unless specifically prompted to go there by media announcements, social media posts, or other means.  
  • Other public outreach activities to bring the notice to the attention of the affected individuals such as:
    • Posting notices or posters in high traffic areas of your facility for a length of time that will allow affected parties to read the notice.  
    • Placing notices in national or local newspapers.  
    • Creating social media posts on relevant platforms.
    • Purchasing radio and/or TV announcements and advertising targeted to affected individuals.
    • Issuing news releases and community notices targeted to affected individuals.
    • Hosting town halls and/or webinars to provide information.
    • Any other case-specific public communication strategies that would be effective for reaching individuals affected by the breach.  