Managing breaches
A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, health information custodians, children’s aid societies and other child and family service providers should have a privacy breach response plan.
Under Ontario's access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.
Report a privacy breach at your organization
What to do in case of a breach
Contain the breach and notify affected individuals
When faced with a privacy breach, your organization should:
- identify the scope of the breach and take the steps necessary to contain it
- notify those affected if required by law or if the breach poses a real risk of significant harm to the individual
Investigate
Your organization should also conduct an internal investigation to:
- Identify and analyze the events that led to the breach
- Review policies and practices in protecting personal information, privacy breach response plans and staff training
- Determine whether the breach was a result of a systemic issue and take corrective action
Notify the IPC
If your organization is a health information custodian, it must report breaches to the IPC under the circumstances set out in the PHIPA regulation.
If your organization is not a health information custodian, it should notify the IPC of significant breaches, such as those involving:
- sensitive personal information
- large numbers of affected individuals
Reduce the risk of future breaches
Steps to prevent privacy breaches include:
- educating staff about Ontario’s privacy laws
- educating staff about your organization’s policies and practices governing all aspects of personal information
- conducting privacy impact assessments
- seeking input from your legal counsel, security unit and FOI coordinator
Additional Resources
- Privacy Breaches: Guidelines for Public Sector Organizations
- Responding to a Health Privacy Breach: Guidelines for the Health Sector
- Reporting a Privacy Breach to the Information and Privacy Commissioner: Guidelines for Service Providers under Part X of the Child, Youth and Family Services Act
- Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector, types of breaches that need to be reported to the IPC at the first reasonable opportunity
- A Guide to Privacy and Access in Ontario Schools
- Review our full list of guidance documents.