Managing breaches
A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, health information custodians, children’s aid societies and other child and family service providers should have a privacy breach response plan.
Under Ontario's access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.
Report a privacy breach at your organization
What to do in case of a breach
Contain the breach and notify affected individuals
When faced with a privacy breach, your organization should:
- identify the scope of the breach and take the steps necessary to contain it
- notify those affected if required by law or if the breach poses a real risk of significant harm to the individual
Direct notification to affected individuals
Direct notification, such as notification completed by telephone, letter, email or in person, is the standard form of notice that health information custodians should provide to individuals impacted by a privacy breach. However, there are exceptional circumstances where custodians may consider providing indirect notification to affected individuals.
Notification to affected individuals should occur as soon as possible following the breach, even if providing indirect notice.
Indirect notification to affected individuals
If your organization is considering indirect notification, you should consult with the IPC. You should be prepared to explain why you believe indirect notice is reasonable in the circumstances and your plans for it. This includes the content of your proposed notice and your strategies for distribution.
Indirect notice to individuals may be considered by your organization where one or more of these exceptional circumstances apply:
- The breach affects a significantly large number of individuals, making notifying the affected individuals directly impractical.
- The risk of harm to affected individuals has reasonably been determined to be low.
- You are unable to determine the identities of affected parties despite taking reasonable steps to do so.
- There are questions as to the reliability/accuracy of contact information.
- Note: Outdated contact information for a portion of the affected parties does not mean that all the affected parties should be notified indirectly. In cases involving a mix of outdated and current contact information, a hybrid approach to notification involving both direct and indirect elements may be appropriate.
- Direct notification would unreasonably and significantly interfere with the operations of your organization.
- Note: All breach notification processes will involve the expenditure of time and resources. It is only when the time and resources required to provide direct notice cause unreasonable and significant interference with your operations that indirect notice may be an option.
- Direct notification would be reasonably likely to be harmful or detrimental to the affected individuals.
Content of an indirect notice (also applies to direct notices)
After assessing the specific circumstances of the breach and determining in consultation with the IPC that indirect notice is a reasonable approach, the notice should:
- Be written in plain language.
- Provide enough information to enable someone reading the notice to easily understand how they may have been impacted by the breach.
- Describe the circumstances of the breach.
- Describe the cause of the breach, if known.
- Indicate the date or period when the breach occurred.
- Note the date when your institution became aware of the breach.
- Describe the personal information/personal health information that is impacted in as much detail as possible.
- Describe how the personal information/personal health information was affected by the breach (for example accessed, encrypted, exfiltrated, posted online, etc.).
- Describe the risk of harm to affected individuals, if known.
- Identify steps your institution has taken to contain the breach and reduce/mitigate the risk of harm to affected individuals.
- Identify additional steps individuals can take to further reduce/mitigate the risk of harm.
- Inform affected individuals that they can file a complaint with the Information and Privacy Commissioner of Ontario (as required under PHIPA and CYFSA and as of July 1, 2025, FIPPA) and provide a link to the IPC’s website.
- Provide contact information of an individual within the institution who can answer questions and provide additional information about the breach.
- State whether you have reported the matter to the IPC and other appropriate regulatory bodies, as applicable.
Distribution of an indirect notice
The indirect notice must be distributed in a way that could reasonably be expected to reach the affected individuals.
Thought and care should be put into deciding what strategy will be most effective to reach affected individuals. Multiple methods of public notification are generally most effective and are considered a best practice.
A multi-channel public notice strategy should include a combination of some, or all, of the following methods to bring the notice to the attention of the affected individuals:
- A prominent notice on your organization’s website or a dedicated website containing details about the breach.
- If you are using your organization’s website to provide notice, ensure the notice or a link to the notice is displayed prominently on the main page of your organization’s website and that it is clearly visible without the need for scrolling or searching.
- If you are using a dedicated breach website to provide notice, you should place a link to the breach website on the main page of your organization’s website so it is clearly visible, and visitors can click through to access the breach website.
- All digital notices should remain posted for a reasonable period that will allow affected parties to read the notice.
- Ensure you take reasonable steps to bring the digital notice to the attention of affected parties. Affected parties may be unlikely to visit your website or breach notice unless specifically prompted to go there by media announcements, social media posts, or other means.
- Other public outreach activities to bring the notice to the attention of the affected individuals such as:
- Posting notices or posters in high traffic areas of your facility for a length of time that will allow affected parties to read the notice.
- Placing notices in national or local newspapers.
- Creating social media posts on relevant platforms.
- Purchasing radio and/or TV announcements and advertising targeted to affected individuals.
- Issuing news releases and community notices targeted to affected individuals.
- Hosting town halls and/or webinars to provide information.
- Any other case-specific public communication strategies that would be effective for reaching individuals affected by the breach.
Investigate
Your organization should also conduct an internal investigation to:
- Identify and analyze the events that led to the breach
- Review policies and practices in protecting personal information, privacy breach response plans and staff training
- Determine whether the breach was a result of a systemic issue and take corrective action
Notify the IPC
If your organization is a health information custodian, it must report breaches to the IPC under the circumstances set out in the PHIPA regulation.
If your organization is not a health information custodian, it should notify the IPC of significant breaches, such as those involving:
- sensitive personal information
- large numbers of affected individuals
Reduce the risk of future breaches
Steps to prevent privacy breaches include:
- educate staff about Ontario’s privacy laws
- educate staff about your organization’s policies and practices governing all aspects of personal information
- conduct privacy impact assessments
- seek input from your legal counsel, security unit and FOI coordinator
Additional Resources
- Privacy Breaches: Guidelines for Public Sector Organizations
- Responding to a Health Privacy Breach: Guidelines for the Health Sector
- Reporting a Privacy Breach to the Information and Privacy Commissioner: Guidelines for Service Providers under Part X of the Child, Youth and Family Services Act
- Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector (the types of breaches that must be reported to the IPC at the first reasonable opportunity)
- A Guide to Privacy and Access in Ontario Schools
- Review our full list of guidance documents.