Report a privacy breach

To strengthen the privacy protection of personal health information, the Ontario government has amended the Personal Health Information Protection Act (the act). Under section 12(3) of the act and its related regulation, custodians must notify the Information and Privacy Commissioner of Ontario (the Commissioner) about certain privacy breaches. This law took effect October 1, 2017.

As a custodian, you must report breaches to the Commissioner in seven categories described in the regulation and summarized below. The categories are not mutually exclusive; more than one can apply to a single privacy breach. If at least one of the situations applies, you must report it. The following is a summary — for the complete wording of the regulation, see the appendix at the end of this document.

It is important to remember that even if you do not need to notify the Commissioner, you have a separate duty to notify individuals whose privacy has been breached under section 12(2) of the act.

Situations where you must notify the Commissioner of a privacy breach

Annual report to the Commissioner

By March 1, custodians are required to provide the Commissioner with an annual report of the previous calendar year’s statistics.

Report a privacy breach now


This post is also available in: French