
How to Report a Privacy Breach

Note: Individuals should not use this webpage.

Individuals who believe their personal or health information has been lost or improperly collected, used, disclosed or accessed by an organization, custodian or public body may instead file a complaint with the OIPC.

As of August 31, 2018, under the Health Information Act, it is mandatory for a custodian having individually identifying health information in its custody or control to notify the Commissioner, as soon as practicable, of a privacy breach if the custodian determines "there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure" (section 60.1(2)).

For Organizations, Health Custodians and Public Bodies

For the purposes of this webpage and related items, a privacy breach (or breach) means a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.

The OIPC has resources available to assist in reporting a privacy breach, including the:

  • Privacy Breach Report Form, to be used when reporting a privacy breach to the Commissioner
  • Reporting a Breach to the Commissioner practice note, which is designed to assist organizations and custodians in meeting the requirements under section 19 of the Personal Information Protection Act Regulation and section 8.2(2) of the Health Information Regulation when reporting a breach to the Commissioner

Public bodies are encouraged to use the above resources when reporting a breach to the Commissioner. The OIPC may be able to provide general advice or guidance for responding to the privacy breach and ensuring steps taken comply with obligations under privacy legislation.

Requirement to Report a Breach to the Commissioner

Personal Information Protection Act (PIPA)

It is mandatory for an organization with personal information under its control to notify the Commissioner, without unreasonable delay, of a privacy breach where:

a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure (section 34.1).

Organizations are required to notify the Commissioner of reportable breaches without unreasonable delay (section 34.1).

Health Information Act (HIA)

It is mandatory for a custodian having individually identifying health information in its custody or control to notify the Commissioner, as soon as practicable, of a privacy breach if the custodian determines:

there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure (section 60.1(2)).

In addition to notifying the Commissioner of the privacy breach, the custodian is also required by section 60.1(2) of HIA to notify the Minister of Health and the affected individuals of the privacy breach.

Custodians are required to notify the Commissioner of reportable breaches as soon as practicable (section 60.1(2)).

Freedom of Information and Protection of Privacy Act (FOIP Act)

Public bodies are not required by law to notify the Commissioner of a privacy breach; however, the OIPC advises public bodies to voluntarily report privacy breaches to the Commissioner.

Using the Privacy Breach Report Form will help a public body provide the right information to the Commissioner so that the OIPC may provide guidance to the public body for responding to the breach.