How to Report a Privacy Breach

Note: Individuals should not use this webpage. Individuals may Request a Review / File a Complaint.

For Organizations, Health Custodians and Public Bodies

A privacy breach (or breach) means a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.

To report a privacy breach to the OIPC, use the following documents:

There are more resources on privacy breach response, reporting and notification.

Note: The Office of the Information and Privacy Commissioner is revising its procedures for processing breach notifications received under the Personal Information Protection Act (PIPA). The new process will take effect on April 1, 2024. At that time, a new form will be provided for notifications of breaches under PIPA. For notifications of breaches under HIA or FOIP, the original form will apply until further notice. Read more here.

Requirement to Report a Breach to the Commissioner

Personal Information Protection Act (PIPA) 

It is mandatory for an organization with personal information under its control to notify the Commissioner of a privacy breach where "a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure" (section 34.1).

Organizations are required to notify the Commissioner of reportable breaches without unreasonable delay (section 34.1).

Health Information Act (HIA)

It is mandatory for a custodian having individually identifying health information in its custody or control to notify the Commissioner of a privacy breach if the custodian determines "there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure" (section 60.1(2)).

Custodians are required to notify the Commissioner of reportable breaches as soon as practicable (section 60.1(2)).

In addition to notifying the Commissioner of the privacy breach, the custodian is also required by section 60.1(3) of HIA to notify the Minister of Health and the affected individuals of the privacy breach.

Freedom of Information and Protection of Privacy Act (FOIP)

Public bodies are not required by law to notify the Commissioner of a privacy breach. The OIPC encourages public bodies to voluntarily report privacy breaches.