The Information and Privacy Commissioner of Ontario (“IPC”) recently released a guidance document explaining when privacy breaches must be reported to the Commissioner. The Guidelines are entitled “Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector” (September 2017). The Guidelines also explain that custodians must begin tracking statistics on privacy breaches as of January 1, 2018 and must file an annual report containing those statistics starting March 1, 2019.
When does the requirement to report certain breaches to the IPC take effect?
These reporting requirements come into effect October 1, 2017, via amendments to the PHIPA Regulation.
Who must report?
Health information custodians that have custody or control of personal health information.
What is to be reported?
Any breach that falls within one of the categories described in the PHIPA Regulation.
In the Guidelines, the IPC breaks down the categories of mandatory privacy breach reports and gives examples of circumstances that must be reported. There are seven categories, and a breach that falls within any one of them triggers the requirement to report. The categories are:
- use or disclosure without authority
- stolen information
- further use or disclosure without authority after a breach
- pattern of similar breaches
- disciplinary action against regulated health professionals
- disciplinary action against non-College members
- significant breach
These Guidelines apply only to reports that must be made to the Commissioner; they do not address the separate obligation to notify the individuals whose privacy has been breached.
When should notice be given?
The Guidelines do not specify a deadline for reporting; however, it is wise to make such reports as soon as reasonably possible after the custodian becomes aware of the breach. Reporting early also allows the IPC to offer guidance on containing and mitigating the effects of the breach.
The Guidelines are available here:
Contact us for guidance on when to report privacy breaches or to participate in our Privacy Officer training.