On This Page

Guidance when reporting privacy breaches

As of Jan.1, 2018, Health Information Custodians are required to track privacy breach statistics and provide an annual report of these statistics to the Information and Privacy Commissioner of Ontario by March 2019. We reported this new requirement in the September 2017 issue of The Standard. 

The Commissioner has released further guidance on what should be included in these annual reports. You can read the detailed requirements here.

Custodians should also note that, as of Oct. 1, 2017, they are required to notify the Commissioner when personal health information is lost or stolen, or used or disclosed without authority. The exact circumstances when a custodian must notify the Commissioner are detailed in section 6.3 of the regulation under the Personal Health Information Protection Act, 2004. 

Who is a custodian? 

In most cases, a custodian is an employer (such as a hospital, clinic, home care agency, long-term care home or public health unit) and not an individual nurse. However, nurses in independent practice, or those employed in health services in non-health care settings (such as occupational health) may be considered custodians.

If you are unsure if you are a custodian, check the Confidentiality and Privacy: Personal Health Information practice standard or contact the office of the Information and Privacy Commissioner of Ontario.

If you have any questions about the reporting process, contact the office of the Information and Privacy Commissioner of Ontario directly.

Page last reviewed April 13, 2018