Annual Reporting of Privacy Breach Statistics Due March 31, 2021

Institutions operating pursuant to the Freedom of Information and Protection of Privacy Act (FIPPA), the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Part X of the Child, Youth and Family Services Act, 2017 (CYFSA), and/or the Personal Health Information Protection Act, 2004 (PHIPA) are required to report annual statistics to the Information and Privacy Commissioner of Ontario (IPC). As part of this reporting obligation, Health Information Custodians (HICs) under PHIPA as well as child and family service providers under Part X of CYFSA must submit privacy breach statistics. The IPC has mandated that all privacy breaches that occurred during the previous year must be reported by March 31, 2021. Reports are to include information about Personal Health Information (PHI) in the HIC’s custody or control that was: stolen, lost, used without authority, or disclosed without authority. Reports are to be submitted electronically here: https://statistics.ipc.on.ca/web/site/login. The reported information is to include the following: 

• For PHI that was stolen, include: 

  • the total number of incidents;

  • the number of incidents in which PHI was stolen: 

    • by an internal party (i.e. as an employee);

    • a stranger; or

    • through a ransomware attack or another type of cyberattack;

  • the number of incidents involving: 

    • unencrypted portable electronic equipment (such as USB keys or laptops); and

    • paper records; and

  • the number of individuals affected.

• For PHI that was lost, include: 

  • the total number of incidents,

  • the number of incidents in which PHI was lost through a ransomware attack or another type of cyberattack;

  • the number of incidents involving: 

    • unencrypted portable electronic equipment (such as USB keys or laptops); and

    • paper records; and

  • the number of individuals affected.

• For PHI that was used without authority, include: 

  • the total number of incidents;

  • the number of incidents involving: 

    • electronic systems; and

    • paper records; and

  • the number of individuals affected.

• For PHI that was disclosed without authority, include: 

  • the total number of incidents;

  • the number of incidents involving: 

    • misdirected faxes; and

    • misdirected emails; and

  • the number of individuals affected.

HICs and child and family service providers are also required to submit statistics noting all requests for access to information and requests for correction of information that were received in the prior year. If no such requests were received, institutions must indicate as such in their report. The annual reporting of access and correction requests must include the following information: 

• Access requests received in the previous year and the number of times the institution: 

  • Responded within 30 calendar days

  • Extended the deadline to respond by up to 90 days

  • Refused access to all or part of a record

  • Refused the request based on each of the access exceptions under the applicable privacy legislation

• Correction requests received in the previous year and the number of times the institution: 

  • Responded within 30 calendar days

  • Extended the deadline to respond by up to 90 days

  • Refused the request based on each of the access exceptions under the applicable privacy legislation

  • Received a statement of disagreement

For any questions or additional information about reporting obligations or how to report particular incidents, please contact us.