
Today’s article presents a letter template that Ontario public sector organizations can use when notifying individuals affected by a privacy breach.
A Letter Template for Ontario’s Public Institutions
The letter template above is intended to comply with the requirements set out in the Information and Privacy Commissioner of Ontario (IPCO) guidance document Privacy Breaches Guidelines for Public Sector Organizations, published September 2019. This guidance, and by extension, the letter template, is intended for public sector institutions in Ontario who fall under the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), including Ontario municipalities, police services, provincial ministries, agencies, boards and commissions, universities and colleges, school boards, and other provincial and municipal institutions.
The letter template is not intended for private organizations, businesses or non-governmental organizations who are covered by PIPEDA or other privacy legislation. Likewise, the template is not intended for breaches involving health information, for which IPCO has published a separate guidance document, Responding to a Health Privacy Breach: Guidelines for the Health Sector.
Using the Letter Template
In Privacy Breaches Guidelines for Public Sector Organizations, IPCO explains that Ontario’s public sector organizations are expected to notify individuals who are affected by a privacy breach if there is a “real risk of significant harm to the individual”:
You should notify those affected as soon as reasonably possible if you determine that the breach poses a real risk of significant harm to the individual, taking into consideration the sensitivity of the information and whether it is likely to be misused.
If law enforcement is involved, ensure that notification will not interfere with any investigations.
In terms of how the affected individuals are to be notified, the guidance states that notification should be “direct”, such as by telephone, letter, email or in person, although “indirect notification can be used in situations where direct notification is not possible or reasonably practical, for instance, when contact information is unknown or the breach affects a large number of people.”
In practice, institutions tend to notify affected individuals either by letter or email. Although IPCO also permits notification by telephone or in person, these methods tend to be less reliable, more expensive, and make it more difficult to keep reliable records about the notification provided to the affected individuals.
According to the IPCO guidance document, notifications by public sector organizations to affected individuals are expected to include:
- details of the extent of the breach and the specifics of the personal information that was compromised
- the steps taken and planned to address the breach, both immediate and long-term
- a suggestion, if financial information or information from government-issued documents is involved, to:
  - contact their bank, credit card company, and appropriate government departments to advise them of the breach
  - monitor and verify all bank account, credit card and other financial transaction statements for any suspicious activity
  - obtain a copy of their credit report from a credit reporting bureau
- contact information for someone within your organization who can provide additional information and assistance, and answer questions
- a statement that they have a right to make a complaint to the IPC and how to do so
Although IPCO has set out the notification requirements above, IPCO does not provide any ‘official’ letter template for notifying individuals affected by a privacy breach.
Public sector institutions in Ontario that fall under FIPPA or MFIPPA may therefore find it helpful to use the letter template provided here as a starting point when notifying individuals affected by a privacy breach. Using this letter template can help ensure you are in compliance with IPCO’s requirements for privacy breach notifications.
I hope you find this letter template helpful in your freedom of information and privacy practice.
Additional Resources
For more information on dealing with privacy breaches, I highly recommend reading the IPCO guidance document in its entirety: Privacy Breaches Guidelines for Public Sector Organizations. You may also wish to review these recent articles from the FOI Assist Knowledge Base for more insights and links to additional resources:
- FOIPN Presentation: Privacy Breaches and Best Practices (with slides from my recent presentation to the Freedom of Information Police Network)
- The Privacy Breach Management Toolkit (a Federal Government resource that can be of great help when responding to a privacy breach)
The FOI Assist Software
At FOI Assist, our mission is to Make Freedom of Information Easy™ for Ontario’s public institutions.
You wouldn’t use a typewriter to draft letters. So why are you still processing FOI requests manually? The FOI Assist software tracks deadlines, calculates fees, guides you through the process, and prepares ready-to-go correspondence in both official languages, all in full compliance with Ontario’s FOI legislation.
Designed by an Ontario lawyer with experience running a provincial Freedom of Information program, the FOI Assist software will save you time and relieve the stress of meeting Ontario’s tight FOI deadlines.
Your IT team will love it too, because it runs securely in the cloud. There’s no need to install anything. Instead, the FOI Assist software is accessed via a web browser, like the FOI Assist Knowledge Base you are reading right now.
It’s time to see what it can do! To request a demo, just click the link: I would like a demonstration of the FOI Assist software.