The IPC's Role and Jurisdiction
The Information and Privacy Commissioner of Ontario is an independent officer of the Legislative Assembly with jurisdiction under three statutes:
- Freedom of Information and Protection of Privacy Act, RSO 1990, c F.31 (FIPPA) — covering Ontario provincial government institutions (ministries, agencies, boards, commissions, and universities)
- Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c M.56 (MFIPPA) — covering Ontario municipalities, school boards, conservation authorities, police services boards, and other local institutions
- Personal Health Information Protection Act, 2004, SO 2004, c 3 (PHIPA) — governing the collection, use, and disclosure of personal health information (PHI) by health information custodians (HICs)
PHIPA: Health Privacy in Ontario
Health Information Custodians
PHIPA applies to "health information custodians" — a defined list that includes health care practitioners regulated by Ontario health regulatory colleges (physicians, nurses, pharmacists, physiotherapists, etc.), hospitals, long-term care homes, psychiatric facilities, independent health facilities, pharmacies, and laboratories.
HICs must:
- Collect PHI only if necessary for a lawful purpose
- Use and disclose PHI only with the individual's consent or as authorized by PHIPA
- Implement administrative, technical, and physical safeguards appropriate to the sensitivity of the PHI and the risks of unauthorized access
- Provide individuals with access to their own PHI on request, subject to limited exceptions
- Correct PHI that is inaccurate or incomplete
Mandatory Breach Reporting
Since October 1, 2017, PHIPA requires HICs to notify the IPC of privacy breaches where PHI has been stolen, lost, or accessed without authority and it is "reasonably possible" that the PHI was used or disclosed without authority. The same threshold triggers notification to affected individuals.
The IPC has published guidelines on breach reporting, including what constitutes a reportable breach and the timeline for notification. Failure to report a prescribed breach is an offence under PHIPA (s. 72).
PHIPA Complaints and Investigations
An individual who believes a HIC has contravened PHIPA may file a complaint with the IPC. The IPC complaint process involves:
- Intake — the IPC reviews whether the complaint is within jurisdiction and not frivolous or vexatious
- Early resolution — the IPC may attempt early resolution between the complainant and the HIC without a formal investigation
- Investigation — if early resolution fails, the IPC investigates; the IPC may require production of records, access to premises, and sworn testimony
- Review (adjudication) — the IPC holds a hearing and issues a binding order if appropriate
FIPPA and MFIPPA: Access to Information
The Right of Access
FIPPA (s. 10) and MFIPPA (s. 4) give every person the right to access records held by an Ontario provincial or municipal institution, subject to limited exemptions. The institution must respond within 30 days (with possible extensions) and must provide the requested records or give written reasons for any refusal.
Common exemptions include:
- Solicitor-client privilege (FIPPA s. 19; MFIPPA s. 12)
- Law enforcement (FIPPA s. 14; MFIPPA s. 8) — ongoing investigations
- Cabinet records and policy advice (FIPPA s. 12-13)
- Personal privacy — third-party personal information that would constitute an unjustified invasion of privacy (FIPPA s. 21; MFIPPA s. 14)
- Third-party commercial information (FIPPA s. 17; MFIPPA s. 10)
IPC Review Process Under FIPPA/MFIPPA
A person who is refused access, receives a fee estimate they believe is unreasonable, or believes an institution has not properly handled their personal information may request a review by the IPC within 30 days of receiving the institution's decision (FIPPA s. 50; MFIPPA s. 39).
The IPC review process:
- Mediation — the IPC mediator works with the requester and institution to resolve the dispute; most files are resolved at this stage
- Adjudication — if mediation fails, an adjudicator conducts a paper-based or oral hearing; parties file representations
- Order — the IPC issues a binding order that may direct disclosure, correction, or other remedies
Privacy Complaints Under FIPPA/MFIPPA
In addition to access complaints, individuals may file complaints with the IPC about how their personal information was collected, used, or disclosed by a public institution. The IPC investigates and may issue orders requiring institutions to correct their practices.
IPC Orders and Judicial Review
IPC orders are binding on Ontario public institutions and HICs. Orders may be enforced by application to the Superior Court (Divisional Court). IPC orders may be appealed by way of judicial review:
- Standard of review: following Canada (Minister of Citizenship and Immigration) v Vavilov [2019] 4 SCR 653, IPC orders on substantive questions of law are reviewed on a reasonableness standard; pure questions of central importance to the legal system may attract correctness review
- Procedural fairness: the IPC is bound by procedural fairness obligations — notice, opportunity to be heard, and reasons for decisions
Privacy Tort Claims Alongside IPC Complaints
In addition to filing an IPC complaint, an individual whose PHI was improperly disclosed may have a tort claim for intrusion upon seclusion (recognized by the Ontario Court of Appeal in Jones v Tsige 2012 ONCA 32) or for breach of confidence. Damages awards in privacy tort cases have ranged from nominal ($1,000-$5,000 for data breaches without significant harm) to significant awards where the breach caused identifiable harm.
How Atticus Helps Ontario Lawyers with Privacy Files
Privacy compliance, breach response, and IPC proceedings involve strict timelines (30-day access response, breach reporting obligations), large volumes of records review, and multi-party regulatory proceedings. Atticus supports Ontario privacy lawyers with:
- Deadline tracking — AI extracts statutory deadlines from IPC correspondence, access request decisions, and breach notification timelines
- Document analysis — AI reviews IPC orders, PHIPA compliance policies, and breach investigation reports to surface key findings and required remedies
- Matter management — track IPC complaint stages, mediation outcomes, and adjudication schedules for privacy files
- LSO-compliant trust accounting — manage retainers for privacy litigation and regulatory defence files
Ontario-Built Practice Management for Privacy Lawyers
Atticus helps Ontario privacy and health law lawyers manage IPC complaint timelines, document analysis, and client files — with LSO-compliant trust accounting built in. $149 CAD per lawyer per month.