Ontario: municipal breach notification
MFIPPA governs municipal records. IPC published Municipal Breach Response Guidance and expects significant breaches to be reported.
Notify promptly for significant breaches; there is no fixed statutory clock for municipalities (yet).
- IPC will publish findings; most municipal breach orders are public.
- Affected individuals must be notified directly where reasonable.
What this means for an Ontario municipality
Canadian municipalities sit under a provincial public-sector privacy framework; for Ontario, that means the Information and Privacy Commissioner of Ontario (IPC) is your primary regulator. The trigger for notification is generally a real risk of significant harm to affected residents, evaluated on the probability of misuse, the sensitivity of the data, and the number of people reached.
Most small and mid-sized Ontario municipalities also have to weigh federal coordination through the Canadian Centre for Cyber Security, vendor obligations under PIPEDA, and, for any cross-border data, US state breach statutes that apply by residency of the affected individual, not by the location of the municipality. The HackFirstAid triage walks through those layers in plain language and produces a printable summary you can hand to your CAO and council.
If you're reading this during a live incident, open the free triage first; if you're reading it on a quiet Tuesday, run it as a tabletop with your clerk, IT lead, and one council member. Most Ontario municipalities run it once before they need it, then once for real, six months later.
- Tax, permits, utility billing, and court scheduling encrypted on the same morning.
- Fraudulent wire instructions on a vendor payment or payroll change.
- Vital records, property assessments, or business licenses exposed or altered.