You are now in the main content area

Privacy Incident Management

If you become aware of an internal privacy incident involving the possible unauthorized access or sharing of personal information, please follow the procedure set out in TMU's Privacy Incident Notification Process.

  • A privacy breach (an unauthorized disclosure of personal information) either happens or is suspected of happening.
  • Staff must notify the Privacy Office immediately by using the "Report a Privacy Incident" link at the bottom of the page. They must also advise their chair or manager.
  • Staff must provide the following information:
    • Nature of incident (misdirected email or mail, theft or lost asset like a laptop, inadequate protection, etc.
    • What kind of personal information was involved (name, email address, etc.)
    • How many people were impacted
  • The Privacy Office determines whether a breach has occured.
    • If not, no further action is required.
    • If yes, the Privacy Office commences an investigation and guides department responsible for the breach through the process. The Privacy Office will review procedures, determine whether a significant risk of harm is present, and advises department whether they should notify the affected individuals. The Privacy Office may recommend changes to the department's procedures.

The Privacy Office has the discretion to notify the Information and Privacy Commissioner of Ontario ("IPC"). The IPC conducts investigations to ensure that breaches are contained, affected individuals are notified, and that institutions have preventative measures in place. The IPC may issue a public report.

If you have any questions or concerns, please contact the Privacy Office at