Privacy complaints are concerns or allegations raised by an individual about how personal information or personal health information (theirs or someone else’s) has been handled while in the custody or control of the University. 

Privacy Breaches are suspected or confirmed instances where personal information has been mishandled, including but not limited to unauthorized collection, access, use or disclosure.   

For guidances see this resource: EXAMPLES: Privacy and Confidentiality Complaints, Incidents and Breaches

All University employees, faculty, students, members of governing bodies, and members of the University community must promptly report any privacy complaint or suspected breach involving personal information directly to the Privacy Office using the Privacy Complaint and Breach Form. 

Complaints may be submitted anonymously or with identifying information, however, anonymous complaints may limit the University’s ability to fully investigate or resolve the issue. When a complaint or breach is submitted with the complainant’s identity, their information will be treated with the strictest confidentiality and will not be shared except as required by law. For reference, examples of reportable privacy complaints or breaches are provided in the document Examples – Privacy and Confidentiality Complaints, Incidents or Breaches. This is not an exhaustive list. Everyone is encouraged to contact the Privacy Office with any concerns, complaints, or questions, even when unsure whether the issue involves a privacy complaint or breach.

The Privacy Office manages the intake, investigation, and responding to privacy complaints and breaches.When a complaint is received, the Privacy Office will assess the issue to determine whether a breach has occurred. If a privacy breach is suspected, the Privacy Office may recommend immediate actions to contain the issue and investigate further, gathering facts, consulting with relevant University units, and applying applicable laws and policies. Investigations aim to be completed within 30 calendar days, handled confidentially and in good faith.

If the investigation confirms that a privacy breach has occurred, corrective actions will be recommended to address or prevent recurrence, which may include policy updates, training, disciplinary action, or system improvements. Furthermore, affected individuals and the Information and Privacy Commissioner of Ontario may be notified, depending on the severity of the event in accordance with FIPPA requirements. All findings, actions, and communications are documented and securely retained by the Privacy Office in accordance with University policy and legislative requirements.