HackFirstAidEducation
Regulatory grid

State overlay · ON

Ontario

MFIPPA + Education Act + PHIPA (where applicable)

Ontario school boards are institutions under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). Student records are governed by the Education Act and the Ontario Student Record (OSR) Guideline. Board-operated health programs may also trigger PHIPA.

Notification window

MFIPPA requires notice to the Information and Privacy Commissioner of Ontario (IPC) and affected individuals at the first reasonable opportunity where there is a real risk of significant harm.

Regulators

Information and Privacy Commissioner of Ontario (IPC)

ipc.on.ca breach reporting form; phone 1-800-387-0073.

Ontario Ministry of Education

Notify your board's Director of Education and the Ministry's Privacy Unit.

Canadian Centre for Cyber Security (CCCS)

contact@cyber.gc.ca — free incident support for public-sector orgs.

Unique gotchas

  • OSR records have their own retention and disclosure rules — a ransomware event touching the OSR is reportable separately to the Ministry.
  • French-language boards (CSC / CEPEO etc.) require bilingual family notification.

Testing authority

Education Quality and Accountability Office (EQAO)