Privacy Impact Assessment Summary on the Online Complaint Form
Description of the Project
The Online Complaint Form project pertains to the implementation of a suite of ‘smart’ complaint forms to improve the receipt and filing of complaints and associated supporting information and documents through an online application.
This project will replace the existing web-based portal with a new application and will automate the filing of the resulting complaints and supporting documents in the Office of the Privacy Commissioner’s (OPC’s) document repository and complaint case management system.
In addition, minor modifications will be made to the existing complaint case management system to facilitate the automated transcription of information from the received complaint forms to the system.
This project is in support of the OPC program of investigating privacy complaints against private sector organizations under the Personal Information Protection and Electronic Documents Act (PIPEDA) and against federal government institutions under the Privacy Act.
In the early years of its mandate, the OPC only accepted written complaints from individuals by mail. To improve service to Canadians and simplify complaint handling, in 2012, the OPC began accepting complaints through a simple online portal using effectively ‘static’ forms replicating the already available hard copy forms, as well as accepting the submission of supporting documents.
Currently, the OPC receives a significant volume of complaints, including associated personal information of complainants. In some instances, individuals complain to the OPC on matters that fall outside the Office’s investigation mandate, while in others the issues could have been resolved through other avenues. In addition, the OPC receives a significant volume of complaints that either lack particular information or supporting documents, or in which complainants submit much more information than is required to address the complaint. We identified a need to find a way to help complainants identify the nature of their complaints and the information we require to investigate. This information varies depending on the nature of the specific complaint.
Information received through existing complaint forms is currently manually filed in OPC’s document repository and manually transcribed into OPC’s case management system for complaint processing purposes.
The objective of the Online Complaint Form project is to implement a suite of ‘smart’ complaint forms that further improve service to Canadians, reduce the unnecessary collection of personal information, and reduce the effort required to collect and process necessary information to appropriately address and investigate complaints received.
- Implement ‘smart’ online complaint forms for complaints under PIPEDA and the Privacy Act which will:
  - guide individuals through self-assessment questions to identify if their complaint likely falls under the OPC’s jurisdiction, and if there are further steps they could consider taking before submitting a completed complaint form. This is to reduce the submission of unnecessary information via the complaint forms; and
  - solicit specific information and supporting documents required based on questions answered by the complainant about the nature of their complaint. This is to expedite the complaint intake process by helping complainants identify and provide information required for the treatment of their complaints.
- Implement a convenient online document drop-off form for parties to a complaint (including the complainant, respondent organization, and occasionally other parties to the complaint identified by OPC) to provide information and/or documents to OPC in relation to a specific complaint – after the original complaint has been filed. This is to reduce the burden to parties of using postal mail and to provide a consistent secure method of transmission.
- Automatically file information and documents received through the three forms above in OPC’s document repository and complaint case management system – to facilitate and improve processing and reduce manual errors.
The project will use simple, accessible technology, developed and hosted by OPC, to implement the above goals. Three forms will be developed: a Privacy Act Complaint Form, a PIPEDA Complaint Form, and a Document Drop-off Form.
The purposes for which information will be collected, used and disclosed, as well as the type of personal information that will be collected, used and disclosed remain unchanged from what is currently being collected for the purposes of responding to individuals’ complaints.
Downloadable hard-copy forms will continue to be available for individuals who do not wish to use the online forms, and will be manually processed using current procedures.
Risk Area Identification and Categorization
|A: Type of Program or Activity||Level of risk to privacy|
|Program or activity that does NOT involve a decision about an identifiable individual||1 No|
|Administration of programs/activity and services||2 No|
|Compliance/regulatory investigations and enforcement||3 Yes|
|Criminal investigation and enforcement/national security||4 No|
|B: Type of Personal Information Involved and Context||Level of risk to privacy|
|Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.||1 No|
|Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.||2 No|
|Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.||3 Yes|
|Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.||4 No|
|C: Program or Activity Partners and Private Sector Involvement||Level of risk to privacy|
|Within the institution (amongst one or more programs within the same institution)||1 No|
|With other federal institutions||2 No|
|With other or a combination of federal/provincial and/or municipal government(s)||3 No|
|Private sector organizations or international organizations or foreign governments||4 Yes|
|D: Duration of the Program or Activity||Level of risk to privacy|
|One time program or activity||1 No|
|Short-term program||2 No|
|Long-term program||3 Yes|
|E: Program Population||Level of risk to privacy|
|The program affects certain employees for internal administrative purposes.||1 No|
|The program affects all employees for internal administrative purposes.||2 No|
|The program affects certain individuals for external administrative purposes.||3 Yes|
|The program affects all individuals for external administrative purposes.||4 No|
|F: Technology and Privacy||Level of risk to privacy|
3.1 Enhanced identification methods
3.2 Use of surveillance
3.3 Use of automated personal information analysis, personal information matching and knowledge discovery techniques
|G: Personal Information Transmission||Level of risk to privacy|
|The personal information is used within a closed system.||1 No|
|The personal information is used in a system that has connections to at least one other system.||2 No|
|The personal information is transferred to a portable device or is printed.||3 No|
|The personal information is transmitted using wireless technologies.||4 Yes|
|H: Risk Impact to the Institution||Level of risk to privacy|
|Managerial harm||1 No|
|Organizational harm||2 No|
|Financial harm||3 No|
|Reputation harm, embarrassment, loss of credibility||4 Yes|
|I: Risk Impact to the Individual or Employee||Level of risk to privacy|
|Reputation harm, embarrassment||2 No|
|Financial harm||3 Yes|
|Physical harm||4 No|
Categorization of Risks Using a Common Risk Scale
The following table summarizes the results of the standardized risk assessment above:
|Identified Risk Categories||Aggregate risk rating|
|No. of program characteristics identified as “low” risk (TBS Level 1 or 2)||0|
|No. of program characteristics identified as “moderate” risk (TBS Level 2 or 3)||5|
|No. of program characteristics identified as “elevated” risk (TBS Level 3 or 4)||3|
|No. of unaccounted or other potential privacy risks||0|
|Overall risk rating for the OPC’s Online Complaint Form||Moderate|
Based on a summary analysis of program characteristics, the OPC’s Online Complaint Form, in general, is likely to present a moderate risk to the privacy of individuals.