Accountability

April 2012

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the positions of the parties, over time the findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined over time.

The Meaning of “Accountability”

I. Relevant Statutory Provisions

Principle 4.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles in Schedule 1 to PIPEDA.

Principle 4.1.1 states that accountability rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).

Principle 4.1.2 requires that the identity of the designated individual(s) shall be made known upon request.

Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. Organizations must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles in Schedule 1 to PIPEDA, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.

II. General Interpretations by the Courts

  1. Organizations will be held accountable for their failure to comply with obligations under Schedule 1 of the Act. It is no defence to claim adherence to industry standards if those standards fall below the requirements of PIPEDA. Neither will a defence of practical necessity absolve an organization from its obligations under the Act. (Nammo v. Transunion of Canada Inc., 2010 FC 1284)
  2. An organization can be held accountable for the wrongful actions of its employees contrary to PIPEDA, especially where the employee tries to cover up his or her wrongful conduct. (Landry v. Royal Bank of Canada, 2011 FC 687)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its accountability obligations under the Act will vary depending on the facts of each complaint investigation. The following examples illustrate how the accountability principle has been interpreted and applied by the OPC and some of its general findings derived from different contexts.

Policies, Practices and Procedures

Employee Training

Third-party Service Providers

Independent Third-party Audits
