Guidance and Information

Organizations' Guide to Complaint Investigations under the Personal Information Protection and Electronic Documents Act

An individual has filed a complaint against your organization with the Office of the Privacy Commissioner of Canada.

What happens now?

Our Investigations and Inquiries Branch will review the complaint and an investigator will be assigned to the case.

What is the investigator's role?

The investigator's job is to gather the facts related to the complaint and make recommendations to the Commissioner. These recommendations are based on an analysis of the facts within the framework of the Personal Information Protection and Electronic Documents Act.

What is the purpose of the investigation?

The investigation will serve to establish whether individuals' privacy rights have been contravened or whether individuals have been given their right of access to their personal information. The investigation will be conducted in an objective, fair, and impartial manner.

If there have been contraventions, the investigation process seeks to resolve complaints and to prevent contraventions from recurring.

A fair, timely and resolution-oriented complaint process benefits complainants and organizations subject to the Act. It is important to bear in mind that, as an ombudsman, the Commissioner takes a cooperative and conciliatory approach to investigating complaints whenever possible and encourages resolution through mediation, negotiation and persuasion. The investigator assists in this process.

The investigation process

The investigator will write to your organization, outlining the substance of the complaint. You will be asked to provide the name of the representative who will be responsible for handling the complaint for your organization. You will also be asked to respond to the allegations.

The investigator will contact your representative to discuss the investigation.

The investigator will request documentation. This may include policies, records, or logs, to name a few. We may also ask to review company files.

The investigator will conduct interviews, either in person or by telephone.

Normally, the investigator will deal with your organization's responsible official. However, the investigator may also interview one or several employees. You will be informed beforehand if an interview is required.

For example, if an employee of a company is alleged to have disclosed a complainant's personal information without consent, the investigator will want to speak to the employee. If a manager also interacted with the complainant and the employee, the investigator will want to interview the manager as well.

It should be stressed that, to be impartial, we must conduct our own investigations and speak directly with the individual(s) involved. We cannot rely on third-hand information. This approach will ensure that both the complainant and your organization are treated fairly.

The investigator will ask a lot of questions. It is important to keep in mind that the investigator knows the privacy business, but not yours.

If issues that you feel are relevant are not being pursued, you are encouraged to raise the matter with the investigator. You are encouraged to contact the investigator at any time during the course of the investigation with questions, concerns, representations or submissions that you may have.

In order for us to deal with the complaint as thoroughly and expeditiously as possible, it is in everyone's best interest if your organization is forthcoming with information and actively involved in the investigation process.

What are the investigator's powers?

Through the Privacy Commissioner, the investigator has the authority to receive evidence, enter premises where appropriate, and examine or obtain copies of records found on any premises.

What happens after the investigation is completed?

The investigator will contact you and review the facts gathered during the course of the investigation. The investigator will also tell you what he or she will be recommending, based on the facts, to the Commissioner. At this point, you may make further representations.

The Commissioner reviews the file and comes to an opinion regarding the recommendation(s). This point is key: it is not the investigator who decides — it is the Commissioner.

The Commissioner sends letters of finding to the complainant and to you. Each of these letters outlines the basis of the complaint, the findings of fact relevant to making a finding and recommendation concerning that complaint, and the Commissioner's analysis in relation to PIPEDA. The possible outcomes are:

Not Well-Founded: There is no evidence to lead the Commissioner to conclude that the complainant's rights under the Act have been contravened.

Well-Founded: The organization failed to respect a provision of the Act.

Resolved: The allegations raised in the complaint were substantiated by the investigation, but the organization agreed to take corrective measures to rectify the problem, to the satisfaction of this Office.

Discontinued: Investigation is terminated before all the allegations have been fully investigated, for example when the complainant is no longer interested in pursuing the matter, or can no longer be located to provide additional information that is critical to reaching a conclusion.

The Commissioner may make recommendations to you and may ask you to respond in writing, within a particular timeframe, outlining your organization's plans for implementing them.

In the letter of finding, the Commissioner informs the complainant of his or her rights of recourse to the Federal Court.

We post case summaries of some of the complaints we receive on our Web site. These are anonymized and are published for educational purposes. Very rarely, and only when the Commissioner deems it in the public interest to do so, we may name an organization in a summary.

We would invite you to review the case summaries as they contain information that may be helpful to your organization.

Are there alternative means of resolving privacy disputes?

Starting January 1, 2004 , the Office of the Privy Commissioner of Canada introduced two new means of helping organizations and individuals resolve privacy disputes.

On occasion, a complaint may be resolved before we undertake an investigation. For example, if an individual files a complaint about an issue that the Office has already investigated and found to be compliant under the Personal Information Protection and Electronic Documents Act, we would explain this to the individual. Another example might be if an organization, upon learning of an individual's allegations, addresses the matter immediately and to the satisfaction of the complainant and the Office. This approach is entitled "early resolution", and no formal findings are issued.

In some cases, it makes sense for the Office to propose a solution to the dispute during the investigation. If this satisfies all the parties — the complainant, the organization, and the Commissioner — the case is considered settled, and no formal findings are issued.

Other frequently asked questions about the investigation

Can organizations be fined for contravening the Act?

The Commissioner cannot impose fines for contraventions. However, the Federal Court, which is the next level of review, has the power to award damages to a complainant.

There is also an offence provision under the Act with fines for obstructing the Commissioner in an investigation, destroying personal information after an access request has been made for it, and disciplining a whistleblower.

Must I show the documentation to the investigator?

Yes. If you choose not to, the Commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence. In rare instances, we have resorted to these measures.

However, the Commissioner prefers to resolve complaints through negotiation and persuasion. Full cooperation with the investigator is always in everyone's best interests. A positive relationship between you and our Office will help your organization's privacy practices and will go a long way to addressing your clients' privacy needs and concerns.

Will you keep my organization's information confidential?

This is a common concern among many organizations, especially when access to information complaints are involved. The answer, in general, is yes.

There are, however, times when certain information that you provide us must be discussed with the complainant in order to conduct the investigation or establish the grounds for findings and recommendations.

What this means is that we will provide the complainant with your organization's position regarding the incident or practice that prompted the complaint. We will not reveal information that is outside of the scope of the complaint.

How long will the investigation take?

The time required varies according to the complexity of the issues raised. Under the Act, the Commissioner has one year to issue a report of findings.

What are some of the common types of complaints that the OPC receives?

An individual may complain about any matter specified in sections 5 to 10 of the Act or in Schedule 1. The following are some of the more typical examples of complaints we receive:

Denial of Access: An individual requests that an organization provide her with her personal information. When she receives no response, she complains to our Office that the organization has denied her access to her personal information.

Time Limits: An individual makes an access request and receives his personal information. However, he complains to us that the organization took longer than the 30-day time limit prescribed under the Act to respond to his access request.

Improper Collection, Use or Disclosure: An individual complains that an organization improperly collected her social insurance number.

Inaccurate Information: An individual is denied a loan. After reviewing his credit report, he notices that there is inaccurate information on his file and files a complaint with our Office.

Inadequate Safeguards: An individual is the victim of identity theft. She suspects that an employee of an organization is responsible and files a complaint with our Office.

For more examples of the types of complaints we receive, please see case summaries of findings on the OPC Web site.