Summary statement of OPC’s enforcement practices, policies and activities
The Office of the Privacy Commissioner of Canada provided this information in support of its application to join the Global Cooperation Arrangement for Privacy Enforcement (CAPE):
Participant name: Office of the Privacy Commissioner of Canada
Jurisdiction: Canada
Website address: www.priv.gc.ca
Key law(s) enforced by the Participant:
General sectors/jurisdictions regulated by Participant:
The Privacy Act applies to the collection, use or disclosure of personal information by federal government institutions.
PIPEDA applies generally to the collection, use or disclosure of personal information by organizations engaged in commercial activities, in all sectors of the economy and in all provinces and territories.
PIPEDA also applies to federal works undertakings and businesses (FWUBs) -throughout Canada. FWUBs include for example, banks, cross-border transportation companies and telecommunications as well as broadcasting companies. The Act also applies to other organizations engaged in commercial activities except in three provinces, Quebec, British Columbia and Alberta, to the extent that the information is collected, used or disclosed and remains within each of those provinces. In addition to these three provinces, PIPEDA does not apply to health information custodians in Ontario. All of these provinces have enacted legislation that has been declared substantially similar to PIPEDA.
The Act applies to all personal information collected, used and disclosed across borders by organizations engaged in commercial activities.
PIPEDA only applies to employee information when it is collected, used or disclosed in connection with the operation of a FWUB.
Approach to investigation / resolution of enforcement matters:
Under PIPEDA, the Commissioner receives complaints from individuals alleging a violation of the Act and investigates these complaints. The Commissioner can also initiate a complaint if he is satisfied that there are reasonable grounds to investigate.
The Commissioner is required to investigate all complaints unless he is of the opinion that: the complainant ought first to exhaust other grievance or review procedures; the complaint could be more appropriately dealt with through other means or procedures provided for under the law; or the complaint was not filed within a reasonable period of time.
The Commissioner may discontinue an investigation if he is of the opinion that: there is insufficient evidence to pursue an investigation; the complaint is trivial, frivolous or vexatious or is made in bad faith; the organization has provided a fair and reasonable response to the complaint; the matter is the object of a compliance agreement entered into (see below); the matter is already the object of an ongoing investigation under the Act; the matter has already been the subject of a report by the Commissioner; any of the circumstances under which he can refuse to investigate apply; the matter has already been the subject of a report by the Commissioner or the matter is being or has already been addressed under other grievance or review procedures or through other means or procedure provided for under the law.
In the conduct of an investigation, the Commissioner has the power to summon individuals’ appearance, compel evidence and the production of records. He may also administer oaths, accept and receive evidence and enter premises. He can conduct inquiries within those premises, as well as converse with individuals and examine records found on those premises.
The Commissioner has the power to enter into a compliance agreement with an organization to ensure compliance with PIPEDA if the Commissioner believes on reasonable grounds that the organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of the Act or a failure to follow a recommendation set out in Schedule 1 of the law. A compliance agreement may contain any terms that the Commissioner considers necessary to ensure compliance with PIPEDA.
The Commissioner is required to issue a report of findings at the conclusion of an investigation. The report is to contain: the Commissioners findings and recommendations; any settlement reached by parties; if appropriate, a request that the organization notify the Commissioner of any action taken or proposed to implement recommendations in the report, or reasons for which no action has been or is proposed to be taken.
The Commissioner cannot order an organization to change its practices, however he may attempt to resolve disputes through dispute resolution mechanisms such as mediation and conciliation.
A complainant has the right to apply to the Federal Court of Canada for a hearing once the Commissioner has completed the investigation and issued his report. The Privacy Commissioner also has the option to take a matter to court.
A court review is not an appeal of the Commissioner’s report, since the Commissioner issues findings rather than formal “decisions.” The court looks at the matter afresh; it conducts a “de novo” hearing.
In addition, the Commissioner can conduct audits/reviews of the information handling practices of organizations when he has “reasonable grounds to believe” that the organization is contravening a provision of the Act.
Prioritization policies:
While every complaint is carefully reviewed and, as applicable, investigated, the OPC Canada has a process for assigning a priority to certain complaints. In deciding whether to assign a complaint a higher priority the OPC would consider matters such as whether:
- the allegation involves egregious conduct or would have serious consequences;
- there has been broader public interest in the matter;
- the issue has been raised in Parliament;
- the issue aligns with one of the OPC Canada’s strategic priorities;
- it is a Commissioner-initiated complaint; or
- the same or a similar issue has already been investigated.
Other relevant information:
The Commissioner or any person acting on his behalf is prohibited from disclosing any information that comes to their knowledge as a result of the performance or exercise of the Commissioner’s duties or powers.
However, there are exceptions to this prohibition. The Commissioner may disclose information that in his opinion is necessary to conduct an investigation or audit or is necessary to establish grounds for findings and recommendations.
The Commissioner may disclose in the course of a hearing under PIPEDA or an appeal before the Federal Court, a judicial review in relation to the Commissioner’s exercise of his duties and powers. The Commissioner may also disclose information in the course of a prosecution for an offence under PIPEDA or an office for perjury under the Criminal Code of Canada; or to the Attorney General of Canada or of a province in respect of an offence against any law of Canada or a province. The Commissioner may also make information public if he considers that it is in the public interest to do so.
PIPEDA allows the Privacy Commissioner of Canada to share information, under specific circumstances, with foreign counterparts that have duties and functions similar to those of the OPC with respect to the protection of personal information or to foreign counterparts with responsibilities relating to conduct that is substantially similar to conduct that would be in contravention of PIPEDA.
The Commissioner is only authorized to disclose information that he believes would be:
- relevant to an ongoing or potential investigation or proceeding in respect of a contravention of the laws of a foreign state that address conduct that is substantially similar to conduct that would be in contravention of the Act; or
- necessary to disclose in order to obtain from the foreign counterpart, information that may be useful to an ongoing or potential investigation or audit under PIPEDA.
The Commissioner may only disclose information if he has entered into a written arrangement and if the arrangement:
- limits the information to be disclosed to that which is necessary for the permitted purposes;
- restricts the use of the information to the purpose for which it was originally shared; and
- stipulates that the information be treated in a confidential manner and not be further disclosed without the express consent of the Commissioner.
- Date modified: