Interpretation Bulletin: Accountability
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the positions of the parties, over time findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined over time.
The Meaning of “Accountability”
I. Relevant Statutory Provisions
Principle 4.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles in Schedule 1 to PIPEDA.
Principle 4.1.1 states that accountability rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
Principle 4.1.2 requires that the identity of the designated individual(s) shall be made known upon request.
Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing. Organizations must use contractual or other means to provide a comparable level of protection while the information is being processed by a third-party.
Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles in Schedule 1 to PIPEDA, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.
II. General Interpretations by the Courts
- Organizations will be held accountable for their failure to comply with obligations under Schedule 1 of the Act. It is no defence to claim adherence to industry standards if those standards fall below the requirements of PIPEDA. Neither will a defence of practical necessity absolve an organization from its obligations under the Act. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
- An organization can be held accountable for the wrongful actions of its employees contrary to PIPEDA, especially where the employee tries to cover up his or her wrongful conduct. (Landry v. Royal Bank of Canada, 2011 FC 687)
III. Application by the OPC in Different Contexts
Whether an organization can be said to meet its accountability obligations under the Act will vary depending on the facts of each complaint investigation. The following examples illustrate how the accountability principle has been interpreted and applied by the OPC and some of its general findings derived from different contexts.
Policies, Practices and Procedures
- The purpose of the accountability principle is not to limit accountability to a small number of individuals in an organization, but rather to make an organization responsible and accountable as a whole.
- Organizations need to implement appropriate and effective measures to put into effect the principles and obligations of the Act, including effective compliance and training programs. This is an essential part of ensuring that organizations remain accountable for the personal information they collect, use or disclose.
- In respect of a complaint against a federal work, undertaking or business (in this case a telecommunications company), the Privacy Commissioner noted that the organization is responsible for all personal information under its control, including client and employee personal information. Accordingly, the organization has a responsibility to implement policies and practices specific to the handling of employee personal information.
- An organization should develop and implement a privacy policy that is available to both employees and customers. A privacy policy is a key component in the protection of customers’ personal information, in that it provides guidance to employees and information to customers concerning the company’s personal information handling practices.
- The nature of an organization’s structure can be relevant in determining its compliance with the accountability principle. For example, it was found to be acceptable for a web-centered company to rely on online reference material and e-mail to address complaints and inquiries.
- An organization was not accountable for the collection, use and disclosure of individuals’ personal information by third parties where (a) individuals voluntarily chose to participate in a third party’s offers or program, and (b) that choice authorized the organization to provide the individual’s personal information to the third parties. In those instances, it is the policies and practices of the third parties that applied, not those of the organization.
Employee Training
- An organization should ensure that its privacy policy is disseminated to all employees, and that it provides staff with privacy training regarding privacy policies and practices.
- An organization’s employees should be able to state the reason for the collection of personal information and should be able to provide individuals with information on how to obtain the organization’s privacy policy.
Third-party Service Providers
- An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. PIPEDA requires organizations to use contractual or other means when using third-party service providers, to ensure a comparable level of protection of personal information.
  - PIPEDA Case Summary #394 - Outsourcing of canada.com e-mail services to U.S.-based firm raises questions for subscribers;
  - PIPEDA Case Summary #365 - Responsibility of Canadian financial institutions in SWIFT's disclosure of personal information to US authorities considered;
  - PIPEDA Case Summary #333 - Canadian-based company shares customer personal information with U.S. parent; and
  - PIPEDA Case Summary #313 - Bank’s notification to customers triggers PATRIOT Act concerns.
- Organizations can meet their obligations under Principle 4.1.3 of the Act by having contracts in place with third-party service providers that provide guarantees of confidentiality and security of personal information and allow for oversight, monitoring, and auditing of the services being provided.
  - PIPEDA Case Summary #394 - Outsourcing of canada.com e-mail services to U.S.-based firm raises questions for subscribers;
  - PIPEDA Case Summary #313 - Bank’s notification to customers triggers PATRIOT Act concerns;
  - PIPEDA Case Summary #262 - Airline agrees to amend privacy policy;
  - PIPEDA Case Summary #168 - Bank accused of non-consensual disclosure to debtor’s employer; and
  - PIPEDA Case Summary #42 - Air Canada allows 1% of Aeroplan membership to "opt out" of information sharing practices.
- Even with an appropriate outsourcing contract in place, an organization may be in contravention of Principle 4.1.3 if it cannot confirm what happens to personal information after it is provided to a third-party service provider.
  - PIPEDA Case Summary #386 - Credit card information printed on paper airline tickets not a proper safeguard; transfer of personal information to travel wholesaler questioned; and
  - PIPEDA Case Summary #377 - Law firm’s shoddy privacy practices result in missing personal information; request for access denied.
- If a third party wishes to sub-contract all or part of the services it has undertaken to provide to an organization, the agreement between the organization and the third party setting out obligations and expectations in respect of how personal information will be handled should also include specific provisions to address sub-contracting.
- The “other means” used by an organization to provide a comparable level of protection when outsourcing may include non-contractual oversight and auditing mechanisms.
- In circumstances of cross-border outsourcing between a parent and an affiliate, a separate contract between the two organizations is not necessary. What is required is that both companies adhere to the same level of data protection.
- It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of personal information when it is transferred to third-party service providers operating outside of Canada.
- Organizations must be transparent about their privacy practices. Organizations that outsource personal information to a foreign-based service provider should notify individuals that the information may be available to the government of that country or its agencies under a lawful order made in that country.
  - PIPEDA Case Summary #394 - Outsourcing of canada.com e-mail services to U.S.-based firm raises questions for subscribers;
  - PIPEDA Case Summary #365 - Responsibility of Canadian financial institutions in SWIFT's disclosure of personal information to US authorities considered; and
  - PIPEDA Case Summary #313 - Bank’s notification to customers triggers PATRIOT Act concerns.
Independent Third-party Audits
- In appropriate cases, the Commissioner will recommend that an organization undertake an independent third-party audit to demonstrate that the organization has brought its personal information management practices into compliance with PIPEDA and is accountable for them.