The Privacy Commissioner of Canada is an officer of Parliament responsible for investigating violations of the Privacy Act (1983) and the Personal Information Protection and Electronic Documents Act, or PIPEDA (2000).
The Privacy Commissioner and those assisting the Office of the Privacy Commissioner (OPC) act as advocates for Canadians’ privacy rights. The OPC takes and investigates privacy violations and brings citizens’ concerns to the federal government. Like all federal government agencies, the OPC is funded through the Treasury Board Secretariat, which enables it to fulfill its responsibilities under the Privacy Act as well as the PIPEDA.
The OPC is headed by the Privacy Commissioner and two Assistant Commissioners. Canada’s current Privacy Commissioner is Jennifer Stoddart, who oversees investigations and reports directly to the House of Commons and the Senate. The Privacy Commissioner is appointed for a seven-year term. The Privacy Commissioner is assisted by two Assistant Commissioners – Chantal Bernier and Elizabeth Denham, responsible for the Privacy Act and the PIPEDA, respectively.
The OPC is organized into seven branches, whose responsibilities are as outlined below:
- Investigations & Inquiries
  - Investigates individual complaints under the Privacy Act and the PIPEDA, as well as complaints not filed under those provisions.
  - Assists federal government departments and organizations in preventing violation of privacy legislation.
- Audit & Review
  - Conducts audits to assess organizations’ compliance with the Privacy Act and PIPEDA.
  - Provides recommendations on privacy impact assessment reports (PIAs).
- Research, Education & Outreach
  - Conducts research on privacy and technology concerns and the promotion of protecting personal data.
  - Supports policy development, investigation, audit and public education programs.
  - Provides strategic advice.
  - Supports communication and public education activities.
  - Plans and implements public education activities through media monitoring, public opinion polling, media relations, publication and special events.
- Legal Services, Policy & Parliamentary Affairs
  - Provides strategic legal and policy expertise and legal advice and support to the OPC.
  - Represents the OPC before Canadian and international courts.
  - Monitors legislative and government initiatives.
- Human Resources
  - Provides strategic advice, management and delivery of HR programs.
- Corporate Services
  - Provides advice and administrative services, including corporate planning; resource management; financial management; IT and general administration.
In addition, the OPC regularly consults with an External Advisory Committee, which offers multiple perspectives on public policy and privacy issues. The External Advisory Committee is made up of professors, industry association leaders, privacy consultants and other experts.
There is also an Internal Audit Committee, which provides advice and recommendations to the Commissioner regarding the quality and efficacy of the OPC. The Audit Committee oversees core areas of OPC responsibilities and accountability. It takes these findings and integrates them into the OPC strategic planning and priority setting processes. This reinforces the audit regime promoted by the OPC, thus strengthening the independence and accountability of the OPC.
The mission of the OPC is to protect and promote privacy rights of individuals. The OPC is responsible for overseeing compliance with federal privacy legislation: the Privacy Act and the PIPEDA. Although the OPC reports to the federal government, it functions independently from any other part of the government and often carries out investigations regarding the federal public sector.
The OPC also has the jurisdiction to investigate matters regarding personal data in the private sector, except in provinces that have established substantially similar privacy legislation. These provinces are Quebec, British Columbia, Alberta and, to a certain extent, Ontario. The OPC functions at the federal level, which means it provides advice and recommendations only. Provincial privacy commissioners’ advice is binding.
While the Privacy Commissioner aims to resolve issues through negotiation, mediation and conciliation, the Commissioner also has the authority to summon witnesses, administer oaths and demand evidence, in situations where this would be appropriate, or if cooperation is withheld. The Commissioner also has the authority to take investigations to the Federal Court for resolution.
The Commissioner, supported by the OPC, is responsible for carrying out a number of advocacy activities, which include:
- Investigating complaints made under the Privacy Act and PIPEDA.
- Issuing reports in response to federal government departments and private sector organizations.
- Bringing unresolved matters to Federal Court.
- Providing individuals (i.e. citizens, permanent residents, corporations) with access to personal information records under the Access to Information Act.
- Creating new and revising existing privacy impact assessments.
- Engaging with government institutions, industry associations, academia, the legal community and professional associations to proactively promote public awareness on privacy issues.
- Partnering with privacy stakeholders throughout Canada and internationally to identify and respond to global privacy issues arising from transborder data flows.
The OPC helps individuals gain access to personal information held by the federal government. One resource is Info Source, a public directory that enables individuals to identify which government agency has personal information and what type of information, as well as the contact information for requesting or correcting the personal data. The goal of Info Source is to enable individuals to exercise their rights under the Privacy Act and the Access to Information Act. Using Info Source is part of the procedure for filing formal requests under the Privacy Act.
In order to promote privacy safeguarding practices, the OPC hosts consultations with Canadians on a number of key challenges. The purpose of these consultations is to learn about industry practices, explore privacy implications, learn about Canadians’ privacy expectations and promote discussions on privacy implications that arise as a result of new technological developments. Consultations consist of a series of one-day panel discussions presenting the broadest perspective possible.
OPC Complaint Process
The Privacy Commissioner has the authority to investigate all complaints made by individuals under the PIPEDA or the Privacy Act. Such complaints may include challenges accessing personal information from an organization or government department, or an individual believing that unnecessary personal data is being collected.
The Investigations & Inquiries branch of the OPC handles thousands of public inquiries annually. Filing a complaint is free for the public and all consultation is provided by the OPC. The Commissioner works independently to investigate potential violations, so the Commissioner does not act as an advocate for personal privacy rights.
The investigation process includes:
- Clarification of complaint.
- Communication with the respondent organization to determine if there have been corrective actions taken or proposed.
- Examination of records and carrying out of interviews.
- Analysis of information obtained.
- Determination of whether there is a basis for making findings or recommendations.
If the OPC determines that the complaint is well-founded, then it will make a post-investigation report, which includes:
- Summary of both parties.
- Findings and recommendations.
- Determining if an agreement has been reached.
- Request of proposed recommendations and actions to be taken by the organization, if necessary.
- Recourse to the Federal Court, if appropriate.
Areas of Focus
In recent years, there have been a number of notable investigations and areas of focus for the OPC, under the leadership of Commissioner Stoddart. These include:
- Online Social Networking
  - Social networking sites, like Facebook, MySpace, or LinkedIn, often do not comply with Canadian privacy policies and practices.
  - The OPC has conducted numerous public opinion polls and events to raise public awareness regarding the privacy implications of online social networking.
  - As a result of OPC investigations, Facebook has agreed to make the appropriate changes to their privacy policies and practices in order to comply with Canadian privacy legislation.
- TJX Data Breach
  - TJX is an American retail corporation which operates outlets in Canada as well as Puerto Rico, the UK and Ireland.
  - In 2007, the OPC investigated a major data breach involving a network computer intrusion which affected 45 million payment cards worldwide.
  - The OPC maintained that every organization in Canada will be held to the principles established in the PIPEDA or other provincial privacy legislation.
  - Recommendations from this investigation included: implementing multiple layers of security; keeping up to date with technological advances; and, most importantly, not collecting or retaining personal information unnecessarily.
- Increase private sector awareness
  - The OPC has published numerous resources and conducts regular training and education programs to ensure that the private sector is aware of its responsibilities under the PIPEDA.
  - One concern is ensuring that small and medium businesses are also kept abreast of privacy policies and practices. The OPC helps support such businesses in complying with privacy legislation by promoting the business benefits of doing so.
- Promote youth privacy online
  - OPC research has shown that the majority of Canadian youth ignore the privacy settings and security rules on online social networks.
  - As a result, the OPC has launched an online resource to educate youth about privacy practices and to generate discussion regarding the effects of new technologies and social networking tools on their privacy.
This article gives an overview of the role of the Privacy Commissioner of Canada as well as the Office of the Privacy Commissioner (OPC). It introduces the legislation which protects Canadian privacy rights: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC’s responsibilities, services and complaint procedures are also described.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Canadian government and legal system (I.A.a.)
- Office of the Federal Privacy Commissioner (II.B.e.i.1.a.)