Chapter 12: Privacy Complaints, Breaches and Investigations
The IPC has authority under the legislation to investigate matters related to an institution’s collection, use, disclosure, retention, security, disposal and destruction of personal information.
When an individual believes an institution has collected, used or disclosed personal information in a manner not consistent with the legislation, they may file a privacy complaint with the IPC.
Institutions may also self-report privacy breaches where the institution has discovered personal information has been accessed by an unauthorized individual or was disclosed in a manner not consistent with the legislation, either intentionally or in error.
In rare cases, an IPC-initiated privacy complaint may be opened. This could involve a matter that the IPC considers worthy of investigation but where there is no complainant.
This chapter outlines the IPC’s approach to investigating privacy complaints and breaches.
Individuals have the right to complain to the IPC when they believe that an institution has not complied with the privacy rules on the collection, use, disclosure, retention, security, disposal and destruction of their personal information.
Privacy complaints are usually the result of a privacy breach, which is an incident where personal information is collected, retained, used, disclosed or disposed of in ways that do not comply with the provisions of the legislation.
Individuals are encouraged to attempt to resolve privacy complaints directly with institutions. Institutions have an obligation to work with individuals in addressing privacy concerns.
If an individual believes an institution has not adequately addressed their concerns, the individual may file a privacy complaint with the IPC. The IPC requires the individual to complete a form outlining the following information:
- The individual’s own contact information (name, address, telephone);
- The institution’s name;
- Details of the nature of the complaint; and
- Details of how the complaint should be resolved.
The privacy complaint form should be filed with the IPC’s Registrar.
Institution Reported Privacy Breaches
Institutions may also self-report privacy breaches and incidents to the IPC. While the legislation does not require institutions to report privacy breaches to the IPC, it is best practice for institutions to self-report substantial breaches to the IPC.
Reporting substantial privacy breaches allows the IPC to understand the nature of the breach and steps being taken to contain and respond to the breach. Proactively sharing information gathered from the institution’s own internal investigation and details about how the institution is responding to the breach assists the IPC in determining if further investigation or remedial action is required.
Privacy Investigation Process
The IPC has broader authority in the context of privacy investigations. A privacy breach is likely the most common reason for an investigation. In addition, the IPC may also comment on the privacy protection implications of proposed legislative schemes or government programs.
As a result of an investigation, the IPC can order an institution to cease a personal information collection practice, and to destroy a collection of personal information that contravenes the legislation.
The IPC can handle privacy investigations informally and formally. In either case, the institution needs to provide information and participate in discussions and meetings with the IPC.
A privacy complaint can be handled informally when the complainant and institution can agree on an approach to resolve the issue. This usually involves information sharing to achieve an understanding of what happened or why the information was used in a certain way.
In these cases, the IPC may confirm the resolution by writing a letter to the institution rather than publishing a formal investigation report. There are also times when the individual who submitted the complaint is not satisfied, but the IPC dismisses the complaint at an early stage based on the information presented to it. If the complaint is neither resolved in a mutually satisfactory way nor dismissed at an early stage, a formal privacy investigation follows.
In a formal privacy investigation, the IPC follows the main steps outlined below:
Notice and request for information: The IPC notifies the institution that a complaint has been received and requests information relating to the institution’s position on the matter.
Investigation: The investigation may require a personal visit to the institution by the investigator and/or meetings with key program staff. Copies of relevant documents must be provided.
Draft report: The IPC may conclude with a letter in straightforward matters. In other cases, the matter will proceed with a draft report. Where a privacy breach has occurred, the draft report may include recommendations to prevent future breaches.
Both the institution and the individual who submitted the complaint are asked to comment on errors or omissions in the draft report.
Final report: Formal investigations may result in a formal public report, usually if the matter is of interest to the public. Where recommendations have been made, the IPC will request evidence of implementation of the recommendations within six months of the date of the final report.
Evidence can be in the form of a letter and supporting documentation, such as a copy of a new policy or notice form.
Follow-up: Within six months, the IPC will contact the institution to find out the status of recommendations, and if nothing has been done, the reason why.