PIPEDA Compliance Framework

Audit - s. 18(1)

If the Commissioner has reasonable grounds to believe that an organization is contravening a provision of Division 1 or is not following a recommendation set out in Schedule 1, the Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization pursuant to subsection 18(1) of PIPEDA.

In order to initiate an audit based on reasonable grounds, the Commissioner must believe, in good faith, and on the basis of some credible evidence, that there is a serious possibility of a contravention of Division 1 or a failure to adhere to a recommendation in Schedule 1. Four criteria are typically applied to determine whether this threshold has been met:

• The Commissioner must exercise this discretionary enforcement authority in an honest and non-abusive manner;
• The Commissioner's discretion must be exercised on the basis of a clear record of facts and analyses which exists at the time the audit is ordered;
• The information must be capable of being believed and the Commissioner must not be aware of any cogent reason for rejecting the information as lacking credibility; and,
• The Commissioner must be able to assert that, at a minimum, the information available is such that it could realistically lead auditors on a focussed train of enquiry which would reveal systemic non-compliance with statutory requirements.

The Framework for Initiating Audits is the document that will guide the decision to audit or not.

In the course of an audit initiated under section 18(1), the auditor has the delegated authority to receive evidence from witnesses (including on oath or by affidavit), may converse in private with any person, may enter premises at any reasonable time, and may examine or obtain copies of records found on the premises.

Where necessary, the Privacy Commissioner or her delegate, may order individuals to appear before her and compel them to give oral or written evidence and to produce any records she considers necessary for the purposes of the audit.

After an audit, the Commissioner shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the Commissioner considers appropriate.

The report may be included in the Commissioner's annual report and/or be disclosed in the public interest.

Public Interest Disclosure - s. 20(2)

The Commissioner may make public any information relating to the personal information management practices of an organization if the Commissioner considers it in the public interest. The Commissioner may decide to disclose publicly in the context of her Annual Report, or at any time. Whether the public interest threshold is met in a given case depends on a number of considerations. The following criteria are typically applied to determine whether this threshold has been met.

• The Commissioner's decision to disclose must be based on a clear record of facts and analyses setting out the Commissioner's assessment of why disclosure is in the public interest;
• The decision should be made on a case-by-case basis, not as a matter of general policy in favour of universal disclosure;
• The Commissioner should be able to articulate how the disclosure of information advances the purposes of PIPEDA - there must be some reason for public disclosure which is rationally connected to the purpose for which the discretion was granted;
• The Commissioner must undertake an explicit bal ancing of competing interests in disclosure and confidentiality, recognizing that there is public interest in both; and,
• The extent of the disclosure should be limited to the information that is necessary to achieve the intended purpose.

Federal Court - sections 14, 15 and 16

After receiving the Commissioner's letter of finding, the complainant has 45 days, or longer with the Court's permission, to apply to the Federal Court for a hearing pursuant to section 14 of PIPEDA. The complainant may apply for a hearing in respect of any matter regarding the complaint or referred to in the Commissioner's letter of finding and that is referred to in:

• Clause 4.1.3, 4.2, 4.3.3., 4.4., 4.6, 4.7 or 4.8 of Schedule 1
• Clause 4.3, 4.5 or 4.9 of Schedule 1 as modified by sections 5-10, or
• subsections 5(3) or 8(6) or 8(7), or section 10 of the Act.

The Commissioner may, in respect of complaints she did not herself initiate, appear before the Court on behalf of the complainant who has applied for a section 14 hearing, or may appear as a party to the proceedings, with leave of the Court. In addition, if the Commissioner has the consent of the complainant, the Commissioner herself may apply to the Court for a hearing under section 15 of PIPEDA in respect of a complaint that she did not initiate.

In respect of Commissioner-initiated complaints, the Commissioner may also apply for a Court hearing. Commissioner-initiated complaints are subject to the same delay of 45 days, and must relate to one of the possible matters referred to above.

Pursuant to either a section 14 or a section 15 application, the Court may, in addition to any other remedies:

• order an organization to correct its practices to comply with sections 5-10;
• order an organization to publish a notice of any action taken or proposed to be taken to correct its practices; and
• award damages to the complainant, including damages for any humiliation that the complainant has suffered.

For more information, see our Fact Sheet regarding Federal Court applications under PIPEDA.

Offences - s.28, s. 20(5)

• Offences under PIPEDA include:
  • Knowingly destroying or otherwise discarding of personal information that is the subject of an access request (s. 8(8));
  • Knowingly retaliating against an employee who, in good faith and on the basis of reasonable belief, has disclosed a potential contravention to the Commissioner, refused to partake in the contravention and/or attempted to avoid the contravention (s. 27.1(1));
  • Obstructing the Commissioner or her delegate in the investigation of a complaint or in conducting an audit (s. 28)
• The Commissioner may disclose to the Attorney General of Canada or of a province information relating to the commission of an offence against any law of Canada or of a province if, in the Commissioner's opinion, there is evidence of an offence on the part of an officer or employee of an organization.