The Personal Information Protection Act (PIPA) requires organizations to have a process in place that individuals can use to make complaints about the organization's compliance with the Act. As well, PIPA permits the Information and Privacy Commissioner to refer an individual's complaint against an organization back to the organization if he is not satisfied that the individual attempted to first resolve the complaint with the organization.
Having an accessible and effective complaint handling process is an important part of managing privacy risks within your organization because it helps you to:
- address complaints in a timely manner;
- identify and address systemic or ongoing compliance problems;
- increase consumer confidence in your privacy procedures; and,
- demonstrate your commitment to privacy and build a good reputation for your organization.
REMEMBER...
The more accessible and responsive your organization's complaint-handling process is, the more effectively you can contain a potentially explosive situation and better preserve or restore customer or client confidence in your organization.
Setting up an Accessible and Responsive Complaint-Handling Process
1. Decide who in your organization will be responsible for receiving and handling complaints about the organization's compliance with the Act.
Although different individuals within the organization may be called upon to help investigate complaints, it is a good idea to have one department or individual responsible for receiving all complaints to ensure that they are responded to in a timely way. It is probably simplest for both customers and staff if the individual who is responsible for ensuring the organization complies with the Act (e.g., the Privacy Officer) is the same individual responsible for receiving and responding to complaints.
2. Develop and implement a complaint procedure that is easily accessible, understandable and simple to use.
3. The procedure on handling and responding to privacy complaints should be written and communicated to both staff (so they know what to do if they receive a complaint) and customers (so they know what to expect if they make a complaint). Such a procedure should address the following points.
4. Decide in what format you will accept complaints (e.g., verbal, in writing, by email). If you deal mainly with your customers in writing, you may wish to only accept complaints in writing. On the other hand, if most of your interactions with your customers are verbal, you may also wish to accept verbal complaints. Whatever you decide, your procedure should be adaptable where appropriate (i.e., it may not be reasonable to expect someone who cannot write - due to language or other difficulties - to make a complaint in writing).
FOR CONVENIENCE...
You may wish to develop a complaint form (or adapt an existing form) to assist complainants in documenting their complaint. This approach may also make it easier for your organization to collect the information you need to investigate and respond to the complaint.
5. When a privacy complaint is received by the organization, it should immediately be forwarded to the individual or department responsible for responding to privacy complaints (e.g., the Privacy Officer).
6. Staff, upon request, should be able to inform an individual of the procedure for making a complaint and who to contact within the organization about the complaint. A complainant should also be informed of the right to complain to the Information and Privacy Commissioner if he or she is not satisfied with the organization's response to the complaint.
7. When the complaint is received by the Privacy Officer (or other individual responsible for responding to privacy complaints), the date the complaint was received should be recorded.
8. If the complaint was received verbally, the nature of the complaint (e.g., delays in responding to a request, incomplete or inaccurate responses, or improper collection, use, disclosure or retention) should be recorded.
9. Acknowledge receipt of the complaint promptly.
10. Contact the individual to clarify the complaint, if necessary.
11. Investigate all complaints received.
12. Ensure your complaint process is fair, impartial and confidential.
TO BE FAIR...
The investigation of a complaint should be assigned to a person with the skills necessary to conduct it fairly and impartially. Only in extenuating circumstances (e.g., sole proprietorship) should the complaint be assigned to a person who is the subject of the individual's complaint.
13. Give the investigator access to all relevant records, employees or others who handled the personal information or access request.
14. Where the complaint is justified, take appropriate measures to rectify the situation, including correcting information handling practices and policies where necessary and communicating those changes to relevant staff.
15. Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
16. Record all decisions to ensure consistency in applying the Act.
17. Follow up to verify that required changes to policies, procedures or practices have been undertaken.
This page was last updated January 19, 2004.