Privacy Complaints Process
When an individual feels that his or her personal information has been collected, used or disclosed by a government institution in contravention of privacy and access laws, he or she should call, write or visit the government office that has possession of the information to try to resolve the matter. If they can’t resolve it directly, they may file a privacy complaint directly with our office.
Under the Freedom of Information and Protection of Privacy Act (FIPPA), and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), The IPC has jurisdiction over access to information and privacy concerns related to:
- all provincial ministries
- most provincial agencies, boards and commissions
- universities and colleges of applied arts and technology
- local government institutions, such as municipalities, police, library, health and school boards, and transit commissions
Under the Personal Health Information Protection Act (PHIPA), the IPC has jurisdiction concerning the collection, use and disclosure of personal health information by hospitals and other health care providers.
Privacy complaint files are reviewed by the IPC Registrar and a team of analysts, who will ensure that the complaint falls within IPC’s jurisdiction. If it doesn’t, the complaint may be screened-out at the Intake stage. A complaint may be screened out for other reasons.
Before deciding if a file should be screened out, the analyst will:
- contact the complainant to clarify the details of the privacy complaint
- explain the IPC procedures
- contact the institution to discuss the complaint and gather additional information
Some privacy complaints can be resolved quickly without having to go through a formal investigation. In these cases, the Registrar will refer the case to an intake analyst who will work on an informal settlement with the parties involved.
If the privacy complaint is not dismissed or settled through Intake Resolution, it will be assigned to an investigator. The investigator will clarify the complaint, contact the parties, gather information, and attempt a settlement. If a settlement is not possible, the investigator may issue a Draft Privacy Complaint Report to the parties.
After reviewing the facts, an investigator may send a Draft Privacy Complaint Report to the parties, which includes:
- a summary of the complaint
- a discussion of the information collected as part of the investigation
- the investigator’s conclusions and recommendations (if any) to the parties
The parties can comment on any factual errors and/or omissions in the Draft Privacy Complaint Report.
At the end of the investigation, the investigator will send the finalized Privacy Complaint Report to the parties under his/her signature, with the endorsement of the Assistant Commissioner or Commissioner.
The investigator will also follow-up with the institution to ensure that any recommendations have been implemented.