Privacy

The OIPC has authority to conduct an investigation of a breach of privacy under both the Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015) and the Personal Health Information Act (PHIA). An individual who believes that there has been an improper collection, use or disclosure of his or her personal information by a public body may file a complaint with the OIPC under ATIPPA, 2015. A complaint of an improper collection, use or disclosure of personal health information by a health custodian may be made to the OIPC under PHIA.

Privacy Complaint

A privacy complaint under the ATIPPA, 2015 must be filed with the OIPC in writing and within one year after the complainant becomes aware of the improper collection, use or disclosure of his or her personal information. (The OIPC may allow a longer period of time for filing a complaint in appropriate circumstances.)

PHIA allows for the filing of a privacy complaint where the health custodian has improperly collected, used or disclosed the complainant’s personal health information. The privacy complaint must be made within one year of the complainant’s discovery of the improper collection, use or disclosure of his or her personal information. (The OIPC may allow a longer period of time for filing a privacy complaint in appropriate circumstances.)

There is no cost for filing a privacy complaint under either of the Acts.

Investigation Process under ATIPPA, 2015

On January 16, 2008, the protection of privacy provisions (Part IV) of the ATIPPA, 2015 were proclaimed into force. These provisions limit the extent and means by which public bodies can collect personal information, as well as the extent to which public bodies can use and disclose that information. Part IV requires public bodies to make every reasonable effort to ensure that personal information is accurate and complete, to make reasonable security arrangements against unauthorized access, collection, use, disclosure or disposal of personal information, and to retain certain personal information about an individual in order to allow that individual a reasonable opportunity to obtain access to the information.

"Personal information" is defined in the ATIPPA, 2015 as "recorded information about an identifiable individual." It includes, but is not limited to:

If you believe that your personal information, in the custody or under the control of a public body, has been improperly collected, used or disclosed, is not correct, accurate or complete, has not been adequately protected, or has not been retained for the minimum period, you may file a complaint with this Office by completing our Privacy Complaint Form.

Complaints may be mailed, dropped off, or sent by fax or email. Those sent by email must contain a scanned copy of a signed and dated complaint form; otherwise they will not be accepted. If you have any questions or concerns regarding this process, please contact our Office and we will assist you. There is no cost to file a complaint with this Office.

Once the OIPC has determined that the privacy complaint has merit and that the OIPC has authority to investigate the complaint, a copy of the privacy complaint is sent to the public body alleged to have committed the privacy breach by improperly collecting, using or disclosing the personal information. The OIPC will ask the public body involved to provide a response to the allegation of the complainant and will require the public body to provide all relevant records in relation to the complaint.

The OIPC will take any steps considered appropriate to informally resolve the complaint to the satisfaction of the complainant and the public body. If both the complainant and the public body are satisfied with the informal resolution, then that is the end of the complaint process and the file will be closed.

If the complaint is not resolved within a reasonable period of time, then the OIPC will conduct a formal investigation and complete a written report containing the Commissioner’s findings and any necessary recommendations. The formal investigation process is required to be conducted within an appropriate period of time taking into account the complexity of the matter under investigation.

The OIPC has authority to refuse to investigate a privacy complaint under specified circumstances; for example, where the OIPC is satisfied that the public body has responded adequately to the complaint or that the privacy complaint could be more appropriately dealt with by another process.

The Report from the OIPC may contain recommendations that the public body cease an improper collection, use or disclosure of personal information or that the public body implement proper information management and protection policies. The Report with the findings and recommendations will be provided to the public body and the person who made the privacy complaint.

The public body against whom the complaint has been made is required to respond to the recommendations in the Report within 10 days of receiving the Report. The response to the recommendations must be provided to the OIPC and to the person who filed the complaint. If the public body decides not to comply with the recommendations of the OIPC, then the public body must apply to the Trial Division of the Supreme Court of Newfoundland and Labrador for a declaration that the public body is not required to comply with the recommendations. There are certain circumstances where the OIPC may file an order in the Trial Division requiring the public body to stop collecting, using, or disclosing personal information in contravention of the Act or requiring the public body to destroy personal information collected in contravention of the ATIPPA, 2015.

The types of recommendations that can be made by the OIPC following a privacy complaint investigation are set out in the ATIPPA, 2015. The Act does not give the OIPC any authority to make recommendations regarding such matters as the dismissal of an employee by a public body, the payment of a fine by a public body or the awarding of any compensation to the person who has filed a privacy complaint.

Investigation Process under PHIA

PHIA allows for a privacy complaint to be filed by a person who believes on reasonable grounds that a custodian has breached a provision of the Act in respect of his or her personal health information or the personal health information of another. The complaint must be in writing and filed with the OIPC within one year of the complainant becoming aware of the violation of the Act. (The OIPC may allow for a longer time in appropriate circumstances.)

Once the OIPC has determined that the privacy complaint has merit and that the OIPC has authority to investigate the complaint, a copy of the privacy complaint is sent to the custodian alleged to have committed the privacy breach. The OIPC will ask the custodian to provide a response to the allegations of the complainant and will request the custodian to provide all relevant records in relation to the complaint. (The custodian is legally obligated to provide the information requested by the OIPC.)

The OIPC will take any steps considered appropriate to informally resolve the complaint to the satisfaction of the complainant and the custodian. If both the complainant and the custodian are satisfied with the informal resolution, then that is the end of the complaint process and the file will be closed.

If the complaint is not resolved within 60 days, then the OIPC will conduct a review of the subject matter of the complaint. The review must be conducted within 120 days of receiving the complaint and following the review the OIPC is required to prepare a report of its findings and recommendations.

The OIPC has authority to decide not to conduct a review under specified circumstances; for example, where the OIPC is satisfied that the custodian has responded adequately to the complaint or that the privacy complaint could be more appropriately dealt with by another procedure or proceeding.

The Report from the OIPC may contain recommendations that the custodian cease an improper collection, use or disclosure of personal health information or that the custodian implement a necessary information practice. The Report with the findings and recommendations will be provided to the custodian and the person who made the privacy complaint.

The custodian against whom the complaint has been made is required to respond to the recommendations in the Report within 15 days of receiving the Report. The custodian’s response to the recommendations must be provided to the OIPC and to the person who filed the complaint.

The types of recommendations that can be made by the OIPC following a privacy complaint investigation are set out in the PHIA. The Act does not give the OIPC any authority to make recommendations regarding such matters as the dismissal of an employee, the payment of a fine or the awarding of any compensation to the person who has filed a privacy complaint.

Commissioner's Reports