Audit and Compliance Program

OIPC has established an Audit and Compliance Program to assess the extent to which public bodies are protecting personal information and complying with access provisions under ATIPPA, 2015.

An audit provides an assessment of whether a public body is following good personal information protection, access, and correction practices. A public body being reviewed under the Audit and Compliance Program may be assessed on any aspect of its ATIPPA, 2015 obligations with regard to access, collection, use, disclosure, protection, retention, or disposal of personal information.

As OIPC is not able to audit every public body on an ongoing basis, when identifying subjects and entities for audit we will consider such factors as the number of individuals potentially affected, the nature and sensitivity of the personal information being processed, and the nature and extent of any likely damage or distress caused by non-compliance.

Completed assessments will be published for their value as an education tool for all public bodies. Audits will identify areas where a public body may excel with regard to compliance, safeguards, and overall access or privacy management. Importantly, they will also highlight areas where improvements are needed in order to comply with legislation and guidelines.