Guest Post by Robin M. Bayley, Linden Consulting Inc. (Victoria BC).
(A Version of This Article Appeared in Privacy Laws and Business International Report, April 2017).
Companies subject to privacy legislation can do much to prevent a privacy complaint from a customer from becoming a complaint to a privacy commissioner. The measures can be summarized as: be transparent, receptive, diligent and polite, and tell the truth. One might hope those were self-evident and would characterize all privacy complaint processes. Sadly, this is not universally the case.
This post is based on my own experience of lodging privacy complaints to the Office of the Privacy Commissioner (OPC) against companies in Canada, under our Personal Information Protection and Electronic Documents Act (PIPEDA). It refers to the Canadian private sector privacy law, guidance documents and examples, but the lessons learned are universal.
Complaints policies and practices are some of the most-neglected areas of publicly available privacy policies. One might assume, therefore, that internal processes are not well developed either. At most, the average privacy policy will describe a means of contact for questions and complaints. This lack of detail, as well as the number of mistakes made in handling complaints, reinforces this assumption.
Yet, it is in an organization’s interests to develop and codify its complaints processes and train employees to follow them, because the consequences of not doing so are serious. I commonly add complaints about redress to the original issue in my OPC complaint because the complaint has been handled so poorly, and I am not alone. My survey of Canadian published investigation reports and summaries indicates that when a complaint to the OPC contains a complaint about a redress process, the charge is usually upheld, even if allegations about another substantive matter are not deemed well-founded. That is, an organization that does not comply with PIPEDA’s redress requirements may find itself expending a good deal of time and effort in a regulatory enforcement process that has a good chance of going against it.
Developing and following a comprehensive privacy complaints process, including a feedback loop to your practices, may prevent a complaint to the privacy oversight body, but even if it does not, it may limit the scope of the complaint.
Organizations should be thankful for the requirements of Canadian privacy commissioners that the complainant ought first to exhaust internal grievance or other review procedures before the Commissioner’s office will accept a complaint. Direct complaints from an individual provide valuable feedback about privacy values and an early warning system that internal procedures have failed. Providing individuals with a well-communicated and readily accessed complaints procedure, in which they deal with competent employees and an organization that is willing to admit mistakes, can avoid a more onerous and potentially damaging investigation by the oversight body. Organizations may not realize that a complainant may be satisfied with a resolution that an oversight body might not accept.
In handling a privacy complaint, an organization should consider what would happen if the issue went directly to the oversight body. It should look for similar published cases that might provide satisfactory evidence for the complainant to understand that the complaint is not warranted. Or, if the case could go against the organization, admitting the mistake is the first step to taking corrective measures that could improve an organization’s operations and reduce liability and regulatory risk. Sadly, few organizations are willing to entertain the thought that they are not fully complying with privacy legislation or, worse yet, admit that to a complainant.
Redress requirements
PIPEDA’s redress requirements give individuals the right to challenge or complain to organizations about their compliance with the Act. Under Principle 4.10, organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use. One OPC case cites an online privacy policy with a link to a privacy complaint form as an accessible means.
Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. PIPEDA further requires organizations to investigate all complaints and, if a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.
Each time a complaint proceeds to the OPC, there is a chance that further rules will be established. PIPEDA has no statutory response period for complaints, unlike for access requests, but PIPEDA Case Summary #2010-006 established some precedent. When individuals have questions, challenges or complaints about how the organization collects, uses or discloses their personal information, these must be addressed by the organization’s privacy officer, who should follow established procedures to respond within 30 days. Had this complaint been handled properly in-house, all organizations might not have to adhere to this standard for timeliness.
The Office of the Privacy Commissioner of Canada outlines organizations’ responsibilities in providing recourse in its 2015 Privacy Toolkit for Business: A guide to complying with the Personal Information Protection and Electronic Documents Act (The Guide):
- Develop simple and easily accessible complaint procedures.
- Inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
- Investigate all complaints received.
- Take appropriate measures to correct information handling practices and policies.
How to avoid the Privacy Commissioner’s attention?
Successful OPC recourse cases suggest to me two further measures. Since many of the upheld complaints have boiled down to an inability of a complainant to contact the Chief Privacy Officer (CPO) and the inability of the employees who receive complaints to adequately deal with them, organizations can stem complaints to the Commissioner by:
- Publishing contact information of the CPO or equivalent in their website privacy policies, and
- Having that office triage privacy complaints.
The latter would invert the process generally used by large organizations, of starting with generalist staff, and escalating to the CPO from there. OPC decisions recognize that privacy complaints can be difficult to identify, and can arise during the course of other types of complaints. Queries can turn into complaints without an explicit statement to that effect.
PIPEDA OPC Case Summary #2005-315 went against a web-centred company that used generalist staff for privacy complaints. The complainant had specifically requested the name and telephone number of the person to whom she could escalate the matter. It was at that point that the employees who had been dealing with her should have brought the matter to the attention of the company’s privacy officer. The other matters under complaint were not substantiated, or were found to be resolved. Had the organization had a good complaints process in place, even if it had not been able to resolve the original privacy complaint, it would not have had a complaint against it upheld with the oversight body.
In PIPEDA Report of Findings #2016-002, the complainant stated that she was not given an opportunity to view or challenge the accuracy of the information included about her when she learned that she was on a bad tenant list of a landlords’ association. One can only speculate that had she been afforded recourse, the case might not have been made to the Privacy Commissioner, who found that the organization improperly collected and used the personal information without consent.
The OPC Guide provides a step-by-step process for fulfilling recourse responsibilities: acknowledging and determining the substance of the complaint; clarifying with the complainant if necessary; assigning the matter to a person with the skills necessary to review it fairly and impartially; notifying complainants of the outcome of investigations clearly and promptly, informing them of any relevant steps taken; and finally modifying policies and procedures based on the outcome, and ensuring that employees are aware of any changes.
Each of these best practices is routinely flouted, but the most serious omissions are in not actually conducting an investigation or modifying practices. Instead, a closed mindset can lead to putting more energy into defending practices than investigating and considering them.
Organizations need to take complaints seriously, assess complaints with an open mind and an attitude that changing their policies and processes is a potential and valid outcome.
How can organizations help themselves?
My own tips for organizations to avoid privacy complaints being escalated to the oversight body are primarily related to attitudes and organizational culture:
- Listen to or read complaints thoroughly before responding. Don’t jump to conclusions. Be thorough and consider and respond to each allegation, as you would have to if responding to the oversight body.
- Be open to admitting mistakes – don’t merely pull up the drawbridge. Really consider the input in the complaint and conduct research before responding.
- Find out what your organization really does. Look at things from the viewpoint of an outsider. This takes time and effort.
- Separate any underlying issues from the privacy matter and avoid unreasonable collection and use of a complainant’s personal information already in your possession (such as previous complaints on other matters). They have no bearing.
- Be honest and open.
- Strike the right tone – Be polite, businesslike but not overly formal or legalistic and do not insult the complainant.
While a privacy complaint is a business transaction, it is also personal for the complainant. The complainant feels aggrieved and has taken time to write. Therefore, it is not just what you say, but also how you say it that may placate or alienate. There has usually been a single point when the organization said something in particular that elicited an emotional response and served as a tipping point that led me to complain to a regulator. An individual cannot pursue every instance of non-compliance, and will often accept compromise. Do not create an unnecessarily adversarial relationship in your communications.
As I stated in correspondence with a regulator during a complaint about a major bank: The tone was both paternalistic (in telling me that it had conducted an investigation and then not sharing its findings, but assuring me that it took my concerns seriously) and at the same time adversarial, insulting and inaccurate (as later indicated by your findings). The same employee handled an original dispute, and later, my privacy complaint. He cited the original dispute in what felt like an attempt to undermine my privacy complaint. I saw it as a privacy violation and conflict of interest. I certainly took that case to the Commissioner, with added redress related grounds, and it took years to reach its conclusion.
Of the dozens of complaints I have made to a privacy commissioner, only one was determined to be not well-founded in whole or in part. Yet only one complaint could be seen as potentially affecting the company’s business model or bottom line. Thus, one might have expected the companies to more readily have accepted input and been willing to change. Yet, the predominant attitude seems to be entrenchment and ill-considered defence.
Of course, avoiding privacy complaints in the first place is the best way to ensure that they don’t proceed to the oversight body. Privacy oversight bodies and governmental units responsible for privacy legislation produce compliance guides and bulletins. Follow those, as well as published decisions, to learn the lessons others have learned the hard way, and make changes to your organization’s practices if necessary.
Being open and accountable will help avoid formal complaints. Training first-contact staff to answer questions and posting specific, comprehensive and comprehensible privacy policies will go a long way. Ensure that staff members whose duties include responding to privacy complaints have good communication skills, knowledge of applicable legislation and a detailed complaints process to follow. Staff should know when to escalate to the CPO or privacy office. But treating complainants with respect and admitting mistakes may be the best ways to keep a complaint away from the privacy commissioner.