The less transparent organizations are about their privacy practices, the more difficult it is for a data subject to make a decision about who to trust with their personal information. By being transparent about informational privacy practices in legislation, the data subject can make more informed decisions about who and when to release their own information.
Organizations that collect personal information benefit as well; in Ontario, for example, where legislative enforcement is generally complaint based, having a happy customer means a customer who does not register complaints with enforcement bodies (either the IPC or the OPC). Increasing complaints and inquiries can generally be considered to reflect misunderstandings between the data subject and the organization.
Complaints under the Privacy Act
In 2009 under the Privacy Act (Canada’s oldest privacy legislation), which governs federal Government privacy practices (including the management of employee personal information), there were 2,572 inquiries and 665 complaints received. The next year, inquiries dropped to 1,944 and complaints rose to 708. For 2011, inquiries dropped again to 1,310, while complaints rose again to 986. Over the 2012-2013 reporting period, there were 2,599 inquiries (almost double) while complaints increased to 1,458. Historical data is provided below:
Inquiries and Compliants under Canada’s Public Sector Privacy Legislation (Office of the Privacy Commissioner of Canada, 1984, 1985, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2003a, 1986, 2004, 2005b, 2006b, 2007b, 2008b, 2009b, 2010b, 2011b, 2012b, 2013b, 1987, 1988, 1989, 1990, 1991, 1992, 1993).
The notable spike in complaints in 2003-2004 was notably the result of over 500 complaints filed from First Nations groups with Health Canada over a consent form. The form was subsequently changed.
Complaints under FIPPA
Specific data on complaints filed under FIPPA in first five years of reporting is not published. The significant decrease from the 1995 through 1998 period was due to a process change; much of what was previously handled as a formal privacy compliant was resolved informally at the intake stage beginning in 1997. By the time the 25 year report was issued, 2,139 complaints had been processed. An overview:
Compliants under Ontario’s Provincial Public Sector Privacy Legislation (Information and Privacy Commissioner / Ontario, 1996, 1997, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005)
Complaints under MFIPPA
Complaints under municipal legislation were not recorded until 1991, and specific data was not made public until 1994. By the time the 25 year report was issued (2012), 1,766 complaints had been processed. An overview is provided below:
Complaints under Ontario’s Municipal Public Sector Privacy Legislation (Information and Privacy Commissioner / Ontario, 1996, 1997, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005)
Complaints under PIPEDA
Under PIPEDA, the number of complaints has remained relative steady over time in recent years. In 2009, there were a total of 231 new complaints opened and 5,095 inquiries from the public received. In 2010, the numbers decreased slightly to 207 complaints and 4,793 inquiries. In 2011, they rose to 5,236 information requests and 281 new complaints accepted. A decrease was evident again in 2012 in new complaints filed (total of 220), 4474 information requests were received and 33 breach notifications filed (made publicly available for the first year). Historical data is provided:
Inquiries and Compliants under Canada’s Private Sector Privacy Legislation (Office of the Privacy Commissioner of Canada, 2001, 2003a, 2003b, 2004, 2005a, 2006a, 2007a, 2008a, 2009a, 2010a, 2011a, 2012a, 2013a)
The office also publishes findings and relevant sections of the Act. A brief review of available data, the majority of complaints are based on the consent principle of the legislation; in other words, data subjects are expressing unhappiness with how organizations are managing their data as stated in consent forms.
Complaints under PHIPA
During the first full year under PHIPA, 177 new complaints were opened and 108 were closed. 59% of those new complaints involved access or correction to existing records of personal health information (PHI). 23% were breaches (19% self-reported, 4% initiated by the regulatory office) and 26% regarded the collection, use and / or disclosure of PHI. Over the past 9 years, the overall numbers have steadily increased. By 2013, 126 access and correction complaints were opened (7% down from the previous year). Self-reported breaches by organizations were down 3% to 184, while officially initiated breach investigations were up 21%. New individual complaints rose 7% over 2012. Historical data:
Compliants under Ontario’s Health Privacy Legislation (Information and Privacy Commissioner / Ontario, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014)