Develop a Privacy Complaints Process
Last updated on March 31, 2016As part of your organization’s privacy policy, you must establish procedures to receive and respond to your customer’s privacy complaints. Developing a responsive complaints process will help your organization to:
- Address complaints quickly and effectively
- Identify and address any systemic or ongoing compliance problems
- Increase consumer confidence in your organization's privacy procedures
- Strengthen the good reputation of your organization
- Avoid complaints moving to the Information and Privacy Commissioner
What to Include
Your privacy complaint process must address:
- Who will receive and handle complaints
- How you’ll handle complaints
- How you’ll accept complaints
- How you’ll inform customers about the process
- How you’ll document complaints
- How you’ll ensure the process is impartial
- How you’ll correct any issues identified in the complaint
Who will receive and handle complaints
When a privacy complaint is received by your organization, immediately forward it to your privacy officer. It’s easier and more efficient for both customers and employees if the same individual responsible for ensuring privacy compliance is also responsible for receiving and responding to outside complaints.
How you’ll handle complaints
Ensure that for all privacy complaints your organization will:
- Investigate
- Acknowledge receipt promptly
- Contact the individual to clarify the complaint, if required
- Follow a fair, impartial and confidential process
How you’ll accept complaints
If you deal mainly with your customers in writing, you may choose to accept complaints in writing. If most customer interactions are verbal, you may choose to accept verbal complaints. Whatever you decide, your procedure must be adaptable where appropriate to ensure accessibility.
How you’ll inform customers about the process
If asked, your employees must be able to explain your organization’s privacy complaint process and identify who customers can contact to file a complaint. Employees must also inform customers of their right to contact the Information and Privacy Commissioner if he or she is not satisfied with your organization's response to the complaint.
How you’ll document complaints
Document all privacy complaints and always include the date you received them. Consider developing a form to help your customers file their complaint. This approach can make it easier to collect the information you need to investigate and respond. If the complaint was received verbally, record the details immediately.
How you’ll ensure the process is impartial
The person assigned to investigate the complaint must be able to conduct it fairly and impartially. Don’t assign the investigation to a person who is the subject of the complaint. The investigator must have access to all relevant records, employees or other individuals who handled the personal information involved.
How you’ll correct any issues identified in the complaint
Your organization must work to rectify the situation, including correcting practices and policies where necessary and communicating those changes to employees. Be sure to document every decision made as the result of an investigation. You must notify the complainant of the outcome of your investigation and explain any corrections and preventative steps you’ve taken. Verify that any required changes to policies, procedures or practices have occurred.
The Office of the Information and Privacy Commissioner offers a number of tools and resources for private organizations.
Contact information
250 356-1851