OIPC Policies & Jurisdiction

Welcome to the second installment in a series all about the OIPC. In this series, I will take you through the essential elements of the OIPC, covering key topics such as governing legislation, jurisdiction, the complaint review process, requests for personal information reviews, and the protocol for responding to privacy breaches. Stay tuned to learn all about the OIPC!

This post focuses on the OIPC’s jurisdiction and its governing policies.

OIPC Policies can be found on the policy section of the OIPC website and have last been updated November 2021 at the time of writing. There are also guidance documents available in plain language so organizations can best understand how OIPC policies affect their business practices. The policies outline the process for:

• Complaints
• Requests for review
• Inquiries
• Requests for review of deemed refusals
• Requests for authorization to disregard access requests
• Requests for authorization to indirectly collect personal information (FIPPA only)
• Requests to contact potential study participants for health research (FIPPA only)

There is also an OIPC Unreasonable Behaviour Policy for vexatious or abusive litigants. You will find a section for each of these processes further down in this memo.

The Commissioner oversees the information and privacy practices of organizations that collect, use, or disclose personal information. This can include companies located in the province but headquartered elsewhere. The organization must be the subject of provincial regulation for the OIPC to have jurisdiction. For example, the provincial Commissioner does not have jurisdiction over federal entities like banks, airlines, and telecommunications.

The Commissioner has the power to:

• Investigate, mediate and resolve appeals concerning access to information disputes, including issuing binding orders;
• Investigate and resolve privacy complaints;
• Initiate Commissioner-led investigations and audits of organizations, if there are reasonable grounds of non-compliance or if it is in the public interest;
• Comment on the access and privacy implications of proposed legislation, programs or policies;
• Comment on the privacy implications of new technologies and/or data matching schemes;
• Conduct research into anything affecting access and privacy rights; and
• Educate and inform the public about their access and privacy rights and the relevant laws.

In summary, the OIPC is essential in overseeing information and privacy practices within its jurisdiction. Its comprehensive policies and guidance documents help organizations navigate privacy issues effectively. With the Commissioner’s authority to investigate, mediate, and educate, the OIPC is committed to safeguarding access and privacy rights in an increasingly digital world.

If you have questions about the topics discussed in this post, or any other related questions, please get in touch with Jaeda Lee or any other member of our Privacy and Data Protection group.