Under the Accountability Principle, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires, since its adoption in 2000, that organizations “designate an individual or individuals who are accountable for the organization’s compliance with the following [protection of information] principles.” The respective British Columbia and Alberta Personal Information Protection Act contain the same requirement. Yet, the jolt of Bill 64, the Québec Act to modernize legislative provisions as regards the protection of personal information (Bill 64), creating heavy fines and very specific duties for what we will call a Privacy Officer, brings to the fore the obligation and the challenge of designating the right person in that role. To guide organizations in that decision, we summarize here the specific legal requirements regarding the designation of a “Privacy Officer”, the particularities of Bill 64, the expectations of regulators in that regard, the best models to meet the legal requirements, and those to avoid, and we offer some guideposts to designate the right person as Privacy Officer.

  1. The legal requirements

PIPEDA, under the Accountability Principle at 4.1 of Schedule 1, vests accountability for an organization’s compliance with privacy law in the individual(s) designated as Privacy Officer. The identity of the Privacy Officer must be made known upon request. The required measures for internal compliance define the Privacy Officer’s duties. The Privacy Officer must ensure that:

  • Policies and practices are implemented to give effect to legal requirements under privacy law to protect personal information, receive and respond to requests, complaints and inquiries, train staff and communicate information about the organization’s policies and practices;
  • Outward facing privacy policies are developed and made public to explain the organization’s policies and procedures with respect to personal information;
  • Contractual or other means are adopted to ensure service providers receiving personal information through a service agreement provide that information with a comparable level of protection.

The related provisions of the British Columbia and the Alberta PIPA are substantively similar.

  2. The particularities of Bill 64

Until the passing of Bill 64 on September 22, 2021, Québec had the only private sector privacy legislation in Canada that did not create obligations with respect to the designation of a Privacy Officer. It now does, with new sections 3.1 and 3.2 creating the obligation to designate a Privacy Officer by September 22, 2022. Bill 64’s provisions are similar to the provisions in PIPEDA, with the following distinctions. Bill 64:

  • Vests accountability for ensuring an organization’s compliance with Bill 64 in the person “exercising the highest authority” in the organization;
  • Allows delegation of that function, entirely or in part, in writing, while keeping accountability with the person in highest authority;
  • Specifies that the governance policies and practices adopted to ensure internal compliance must be “proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information”;
  • Mandates specific functions for the Privacy Officer, such as the review of Privacy Impact Assessments (section 3.3), which are mandatory with respect to certain operations; advising on the assessment of the “risk of serious injury” in the case of a security breach (s. 3.7); receiving information on any violation of the Act and verifying it (s. 18.3); attesting to the cessation of dissemination of personal information to the individual who requested it (s. 28.1); addressing changes in parental authority (s. 30.1); and responding to individual rights requests and providing reasons for refusal (ss. 32 and 34).

The upshot is that, with Bill 64, legal requirements around the duties of the Privacy Officer have increased and become more specific. This forces renewed attention as to who an organization should designate as Privacy Officer.

  3. The regulators’ expectations

In Getting Accountability Right with a Privacy Management Program, the Office of the Privacy Commissioner of Canada, the British Columbia Information and Privacy Commissioner, and the Alberta Information and Privacy Commissioner include guidance on the designation of a Privacy Officer:

  • The obligation to designate a Privacy Officer applies whatever the size of the organization;
  • The Privacy Officer is responsible for the implementation of the organization’s privacy management program which means “structuring, designing and managing the program, including all procedures, training, monitoring/auditing, documenting, evaluating, and follow-up”;
  • Organizations should dedicate resources to training the Privacy Officer and to support the fulfilment of the role, with both financial and human resources;
  • The Privacy Officer should “establish a program that demonstrates compliance by mapping the program to applicable legislation”;
  • It is important to be able to “show how the program is being managed throughout the organization.” Documentation is therefore part of accountability.

Specifically, the Privacy Officer is expected to:

  • establish and implement program controls;
  • coordinate with other appropriate persons responsible for related disciplines and functions within the organization;
  • be responsible for the ongoing assessment and revision of program controls;
  • represent the organization in the event of a complaint investigation by a privacy commissioner’s office; and
  • advocate privacy within the organization itself.

Summarizing the “building blocks” of a Privacy Program, the regulators look for a Program where:

  • The Privacy Officer’s “Role exists and is fundamental to business decision-making process.”
  • It is “clearly identified and communicated throughout the organization.”
  • It includes responsibility for “the development and implementation of the program controls and their ongoing assessment and revision.”

Different Privacy Officer models work best for different organizations.

  4. Best models to comply with legal requirements

Organizations comply with the requirement to designate a Privacy Officer differently, depending on their size and structure:

  • Appointing the COO or CFO as Privacy Officer. Small organizations that do not have a General Counsel (GC) usually appoint the Chief Operations Officer (COO) or the Chief Financial Officer (CFO) as Privacy Officer because both play a central, cross-cutting role in the organization and have general compliance assurance obligations. In very small organizations the CEO is also the Privacy Officer. These models comply with legal requirements because the Privacy Officer is vested in a function that generally entails a compliance assurance role, is high enough in the organization to carry the necessary authority to obtain compliance, and is independent from the actual execution of the privacy program, which occurs under each business line and, critically, under the Chief Information Officer (CIO), Chief Technology Officer (CTO) or Chief Information Security Officer (CISO). The challenge for this model to be effective is to properly support the Privacy Officer, taking into account that the person has expertise quite foreign to privacy law. This type of Privacy Officer usually requires assistance to ensure privacy issues are fully identified so that they can be addressed. Ongoing training of the Privacy Officer will develop the ability to identify privacy issues, and alignment with specialized external counsel for relevant legal advice will ensure they are addressed, as needed.
  • Appointing the GC as Privacy Officer. Medium-sized organizations and some large organizations that have a GC often choose to appoint the GC as Privacy Officer. As a lawyer, the GC is responsible for legal compliance in general, which includes the privacy regulatory framework. The extension of the GC role to encompass that of Privacy Officer is quite natural. This model also complies with legal requirements because of the level and nature of the GC’s authority to obtain compliance, and because of the GC’s independence from the execution of the privacy program. That being said, the GC must attend to all compliance issues in the organization and is usually not a specialized privacy lawyer. In this model as well, alignment with specialized external counsel is necessary, to be brought in as needed.
  • Appointing a dedicated Privacy Officer. Large organizations often have both a GC and a Chief Privacy Officer. This model responds to the level of work inherent to privacy compliance in the organization. For example, several global financial institutions choose to have a dedicated Chief Privacy Officer in view of the sensitivity and volume of personal information they process and transfer around the world. Of course, this model also corresponds to legal requirements because it addresses the organization’s actual challenge in implementing a privacy program. Privacy law expertise resides in-house and specialized external counsel is only brought in under exceptional circumstances, such as litigation or organizational transformation in response to new legislation.

The characteristics of these models that respond to legal requirements may be summarized as:

  • Independence of the Privacy Officer that allows compliance assurance;
  • The level of authority of the Privacy Officer that elicits compliance and that facilitates reporting on compliance to the highest level of authority;
  • Proportionality of the Privacy Officer’s role to the actual privacy risk exposure of the organization.

  5. The models to avoid

  • Appointing the CIO, CTO or CISO as Privacy Officer. There is certainly a logic to appointing the CIO, CTO or CISO as Privacy Officer, each being responsible for security of information, which is where the greatest risk resides. However, it jeopardizes compliance with privacy law because of two main structural flaws.
    • First, it confuses security of information and protection of privacy. Security of information is only one obligation under privacy law. Protecting privacy also includes ensuring that consent is validly obtained, that privacy policies are truthful and comprehensive, that personal information is never used for purposes not consistent with the purposes for which it was provided or that individual rights of access, correction or complaints are fulfilled. The development of policies to ensure the fulfillment of these rights goes beyond the purview of the CIO, CTO or CISO.
    • Second, and most importantly, this model creates a conflict of interest by vesting in the same person the responsibility for execution of privacy protection and for verification of such execution. The conflict of interest is particularly apparent in relation to security incidents. The Privacy Officer will be responsible for advising the CEO on the legal obligations arising from the breach, which depend upon its gravity, namely whether it creates a real risk of significant harm or serious injury. The CIO, CTO or CISO, being in charge of the systems breached, may not have the impartiality to make the proper assessment.
  • Appointing a Privacy Officer at a low level in the organization. Beyond the issue of lack of authority to elicit compliance or influence senior management, choosing a low-level employee to single-handedly oversee compliance with privacy law in the organization demonstrates a lack of accountability in that regard. Demonstration of accountability is both required by law and necessary to create a culture of privacy compliance in the organization, which is critical to its realization. This model also usually comes with insufficient resources to actually fulfil the role, and it certainly runs counter to the regulators’ expectation in Getting Accountability Right that the Privacy Officer “advocate privacy within the organization itself.”

  6. Some guideposts

Bill 64 has raised the bar for the role of the Privacy Officer, calling for training of the Privacy Officer, allocation of financial and human resources to meet the new workload, and alignment of the role with external resources that can assist on a scalable basis. Some factors are key to the effectiveness of the Privacy Officer:

  • Support from the top, demonstrated by the designation of an individual at a hierarchical level sufficient to elicit compliance across the organization and make recommendations to the highest authority in the organization;
  • A clear governance structure that defines the scope of the role of the Privacy Officer as well as the process to consult the Privacy Officer as required by law, socialized throughout the organization to generate compliance;
  • Resourcing that actually allows realization of the role;
  • Independence from the execution of the policies and practices, so as to exercise a challenge function;
  • Training of the Privacy Officer to at least identify privacy issues, whether to resolve them or to seek external counsel to resolve them.

Whatever the model chosen, it must result from careful consideration, in light of the actual privacy risk exposure of the organization.

This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.