Develop a Privacy Complaints Process
- Address complaints quickly and effectively
- Identify and address any systemic or ongoing compliance problems
- Increase consumer confidence in your organization's privacy procedures
- Strengthen the good reputation of your organization
- Avoid complaints moving to the Information and Privacy Commissioner
What to Include
Your privacy complaint process must address:
- Who will receive and handle complaints
- How you’ll handle complaints
- How you’ll accept complaints
- How you’ll inform customers about the process
- How you’ll document complaints
- How you’ll ensure the process is impartial
- How you’ll correct any issues identified in the complaint
When a privacy complaint is received by your organization, immediately forward it to your privacy officer. It’s easier and more efficient for both customers and employees if the same individual responsible for ensuring privacy compliance is also responsible for receiving and responding to outside complaints.
Ensure that for all privacy complaints your organization will:
- Acknowledge receipt promptly
- Contact the individual to clarify the complaint, if required
- Follow a fair, impartial and confidential process
If you deal mainly with your customers in writing, you may choose to accept complaints in writing. If most customer interactions are verbal, you may choose to accept verbal complaints. Whatever you decide, your procedure must be adaptable where appropriate to ensure accessibility.
If asked, your employees must be able to explain your organization’s privacy complaint process and identify who customers can contact to file a complaint. Employees must also inform customers of their right to contact the Information and Privacy Commissioner if they are not satisfied with your organization's response to the complaint.
Document all privacy complaints and always include the date you received them. Consider developing a form to help your customers file their complaint. This approach can make it easier to collect the information you need to investigate and respond. If the complaint was received verbally, record the details immediately.
The person assigned to investigate the complaint must be able to conduct the investigation fairly and impartially. Don’t assign the investigation to a person who is the subject of the complaint. The investigator must have access to all relevant records, employees or other individuals who handled the personal information involved.
Your organization must work to rectify the situation, including correcting practices and policies where necessary and communicating those changes to employees. Be sure to document every decision made as the result of an investigation. You must notify the complainant of the outcome of your investigation and explain any corrections and preventative steps you’ve taken. Verify that any required changes to policies, procedures or practices have occurred.