The Office of the Privacy Commissioner of Canada (OPC) recently hosted a knowledge session for stakeholders to discuss its recent investigation against Compu-Finder. This was the first investigation by the OPC involving the address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). See our post summarizing the findings and the OPC’s full report here.
While the OPC could not disclose details of its investigation, the OPC provided attendees with information about its interpretation of its investigative powers, its approach to the investigation and tips for organizations.
Unlike its complaint-driven investigations, this investigation was an intelligence-driven case under the address harvesting provisions that were added to PIPEDA by Canada’s Anti-Spam Legislation (CASL). After significant intelligence gathering to meet its reasonable grounds burden, a Commissioner-initiated investigation was commenced, allowing the OPC to collect further intelligence from Compu-Finder, affected individuals and third parties, including by affidavits. The OPC highlighted that it took a cross-functional approach to the investigation, drawing on numerous departments and tools, including extensive use of the OPC technology lab.
It is important to note that unlike the Canadian Radio-television and Telecommunications Commission (CRTC), which is the regulator with main responsibility for enforcement of CASL, the OPC must have reasonable grounds to start an investigation that is not based on a complaint filed by an individual. The CRTC does not have to discharge that burden before commencing an investigation.
“The truth is in your records”. The OPC stressed the importance of record-keeping. This has become a consistent theme regarding PIPEDA and CASL. (See our post on the CRTC’s guidance here.) The OPC highlighted that record-keeping was a fundamental issue in its investigation. Organizations must be able to meet their due diligence obligations and prove they have consent for the personal information they collect and use, and for every e-mail they send under CASL. The OPC found that Compu-Finder’s records were inadequate or, in some cases, may have contradicted its position.
Other lessons offered were:
- Exercise care when crafting responses to the OPC during an investigation
- An established privacy compliance program can greatly assist you in demonstrating accountability
- Part of due diligence involves following up, double checking and auditing your policies and procedures
Stakeholders undoubtedly appreciated the OPC’s proactive gesture in providing this opportunity to learn more.…