
Chapter 8 – The Privacy Officer, the Commissioner and the Board

This chapter explains the main functions of your agency’s contact person, often called the “Privacy Officer”; the Office of the Information and Privacy Commissioner of Ontario (Commissioner), which oversees compliance with PHIPA; and the Consent and Capacity Board (Board). It also gives you information about how your agency should handle complaints about your privacy practices, and what to expect if someone makes a complaint about you to the Commissioner.

Key Point

You should be familiar with the roles of the PHIPA contact person in your agency, the Information and Privacy Commissioner who oversees compliance with PHIPA, and the Consent and Capacity Board, which hears certain applications under the Act.


Privacy Officer

The Privacy Officer is the public face of privacy for your agency, and will answer questions from clients and the public about your privacy and information practices. The Privacy Officer is a resource to you, and should do his/her best to make sure that everyone in your agency is aware of their duties under PHIPA. He/she will also respond to and investigate any complaints about your privacy practices.

PHIPA does not give any guidance about how a Privacy Officer should handle complaints about your agency’s privacy practices. Here are some suggested guidelines for your agency to follow if someone makes a complaint:

  • If the complaint is made by way of a letter, send a written acknowledgement that the complaint has been received and when the person who complained can expect a reply.
  • Open a file for each complaint that you receive.
  • Investigate the complaint by speaking with those in your agency who are best able to give you information about the substance of the complaint.
  • Assess whether the situation the person complained about is ongoing (even if it does not affect that person). If it is, take steps to rectify the situation.
  • Provide a reply to the person who complained.
  • Give a general notice to anyone involved in the investigation about how the matter was resolved.
  • Prepare a summary of the incident in general terms to report to the senior management of the agency. To the extent possible, the summary should not divulge personal information about anyone involved in the complaint.
  • Assess whether any steps should be taken to reinforce the importance of privacy and information protections within your agency (for example, training with a particular group of health care professionals, or the adoption of additional security safeguards).

The Privacy Officer should also be familiar with the rights a client has under PHIPA and when clients must be told about these rights or their ability to make a complaint to the Commissioner. A helpful list of issues that may be of concern to clients is provided in Chapter 9.

Breaches of PHIPA

If there is a breach of PHIPA, it is important that the Privacy Officer (or someone else in the agency) contact the person whose information has been lost, stolen, or accessed inappropriately.

See Chapter 2 for more information about security safeguards and responding to breaches.


The Information and Privacy Commissioner

The Commissioner’s role

Under PHIPA, the Information and Privacy Commissioner has a number of roles, including the following:

  • To provide education and information to custodians, clients and the general public, as well as to hear the public’s comments about PHIPA
  • To oversee custodians’ compliance with PHIPA
  • To deal with complaints from clients and the public
  • Upon request, to offer comments on a custodian’s actual or proposed information practices
  • To engage in or support research on matters related to PHIPA
  • To assist his/her counterparts in other jurisdictions in their investigations (including the federal Privacy Commissioner)
  • To conduct his/her own review of a custodian’s practices

Commissioner’s powers

The Commissioner has broad powers to investigate possible breaches of PHIPA. These include inspection and review powers, such as the ability to require a custodian to provide the Commissioner with documents and other materials, and the right to enter the custodian’s premises (although a warrant is required if the premises are also someone’s home). Custodians must take care not to obstruct the Commissioner or the Commissioner’s staff in these investigations.

Whistleblower protection

If someone complains about you to the Commissioner, or the Commissioner has any other reason to investigate your practices, the following information about the complaints process may be helpful:

  • An intake analyst from the Commissioner’s office will gather information about the complaint from the person who made it, and from you. This may be done in writing as well as by telephone. This may include questions about what steps the person who is complaining has taken, and the responses you have made, in the course of the complaint.
  • The intake analyst will then prepare a report and ask both sides to review it. Throughout the process, the Commissioner’s staff will attempt to have you and the person who complained settle the matter.
  • The complaint may move on to “mediation.” A mediator will also try to effect a settlement between the parties.
  • If the complaint is not resolved at the mediation stage, it may move on to a Commissioner’s review. However, the Commissioner may decide not to review a matter if:
    • the complaint could more appropriately have been dealt with through a different procedure,
    • the time between when the matter being complained about happened and the time the complaint was made is such that ruling on the matter would inappropriately prejudice someone,
    • the person complaining does not have a direct enough interest in the complaint, or
    • the complaint is frivolous, vexatious or made in bad faith.

In the months since PHIPA became law, the Commissioner and the Commissioner’s staff have been working closely with those in the health sector to raise awareness about PHIPA. A public commitment to “not name names” until November 1, 2005 has also been made, which means that any findings that the Commissioner makes prior to that time will not identify specific custodians. This does not mean that you do not have to comply with PHIPA, or that someone cannot make a complaint about you. However, it does give custodians an opportunity to continue to improve their practices in the meantime, without concerns about attracting public attention.


The Consent and Capacity Board

The Consent and Capacity Board is an independent body that conducts hearings under a number of laws, including PHIPA. Board members are psychiatrists, lawyers or members of the general public. The Board sits with one, three, or five members. Hearings are usually recorded in case a transcript is required.

The Board has the authority under PHIPA to

  • review a finding of incapacity to consent to the collection, use or disclosure of PHI,
  • consider the appointment of a representative for a person incapable of consenting to the collection, use or disclosure of PHI, and
  • review a substitute decision-maker’s compliance with PHIPA’s rules for substitute decision-making.

There are several new forms under the Personal Health Information Protection Act that you should be aware of:

Form P1 – Application to the Board to Review a Finding of Incapacity to Consent to the Collection, Use or Disclosure of Personal Health Information under Subsection 22(3) of the Act

Form P2 – Application to the Board to Determine Compliance under Subsection 24(2) of the Act

Form P3 – Application to the Board to Appoint a Representative under Subsection 27(1) of the Act

Form P4 – Application to the Board to Appoint a Representative under Subsection 27(2) of the Act

These forms are available online at www.forms.ssb.gov.on.ca.