As a former senior privacy and access regulator, I would like to share some thoughts with you about how to effectively work with a regulator.
As a starting point, remember that like any administrative tribunal, information and privacy commissioners are given broad discretion in deciding what matters they will choose to investigate, and in how they make procedural and substantive decisions under their legislation. If you understand the scope of this discretion, and what factors can influence these outcomes, you have a better chance of achieving the result that’s in your best interest.
The commissioner will exercise discretion when receiving a complaint. If the commissioner decides to open an investigation, he or she has wide discretion in how to proceed, and what the proper outcome should be. For example, the commissioner may decide the matter can be resolved informally, without the need for a public report or order. In deciding the substantive issues, the commissioner also has broad discretion. In both instances, the commissioner may take into account its perception of your organization as a good faith actor, which can tip the balance in your favour.
One illustration of this last point is in the context of a privacy breach. Most of these cases come down to the commissioner deciding whether your organization took “reasonable measures” to protect privacy and security. This is a flexible term, and can take into account not only factual findings, but the less concrete notion of whether the organization acted diligently and in good faith.
How do you develop such a positive relationship? One approach that can work is simply to reach out to senior people in the organization and invite them to have a chat over the phone, or meet for coffee. You can take this opportunity to introduce yourself, explain what your organization does and how it operates, and share your thoughts on some of the privacy challenges you face. In turn, the regulator can share its thoughts about these issues. This can help to build a valuable rapport and a sense of trust. It can also inform your own decision-making, and give you a chance to demonstrate your knowledge and respect for the law.
Who should you approach? Probably best to contact someone senior with the regulator, who has the ability to influence how things are handled. Reaching out to the commissioner him or herself is probably not ideal, unless you already have a prior relationship with that person. When should you make this approach? Better to do this before any matters involving your organization arise with the commissioner, as opposed to after. The commissioner may be reluctant to have that kind of discussion with you when there’s an ongoing matter.
If you want to seek the commissioner’s advice on a particular matter, outside the scope of an investigation or potential investigation, I recommend that you do your homework and come prepared. Get to know the commissioner’s relevant law and strategic priorities. This will help you develop tailored, informed questions for the commissioner that will be better received compared to vague requests for advice or approval. And early forays to the commissioner are usually better than those that can be considered “late in the day”, when the commissioner’s suggestions may be too difficult or expensive to implement.
Need help? As ex-Assistant Commissioner, I am available to help guide your approach.