Chapter 4
Data Protection Officers
PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the obligations under the respective statutes.
As of September 22, 2022, the Quebec Privacy Act, as modified by Bill 64, requires organizations to appoint a person responsible for the protection of personal information, who is in charge of ensuring compliance with privacy laws within the organization. By default, the person with the highest authority within the organization will be the person responsible for the protection of personal information; however, this function can be delegated to any person, including a person outside of the organization.
This person’s responsibilities are broadly defined in the law and include:
- Approval of the organization’s privacy policy and practices
- Mandatory privacy assessments
- Responding to and reporting security breaches, and
- Responding to and enacting access and rectification rights
The contact information of the person responsible for the protection of personal information must be published online on the website of the organization.
Failure to comply and appoint an individual and implement the broadly defined processes may be identified as a criminal act. Companies can be fined under the respective data laws applicable in each province. As this is expressly required, individuals can also raise and pursue a claim against the organization.