top of page

Responsibility and Compliance

           In a seashell

Section 5, Responsibility and compliance, states that:

  1. Every organisation shall adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in this Act.

  2. The measures and policies in subsection (1) shall be designed to take into account the nature, scope, context, and purposes of the use of personal information and the risk to individuals by the use of the personal information.

  3. Where an organisation engages (by contract or otherwise) the services of a third party in      connection with the use of personal information, the organisation remains responsible for  ensuring compliance with this Act at all times.

  4. An organisation shall designate a representative (“privacy officer”) for the purposes of compliance with this Act who will have primary responsibility for communicating with the Commissioner.

  5. A group of organisations under common ownership or control may appoint a single privacy officer provided that a privacy officer is accessible from each organisation.

  6. A privacy officer designated under subsection (4) may delegate his duties to one or more individuals.

  7. In meeting its responsibilities under this Act, an organisation shall act in a reasonable manner.


Organisations may use personal information in many ways and for many different purposes, which means that there is no “one-size-fits-all” approach.


“Suitable measures and policies” therefore entail something different for each of the different organisations: as such, they require a tailored approach.

Organisations should implement measures and policies that cover the following programmatic elements:

  • Conducting an inventory and classifying (or “mapping”) of what personal information is used;

  • Documenting personal information use practices in policies and procedures;

  • Providing appropriate training and awareness to staff or others with access to personal information;

  • Analysing the privacy risk in context, utilizing tools such as “Privacy Impact Assessments,” and identifying protective measures;

  • Developing an action plan to respond to incidents or potential breach of security;

  • Developing procedures to respond to PIPA Rights Requests.


The exact nature of these may differ, and the depth or intensity with which an organisation executes them will vary based on the particular circumstances.  By having “suitable measures and policies” in place, organisations demonstrate that they understand the nature, scope, context and purpose of the personal information they use, and the potential risk posed to individuals by their use of the personal information.


Note that organisations are responsible for all uses of personal information, including transfers of personal information to overseas third parties.


See section Transfer of personal information to an overseas third party.

bottom of page