Compliance with Act
11.—(1)  In meeting its responsibilities under this Act, an organisation must consider what a reasonable person would consider appropriate in the circumstances.
(2)  An organisation is responsible for personal data in its possession or under its control.
(3)  An organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.
(4)  An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation.
(5)  An organisation must make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).
(5A)  Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner.
[40/2020]
(6)  The designation of an individual by an organisation under subsection (3) does not relieve the organisation of any of its obligations under this Act.
Policies and practices
12.  An organisation must —
(a)develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
(b)develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
(c)communicate to its staff information about the organisation’s policies and practices mentioned in paragraph (a); and
(d)make information available on request about —
(i)the policies and practices mentioned in paragraph (a); and
(ii)the complaint process mentioned in paragraph (b).