Regulatory Compliance and Enforcement

Printed version PDF 143 KB

How to use this tool:

  • This tool is designed for IM specialists to use with relevant business areas when identifying information resources of business value (IRBV) and retention specifications.
  • The IRBV and retention specifications contained in this document are recommendations only and should be customized to apply in each institutional context. The complete document should be read before using any recommendations.
  • This Generic Valuation Tool does not provide Government of Canada institutions with the authority to dispose of information. Generic Valuation Tools (GVT) are not Records Disposition Authorities (RDA) and do not replace the Multi-Institutional Disposition Authorities (MIDA).

Validation: The business processes and IRBV of this GVT have been validated by subject matter experts from the following departments: Compliance and Enforcement Community of Practice of the Community of Federal Regulators, including employees from the Canadian Nuclear Safety Commission, the Canadian Food Inspection Agency, Health Canada, the Public Health Agency of Canada, and Human Resources and Skills Development Canada.

Defining the Activity

Regulatory compliance and enforcement is a common operational activity carried out by Government of Canada (GC) institutions as part of the broader regulatory process. It involves actions that encourage and compel compliance with a regulatory framework. Footnote1

Regulatory compliance and enforcement excludes the establishment of the rules, which vary from acts and regulations Footnote2 to voluntary instruments. They include documents that set out requirements and those that provide guidance on requirements. This GVT addresses enforcement of all types of instruments within the regulatory framework.

Based on a review of multiple institutions that perform this activity, GC institutions do not consistently use the terms “regulation,” “enforcement” or “compliance” in their Program Activity Architectures (PAAs). Most often, program activities are expressed in terms of the desired outcome of the regulatory activity, and not in terms of the activities performed by government to achieve this outcome. Regulatory responsibilities are described at both the program activity and sub-activity levels. In this document, “regulatory compliance and enforcement” is defined as an activity. It includes the authorization or approval of activities within the regulatory framework, as well as activities to ensure compliance through verification and compel compliance through enforcement. Terms used in this GVT are defined below.

Regulation: defined by the Treasury Board Secretariat (TBS) as “government intervention through a set of rules identifying permissible and impermissible activity on the part of individuals, firms, or government departments and agencies.” Footnote3

Compliance: the state of conformity with regulatory requirements including, but not limited to, legislative provisions, regulations, rules, standards, and orders. Footnote4

Enforcement: actions taken to induce, encourage, or compel compliance with regulatory requirements. Footnote5 For the purpose of remaining generic, in this GVT the sub-activity of “enforcement” is described as “responding to non-compliance.”

Authorization: any action taken to grant a licence, certificate, permit, registration, or any other authorization tool that either allow a regulated party to perform a relevant activity, or approve the sale or use of a product, process, or service. One form of enforcement is the removal or modification of authorization. The activity and associated business processes for granting authorization are addressed in the Authorization GVT.

Regulatory compliance and enforcement is prescribed for some federal institutions, but not across the GC . Despite the lack of prescription, regulatory compliance and enforcement is conducted in a predictable manner regardless of the regulatory framework being enforced. Recommendations in this GVT are based on the legislation, policies and guidelines of multiple GC institutions that carry out regulatory compliance and enforcement.

This GVT does not include other activities undertaken in support of GC regulation, such as scientific and policy research, policy development, or the creation of acts and/or regulations.

Regulatory compliance and enforcement may involve Alternative Dispute Resolution (ADR) activities, including mediation, conciliation, and negotiation. ADR is employed as a measure to resolve disputes without formal adjudication. Due to the informal and confidential nature of ADR, these information resources do not have business value.

Relationship to Other GVT

Business processes and activities often overlap. When the IRBV from an activity is identified in another GVT, there is a note in the table of IRBV and retention recommendations (below) to direct the user to the proper tool.

The regulatory compliance and enforcement activity is related to many other common GC-wide activities and business processes, so this GVT should be applied in conjunction with other GVTs.

Legal Services: The creation of acts and regulations is addressed in the Legal Services GVT.

Management and Oversight: The development of all regulatory compliance and enforcement policies, standards, guidelines, and similar documents that set out requirements or provide guidance is addressed in the Management and Oversight GVT.

Communications Services: Many of the processes and information resources created for the promoting compliance sub-activity are subject to the Communications Policy of the Government of Canada. These processes are addressed in the Communications Services GVT.

Human Resources Management: All processes and sub-activities related to training and certifying compliance officers and other employees responsible for administering regulatory compliance and enforcement are addressed in the Human Resources Management GVT; external training activities that occur within the regulatory compliance and enforcement activity are addressed in the Regulatory Compliance and Enforcement GVT.

Authorization: Authorization activities such as licensing and certification may occur within a regulatory framework, but the business processes are distinct from those of enforcement. Licencing and certification activities provide the authorization within the regulatory framework, while regulatory compliance and enforcement activities measure and encourage compliance with rules within that framework. The revocation of a licence or certificate may be a business process within the responding to non-compliance sub-activity, but all business processes and information resources related to granting or issuing licences or certificates are addressed in the Authorization GVT.

Investigating: The relationship between regulating and investigating is complex and the Investigating GVT should be used in conjunction with the Regulatory Compliance and Enforcement GVT for institutions that regulate. Put simply, investigating is often a process within the regulating activity. Enforcement of regulations consists of activities such as inspections to verify compliance, investigations of violations and various responses to non-compliance. For the purposes of this GVT, the distinction between inspection and investigation is that inspections are routinely undertaken to verify and ensure compliance with legislation, whereas investigations into regulatory non-compliance are conducted for the determination of penal liability. Footnote6 Regulatory activities such as promotion, inspection, and measures to compel compliance are addressed by the Regulatory Compliance and Enforcement GVT. Responses to non-compliance such as fines or sanctions are also addressed by the Regulatory Compliance and Enforcement GVT. For responses to non-compliance that require investigations, refer to the Investigating GVT.

Adjudication: Adjudication may occur at the end of the regulatory compliance and enforcement activity as a result of non-compliance; it is one of many measures to respond to non-compliance, and may occur only once other possibilities are exhausted.  Adjudication may also occur as a result of a recourse mechanism. That is, if the regulated party disagrees with the enforcement option, he or she may opt for an appeal. The business processes and IRBVs of adjudication are addressed in the Adjudication GVT.

Science and Technology Activities: Some of the business processes associated with regulatory compliance and enforcement may include a research component. All research activities done in support of regulatory compliance and enforcement are covered by the Regulatory Compliance and Enforcement GVT, and not the Science and Technology Activities GVT.

Business Processes

The Cabinet Directive on Streamlining Regulation (2007) and its related frameworks and documents (provided by the Regulatory Affairs Sector of TBS) do not prescribe or define the sub-activities or business processes involved in regulatory compliance and enforcement. They are focused on other processes related to regulation that are out of scope of this GVT, including the choice of appropriate instrument and the creation of regulations. Despite this lack of prescription, however, regulatory compliance and enforcement is conducted in a predictable manner regardless of the type of regulation or area being regulated. The regulatory compliance and enforcement activity involves the following three sub-activities: promoting compliance; monitoring and assessing compliance; and responding to non-compliance. These three sub-activities together form a continuum, containing a variety of methods, increasing in severity, to achieve compliance with the regulatory framework. While the components of regulatory compliance and enforcement may be described differently by different institutions, they generally align with the three sub-activities described in this GVT. Footnote7 Many possible variations in business processes exist because of the wide range of regulatory regimes.

The regulatory compliance and enforcement activity has three sub-activities, with a number of associated business processes. Each sub-activity is carried out in order to achieve compliance.  These sub-activities are not necessarily carried out in the order in which they are presented.

1. Promoting Compliance:

Also referred to as “educating,” it includes processes to encourage, promote, and educate about compliance. Footnote8This includes the creation of published and unpublished information resources, participation in conferences and events, and media relations, all of which are processes covered by the Communications Policy of the Government of Canada. Promoting compliance can also include other activities such as offering advice about compliance, and providing training and workshops. For all business processes related to promoting compliance addressed in the Communications Policy of the Government of Canada, please refer to the Communications Services GVT. All other business processes related to promoting compliance are addressed in this GVT.

2. Monitoring and Assessing Compliance:

Also referred to as “verification,” it involves a wide variety of processes that allow an institution to ensure regulations are being met and to identify cases of non-compliance. This may happen through a variety of potential processes, including general monitoring, inspections, surveillance, or through self-reporting from regulated bodies. It may include activities such as safety audits, sampling, analyses, and testing. This also involves responding to queries, complaints, and/or specific incidents.

3. Responding to Non-Compliance:

Also referred to as “enforcement.” Once a case of non-compliance has been identified, the appropriate course of action is taken to ensure compliance. Responses to non-compliance vary greatly based on the level of severity of the case. Enforcement options may include, but are not limited to, administrative monetary penalties (AMPs), the amendment or revocation of an authorization, or seizure, detainment, or recall. Alternative dispute resolution, including mediation and counselling, may be part of the response to non-compliance. Reponses to non-compliance may also involve an investigation or adjudication. These processes are covered by the Investigating and Adjudication GVTs. Finally, a response to non-compliance may result in legal proceedings at a provincial or federal level.

Retention

Recommended retention specifications in GVTs are determined based on traditional or best practices, a review of government-wide legislation and policy, and validation with subject matter experts. Retention periods are suggestions only; departments must take into account their own legislative requirements and business needs.

Due to the varied and complex nature of the regulatory framework, it is not always possible to apply generic recommendations. For those business processes that are more generic (e.g., outreach and advocacy), retention recommendations have been indicated. For those business processes for which risk is more context-specific (e.g., inspections and safety audits), each institution should set its own retention specifications based on operational requirements.

Business Value and Retention Recommendations

1. Promoting Compliance

Business Processes Recommendations: Information Resources of Business Value (IRBVs) Recommendations: Retention Period
Creating communication resources for public education (e.g., guidelines) For IRBV please see Communications Services GVT For retention please see Communications Services GVT

Outreach and advocating compliance

Giving presentations and briefings, holding town hall meetings

Liaising, consulting, or creating partnerships with stakeholders, including interest groups

Substantive drafts and final copies including:

Briefing documents
Reports
Presentation decks

3 years based on traditional practice

Outreach and advocating compliance

Delivering external training

Substantive drafts and final copies including:

Training plans
Standard exams
Participant lists
Evaluation notifications to students
Course evaluations

2 years after last administrative use or event completed or abandoned – information resources  (IR) that do not contain personal information, based on traditional practice

2 years (minimum) after event – IR that contain personal information, based on Privacy Regulations, s. 4

Substantive drafts and final copies of:

Curricula material

5 years after superseded, based on traditional practice applied to policy and procedure IR within the context of common administrative activities
Providing advice and guidance

Queries

Responses
5 years, based on traditional practice applied to policy and procedure IR within the context of common administrative activities

2. Monitoring and Assessing Compliance

Business Processes Recommendations: Information Resources of Business Value (IRBVs) Recommendations: Retention Period
Conducting inspections and safety audits

Inspection plans or schedules

Inspection or audit reports

Detection notice forms

Performance indicators

Test results

Sample results

Case files

Inspection notes

Databases of statistics from inspections

Photographs
Generically applicable retention recommendations are unavailable for information resources generated by these business processes

Audit templates

Inspection checklists
5 years after superseded, based on traditional practice applied to policy and procedure IR within the context of common administrative activities
Receiving documentation from regulated parties to demonstrate compliance

Reports

Detection notice forms

Performance indicators and results
Generically applicable retention recommendations are unavailable for information resources generated by these business processes
Conducting surveillance

Reports

Detection notice forms

Performance indicators and results
Generically applicable retention recommendations are unavailable for information resources generated by these business processes
Reporting results to regulated parties

Correspondence

Reports
Generically applicable retention recommendations are unavailable for information resources generated by these business processes

Consulting with regulated parties and other GC institutions re. compliance and enforcement

Providing recommendations to other regulating agencies

Correspondence

Reports

Memoranda of understanding (MOUs)

5  years after agreement is superseded or terminated, based on traditional practice applied within the context of common administrative activities, except:

6 years after superseded or terminated – where the agreement contains financial elements, based on traditional practice applied within the context of Finance Management
Responding to complaints

Complaints from public, or other sources (e.g., letters, email, telephone message logs)

Responses to complainant (e.g., letters, email, telephone message logs)
5 years after superseded, based on traditional practice applied to policy and procedure IR within the context of common administrative activities
Maintaining registries of regulated parties

Completed registration forms

Note: Many departments use electronic systems to gather and organize all information resources related to a registry.  In this case, the entire system has business value.

2 years after superseded or obsolete, based on Privacy Regulations, s. 4

3. Responding to Non-Compliance

Business Processes Recommendations: Information Resources of Business Value (IRBVs) Recommendations: Retention Period
Advising regulated parties of non-compliance

Case files

Letters (e.g., information letters, warning letters, letters of concern)

Inspection reports

Notices (e.g., notices of non-compliance, detention notices)

Summaries of meetings with regulated parties

Responses from regulated parties
Generically applicable retention recommendations are unavailable for information resources generated by these business processes
Alternative Dispute Resolution (mediation, negotiation, conciliation, counseling) No IRBV are created Not Applicable
Issuing orders or directives

Orders/directions (e.g., payment orders, ministerial orders, stop work orders)

Emergency directives
5 years after superseded, based on traditional practice applied to policy and procedure IR within the context of common administrative activities
Applying monetary penalties (e.g., the Administrative Monetary Penalty, or AMP)

Documentation regarding implementation of penalty, including:

Notices of violation (e.g., violations with penalty)
Responses from regulated parties

5 years after last administrative action, based on:

Agriculture and Agri-Food Administrative Monetary Penalties Act, s. 23;
Canada Shipping Act, s. 239;
Environmental Violations Administrative Monetary Penalties Act, s. 27 (2); and
Industry Canada – Measurement Canada – Regulatory Proposal for Administrative Monetary Penalties

Note: consult also the Customs Act and the Administrative Monetary Penalties Regulations for retention obligations specified for different record types.
Action to modify an authorization (e.g., a license)

Documentation regarding the implementation of penalties, including:

Notices of modifications to authorization (e.g., licence removals)
Notices of suspension of business activities
Responses from regulated parties

Generically applicable retention recommendations are unavailable for information resources generated by these business processes
Seizing and detaining (goods, etc.)

Documentation regarding implementation of penalties, including:

Notification letters
Seizure forms
Orders (e.g., detention orders, disposal orders, orders to stop sales)
Seizure reports
Responses from regulated parties

Generically applicable retention recommendations are unavailable for information resources generated by these business processes
Liaising with regulated parties to ensure that enforcement conditions are fulfilled

Correspondence

Press releases

Test results
Generically applicable retention recommendations are unavailable for information resources generated by these business processes
Transferring a case to another authority for investigation, alternative dispute resolution, or court proceedings

Correspondence with Department of Justice

Correspondence with other GC institutions or regulating institutions or authorities

Court orders, decisions, plea bargain statements

Retain until the institution to which the case was transferred advises that the case is closed.

Note: institutions should always consult with their Legal Services to determine the amount of time to retain the information resources produced by this sub-activity.
Communicating regulatory non-compliance to the public For IRBV please see Communications Services GVT For retention please see Communications Services GVT
Investigating For IRBV please see Investigating GVT For retention please see Investigating GVT
Adjudication For IRBV please see Adjudication GVT For retention please see Adjudication GVT
Date modified: