Last summer, issue #8 of McMillan's Privacy Basics article series flagged the importance of organizations and institutions understanding their legal obligations upon receipt of an access request under the Personal Information Protection and Electronic Documents Act ("PIPEDA") or substantially similar provincial legislation. As a reminder, Canadians generally have a right to access their own personal information and request information about its collection, use and disclosure by private sector entities.
Although the underlying statutory obligations have not changed in the past 12 months, we expect there to be an increased frequency of such requests due to a recent expansion in the quality and availability of plain language and user-friendly online literature and tools. These tools help facilitate the preparation of personal information access requests by individuals. In the case of one tool that went live in mid-June, a graphical interface allows individuals to select a target industry (currently, fitness trackers, telecommunications companies, dating applications, and select federal government bodies) and drill down to a specific service provider. By entering certain personal details, the tool will generate a complete and detailed access request letter for the user, providing post and email contact details to facilitate submission.
While it is a positive development to see innovation enabling individuals to more readily access statutorily provided rights, private sector organizations should nonetheless be conscious of the fact that these requests are getting easier, and that they may see an increase in the number of access requests they receive going forward—starting in the above-mentioned industries, but likely expanding over time. This is particularly true in the near term, as the newer tools and related literature gain media attention. Accordingly, it may be an opportune time for all organizations to review their internal policies and ensure they are prepared to respond. In particular, it would be worthwhile for every organization to:
- review and be ready to act in accordance with the step-by-step guide of best practices for responding to access requests, published by the Office of the Privacy Commissioner or similar provincially prepared guidance materials; and
- work with their privacy officer and train customer service staff so that the organization can respond to access requests in a timely manner, particularly in the event that the volume of such requests does in fact increase. Under PIPEDA, organizations generally have thirty days to respond to an access request.
As a reminder, "personal information" is broadly defined as "information about an identifiable individual", an intentionally broad definition that can include information contained in documents, photographs, videos, audio recordings, and biometric information. Subject to certain exceptions, an individual's right of access to his or her personal information generally includes the right to:
- be informed of whether the organization holds information about the individual;
- receive an explanation of how personal information is being or has been used;
- receive a list of organizations to which the personal information has been (or may have been) disclosed; and
- access personal information in a form that is generally understandable and accommodates any sensory disabilities.
Organizations are required to search all locations and files in their control for requested personal information (not simply the most obvious potential sources of data). Further, individuals also have the right to challenge the accuracy or completeness of personal information held by organizations and to have it amended if the information is inaccurate.