Digital Brain
digital brain
digital brain

Privacy Alert: Proliferation of Access Requests as New Tools Automate Request Generation and Distribution

June 2016 Privacy Bulletin 3 minutes read

Last summer, issue #8 of McMillan’s Privacy Basics article series flagged the importance of organizations and institutions understanding their legal obligations upon receipt of an access request under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or substantially similar provincial legislation. As a reminder, Canadians generally have a right to access their own personal information and request information about its collection, use and disclosure by private sector entities.Although the underlying statutory obligations have not changed in the past 12 months, we expect there to be an increased frequency of such requests due to a recent expansion in the quality and availability of plain language and user-friendly online literature and tools. These tools help facilitate the preparation of personal information access requests by individuals. In the case of one tool that went live in mid-June, a graphical interface allows individuals to select a target industry (currently, fitness trackers, telecommunications companies, dating applications, and select federal government bodies) and drill down to a specific service provider. By entering certain personal details, the tool will generate a complete and detailed access request letter for the user, providing post and email contact details to facilitate submission.

While it is a positive development to see innovation enabling individuals to more readily access statutorily provided rights, private sector organizations should nonetheless be conscious of the fact that these requests are getting easier, and that they may see an increase in the number of access requests they receive going forward—starting in the above mentioned industries, but likely expanding over time. This is particularly true in the near term, as the newer tools and related literature gain media attention. Accordingly, it may be an opportune time for all organizations to review their internal policies and ensure they are prepared to respond. In particular, it would be worthwhile for every organization to:

  • review and be ready to act in accordance with the step-by-step guide of best practices for responding to access requests, published by the Office of The Privacy Commissioner or similar provincially prepared guidance materials;
  • review the actual use and collection of personal information by that organization, with a view to ensuring it actually matches the use and collection described in their privacy policy; and
  • work with their privacy officer and train customer service staff so that the organization can respond to access requests in a timely manner, particularly in the event that the volume of such requests does in fact increase. Under PIPEDA, organizations generally have thirty days to respond to an access request.

As a reminder, “personal information” is broadly defined as “information about an identifiable individual”, an intentionally-broad definition that can include information contained in documents, photographs, videos, audio recordings, and biometric information. Subject to certain exceptions, an individual’s right of access to his or her personal information generally includes the right to:

  • be informed of whether the organization holds information about the individual;
  • receive an explanation of how personal information is being or has been used;
  • receive a list of organizations to which the personal information has been (or may have been) disclosed; and
  • access personal information in a form that is generally understandable and accommodates any sensory disabilities.

Organizations are required to search all locations and files in their control for requested personal information (not simply the most obvious potential sources of data). Further, individuals also have the right to challenge the accuracy or completeness of personal information held by organizations and to have it amended if the information is inaccurate.

For a more comprehensive discussion of access requests, we invite you to read issue #8 of McMillan’s privacy basics series.

by Lyndsay A. Wasser, Ryan J. Black and Rohan Hill

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2016

Related Publications (5 Posts)

Featured Insight

Bill 64 Enacted: Québec’s Modern Privacy Regime

An in-depth analysis of Quebec's 2021 modernization of its private-sector privacy legislation.

Read More
Oct 15, 2021
Featured Insight

China’s Arduous Path to CPTPP Accession – A Myriad of Obstacles with an Improbable Outcome

On September 16, 2021, China submitted its request to accede to the Comprehensive and Progressive Trans-Pacific Partnership (“CPTPP”).

Read More
Oct 13, 2021
Featured Insight

Privacy Implications of an Open Banking System in Canada

Canada’s Advisory Committee on Open Banking's final report- the privacy and data security implications of an open banking system in Canada.

Read More
Oct 12, 2021
Featured Insight

Vaccination Mandates in the Construction Industry – What You Need to Know

An overview of vaccination mandates in the Construction industry and what you need to know.

Read More
Oct 12, 2021
Featured Insight

Mandatory Vaccinations for Public Service and Health Care Visitors

Mandatory vaccinations for public service and health care visitors in British Columbia.

Read More
Oct 8, 2021