Woman making a frame around the sun with her hands at sunrise
Woman making a frame around the sun with her hands at sunrise
Woman making a frame around the sun with her hands at sunrise

Privacy Alert: Proliferation of Access Requests as New Tools Automate Request Generation and Distribution

June 2016 Privacy Bulletin 3 minutes read

Last summer, issue #8 of McMillan’s Privacy Basics article series flagged the importance of organizations and institutions understanding their legal obligations upon receipt of an access request under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or substantially similar provincial legislation. As a reminder, Canadians generally have a right to access their own personal information and request information about its collection, use and disclosure by private sector entities.Although the underlying statutory obligations have not changed in the past 12 months, we expect there to be an increased frequency of such requests due to a recent expansion in the quality and availability of plain language and user-friendly online literature and tools. These tools help facilitate the preparation of personal information access requests by individuals. In the case of one tool that went live in mid-June, a graphical interface allows individuals to select a target industry (currently, fitness trackers, telecommunications companies, dating applications, and select federal government bodies) and drill down to a specific service provider. By entering certain personal details, the tool will generate a complete and detailed access request letter for the user, providing post and email contact details to facilitate submission.

While it is a positive development to see innovation enabling individuals to more readily access statutorily provided rights, private sector organizations should nonetheless be conscious of the fact that these requests are getting easier, and that they may see an increase in the number of access requests they receive going forward—starting in the above mentioned industries, but likely expanding over time. This is particularly true in the near term, as the newer tools and related literature gain media attention. Accordingly, it may be an opportune time for all organizations to review their internal policies and ensure they are prepared to respond. In particular, it would be worthwhile for every organization to:

  • review and be ready to act in accordance with the step-by-step guide of best practices for responding to access requests, published by the Office of The Privacy Commissioner or similar provincially prepared guidance materials;
  • review the actual use and collection of personal information by that organization, with a view to ensuring it actually matches the use and collection described in their privacy policy; and
  • work with their privacy officer and train customer service staff so that the organization can respond to access requests in a timely manner, particularly in the event that the volume of such requests does in fact increase. Under PIPEDA, organizations generally have thirty days to respond to an access request.

As a reminder, “personal information” is broadly defined as “information about an identifiable individual”, an intentionally-broad definition that can include information contained in documents, photographs, videos, audio recordings, and biometric information. Subject to certain exceptions, an individual’s right of access to his or her personal information generally includes the right to:

  • be informed of whether the organization holds information about the individual;
  • receive an explanation of how personal information is being or has been used;
  • receive a list of organizations to which the personal information has been (or may have been) disclosed; and
  • access personal information in a form that is generally understandable and accommodates any sensory disabilities.

Organizations are required to search all locations and files in their control for requested personal information (not simply the most obvious potential sources of data). Further, individuals also have the right to challenge the accuracy or completeness of personal information held by organizations and to have it amended if the information is inaccurate.

For a more comprehensive discussion of access requests, we invite you to read issue #8 of McMillan’s privacy basics series.

by Lyndsay A. Wasser, Ryan J. Black and Rohan Hill

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2016

Related Publications (5 Posts)

Featured Insight

Commercial Leases During the COVID-19 Lockdown: Where are we Headed?

Commercial Leases During the COVID-19 Lockdown

Read More
May 17, 2021
Featured Insight

The Canadian Capital Market is Psyched: An Update on the Growing Wave in the Psychedelics Industry

This bulletin provides an overview of the regulations surrounding psychedelics in Canada and psychedelics companies in the Canadian capital markets.

Read More
May 12, 2021
Featured Insight

Stopping a Slippery Slope: Ontario Divisional Court Clarifies that Auto Insurance Coverage Applies Only to Direct Causes of Injuries

Ontario Divisional Court clarifies that automobile insurance only applies to direct causes of injury under the Statutory Accidents Benefits Schedule.

Read More
May 12, 2021
Featured Insight

What Are You Suing Me For? I Had No Control: Lessor Fleet Liability

The decision in Barz concerns the interplay between Alberta’s Workers’ Compensation Act and Traffic Safety Act.

Read More
May 12, 2021
Featured Insight

Paid COVID-19 Sick Leave for British Columbia Employees

The British Columbia government has announced proposed amendments to the Employment Standards Act to provide for paid sick leave.

Read More
May 12, 2021