The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #4: Responding to Data Subject Requests the Right Way
The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #4: Responding to Data Subject Requests the Right Way
Under Canadian privacy laws, individuals have certain rights with respect to their personal information (“PI”). Depending on the privacy law(s) that apply in a particular circumstance, these may include the right to:
- request information about whether an organization holds PI about them and, if so, to access that PI;
- ask questions or request information about how their PI is processed by the organization, such as an explanation of the purposes for which their PI is being or has been used;
- request information about how and with whom their PI has been shared, such as a list of organizations to which their PI has been (or may have been) disclosed;
- challenge the accuracy or completeness of their PI, and request that it be corrected or updated;
- withdraw their consent to the continued collection, use or disclosure of their PI; or
- make a complaint about an organization’s collection, use or disclosure of their PI.
Quebec’s Act respecting the protection of personal information in the private sector (the “Quebec Act”) also contains several unique rights for individuals, including (without limitation):
- a right to be informed of, request certain information about and submit observations regarding the use of PI to render a decision about them based exclusively on the automated processing of their PI;
- a limited right to request that an enterprise cease disseminating their PI or de-index or re-index a hyperlink that provides access to PI attached to their name that provides PI by a technological means; and
- effective September 22, 2024, a limited right to data portability (e.g., to request that computerized PI collected from them be communicated to them or to any person or body in a structured, commonly used technological format).
In some cases, applicable privacy laws stipulate pre-conditions, exceptions or limitations to data subjects’ rights, as well as the timeline within which an organization must respond, the contents of that response and/or the format in which access to PI must be granted.
Organizations are also generally required to provide individuals with information about how they can exercise their rights. For example, under PIPEDA, an organization is required to establish procedures to receive and respond to privacy-related complaints and inquiries, and to make available the name or title and address of the person to whom complaints or inquiries can be forwarded and the means of gaining access to PI held by the organization. Similar requirements exist in other jurisdictions, such as under British Columbia’s Personal Information Protection Act (“BC PIPA”), which requires an organization to develop a process to respond to complaints that may arise respecting the application of BC PIPA, and to make information about this complaint process available on request.
The Quebec Act also requires a person carrying on an enterprise to establish and implement governance policies and practices regarding PI, including a process for dealing with complaints regarding the protection of PI. Such policies and practices must be proportionate to the nature and scope of the enterprise’s activities, approved by the enterprise’s person in charge of the protection of PI, and published in simple and clear language on the enterprise’s website (or, if there is no website, made available by other appropriate means).
Policies and procedures regarding responding to data subject requests must also include appropriate identity verification processes, as failing to verify the legitimacy of such a request may lead to a reportable privacy breach if access to PI is provided to an unauthorized person. Authentication processes must be carefully designed and implemented on a case-by-case basis to respect requirements under Canadian privacy laws and regulatory guidance. For example, although Canadian privacy regulators generally disapprove of the collection of additional, sensitive PI (such as copies of government identification) for the sole purpose of verifying identity in connection with an access request, doing so may be appropriate in some contexts.
Failing to respond to a data subject’s request in a timely or legally compliant manner may give rise to a variety of risks for businesses, including eroding relationships with customers or clients. Many complaints submitted to Canadian privacy regulators are related to the alleged mishandling of data subjects’ requests. Such complaints can lead to regulatory investigations, requiring expensive and time-consuming responses. It is therefore imperative that organizations have effective policies and practices in place to respond to data subjects’ requests appropriately, and to document such responses to demonstrate compliance if challenged.
Action Items
Master efficient and legally compliant responses to requests from data subject to exercise their rights by: (1) familiarizing yourself with the rights available to data subjects in the jurisdiction(s) where your organization operates, and the exceptions to such rights; (2) ensuring that your organization’s privacy policies, notices and consent language advise individuals as to how they can exercise their rights as data subjects; (3) developing clear and detailed internal policies and procedures regarding receiving, documenting, escalating and responding to data subject requests, including outlining identity verification processes and relevant timelines; (4) reviewing and updating existing policies and procedures regarding data subject requests to take into account recent and forthcoming changes to Canadian privacy laws and regulatory guidance; (5) where required by the Quebec Act, developing and publishing your organization’s process for dealing with complaints regarding the protection of PI; (6) ensuring that contracts with third parties (such as vendors and affiliates) appropriately address how data subject requests are to be handled; and (7) providing regular, role-specific training to employees about your organization’s policies and procedures for handling data subject requests.
McMillan’s Privacy and Data Protection team can help your organization to implement the action items outlined above. Contact your McMillan representative to obtain the support your organization needs to ensure compliance with this critical privacy compliance issue.
by Lyndsay Wasser and Kristen Pennington
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024
Insights (5 Posts)View More
Back to School Homework – Key Highlights and Takeaways from the 2024 OSC Registration, Inspections and Examinations Division Summary Report
Providing insights on the OSC Staff Notice 33-756 – Summary Report for Dealers, Advisers and Investment Fund Managers.
Conference – Expropriation 2.0: Navigating the New Rules
Take a practical look at the recent changes to Quebec's expropriation rules.
Deadlines Approaching: Government of Canada Launches Series of Consultations on Canada’s Trade Future
The Government has launched an unprecedented series of public consultations on trade policy covering economic security, certain products from China, and CUSMA.
The United States Challenges Canada’s Digital Services Tax
On August 30, 2024, the United States challenged Canada’s Digital Services Tax under CUSMA. The dispute implicates billions of dollars in Canada-US trade.
Get updates delivered right to your inbox. You can unsubscribe at any time.