
The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #4: Responding to Data Subject Requests the Right Way

September 10, 2024 Privacy & Data Protection Bulletin 4 minute read

Under Canadian privacy laws, individuals have certain rights with respect to their personal information (“PI”). Depending on the privacy law(s) that apply in a particular circumstance, these may include the right to:

  • request information about whether an organization holds PI about them and, if so, to access that PI;
  • ask questions or request information about how their PI is processed by the organization, such as an explanation of the purposes for which their PI is being or has been used;
  • request information about how and with whom their PI has been shared, such as a list of organizations to which their PI has been (or may have been) disclosed;
  • challenge the accuracy or completeness of their PI, and request that it be corrected or updated;
  • withdraw their consent to the continued collection, use or disclosure of their PI; or
  • make a complaint about an organization’s collection, use or disclosure of their PI.

Quebec’s Act respecting the protection of personal information in the private sector (the “Quebec Act”) also contains several unique rights for individuals, including (without limitation):

  • a right to be informed of, request certain information about and submit observations regarding the use of PI to render a decision about them based exclusively on the automated processing of their PI;
  • a limited right to request that an enterprise cease disseminating their PI, or de-index or re-index a hyperlink attached to their name that provides access to that PI by a technological means; and
  • effective September 22, 2024, a limited right to data portability (e.g., to request that computerized PI collected from them be communicated to them or to any person or body in a structured, commonly used technological format).

In some cases, applicable privacy laws stipulate pre-conditions, exceptions or limitations to data subjects’ rights, as well as the timeline within which an organization must respond, the contents of that response and/or the format in which access to PI must be granted.

Organizations are also generally required to provide individuals with information about how they can exercise their rights. For example, under PIPEDA, an organization is required to establish procedures to receive and respond to privacy-related complaints and inquiries, and to make available the name or title and address of the person to whom complaints or inquiries can be forwarded and the means of gaining access to PI held by the organization. Similar requirements exist in other jurisdictions, such as under British Columbia’s Personal Information Protection Act (“BC PIPA”), which requires an organization to develop a process to respond to complaints that may arise respecting the application of BC PIPA, and to make information about this complaint process available on request.

The Quebec Act also requires a person carrying on an enterprise to establish and implement governance policies and practices regarding PI, including a process for dealing with complaints regarding the protection of PI. Such policies and practices must be proportionate to the nature and scope of the enterprise’s activities, approved by the enterprise’s person in charge of the protection of PI, and published in simple and clear language on the enterprise’s website (or, if there is no website, made available by other appropriate means).

Policies and procedures regarding responding to data subject requests must also include appropriate identity verification processes, as failing to verify the legitimacy of such a request may lead to a reportable privacy breach if access to PI is provided to an unauthorized person. Authentication processes must be carefully designed and implemented on a case-by-case basis to respect requirements under Canadian privacy laws and regulatory guidance. For example, although Canadian privacy regulators generally disapprove of the collection of additional, sensitive PI (such as copies of government identification) for the sole purpose of verifying identity in connection with an access request, doing so may be appropriate in some contexts.

Failing to respond to a data subject’s request in a timely or legally compliant manner may give rise to a variety of risks for businesses, including eroding relationships with customers or clients. Many complaints submitted to Canadian privacy regulators are related to the alleged mishandling of data subjects’ requests. Such complaints can lead to regulatory investigations, requiring expensive and time-consuming responses. It is therefore imperative that organizations have effective policies and practices in place to respond to data subjects’ requests appropriately, and to document such responses to demonstrate compliance if challenged.

Action Items

Master efficient and legally compliant responses to requests from data subjects to exercise their rights by: (1) familiarizing yourself with the rights available to data subjects in the jurisdiction(s) where your organization operates, and the exceptions to such rights; (2) ensuring that your organization’s privacy policies, notices and consent language advise individuals as to how they can exercise their rights as data subjects; (3) developing clear and detailed internal policies and procedures regarding receiving, documenting, escalating and responding to data subject requests, including outlining identity verification processes and relevant timelines; (4) reviewing and updating existing policies and procedures regarding data subject requests to take into account recent and forthcoming changes to Canadian privacy laws and regulatory guidance; (5) where required by the Quebec Act, developing and publishing your organization’s process for dealing with complaints regarding the protection of PI; (6) ensuring that contracts with third parties (such as vendors and affiliates) appropriately address how data subject requests are to be handled; and (7) providing regular, role-specific training to employees about your organization’s policies and procedures for handling data subject requests.

McMillan’s Privacy and Data Protection team can help your organization to implement the action items outlined above. Contact your McMillan representative to obtain the support your organization needs to ensure compliance with this critical privacy compliance issue.

by Lyndsay Wasser and Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
