The Office of the Privacy Commissioner of Canada recently released a fact sheet entitled “Accessing Personal Information under the Personal Information Protection and Electronic Documents Act”, along with an FAQ for individuals and a guide for businesses as to their responsibilities.
With some exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to provide individuals with a method of requesting disclosure regarding the personal information collected about those individuals as well as a means for correcting that information.
Subject to certain exceptions:
- Access requests must be responded to within 30 days.
- Individuals must be told what information has been collected, how it has been used and to whom it has been disclosed.
- Individuals must be provided with the opportunity to review the personal information collected about them at minimal or no cost.
- Records must be corrected if they are factually inaccurate or incomplete.
It is critically important that staff are trained to recognize personal information access requests. These requests do not always come through the “official channels” that have been set up by organizations, such as an address for the Privacy Officer. Although the request will be made in writing, it may come to front-line staff. In addition, organizations should consider developing a protocol for responding to these requests with a checklist for ensuring that all relevant sources of data are reviewed. Access is not limited to documents such as printed records or electronic word-based files. Personal information can include photographs and videos as well as electronic information that is held in multiple locations. A robust records retention policy can assist organizations in locating records as well as ensuring that they are appropriately destroyed to limit retention and, therefore, burdensome access requests.