Monday, March 07, 2022

Video: Individual access requests under PIPEDA

New on my YouTube Channel.

Intro

Today I am going to be speaking about individual personal information access requests. If you're from Europe, you probably have heard the term data subject access requests, which is essentially the same concept.

This is where an individual gets to ask a business what information they have about them, expects a copy of it and perhaps disputes its accuracy.

I remember when our federal privacy law was being debated and phased in, many businesses were concerned they would be overrun with individual access requests. They were particularly concerned with frivolous or vexatious ones. We really haven’t seen that in practice.

But the right exists and any organization that does business in Canada needs to know about it and should be able to manage it.

Today, I am only going to be talking about Canada's personal information protection and electronic documents act. This law includes a general rule that individuals have an access right. Like most rules, this is not absolute and there are some exceptions. I plan to cover many of these exceptions in this discussion.

While this discussion is limited to Canada's personal information protection and electronic documents act, you should probably know that every single Canadian privacy law includes an access right.

Most of our public sector laws are divided between freedom of information and protection of privacy. In the federal public sector, there is a separate Privacy Act and an Access to Information Act. Many provinces also have health privacy laws, all of which include an individual access right.

Though I am talking about the federal private sector law, you should know that some of the details can differ from law to law.

If you have followed any of these discussions, you will know that the Personal Information Protection and Electronic Documents Act is weird. This federal law is based on the general principles of the Canadian Standards Association Model Code for the Protection of Personal Information. In fact, this standard of Canada is appended as a schedule to the law.

If you read it, you will see that it is written as a general list of principles, not like most of our laws. The general rules are in the schedule but there are exceptions in the body of the statute. The body of the law and the Schedule have to be read together.

The General Principle of Access

So we will be looking at Principle 9 from the CSA Model Code and then sections 8 through 10 of the Act.

Of course, we have to start with the general rule of access. This is in Principle 9, entitled “individual access”. It says…

“Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.”

This talks about access to the information itself. It also refers to access to information about how it has been used. And the individual also gets to challenge the accuracy and completeness of that information.

There are some sub-principles that elaborate on this. Sub principle 9.1 says…

“9.1 Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. … In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.”

The business should answer the question about whether they even have information about the individual, and should be able to tell them where that information came from.

They also should be able to tell the individual how that information has been used and to whom it has been disclosed. Businesses are sometimes surprised to discover that they have to keep information about their information in order to satisfy this requirement.

Because a business cannot disclose personal information about somebody without their consent, and the information contained in an individual access request is pretty all-encompassing, it makes sense that the business can require the individual to prove that they are the person they purport to be. It also makes sense that the individual should cooperate in helping the business identify what information may be about them.

That includes “how do we know you are who you say you are?” And “where should we look to find information about you?”

Information provided in that particular context can only be used for that purpose.

To whom has the information been disclosed?

I mentioned that businesses have to keep information about their information. In sub-principle 9.3, individual access rights include a right to know to whom a person’s personal information may have been disclosed. The principle reads:

“9.3 In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.”

At the end of the day, organizations need to know where the data they control goes and need to be able to tell people when they ask.

Timelines to respond

The timelines to respond are a good example of the difference between the very general language of the principles and some of the specifics in the statute. The sub-principle 9. 3 says it has to be provided “within a reasonable time”. We’ll see when we flip to section 8 that that really means no later than 30 days in most cases.

The sub-principle also says it has to be at minimal or no cost to the individual.

My general advice is to not charge people for this. But there are cases where individuals will repeatedly make requests and there is no mechanism to say “no” to frivolous or vexatious requests. Attaching a cost may make sense. For example, in any twelve month period the first request is free.

I think Google had the right idea when it started providing users with the ability to download their account information. A self-serve individual access right. Since then, many large data driven companies have followed suit allowing individuals to easily access their own data for free.

This sub-principle also says “The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.”

This makes sense. If a person can’t parse a JSON file or decipher technical abbreviations, the person really isn’t able to access the information. I know of some healthcare providers who will provide a nurse or a records clerk to walk through the records with a patient who asks for it.

Finally, you’ll note that this doesn’t go so far as to give a “data portability” right. We expect this to be added when PIPEDA is updated in the coming year or so.

Disputes about accuracy

PIPEDA contains an accuracy principle, which requires that “Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.”

The individual has the right to dispute the accuracy of any personal information a company may have, and sub-principles 9.5 and 9.6 address how this is to be dealt with. It is pretty straightforward:

“9.5 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.”

But what happens if the company doesn’t agree that the information is inaccurate? Sub-principle 9.6 addresses this:

9.6 When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

How to make a request

So those are the relevant provisions in the Schedule from the CSA Model Code. Let’s now turn to some of the specifics in the body of the statute itself.

Subsection (1) of Section 8 of PIPEDA says that these requests have to be in writing. This can, of course, be electronic. Note that the wording says “must”. This implies that a request that is not in writing doesn’t trigger the formalities of the Act, but can still be responded to.

Duty to assist

Subsection (2) of Section 8 places an obligation on the organization to assist the individual to make a request if they say they need help.

This makes sense.

Timing

I mentioned earlier that the general language about timing in the principles is firmed up in the body of the statute. Specifically, it says “An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.”

Extension of time limit

This isn’t absolute, however. In some cases, the organization can extend the time but has to let the individual know about the extension, the reason for it and of their right to complain to the Privacy Commissioner.

The first circumstance is if “meeting the time limit would unreasonably interfere with the activities of the organization”.

This would be if the request is complex or would require a lot of resources, who would be taken away from their usual tasks and it would “unreasonably interfere with the activities of the organization.” What “unreasonably interfere” means is unclear. In this case, the timeline can be extended for a second thirty days.

The second circumstance is if the organization needs more time to carry out consultations necessary to respond to the request. For example, some of the information may have been generated in litigation or in contemplation of litigation, and the organization needs to determine if the privilege exception applies and to decide whether to waive it. In this case as well, the timeline can be extended for a second thirty days.

The third scenario is more open ended and allows time to convert the personal information into an alternative format. This may be to accommodate a disability.

Deemed refusal

Subsection (5) of Section 8 says that if the organization fails to respond to an access request within the timelines imposed by the Act, that is a deemed refusal and the individual thus has the right to complain to the Privacy Commissioner.

Costs for responding

You’ll recall that the principles say that access requests have to be “at minimal or no cost to the individual.”

Subsection (6) of Section 8 says that you can only charge the individual if they are advised of the approximate cost and the individual then tells the organization that the request is not being withdrawn.

Notably, there is no other guidance on costs or whether the cost has to be reasonable. That’s likely implied.

Reasons for refusals

If the organization refuses an individual’s request – and I’ll get into the exceptions that can justify a refusal shortly – this refusal has to be in writing. It has to tell them the reasons for the refusal and to tell them they have the right to complain to the Privacy Commissioner.

It also says that the organization essentially must preserve and retain the information at issue for as long as is necessary to allow the individual to exhaust any recourse that they may have.

That makes sense. If it was an unjustified refusal, and the end result is a recommendation from the Commissioner or an order from the court to hand it over, that would be thwarted if the information were deleted in the meantime.

Mandatory refusals

The Act contains a number of circumstances where access either can be refused or where it must be refused.

In subsection (1) of section 9, it says that you have to refuse to provide access if doing so would disclose personal information of a third party. If that personal information can be severed from the disclosure, then you must do the severing and provide the balance of the information. If the third party consents, then access can be granted.

Interestingly, subsection (2) allows giving access even if it would disclose third party personal information if the “individual needs the information because an individual’s life, health or security is threatened.”

Notably, it is not just if the applicant’s life health or security is threatened

That is a real outlier of a scenario and if you encounter that, get immediate advice from an experienced privacy lawyer.

A second scenario where access must be refused is if the personal information that is the subject of the access request has previously been requested by law enforcement, national security or other government agencies. If this is the case: get immediate advice from an experienced privacy lawyer.

The Act sets out a whole routine of consulting with the government agency, seeking their input or direction. If they say don’t disclose it, you can’t disclose it. And you probably can’t tell the individual why and you also have to give notice to the Privacy Commissioner.

The legislators have created a real minefield for organizations if this comes up, so proceed with caution and with good advice.

Discretionary refusals

Subsection (3) of Section 9 sets out a number of circumstances where an organization can choose to refuse access. It doesn’t have to provide it, but it can.

The first is if the information is protected by legal advice or litigation privilege. This comes up a lot because individuals often use the access right under PIPEDA as a pre-litigation discovery tool. If there’s any doubt about whether information fits in this category, seek advice. And of course be aware that this would amount to a waiver of privilege.

The second is if providing access would reveal confidential commercial information, but if that information can be severed, it has to be and the balance of the information must be provided.

The third is if disclosing the information could reasonably be expected to threaten the life or security of another individual. As with confidential commercial information, if that information can be severed, it has to be and the balance of the information must be provided.

The fourth is if the information was collected under paragraph 7(1)(b), which is if it was collected without the knowledge or consent of the individual in connection with an investigation related to a breach of an agreement or a contravention of the laws of Canada or a province. If you refuse on this basis, you have to notify the Privacy Commissioner and include in the notice to the individual whatever information that the Commissioner may specify.

The fifth is if the information was generated in the course of a formal dispute resolution process. This would be in addition to litigation privilege, referred to in paragraph (a).

The sixth scenario where access can be refused is if the information relates to an investigation under the Public Servants Disclosure Protection Act. This rarely arises.

Conclusion

At the end of the day, Canadians are generally not frequent users of the individual access right that they have in the Personal Information Protection and Electronic Documents Act.

But businesses need to understand that this right exists and should have processes and procedures to manage it. Hopefully this has provided information on the general rules that apply to this, and the exceptions to the general right of access.

Thank you very much for tuning in. If you have any comments on this video or any suggestions for topics you’d like to see covered in the future, please leave them in the comments below.

If you find this sort of content to be interesting or informative, please subscribe. If you also click the bell, you’ll be notified of new videos as they are posted.

No comments: