Responding to Personal Information Access Requests

One of a privacy officer’s main responsibilities is to respond to personal information access requests.

A personal information access request gives an individual the right to view or obtain a copy of certain types of personal information that your organization holds about them. Before releasing any personal information, verify the identity of the requester, and charge only a nominal fee, and only where the applicable legislation permits it.

Policies and Procedures

Your organization may already have policies and procedures in place to ensure that personal information access requests are dealt with appropriately. If not, it will be your privacy officer’s responsibility to create and follow them in accordance with privacy legislation.

Verifying an Individual’s Identity

It is important to have strong identity verification procedures in place before releasing personal information. Releasing personal information to the wrong individual is itself a privacy breach and can have serious consequences for your organization.

At a bare minimum, follow industry best practices when releasing personal information, especially if it is sensitive.

The personal information usually used for verification (e.g. name, date of birth, address, maiden name, SIN/SSN) can often be obtained easily by someone other than the individual, so on its own it is a weak proof of identity. Your organization should show due diligence in verifying an individual's identity in proportion to the sensitivity of the personal information being released.

Fees

Depending on the scope and time required to produce personal information, your organization may choose to charge individuals for an access request.

Some legislation, such as Canada's PIPEDA, requires that access be provided at minimal or no cost to the individual making the request. An organization cannot use fees as a way to make a profit.

It is important to consult privacy legislation or any available regulations when deciding to charge fees for access requests.