An organization's privacy policy and procedures must be implemented effectively
PIPEDA Case Summary #2016-007
February 9, 2016
Lessons Learned
- It is important for employees to follow their organization’s established policies and procedures relating to access requests.
- Organizations should ensure that they maintain records associated with the processing of requests for access to personal information.
A person alleged that a collection agency (the “agency”), despite numerous requests, refused to provide access to the individual’s personal information.
The individual—who disputed the existence of a debt the agency was attempting to collect—faxed a letter to the agency requesting any and all information related to the alleged debt account. Having received no response, the individual contacted the agency by phone a few days later, followed by another fax.
About a month later, someone at the agency called the individual to confirm the correct mailing address; the company stated that the individual refused to do so. Unable to confirm this address, the agency claims that it mailed out the information to the individual at the mailing address it had on file.
The individual then sent the agency two additional written requests ─ several months apart ─ for access to the individual’s personal information. The agency responded to neither.
In total, the individual had sent four written requests for access to personal information, thus complying with subsection 8(1) of PIPEDA, which requires a request for access to be made in writing.
It was not clear during our investigation whether the agency had responded to the original access request within the 30 days required by PIPEDA. However, it was clear that it failed to respond to the additional requests for access from the individual, contravening subsection 8(3) and Principle 4.9 of Schedule 1 of PIPEDA. This amounts to refusing an access request, contravening subsection 8(5) of PIPEDA.
At our request, the agency later sent the information to the individual by registered mail. Although the individual refused to sign for the package, the agency was nonetheless deemed to have ultimately provided access to personal information. Thus, this complaint was determined to be well-founded and resolved.
Lastly, our Office noted that the agency’s privacy policy clearly identifies who is the agency’s designated person for privacy governance issues, even though the individual’s access requests were apparently not routed through that person as they should have been. The agency fully acknowledged that, in this case, it had not followed its own procedures to respond to the access requests. Consequently, the agency sought to revise its procedures and offer refresher training to its employees and management on access requests to personal information matters. Our Office also suggested that, in the future, the agency endeavor to keep clear written records of how and when it complies with access requests it receives.
- Date modified: