The Access My Info tool makes it simple to create a request for access to your personal information. It includes a database of many companies, their privacy contacts, and pre-written request letters written by privacy scholars that allow you to quickly generate a letter.
It’s your responsibility to send the generated letter to the institution in question and to directly engage with the institution throughout the entirety of the request process.
Additional steps may be involved
The institution may not simply provide you with a satisfactory result after the mandated time frame. They may contact you to confirm your identity, solicit more information about your request, discuss the possibility of a fee for access, or attempt to dissuade you from making your request. They might also not respond to your request at all, or ask for an extension.
AMI provides resources for how to handle such situations. You can choose to get an email 30 days after creating your request that will advise you on next steps, but it is your responsibility to stand up for your rights and communicate directly with the organization.
What should I do if…
… they ask for a fee?
In Canada, PIPEDA states that companies should provide access for free or at a minimal cost. What is reasonable is up for interpretation, but we’ve found that companies which do try to charge a fee usually say something like, “It will take X hours at $Y/hour to retrieve those records”. If something like this happens, you should make note of the fee that was quoted, and share this incident with our research team. If you do not wish to pay the quoted fee, you can respond to the company by quoting PIPEDA. You might write something like this:
PIPEDA states that access should be provided “at minimal or no cost”. I do not feel that the quoted fee is in line with the spirit of the law. Given that your organization should, by law, have established “procedures to receive and respond to complaints and inquiries”, I feel that this procedure puts an inordinate burden on the inquirer.
If you do not wish to negotiate on price, another cost-saving strategy to pursue is to request a sample of your data from the organization, instead of a complete record. Such a request will still allow you to better understand the general character of the data that the company holds on you but won’t get you a complete historical record of all the information held about you. Practically speaking, this might amount to records about a single month’s activities, instead of all activities.
Given the cost your organization has associated with my records request, I would like to modify my original request to a sample of one month’s records, and request that the fee be waived for this minimal request.
… I don’t get a response?
If you haven’t received a response within the legally-mandated time frame of 30 days, we recommend that you send a reminder email or letter to the organization, and include a copy of your original request. This reminder should be polite yet firm and let the organization know that you are aware of your legal rights and expect the organization to fulfill its obligations and provide you with a complete response.
I am writing in regards to my request dated _______ for access to my personal information held by your organization. I have yet to receive a response. I would like to remind you of your legal obligation to respond to my request within 30 days, or to inform me of the need for a 30 day extension. I am also aware of my right to lodge a complaint with the Office of the Privacy Commissioner of Canada should I not receive a response within the timeframe.
Please provide me with a response within the next 30 days.
Thank you for your co-operation.
… I’m not satisfied with what I get back?
If you receive an incomplete response or are otherwise unsatisfied (such as with high costs or an adversarial tone), you may wish to write to the organization to express such feelings. You can also file a complaint to the Office of the Privacy Commissioner. This complaint should include the following components:
- Your name
- The organization to which you issued your request
- A timeline of interactions you had with the organization: Date of original request, and any other communications, with notes as need be.
- Any general comments.
… The data contains errors?
You have the right to ensure that the personal data organizations hold on you is up-to-date and accurate. If you find incorrect information in the response to your access request, you may want to contact the organization in order to fix the errors. When doing so, your letter or email should:
- Include your name and contact information;
- Be addressed to the organization’s privacy officer;
- Mention that you wish to exercise your right to correct your personal information, and;
- Include a clear list of data you wish corrected. Each list item should include the type of data, the incorrect data, and the requested correction, which might look like this:
  - Telephone number: Incorrect: 555-123-1234; Correct: 555-234-2345
After your request
After you’ve gotten a response, or otherwise terminated your request, we invite you to share feedback about your experience using the AMI tool and your experience dealing with the institution from which you requested your data. Your input will help improve AMI, as well as help researchers analyze trends in institutional responses to right to information requests.