Any individual can ask if your business holds personal information about them. That person is exercising their right of access. There are a few things your business should know and act upon right away to avoid related privacy or data protection issues with laws and regulations.
What is the right of access anyway?
Depending on the jurisdiction it may be referred to as ‘subject access’. The right of access is pretty straight forward.
- It gives individuals the right to obtain a copy of their personal information and other supplementary information about the personal information that your business holds about them.
- It helps individuals to understand how and why you are using their personal information. Also, to check that you are doing it lawfully.
Why is this important?
Your business will be helping individuals exercise their fundamental privacy or data protection rights and freedoms. Because you show fairness, you earn more trust from people. It gives your brand a competitive edge.
What happens if we don’t respond to access requests?
You could incur thousands or hundreds of thousands of dollars in fines if you do not respond to the request or provide the information requested within a specified timeframe required by law.
Which states or countries require that we comply?
Just about everywhere – it seems. It’s best to check specific privacy and data protection laws and regulations in each jurisdiction where your business activities include collecting personal information from individuals. Get the help of a privacy attorney.
Here are the basics
- You shouldn’t put this off. Respond to their requests ASAP.
- Provide information they need without charging them
Remember that Individuals have the right to access their personal data. Individuals have the right to know
- what personal information your business knows about them
- how that information is being used
- why that information is being used
- where that personal information came from
- who can see their personal information
More on those rights
- Individuals can make an access request verbally or in writing
- Individuals may also make an access request on behalf of others
- You may have up to one month to respond or fulfill an access request. It depends on the jurisdiction you’re dealing with
Understand their requests. Ask questions and confirm what the individual needs or that the individual is making an access request
Before you reply or respond you must check the identity of the requester
Can we ask an individual for ID?
Yes. You should always ask for authenticate the individual to avoid giving personal information to the wrong person. Ask for more information about the person making the request but don’t ask for more than is necessary to properly identify them.
Depending on the regulation or law, the clock begins to tick as soon as you receive information to confirm the individual’s identity.
- confirm that you are processing their personal information
- provide a copy of personal information
- provide details of how their personal information is collected, used, stored, and disposed of
- Depending on the request prepare to provide the requested information electronically, but you may provide a hard copy – such as a printout or photocopy if the requester prefers this format
- Explain the information you provide them especially if it’s coded and difficult to understand
Your response should be:
- crystal clear – being open or transparent makes it easier to fulfill the request
- written in clear, plain or understandable language
- in an easily accessible format
*Be ready to remove or correct any data that does not relate to them if the individual identifies an error within the personal information you hold
What supplemental information do we need to provide?
In addition to providing a copy of their personal information, you should also provide individuals with information including:
- the purposes of your processing;
- the categories of personal data concerned (for example, financial, contact, social, tracking, preferences, health, or physical characteristics, etc);
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint enforcement authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organization.
*You may be providing much of this information already in your privacy notice. It’s important to check.
Can we say ‘no’ to access requests?
You may deny access request
- if the personal information contains legal advice
- if the information relates to another person
Here’s a ‘To Do’ List to Help You Prepare
- Train your staff especially those employees that handle emails or communication with customers and with other employees. They should be able to recognize an access request even if the individual requesting access does not refer to the request as an access request
- Have an email address that points individuals to access request intake
- Have a policy on how to document verbal requests
- Have information your staff will provide when you decline an individual’s access request
- Have processes in place to ensure that you respond to an access request without undue delay and within the time limit specified by laws and regulations
- Identify circumstances when you can extend the time limit to respond to a request
- If other people’s personal information appear in the record(s) requested, scrub the record to protect other individuals’ privacy rights
- Get help from a privacy or data protection consultant
Photo courtesy: RawPixel, Kelsey Knight, Studio Republic, and Capturing-The-Human (unsplash)
- January 2019 (1)
- December 2018 (1)
- November 2018 (1)
- October 2018 (1)
- September 2018 (1)
- August 2018 (1)
- July 2018 (1)
- June 2018 (1)
- May 2018 (1)
- April 2018 (1)
- March 2018 (1)
- February 2018 (1)
- January 2018 (1)
- June 2017 (1)
- May 2017 (1)
- March 2017 (1)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- November 2016 (1)
- October 2016 (1)
- September 2016 (1)
- August 2016 (1)
- July 2016 (1)
- June 2016 (1)
- May 2016 (1)
- April 2016 (1)
- March 2016 (1)
- February 2016 (1)
- January 2016 (1)
- December 2015 (1)
- November 2015 (1)