Fees and the role of a medical practitioner considered in denial of access complaint
PIPEDA Case Summary #2006-341
(Principle 4.9, 4.9.1, and 4.9.4; subsection 8(3))
The complainant in this case objected to an insurance company charging flat fees (plus photocopying fees) to obtain a copy of his personal information. He also objected to the company providing him with access to some of his medical information through his physician. He believed that he should be provided with access directly and not through an intermediary.
The Assistant Privacy Commissioner, however, agreed with the company that it was acceptable to provide access through a physician. As for the flat fee, during the investigation, the company ceased its practice of charging one. The question, however, of charging photocopying fees is one that the Office is concerned about. To that end, it is currently reviewing the issue with a view to providing guidance to organizations.
The following is a detailed overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
In response to the complainant’s written request for access to his personal information, the insurance company asked him to fill out a form, specifying what information he was seeking. The company also indicated that on receipt of the information, the complainant would be required to pay a minimum charge of $25 for photocopying file material, with an additional charge of $0.25 per page for requested materials in excess of 50 pages. Although the complainant stated that he filled out the form and sent it back to the company, the company indicated that it did not receive a completed form. While the complainant believed that he had faxed it, he could not provide any proof that would confirm the date he sent it. Following notification of the complaint from the Office, the insurance company acted on the request.
The company was of the view that the rate it was charging was reasonable and in compliance with the Act. The Office, however, pointed out that, in a previous finding, the Privacy Commissioner viewed the practice of charging flat fees, before determining the type of request being made, to contradict the spirit of the Act. Given that the Act entitles an individual to request his or her own personal information, and fees are not to be used by organizations to discourage requests, an organization should only consider charging fees for processing a request when the request is exceptional, and then only at minimal cost. The organization should then notify the individual of the cost and proceed only with the individual’s consent.
After discussing this matter with the Office, the insurance company modified its policy. Instead of charging a flat fee, it is charging photocopying fees of $0.30 a page (anything under $5 will not be charged). The company stated that it was basing this amount on the recommendations of Quebec’s Information Commissioner’s Office, which considers photocopying fees of $0.31 a page to be reasonable. (It should be noted that Quebec’s law provides that access to personal information is free.)
In this case, the complainant did not pay any fees to obtain his information. Since the personal information held by the company primarily concerned medical information, the company asked the complainant for the name of his treating physician in order to send the information to him/her. Given the nature of the information in question, the company believed that it should be sent to a physician for interpretation. The complainant, however, disagreed and believed that medical documentation should be sent directly to him and not through an intermediary. As he did not give the company the name of his treating physician, the insurance company could not transmit these documents.
The complainant also noted that he did not receive a copy of stubs for payments made in 1999 and that he did not receive a copy of the insurance policy. The insurance company stated that it retains pay stub information for a period of two years; consequently, it did not have a copy of the pay stub for 1999. As for the insurance policy, the company sent the complainant a copy of its long-term disability coverage policy nearly a year after he first wrote to the company.
Issued July 20, 2006
Application: Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request; Principle 4.9 provides that, upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate; Principle 4.9.1 clarifies that if the personal information concerns sensitive medical information, the organization may choose to make it available through a medical practitioner; and Principle 4.9.4 stipulates that an organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- On the matter of time limits, the investigation could not establish with certainty that the insurance company had exceeded the time limits imposed on organizations under subsection 8(3). The complainant could not indicate for certain the date that he sent in the request form, and the company claimed that it did not receive the form.
Accordingly, the Assistant Commissioner concluded that the time limits allegation was not well-founded.
- With respect to the denial of access allegation, a response was sent to the complainant following the Office’s notification of a complaint. While the complainant felt that the medical information should be provided to him directly, the Assistant Commissioner was of the view that the company could provide him with access to such information via his treating physician, as per Principle 4.9.1.
- The Assistant Commissioner was also satisfied that the insurance company, at the Office’s request, had conducted a thorough search for stubs that would have been issued to the complainant in 1999. These could not be found given that they are only retained for two years and then destroyed. Noting that the Personal Information Protection and Electronic Documents Act does not demand that organizations retain personal information indefinitely, and in fact encourages them to destroy personal information they no longer need, the Assistant Commissioner determined that the complainant had been provided with access to all of the personal information to which he was entitled, in accordance with Principle 4.9.
She therefore concluded that the denial of access allegation was resolved.
- As for fees, the Assistant Commissioner noted that any fees charged should be token, as per Principle 4.9.4, which states that access must be provided at “minimal or no cost.”
- During the investigation, the insurance company changed its policy in order to better meet the expectations of this Principle and no longer charges a flat fee. In this case, the respondent provided the complainant with some of his personal information at no charge and offered to provide the medical information through his physician, again at no charge.
The Assistant Commissioner therefore concluded that the fees complaint was resolved.
The Assistant Commissioner noted that the question of charging fees for copies of personal information is of concern to the Office. Consequently, the Office is currently examining the matter with a view to providing guidance to organizations on this matter.
- Date modified: