Need to establish procedures for handling access to personal information requests stressed
PIPEDA Case Summary #2007-367
[Principles 4.1.4(c), 4.9, subsections 8(3) and 8(5)]
The complainant had sought access to his personal information from a lawyer who represented a company the complainant was in a dispute with. Although the complainant in this case never received the personal information he requested (the lawyer who held it had left the law firm, taking his files with him), the law firm in question implemented procedures to ensure that when staff members receive requests for access to personal information, the Chief Privacy Officer is informed and the request is processed. The Assistant Privacy Commissioner considered the matter resolved.
The following is a detailed overview of the investigation and the Assistant Commissioner’s deliberations.
Summary of Investigation
The complainant sent an e-mail to a lawyer at the law firm in question, requesting records related to him. In this message, he cited the Personal Information Protection and Electronic Documents Act (the Act). The lawyer in question had represented an organization with which the complainant was engaged in litigation.
Four days later, the lawyer responded, stating that he did not act for the complainant, nor did he have consent from anyone or legal authority to release the information the complainant was seeking.
A few weeks later, the complainant sent a letter to the lawyer, reminding him that he must comply with the request under the Act. Shortly afterward, the lawyer responded, still refusing to provide the information.
The law firm where the lawyer worked only became aware of the complainant’s request after it received notice of complaint served by our Office. The lawyer in question did not forward the complainant’s request to the firm’s privacy officer and had since left the firm, taking all of his client files with him. The law firm stated that it no longer had any files concerning the complainant.
At our Office’s request, the law firm sent a message to all staff reminding them that, if they receive requests for access to personal information under the Act, they are to refer them to the firm’s Chief Privacy Officer for processing.
We informed the complainant that he could request access to his personal information from the lawyer’s new firm. To date, the complainant has not made such a request.
Issued January 19, 2007
Application: Under Principle 4.1.4(c), organizations shall implement policies and practices to give effect to the principles, including training staff and communicating to staff information about the organization’s policies and practices. Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. Subsection 8(3) stipulates that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Subsection 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.
In making her determinations, the Assistant Commissioner deliberated as follows:
- When the complainant made his request, he made it directly to the lawyer who was representing an organization with which he was involved in litigation. Although the lawyer responded to the request well within the 30 days stipulated in subsection 8(3) of the Act, he did not process the request; instead, he refused outright to provide the complainant with any information at all.
- There may have been legitimate reasons to deny access – the Act outlines exemptions to the obligation to provide access which organizations may apply. However, none were applied in this case because the complainant’s request was not forwarded to the law firm’s Chief Privacy Officer for processing and response. The Assistant Commissioner therefore found the organization in contravention of Principle 4.9.
- The investigation established that the law firm no longer holds any personal information about the complainant, and cannot therefore process his request.
- The law firm in this complaint has reminded its staff that any requests for personal information are to be forwarded to its Chief Privacy Officer for processing. Such a measure, the Assistant Commissioner reasoned, is in keeping with Principle 4.1.4(c), and will help ensure that, in future, the law firm responds to personal information access requests in accordance with its obligations under Principle 4.9.
The Assistant Commissioner concluded that the complaint was resolved.