Poor response to customer’s access requests causes unnecessary deletion of his personal information
PIPEDA Case Summary #2010-003
[Principles 4.5, 4.9 and 4.9.4; Subsections 8(3), 8(4) and 8(8)]
- When receiving an individual’s request, the organization should determine as quickly as possible whether it will be able to complete the request within the initial time limit allowed by the Act. Requests are time sensitive.
- If it believes it has insufficient time and requires an extension, the organization must so advise the complainant in writing no later than 30 days after the date of the access request, advising them of the new time limit, the reasons for extending the initial limit (i.e., reasons mentioned in Subsection 8(4)) and the complainant’s right to make a complaint to the Commissioner with regard to the extension.
- For personal information contained within a specific access request, organizations should consider, and where necessary, override their regular deletion/retention practices until such time as the individual has exhausted any recourse under the Act to get access to that information. Note that this longer retention can also affect any audio/video recordings that may contain the individual’s personal information.
A customer’s first request to access his personal information was ignored by the organization. His second, several months later, required an extension to complete, although he was not properly advised of the extension within the time limits allowed by the Act. He also permanently lost access to some of his personal information when it was deleted by the organization in accordance with its standard retention policies, which did not take into account the lag between his first and second access requests.
The Assistant Commissioner obtained commitments from the organization to improve its policies and practices concerning customer access requests, and to make allowances in its information retention policy for personal information that is part of an unresolved access request.
The following is an overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
A request that an individual made to access his personal information held by a major telecommunications firm went unanswered despite his numerous follow-up emails over several months. According to the firm, his first request was misdirected and mishandled by one of its offices. The individual was thus invited to make the request again, which he did seven months after the first one—this time specifically addressing it to the Chief Privacy Officer (CPO).
Both times, he requested all notes and recorded conversations relating to his several accounts, some dating back thirteen years.
Yet the firm did not respond to his second request within the 30-day time limit, as required by the Act. However, five weeks after he sent it, the firm did call the customer, seeking his permission to extend the limit because of the volume of information he was seeking.
More than 70 days after the date of his second request, the firm sent the complainant copies of all his account notes. The longer delay was partially caused by the necessary decoding and transcribing of some of the information from a data format no longer used by the firm’s current computer system.
The client’s call recordings for his accounts were not included in the information he received. The firm advised us that it had erased all audio recordings more than six months old, prior to the date of his second complaint, in accordance with its six-month retention policy.
While it had in its possession recordings of the customer’s calls dating back to six months before his first (mishandled) request, these had since been destroyed in accordance with its usual retention policy.
Issued (September 28, 2010)
Application: Principle 4.9 states that an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information.
Subsection 8(3) requires that an organization respond to a request with due diligence and in any case not later than 30 days after receipt of the request.
Subsection 8(4) stipulates that an organization may extend the time limit for a maximum of 30 days if meeting the time limit would unreasonably interfere with the activities of the organization, or if the time required for consultations necessary to respond to the request would make the time limit impracticable to meet. When an organization needs to convert the personal information into an alternative format (i.e. a format that allows a person with a sensory disability to read or listen to the information), it may extend the time limit for a period required for the conversion.
Also pursuant to subsection 8(4), the organization is required to send a notice of extension to the individual, no later than 30 days after the date of the request, advising them of the new time limit, the reasons for extending the limit and their right to make a complaint to the Commissioner about the extension.
Subsection 8(8) states that, despite Principle 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under Part 1 of the Act.
Principle 4.9.4 states that an organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.
In making her determinations, the Assistant Commissioner deliberated as follows:
- The customer’s original request was disregarded by the firm as were his follow-up inquiries to it.
- Although it was given a second chance, the organization failed in its obligation to notify within 30 days of the second request’s date that more time would be needed to complete it. It also failed to provide reasons, as well as other required information, in accordance with subsection 8(4). The Assistant Commissioner noted that when it did contact the customer about the delay, it was by telephone and not in writing.
- However, the organization eventually provided the complainant with his personal information that it still had in its possession, and made it available to the complainant in an understandable format, thus upholding Principles 4.9 and 4.9.4.
- Missing were call recordings that had been erased by the firm as a result of its six-month retention policy for audio recordings and its failure to respond to the complainant’s first complaint, received eight months before. The firm thereby violated subsection 8(8), which required the firm to retain any personal information subject to a particular request for as long as necessary to exhaust any recourse under the Act for access.
- The Assistant Commissioner noted that this erasure is unfortunate and irreversible. It could have been avoided had the firm properly processed the complainant’s first access request, or had at least replied to his ensuing messages, if it was unsure about it.
As a result of this Office’s involvement in the matter, the firm agreed to revise its procedures so that client service staff and their managers are vigilant of the time limits to respond to customer access requests and that they uphold all the provisions of subsection 8(4) regarding extensions. The firm’s revised procedures will also require that staff seek clarification from customers for all access requests that are unclear, and that they also consult with the CPO in a timely manner whenever there is doubt. Lastly, the firm assured us that upon receipt of an access request, any telephone recordings relating to the file will not be deleted until such time as the access request has been complied with and a suitable period for a response has been allowed for.
The Assistant Commissioner concluded that both the complaint concerning time limits and the complaint concerning access were well-founded and resolved.