PIPEDA Case Summary #2016-007
February 9, 2016
- It is important for employees to follow their organization’s established policies and procedures relating to access requests.
- Organizations should ensure that they maintain records associated with the processing of requests for access to personal information.
A person alleged that a collection agency (the “agency”), despite numerous requests, refused to provide access to the individual’s personal information.
The individual—who disputed the existence of a debt the agency was attempting to collect—faxed a letter to the agency requesting any and all information related to the alleged debt account. Having received no response, the individual contacted the agency by phone a few days later, followed by another fax.
About a month later, someone at the agency called the individual to confirm the correct mailing address; the company stated that the individual refused to do so. Unable to confirm this address, the agency claims that it mailed out the information to the individual at the mailing address it had on file.
The individual then sent the agency two additional written requests ─ several months apart ─ for access to the individual’s personal information. The agency responded to neither.
In total, the individual had sent four written requests for access to personal information, thus complying with subsection 8(1) of PIPEDA, which requires a request for access to be made in writing.
It was not clear during our investigation whether the agency had responded to the original access request within the 30 days required by PIPEDA. However, it was clear that it failed to respond to the additional requests for access from the individual, contravening subsection 8(3) and Principle 4.9 of Schedule 1 of PIPEDA. This amounts to refusing an access request, contravening subsection 8(5) of PIPEDA.
At our request, the agency later sent the information to the individual by registered mail. Although the individual refused to sign for the package, the agency was nonetheless deemed to have ultimately provided access to personal information. Thus, this complaint was determined to be well-founded and resolved.
- Date modified: