
Principle 6: Access

The sixth principle of the Generally Accepted Privacy Principles (GAPP), Access, requires that the entity provide individuals with access to their personal information for review and update.

This fair information practice acknowledges the right of individuals to access their personal information held by an entity and to be provided with the means to review, update, or block further use of that information.

A corresponding obligation is imposed on the entity to facilitate the individual's right on request. In this regard, exceptions can occur when the burden or expense of providing access would be disproportionate to the risks to the individual's privacy or when the rights of persons other than the individual would be violated. In such cases, the individual should be provided an explanation for being denied access. Specifically, the criteria outlined in GAPP indicate that an entity should do the following:

· Design privacy policies that address providing individuals with access to their personal information (see Criterion 6.1.0)

· Communicate to individuals how they may obtain access to their personal information to review, update, and correct that information (see Criterion 6.1.1)

· Design procedures and controls to ensure that individuals are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information (see Criterion 6.2.1)

· Design procedures and controls to ensure the confirmation of individuals' identity before they are given access to that information (see Criterion 6.2.2)

· Design procedures and controls to ensure that personal information is provided to the individual in an understandable form, in a reasonable time frame, and at a reasonable cost, if any (see Criterion 6.2.3)

· Design procedures and controls to ensure that individuals are informed, in writing, of the reason for denial of access (see Criterion 6.2.4)

· Design procedures and controls to ensure that individuals are able to update or correct personal information held by the entity. If practical and economically feasible to do so, the entity provides such updated or corrected information to third parties that previously were provided with the individual's personal information (see Criterion 6.2.5)

· Design procedures and controls to ensure that individuals are informed, in writing, about the reason a request for correction of personal information was denied, and how they may appeal (see Criterion 6.2.6)

· Design procedures and controls to ensure that complaints and other disputes are escalated until they are resolved (see Criterion 6.2.7)

Typically, the individual's request should be documented and an entity should provide assistance, as needed, in preparing the request. A fee may be charged only if the entity has informed the individual of the approximate cost and the individual does not withdraw the request. In addition, an entity should respond to a request with due diligence and, in any case, usually not later than 30 days after receiving the request.

An entity that responds within the time limit and refuses a request should inform the individual in writing of the refusal, setting out the reasons and any recourse available. An entity must also retain information for as long as necessary to allow the individual to exhaust any recourse available.

In certain situations, an entity may not be able to provide access to all the personal information it holds about an individual. The reasons for denying access should be provided to the individual, on request. Exceptions may include information that is prohibitively costly to provide; contains references to other individuals; cannot be disclosed for legal, security, or commercial proprietary reasons; or is subject to solicitor-client or litigation privilege.

In certain circumstances, a request for access can be legally denied, for example, if giving an individual access to personal information would reveal personal information about a third party. If that information is severable, the entity should delete the information about the third party from the copy provided to the individual. This would not apply if the third party consents to the access or the individual needs that information because an individual's life, health, or security is threatened.

The disclosure of personal information may also be restricted because of any of the following:

· It relates to investigations of offences or national security.

· The information is protected by solicitor-client privilege.

· To do so would reveal confidential commercial information.

· To do so could reasonably be expected to threaten the life or security of another individual.

· The information was collected with respect to investigating a breach of an agreement or a contravention of a law.

· The information was generated in the course of a formal dispute resolution process.

Examples of related risks: If an individual is unable to correct erroneous information, and this information is used by the entity to make a decision, such as a credit rating or medical assessment, this may result in legal liability or sanctions. Also, if an individual's identity is not appropriately authenticated before releasing his or her record, theft of that individual's identity may result and may also lead to legal liability.


Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York.