Full name of person you are addressing
Dear name of the person you are addressing:
Re: Request for Personal Information
In accordance with the personal Information Protection Act (PIPA), Section 23, andPersonal Information Protection and Electronic Documents Act (PIPEDA), I am formallyrequesting all my personal information in the company's possession.
Specifically I am requesting:
- all my personal information under the company's control, including any electronic documentation
- information regarding the ways in which my information has been/or is be used by your company
- the names of the individuals and organizations to whom my personal information has been disclosed and for what purpose.
In consideration of specific time lines as set out by PIPA and PIPEDA, your prompt attention in this matter is appreciated.
Your full name
You may have to change some details pertaining to actual provincial acts depending on the province you reside in.
Don't forget to list your cc's, to keep copies for yourself and don't forget to take the red out!
So you wanna see what they really have on file about you?
Requesting your personal information through privacy legislation
Alright, so you've decided to make a request to access to your personal information, either to your company, a company, or a government institution. There are a few things you should know first. Believe me, it is not all cotton candy and popcorn when it comes down to it.
First off, in Canada there are two bits of legislation that are relevant. Depending on which province you reside in. There is the federal version of privacy legislature, and in BC (PIPA), Alberta (FOIP) and Quebec (An Act respecting the protection of personal information in the private sector) there are also provincial versions. So which one do I use you ask? Well the answer is - both.
In most cases, the provincial version of privacy legislature is a derivation of the federal version. Of course the federal version supersedes provincial. There are also specific cases where federal privacy legislation is used. The test is whether the organization carries out business across provincial borders. So organizations such as big banks, railroad companies, airlines, and some major freight carriers would be great examples of organizations that would fall directly under federal privacy law (PIPEDA).
In a situation where perhaps one bit of legislation does not cover the issue at hand, the other will. So look at both bits of privacy legislation as two blankets. Two blankets that cover you as a citizen. Over and above whatever contracts you may have in place between you and an employer as well. Both bits of legislation must be adhered to.
In some cases, a company, union, or government agency may attempt to give you advice with respect to what your privacy rights actually are. I would certainly beware of this. Although most organizations will have policies in place, they should be compared to the actual legislation to see if it fits within the guidelines. Your best bet - if you have questions with respect to privacy law pertaining to your specific situation - is to fire off your question to your provincial or the federal privacy commissioners' offices. You can't go wrong when you hear your answer from the horse's mouth.
Be aware also that if you are requesting this from an employer directly, it could potentially make your working life a bit difficult. But hey, who said it was going to be easy standing up for your statutory rights and exercising them? Also keep in mind the corporate structure of the organization you are making the request to. The bigger the organization, the more potential levels may have dealt with your personal information in any number of forms. For example, let's say you work for a retail chain. How many stores in the chain have you worked for? Does your personal file get transferred with you? Even if there is only one personal file at the retail store level, typically there is still a head office file on you too. Make sure you get access to both.
It's also great to compare the two if that is your situation. In my experience I have found the two to contain vastly different information. There are usually similarities too though.
When drafting your request, keep in mind that personal information can be collected in may forms. Not just paper documentation. You could have had video taken of you, or perhaps emails between different levels that were passing on personal information from one source to another. Remember, your personal information includes everything that is considered personal and privileged information. Typically you could cover requests for email, video etc.... under the terminology "electronic documentation". So make sure you make reference to this.
The next thing you need to know is some of the basic rules.
Some basic rules
Personal information requests under the privacy legislation, have very specific time lines associated with them. After a request has been made, the respondent has 30 business days to reply with your information. This works out to be about six weeks. If you feel the organization you are making the request to is lax then you may want to reference this specific time line.
Now under privacy legislation, all information that is sent back to you must be in formats that are decipherable to you at a basic level. So the organization is obligated to convert formats of storage (electronic to paper, or encoded media to consumer level encoded media such as VHS for video etc... ). This is great for you because it means the organization just can't send you any ole' mumbo-jumbo fuzzy tape and claim it is your personal information!
The main issues that you are going to quote in your request are the following:
- Who holds your personal information, and how secure is it
- For what purpose has it been collected
- For what purpose is it being used
- For what purpose is it being retained
- Who has access to your personal information
- To whom has your personal information been disclosed?
- You would like to assess the correctness of the information
- This will be complete and entire content of your personal information in their possession
Don't be surprised if you don't get a reply on time. It may take more than one request to get the organization to send out the information you have requested. In fact you might even have to push it to the point of referring the issue to a privacy commish. Hopefully you will not have to take it that far though. I am aware of situations where both have happened. I should also take the time here too, to mention that this information is sent out at the expense of the organization.
Coming to another point, Organizations can only collect, retain, and disclose your personal information under very specific circumstances. Using disclosure as an example, your personal information can be disclosed to a third party if your life is in danger, someone else's life is in danger and your information is relevant, or if your personal information is needed pertaining to matters involving the criminal code of Canada. Be vigilant about where, when and to whom you volunteer your personal information.
Alrighty, now that you know some of the basic rules, lets see if we can help you draft a request.
Drafting your request
First off, who do you want to send it to? Well, if you are a member of a union, certainly send a "cc" to your union rep (business agent). Send one off to the company organization of course too. Be sure to address it personally to a higher-up in the food chain. If you really want to lay the smack, then write a short howdy do to the privacy commish and give the administration a "cc" of your request as well. Be sure to clarify that you want your requested information sent DIRECTLY to you at your residence. Do not have it sent to a union rep, and do not have it sent to your place of employment. This is something of a sensitive nature and should be treated with care.
Now you certainly do not need to have a lawyer draft something up for you. All you need is a bit of your own time to draft a short, concise letter outlining your rights under the applicable legislation. Where and when you expect a reply, and the main points as mentioned in the previous section (basic rules).
Be sure to use a proper letter format, you want your request to look professional. Word processing applications typically have templates or wizards you can use to put together your letter structure. Personally sign all copies that you have sent out including the cc's. You mean business, make the letter look like you mean business.
Now after you have drafted your letter, print it out. Have a read over it. Here is a quick checklist of what to look for:
- Is it clear?
- Is it to the point?
- Spelling checked?
- Have you spelled the names of individuals correctly?
- Is the letter dated appropriately?
- Have you mentioned all the main points?
- Have you referred time lines for a reply?
- Have you explicitly asked where you want the information sent to?
Okay, so you made it through the checklist with flying colors huh? Then give yourself some well deserved credit for taking the time to draft up your request, put that baby in an envelope, affix the appropriate postage, drop that honey of a letter into the Canada Post drop box and start the waiting game! No need to fuss over it at this point, but keep it in the back of your mind when you sent it.
Receiving or not Receiving your information
If you received your information, inspect it carefully. On this task in particular you might have to learn how read between the lines. Check the dates of the different documents, compare this to the actual chain of events. Are there things in your package that are not there that should be? Or maybe there are things in your package that are there and shouldn't be. Maybe even there are issues that are blatantly incorrect contained in your file.
Or maybe in the juicy case, the organization was stepping on your constitutional rights period. There could be a number of tidbits that are colored outside of the lines. Challenge, challenge, challenge. That is all I have got to say with respect to that. You will now have almost enough paper to fight a war with! Okay, not a war, but you should have enough ammunition to make a stand with. Whatever the case may be in your particular situation, stand up for your rights as a citizen and empower yourself by challenging the things that are out of line.
If you haven't received your information within the specified time frame, fire off another letter but this time make sure you "cc" it to a privacy commish. Keep at it on a regular basis. Eventually if the request is ignored, somebody at the privacy commissioner's administration will step in. I can almost guarantee you that this is not a situation that an organization will want to be put in. However, if that is what it takes to get your information then don't hesitate to take it to that level. Remember, this is your right as a citizen. Exercise your right.
Keep in mind that organizations may not have to like the fact that you have made this request but they have to respect it. It is law. Now that you know the process and some basic rules to go by, get out there! Go get your personal information and begin to manage it more strictly!