The Citizen Lab has released a new report, “Approaching Access: A look at consumer personal data requests in Canada,” which was written by myself and my colleagues, Andrew Hilts and Masashi Crete-Nishihata. The report examines how different industries respond to Canadians’ requests to access their personal information. Such requests empower individuals to better understand what data is collected about them, the ways in which is it used, and to whom it is subsequently disclosed. While privacy policies or terms of service can be vague, the intent behind such laws is that they will let individuals understand specifically how their personal information is used.
Without knowing who is collecting personal data, for what purpose, or for how long, or the grounds under which they share it, a consumer cannot exercise their rights nor evaluate whether an organization is appropriately handling their data. Canada’s commercial privacy legislation, the Protection of Personal Information and Electronic Documents Act (PIPEDA), empowers Canadians to issue legally-binding Data Access Requests (DARs) to private companies to answer exactly these kinds of questions. This report is the result of a three year study of DARs in Canada that shows what happens when telecommunications companies, fitness trackers, and online dating services are asked by consumers to provide transparency into their data privacy practices and policies.
Between 2014-2016 we recruited participants to systematically issue DARs to telecommunications companies, fitness trackers, and online dating services used by Canadians to evaluate a series of research questions:
- What proportion of companies contacted would respond to DARs at all?
- What proportion of companies that did respond to DARs would respond in a relatively complete manner to all questions asked?
- What proportion of companies that did respond to DARs would provide individuals with copies of their personal information at no or minimal cost?
- What commonalities or differences would be found in responses to individuals in each industry group studied, and across industries?
- To what extent would individuals who received responses be satisfied with the information they received and what, if anything, might be done to improve organizations’ disclosures to enhance individuals’ satisfaction?
Inconsistent Responses across Companies and Industries
Participants received responses from companies but the information provided varied widely across companies and industries. Variations included:
- the specificity with which requester questions are answered;
- what types of data are returned;
- whether or not data retention periods are published; and
- clarity about data disclosures to third parties, including government authorities.
Barriers to Access
Participants also encountered barriers to accessing the private information that companies retained about them. These barriers included:
- identity verification procedures;
- secure data transfer requirements;
- costs offloaded to requesters; and
- push-back by some non-Canadian companies as to whether their services to Canadian consumers in Canada are, in fact, bound by Canadian privacy law.
Towards Improved Data Access in Canada
Our report concludes with recommendations for how businesses can improve their DAR processes and related data transparency efforts, and allow citizens to more effectively exercise stewardship over their personal data.
We make seven key recommendations:.
- Companies should prepare and produce data retention schedules that identify specific types of information they collect and the period of time for which they retain it.
- Companies should prepare and publish government access handbooks that identify the different kinds of personal information they hold, and establish the specific legal powers and processes to be undertaken before the company will disclose a subscriber’s personal information.
- Companies should prepare transparency reports that disclosure the regularity, and rationale for which, government agencies request access to subscriber-related information.
- Companies should collaborate within their respective industries to establish common definitions for personal data mini-collections to which common policies are applied, such as subscriber data, metadata, content of communications, etc.
- Companies should not assume they know which communications method their customers would prefer to use when discussing a DAR letter. They should first ask the customer what their preferred method is, and only then pose questions to clarify the requester’s inquiries.
- Companies should publish data inventories describing all the kinds of personal information that they collect, and freely provide copies of a small set of representative examples of records for each kind of personal information to subscribers upon request.
- Either individual organizations or industry groups should communicate with non-corporate stakeholders to help streamline the request process, or to help establish requesters’ expectations. This effort might involve developing Application Programming Interfaces (APIs) to expedite the issuance and response to DAR letters, or working to modify language used by web applications to more accurately reflect the data that might be handled by organizations in the course of commercial activity.
DARs provide a valuable method for understanding the kinds of information which are collected, retained, processed, and handled by private companies. This report provides a look at how companies respond to these access rights and which also draws lessons from both within specific industry groupings and across industries. Given the amounts of digital information that individuals confide to third parties on a daily basis it is imperative that they can gain access to such information upon request, especially when companies do not publish clear guidance as to their broader data collection, retention, handling, or disclosure practices.
Our report showcases how DARs can provide insight into corporate practices. But, at present processes surrounding DAR-handling and -processing are immature. Advancing DAR practices and policies requires either private-sector coordination to advance individuals’ access to their personal information, or regulatory coordination to clarify how private organizations ought to provide access to the information of which they are stewards.
This research is led by the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The project was funded via Open Effect by CIRA’s 2015-16 Community Investment Program. Additional funding was provided by the Office of the Privacy Commissioner of Canada through its Contributions Program.
Thank you to Adam Senft and Bram Abramson for review and copyediting. We are grateful to Ron Deibert for research guidance and supervision. This research would not have been possible without the Access My Info users who participated in this study.
Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently a Research Associate at the Citizen Lab at the Munk School of Global Affairs as well as the Managing Director of the Telecom Transparency Project at the Citizen Lab.
Andrew Hilts is a Senior Researcher and Developer at the Citizen Lab at the Munk School of Global Affairs, University of Toronto. His research and software development focuses on empowering citizens to exercise their digital rights online.
Masashi Crete-Nishihata is Research Director at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He researchers the socio-political impact of information controls