How to Access Information Collected From Your Digital Accounts

Access My Info’s Logo https://accessmyinfo.org/

Terms and Conditions – TL;DR: Take My Data

Terms and conditions of use often bind users to agreements in unsuspecting ways about the use, storage, sale, transfer, and deletion of their account, data, or identity. Examples include popular software such as Twitter, which stipulates that they can profit from selling your pictures without prior consent, or Google’s ability to track your web search queries to target advertisements towards you.

There is now a solution for Canadian web users to request access to data held by applications and software they commonly use. If these uses of personal data may seem overreaching, or if you want to become more informed as to what data companies collect on you, Canadians are entitled to finding out what personal data is kept on file about them by both public and private corporations, and a tool called Access My Info can make this process easier.

What is Access My Info?

Access My Info (https://accessmyinfo.org/#/) is a website built by The Citizen Lab designed to help Canadians create letters requesting access to personal information and electronic documents held by businesses and telecommunication companies. They focus on three categories of businesses: Dating Apps, Fitness Apps, and Telecommunication Provider Companies, and help Canadians generate request of access letters for each company that a user selects.

Access My Info Homepage

Who is The Citizen Lab?

The Citizen Lab, part of the University of Toronto’s Munk School

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, which focuses on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security. Their research includes: investigating digital espionage against civil society; documenting Internet filtering and other technologies and practices that impact freedom of expression online; analyzing privacy, security, and information controls of popular applications; and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities. Visit their website to find out more at: https://citizenlab.ca/

Why Do Companies Have to Respond to My Request for Information?

In Canada, there are two separate Federal Acts concerning how Canadian information is stored by government (public), and non-government, (private) entities. These laws are enforced by the Office of the Privacy Commissioner of Canada.

The Privacy Act (1983), outlines how the Government of Canada collects, handles, and stores the personal data of Canadians. The six main points of the act are as follows:

A government institution may not collect personal information unless it relates directly to an operating program or activity of the institution (section 4).
With some exceptions, when a government institution collects an individual’s personal information from the individual, it must inform the individual of the purpose for which the information is being collected (section 5(2)).
With some exceptions, personal information under the control of a government institution may be used only for the purpose for which the information was obtained or for a use consistent with that purpose, unless the individual consents (section 7).
With some exceptions, personal information under the control of a government institution may not be disclosed, unless the individual consents (section 8).
Every Canadian citizenor permanent resident has the right to be given access to personal information about the individual under the control of a government institution that is reasonably retrievable by the government institution, and request correction if the information is inaccurate (section 12).
The Privacy Commissioner of Canadareceives and investigates complaints, including complaints that an individual was denied access to his or her personal information held by a government institution (section 29).

The Personal Information Protection and Electronic Documents Act (PIPEDA, 2000), outlines how private sector entities collect, use and disclose personal information in the course of commercial business. The act outlines rights for individuals as well as regulations that private entities must follow when handling or using personal data in Canada.

The law gives individuals the right to:

know why an organization collects, uses or discloses their personal information;
expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
know who in the organization is responsible for protecting their personal information;
expect an organization to protect their personal information by taking appropriate security measures;
expect the personal information an organization holds about them to be accurate, complete and up-to-date;
obtain access to their personal information and ask for corrections if necessary; and
complain about how an organization handles their personal information if they feel their privacy rights have not been respected.

The law requires organizations to:

obtain consent when they collect, use or disclose their personal information;
supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
collect information by fair and lawful means; and
have personal information policies that are clear, understandable and readily available.

However, the Privacy Act and Personal Information Protection and Electronic Documents Act are federal level regulations. In addition to these acts, each province, and some municipalities have their own privacy legislation, such as Ontario’s Freedom of Information and Protection of Privacy Act (1990) and Personal Health Information Protection Act (2004).

How to Make Your Own Request for Access of Information

Go to https://accessmyinfo.org/#/
Select if you want to request information from dating applications, fitness trackers, or telecommunication companies
Select the company that you wish to create a request for access of information letter for
In the checklist, select the type of personal data you wish to access from the company
Enter the personal information that you provided for the company or service that you selected (your username for that company’s service, or the e-mail you used to sign up for that service)
Click ‘Next’ and you will receive a generated letter for the company you selected that you can copy and paste, as well as the contact information of the receiving party so you can easily send your letter of request for access of information!

What’s in the Box? How Do I Know Requests Will Be Answered in Full?

The Privacy Act and Personal Information and Electronic Documents Act provide the rules and grounds for government and private companies to accept or reject received access to information requests. Section 16 of the Privacy Act and Section 9 of the Personal Information and Electronic Documents Act outline the exceptions in which access to information requests can be denied. These exceptions include data protected by ongoing criminal investigations, diplomatic immunity, corporate information confidentiality, solicitor-client privilege and other exceptions.

As well, these Acts outline the fees for these requests. The Privacy Act states that “every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to:

(a) any personal information about the individual contained in a personal information bank; and

(b) any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.”

However, this statement in the federal Act stating that all Canadians have a right for the access of government-held private information contradicts with provincial legislations for access to information requests, such as Ontario’s Freedom of Information and Protection of Privacy Act (FIPA), which adopts a user-pay principal. This means that requests for access to information held by the government can potentially cost a person upwards of $100 for charges in ‘search time’, ‘record preparation’, ‘computer usage’ and ‘services outside the institution’.

Likewise, Section 8 in the Personal Information and Electronic Documents Act does not limit the maximum amount of money that a private business or organization can charge people to respond to their access to information requests. Section 8 of PIPEDA states:

“Costs for responding

(6) An organization may respond to an individual’s request at a cost to the individual only if

(a) the organization has informed the individual of the approximate cost; and

(b) the individual has advised the organization that the request is not being withdrawn.”

Furthermore, the existence of a ‘Complaints’ section in both the Privacy Act (Section 29) and PIPEDA (Section 11) illustrates the concerning and common occurrence of incomplete responses to requested access to information. The two acts outline the recourse that a person has to complain about refused or incomplete responses to their requests. In requests for both public and private entities, the Office of the Privacy Commissioner of Canada will investigate substantial complaints and report their findings to the individual who filed the complaint originally.

Disclaimer: The views and opinions expressed in this article are those of the author and do not constitute legal or financial advice.