Businesses could do a better job at responding to Canadians’ requests to look at the personal data they hold, according a new study from the University of Toronto’s Citizen Lab.
“Given that companies collect, process, and disclose huge amounts of personal information pertaining to their users and subscribers, it is imperative that these same companies improve their existing privacy, transparency, and accountability processes,” it says.
Under the federal Protection of Information and Electronic Documents Act (PIPEDA) Canadians can make data access requests (DARs) to find out how their personal data is collected and is being used by any company — based here or not — that holds their personal information. But after a three-years of volunteers submitting requests to 23 telecommunications companies, fitness trackers and online dating services researchers concluded “processes surrounding DAR-handling and -processing are immature.”
Among the problems were inconsistent responses, large dumps of data that would be hard to understand and charging fees. For example, cellular carrier Fido (owned by Rogers Communiations) charged $100 for each month of detailed SMS and call record data requested; Shaw charged $250 for a list of all outgoing phone calls from a subscriber’s number.
Citizen Lab says companies shouldn’t charge for access to personal information “following the spirit of PIPEDA,” which says access should be provided at free or minimal cost.
All of the telecom service providers (Fido, Koodo, NorthwestTel, Primus, Rogers, TekSavvy, Bell, Shaw and Wind Mobile) charged a fee to access detailed SMS or call records. But while in 2014 TSPs generally didn’t clearly tell participants if their data had been shared with third parties such as government agencies, two years later the majority of telecom providers gave clear responses to the question of third-party data sharing.
Of the fitness trackers (including Apple, Basis, Bellabeat, Fitbit, Garmin, Jawbone, Mio, Withings and Xiaomi), several pointed participants to data download tools. These tools are convenient and relatively secure, the report said, but did not include all requested data. In addition, several fitness tracking companies did not respond at all to requests. Those that did respond either provided data via email or directed participants to data download tools.
As for dating services, (Bumble, Grindr, OkCupid, Tinder and Scruff — all based in the U.S.), requesters had to provide identity verification to get access to data, and when access was provided information included messages, photos, and location history including photos users had deleted.
“Advancing DAR practices and policies requires either private-sector co-ordination to advance individuals’ access to their personal information, or regulatory coordination to clarify how private organizations ought to provide access to the information of which they are stewards,” the report concludes.
The findings call for more clarity in PIPEDA and/or guidance from the Office of the Privacy Commissioner, says Kris Klein, managing director of the Canadian division of the International Association of Privacy Professionals (IAPP) and a founder of the Ottawa law firm nNovation LLP. “Providing a right of access is academically an easy thing to conclude as being a good thing. But operationalizing that concept is very difficult. This is especially so in the private sector where responding to access requests can significantly affect an organization’s bottom line.” By contrast, he noted, government agencies can afford to have large access to information offices.
The fact that so many organizations respond differently to public access reports is symptomatic of a law that is too vague, Klein said. “It’s vagueness makes it difficult to put into practice and I think that’s what the study has really brought to the forefront.”
CitizenLab recommends companies should
• produce data retention schedules that identify specific types of information they collect and the period of time for which they retain it;
• publish government access handbooks that identify the different kinds of personal information they hold, and establish the specific legal powers and processes to be undertaken before the company will disclose a subscriber’s personal information;
• issue transparency reports that disclose the regularity, and rationale for which, government agencies request access to subscriber-related information;
• collaborate within their respective industries to establish common definitions for personal data mini-collections to which common policies are applied, such as subscriber data, metadata, content of communications, etc.;
• not assume they know which communications method their customers would prefer to use when discussing a DAR letter. They should first ask the customer what their preferred method is, and only then pose questions to clarify the requester’s inquiries;
• should publish data inventories describing all the kinds of personal information that they collect, and freely provide copies of a small set of representative examples
of records for each kind of personal information to subscribers upon request.
The report also says either individual organizations or industry groups should communicate with non-corporate stakeholders to help streamline the request process, or to help establish requesters’ expectations. This might involve developing Application Programming Interfaces (APIs) to speed up responses to DAR letters, or working to modify language used by web applications to more accurately reflect the data that might be handled by organizations in the course of commercial activity.
The public should look at DARs as way to understand the kinds of information which are collected, retained, processed, and handled by private companies, says the report. The report also gives chief information and chief privacy officers an idea of how they ought to respond.
For those wanting to create a DAR, Citizen Lab and its partners have operated Access My Info (AMI), a web application that makes it easier for Canadians to create one. As of February over 6,000 requests have been created using the application in Canada.
Citizen Lab is based at the University of Toronto’s Munk School of Global Affairs researching links between information and communication technologies, human rights, and global security.