Privacy Principle 7: Individual Participation Principle
Individuals have the right to request from organizations a verification of
whether or not the organization holds information about them. Additionally,
organizations should provide to individuals, upon their request, a copy of their corresponding personal information in an easy-to-understand format,
within a reasonable period of time from the request.
Question: Do you tell individuals, upon their request, if you
have personal information about them and provide access to that data in a timely manner?
Have you defined and documented exceptions for limited circumstances?
Discussion:
Allowing individuals access to their personal information is a requirement in most international privacy laws, such as those in Europe, Canada and Asia, as well as in several U.S. federal and state-level laws. Organizations should strive to respond to these requests in a timely manner and provide the data in a format that is easy to understand.
Some organizations may be tempted to simply print out a copy of the raw file images or database records for a person making a request. This will not be easy for the individual to understand and should not be done. Instead, procedures should be followed to put the information into an easy-to-understand format.
Different laws have differing requirements for how quickly organizations must respond to requests for access to personal information. Policies should define the time commitment for responding to requests based on the organization's capabilities, the cost, and the specific regulatory requirements that apply.
Under HIPAA, for example, an organization must respond to personal information requests within 60 days.
If there are circumstances under which these requests will not be honored, the conditions should be defined and documented in a separate procedure. For example, some types of medical data (test results, research group participation data, etc.) may not be appropriate to provide. Also, if providing access to PII would enable ancillary access to another person's PII, then it should not be allowed.
Suggested Policy:
Company X must implement procedures to answer customer requests for access to their personal information and provide means to give them secure access to the information in a format that is easy to understand.
Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The
Privacy Impact Assessment within the Toolkit contains a complete assessment.