Canada's had what has become known in the industry as "data subject access rights" since the 1990s. They weren’t always called DSARs and I think we have California to thank for this acronym and its recent popularity.
I think individuals’ awareness of privacy issues — particularly since the EU General Data Protection Regulation and the legislative movements in California — have made people curious, resulting in requests to access information and more general efforts to exercise rights.
Many of our larger clients have the bandwidth to deal with these requests and invest in systems to automate much of the work that goes into responding to a request. Some small- and medium-sized clients, however, struggle with these requests because they inevitably pull an employee away from their “regular” job and force them to focus on an appropriate response.
In Canada, DSARs aren’t restricted to just access requests. Under current Canadian privacy law, an individual (a data subject) has the following rights with respect to their personal information held by a private sector organization:
- Right to request access.
- Right to request correction.
- Right to withdraw consent.
- Right to file a complaint.
Amendments to Quebec’s private sector privacy legislation will provide individuals within that province the following new rights:
- Right to data portability.
- Right to de-indexation and re-indexation.
- Right to be informed of exclusively automatic decision-making.
These seem like common sense at a certain level, but I still sympathize with the smaller organizations that have to seriously pivot to respond properly. I’m not saying that being a smaller organization is any excuse for not doing privacy properly, but it is a challenge that requires us lawyers/consultants and our clients to be creative and efficient when dealing with these issues.
So, how’s your organization doing when it comes to dealing with DSARs? I’d love to hear your thoughts on their emerging popularity.