Did you happen to read last week’s Digest? For many, for some unknown reason, it was caught by spam filters. I tried hard not to get insulted but worried it was a sign my rants are getting a little too corny. The last thing I want to do is spam you! Ironically, I thought last week’s Digest had some good news in it and that my remarks at the beginning were helpful. If you did miss it, you can catch up by clicking here.
And, if you read last week’s remarks, you’d know that I’m giving privacy training this week here in Ottawa (thanks to Health Canada’s Larry Kennedy for helping to organize and get the space). The class is going well so far (despite the fact that one of the students is a Maple Leafs fan). One of the things we talked about a fair amount was how operationalizing privacy is quite a bit different from knowing privacy. In particular, we spent some time discussing the ever-so-valued privacy right to access one’s personal information. I think time has shown us that we conceptually think this right is crucial and necessary, but, at the same time, we know that operationalizing that right can be a real headache and burden for many organizations.
With this in mind, the story below caught my attention. It’s the one where the folks at Citizen Lab revealed the results of their study of how some organizations handle access requests. Clearly, everyone is doing it quite differently, responding in drastically different ways to the same type of request and charging a huge variety of fees for what is deemed a complicated request. Maybe it’s time that our law provided more prescriptive guidance on this important right (and obligation). At the same time, maybe it’s time to figure out when access requests can be deemed vexatious. What does it mean to make a complicated request that requires fees? What fees are permitted and when? Clarity on these questions would really help. Don’t you agree?