
Personal Information Access Requests: Responding on Time

Elite Consultation · 2026-03-19

Law 25 gives every person the right to know whether an organization holds personal information about them, to access it, and to request corrections. This right is not new, but organizations without a process to handle it risk missed deadlines, complaints to the Commission d'accès à l'information (CAI), and potential fines.

The 30-Day Window

When a person submits a valid access request, you have 30 calendar days to respond. This deadline can be extended by an additional 30 days if the request is complex or involves a large volume of information, provided you notify the requester before the first deadline expires.

If you do not respond in time, the person can file a complaint with the CAI, which can then order disclosure and impose sanctions.

What a Valid Request Looks Like

There is no mandatory form. An access request can arrive by email, by mail, or even verbally. To be valid, it simply needs to:

  • Identify the person making the request (sufficiently to allow identity verification)
  • Indicate the information being sought, or request general access to all information held

The request does not need to cite Law 25 or use precise legal language. If someone writes "I would like to know what information you have about me," that is an access request.

What You Can and Cannot Refuse

You can refuse to communicate information in specific cases:

  • The information concerns another identifiable person and cannot be separated
  • Disclosure would harm an ongoing investigation by a law enforcement body
  • The information is protected by professional secrecy (for example, legal opinions)
  • The request is clearly abusive (repetitive, vexatious)

You cannot refuse a request simply because it is inconvenient, because the information is voluminous, or because you have not yet set up a structured registry.

Verifying the Requester's Identity

Before communicating sensitive information, you must ensure the person is who they claim to be. Common methods include:

  • A copy of a photo identification document
  • Confirmation of a piece of information only that person should know
  • A signature on the request compared to an existing document in the file

Avoid asking for more than is necessary to verify identity. Verification should be proportional to the sensitivity of the information requested.

What Your Response Must Include

Your written response must indicate:

  • What information you hold (or confirm that you hold none)
  • The source of that information, if known
  • Third parties to whom you communicated it during the previous year
  • The purposes for which it is used
  • If you are refusing access in whole or in part, the reasons for refusal and the available recourse (filing a complaint with the CAI)

Communication is generally in writing, in the format requested if reasonable (paper or digital).

Setting Up an Internal Process

Without a defined process, access requests fall through the cracks. Here are the essential elements:

Designate a clear point of contact. The person responsible for the protection of personal information in your organization should be the one who receives and processes requests. Their name and contact information must be visible on your website.

Create a request registry. For each request received, record the date received, the requester's identity, the subject of the request, the actions taken, and the response date. This registry is your proof of compliance in the event of a complaint.

Define who does what. In a small business, one person may manage the entire process. In a larger organization, you need to define how different departments receive and transmit relevant information to the person responsible.

Set reminders. The 30-day deadline can pass quickly if a request arrives during a busy period. An automatic reminder system (shared calendar, task management tool) prevents oversights.

Rectification Requests

In addition to access requests, individuals can request the correction of inaccurate or incomplete information. You also have 30 days to respond. If you accept the correction, you must notify the third parties to whom you communicated the information, if it is reasonable to do so. If you refuse, you must explain why and allow the requester to attach their comments to the file.

Observantia includes an access request management module that centralizes incoming requests, tracks deadlines automatically, and generates the required communications so nothing gets missed.


This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.
