How to Handle DSARs in Canada: A Complete Guide
Last updated: February 2026
Data Subject Access Requests (DSARs) are a fundamental right under Canadian privacy law. Whether you're subject to PIPEDA, Québec's Law 25, or another province's legislation, this guide walks you through building an efficient, compliant DSAR handling process.
Understanding DSARs in the Canadian Context
A Data Subject Access Request (DSAR) is a formal request from an individual to access, correct, or delete their personal information held by an organization.
In Canada, DSAR rights are protected under multiple laws:
Federal Level:
• PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private-sector organizations across Canada
Provincial Level:
• Québec's Law 25 (the most comprehensive provincial law)
• Alberta's PIPA
• British Columbia's PIPA
Key Principle: If you collect personal information about Canadians, you must have a process to handle their requests to access, correct, or delete that information.
Step 1: Recognize a DSAR
DSARs can arrive through many channels and in various forms:
Common Channels:
• Email to general inbox or privacy contact
• Web forms
• Phone calls
• Mail
• In-person requests
• Social media messages
What Makes a Valid DSAR:
• The request doesn't need to mention "DSAR" or cite specific legislation
• It doesn't need to be in writing (though you can request written confirmation)
• Any clear expression of wanting to access, correct, or delete personal data qualifies
Train Your Team to Recognize:
• "I want to know what data you have on me"
• "Please delete my information"
• "I need a copy of my file"
• "What information are you storing about me?"
• "I want to update my records"
All of these are valid DSARs that trigger your legal obligations.
Step 2: Log and Acknowledge
Once you identify a DSAR, immediately log it and acknowledge receipt:
Log These Details:
• Date and time received
• Channel it came through
• Requester's name and contact information
• Type of request (access, deletion, correction, portability)
• Assigned case ID
Acknowledge Receipt:
• Send confirmation within 1-2 business days
• Provide the case ID for reference
• Explain next steps and timeline
• Request any additional information needed for verification
Sample Acknowledgment:
"Thank you for your request regarding your personal information. We have logged your request with reference number [ID] and will respond within 30 days as required by law. If we need to verify your identity, we will contact you within the next few days."
Step 3: Verify Identity
Before disclosing personal information, you must confirm you're responding to the right person:
Verification Methods:
• Knowledge-based authentication (questions about their account or history)
• Existing login credentials
• Government ID (use data minimization — only collect what's necessary)
• Two-factor authentication via registered phone/email
Best Practices:
• Match verification rigor to data sensitivity
• Don't create unnecessary barriers
• Document your verification process
• Never request more information than necessary
What If You Can't Verify?
If identity cannot be confirmed, explain why you cannot process the request and give the requester an opportunity to provide additional verification.
Step 4: Search and Collect Data
Conduct a thorough search across all systems where personal data may be stored:
Common Data Locations:
• CRM systems
• Email servers and archives
• HR systems (for employee data)
• Marketing platforms
• Customer support ticketing systems
• Backup systems
• Paper files
• Third-party processors
Create a Data Map:
Document all locations where personal data is stored. This makes future DSARs faster and ensures completeness.
Search Tips:
• Search by name, email, phone, account number
• Check aliases and previous names if applicable
• Include structured and unstructured data
• Don't forget metadata
Third-Party Data:
If you've shared data with processors or partners, contact them for any relevant information they hold.
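The search step above is where incomplete responses usually originate, because a lookup that only matches the exact string the requester typed misses records filed under a differently-cased email, a phone number with punctuation, or a previous name. The following is an added example, not code from the original guide: a minimal data map of three constructed in-memory "systems" (standing in for a CRM, a support-ticket store and a marketing platform) and a search that normalises identifiers, checks aliases, and scans unstructured ticket text as well as structured fields. Every system in the map appears in the result, with or without hits, so the case file records which locations were checked.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Requester:
    name: str
    emails: list[str]                                  # current and previous addresses
    phones: list[str] = field(default_factory=list)
    aliases: list[str] = field(default_factory=list)   # previous names


def norm_email(value: str) -> str:
    return value.strip().lower()


def norm_phone(value: str) -> str:
    # Digits only, so "(604) 555-0100" and "6045550100" compare equal.
    return re.sub(r"\D", "", value)


def norm_name(value: str) -> str:
    return " ".join(value.split()).lower()


# Constructed sample data. Each "system" lists its records and which columns
# hold identifiers; support tickets also carry free text (unstructured data).
DATA_MAP = {
    "crm": {
        "records": [
            {"id": 1, "name": "Marie Tremblay", "email": "Marie.Tremblay@example.com", "phone": "(514) 555-0100"},
            {"id": 2, "name": "Alex Chen", "email": "alex@example.com", "phone": "6045550199"},
        ],
        "fields": {"name": "name", "email": "email", "phone": "phone"},
    },
    "support": {
        "records": [
            {"id": "T-77", "email": "m.tremblay@example.org", "body": "Caller Marie Tremblay asked about her invoice."},
            {"id": "T-78", "email": "alex@example.com", "body": "Password reset."},
        ],
        "fields": {"email": "email", "text": "body"},
    },
    "marketing": {
        "records": [
            {"id": "m1", "email": "marie.tremblay@example.com", "consent": True},
        ],
        "fields": {"email": "email"},
    },
}


def matches(record: dict, fields: dict, requester: Requester) -> bool:
    """True if the record belongs to the requester by any normalised identifier."""
    emails = {norm_email(e) for e in requester.emails}
    phones = {norm_phone(p) for p in requester.phones}
    names = {norm_name(n) for n in [requester.name, *requester.aliases]}
    if "email" in fields and norm_email(record.get(fields["email"], "")) in emails:
        return True
    if "phone" in fields and norm_phone(record.get(fields["phone"], "")) in phones:
        return True
    if "name" in fields and norm_name(record.get(fields["name"], "")) in names:
        return True
    if "text" in fields:
        # Unstructured text: look for any known name or address inside it.
        text = norm_name(record.get(fields["text"], ""))
        if any(n in text for n in names) or any(e in text for e in emails):
            return True
    return False


def search_data_map(requester: Requester, data_map: dict = DATA_MAP) -> dict:
    """Return {system: [matching record ids]} for every system in the map,
    including systems with no hits, so the DSAR file shows what was searched."""
    return {
        system: [r["id"] for r in spec["records"] if matches(r, spec["fields"], requester)]
        for system, spec in data_map.items()
    }
```

In a real deployment each entry in the data map would point at a query against the live store (and at the processor contact for third-party data) rather than at an embedded list, but the normalisation and alias handling carry over unchanged.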
Step 5: Review and Redact
Before disclosing data, review it for exemptions and third-party information:
What to Redact:
• Information about other individuals
• Legally privileged communications
• Confidential commercial information
• Information that could harm ongoing investigations
What You Cannot Withhold:
• Data simply because it's unflattering
• Information that's "inconvenient" to provide
• Data you'd rather the person didn't see
Document Your Decisions:
For anything you redact or withhold, document:
• What was redacted
• The legal basis for redaction
• Who made the decision
• When the decision was made
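As an added example that is not part of the original guide, the function below applies the "information about other individuals" rule to a free-text record such as a support ticket and produces the decision record the guide asks for: for each value removed it logs what was redacted, the basis, who decided and when. It recognises email addresses and North American phone numbers with the two regular expressions shown (an assumption; extend them for other identifier types), leaves the requester's own identifiers intact, and replaces everything else. Names of other people (like "Jean Roy" in the constructed ticket) are not matched by these patterns and still need a human reviewer; the reviewer name, basis text and ticket are all constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
THIRD_PARTY_BASIS = "personal information of another individual"


@dataclass(frozen=True)
class RedactionEntry:
    record_id: str
    redacted: str            # the value that was removed
    basis: str               # legal basis for the redaction
    decided_by: str
    decided_at: datetime


def _norm_phone(value: str) -> str:
    return re.sub(r"\D", "", value)


def redact_third_parties(record_id: str, text: str, requester_emails: list[str],
                         requester_phones: list[str], reviewer: str,
                         now: Optional[datetime] = None):
    """Return (redacted_text, redaction_log). Identifiers belonging to the
    requester are kept; any other email or phone number is replaced and logged."""
    now = now or datetime.now(timezone.utc)
    own_emails = {e.lower() for e in requester_emails}
    own_phones = {_norm_phone(p) for p in requester_phones}
    log: list[RedactionEntry] = []

    def replace_email(match):
        value = match.group(0)
        if value.lower() in own_emails:
            return value
        log.append(RedactionEntry(record_id, value, THIRD_PARTY_BASIS, reviewer, now))
        return "[REDACTED: third party]"

    def replace_phone(match):
        value = match.group(0)
        if _norm_phone(value) in own_phones:
            return value
        log.append(RedactionEntry(record_id, value, THIRD_PARTY_BASIS, reviewer, now))
        return "[REDACTED: third party]"

    redacted = EMAIL_RE.sub(replace_email, text)
    redacted = PHONE_RE.sub(replace_phone, redacted)
    return redacted, log


# Constructed sample ticket used when the module is run directly.
SAMPLE_TICKET = ("Marie Tremblay (marie.tremblay@example.com, 514-555-0100) reported that "
                 "her colleague Jean Roy (jean.roy@example.org, 438-555-0123) saw the same error.")

if __name__ == "__main__":
    out, entries = redact_third_parties("T-77", SAMPLE_TICKET, ["Marie.Tremblay@example.com"],
                                        ["(514) 555-0100"], reviewer="privacy-officer")
    print(out)
    for e in entries:
        print(e)
```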
Step 6: Prepare the Response
Compile a comprehensive, understandable response:
Include:
• All personal information found (or confirm none exists)
• Sources of the information
• Purposes for which it's used
• Who it's been shared with
• Retention periods
• Information about automated decision-making, if applicable
Format:
• Use clear, plain language
• Organize logically (by system, category, or date)
• Provide data in accessible format
• For portability requests, use machine-readable formats (CSV, JSON)
Response Letter:
Include a cover letter explaining:
• What's included
• How to interpret the data
• Any redactions made and why
• Their right to complain if dissatisfied
Step 7: Deliver Securely
Deliver the response through secure channels:
Secure Delivery Options:
• Encrypted email
• Secure download portal with expiring links
• Password-protected files (share password separately)
• Registered mail for physical documents
What to Avoid:
• Unencrypted email with sensitive data
• Public file sharing links
• Leaving voicemails with personal information
Confirm Receipt:
Request confirmation that the requester received the response, especially for sensitive data.
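The "secure download portal with expiring links" option is easy to get wrong if the link is just an unguessable file name that never stops working. The following is an added example, not code from the original guide: a download token that is bound by an HMAC-SHA256 signature to the case ID, an expiry timestamp and a per-link nonce, verified with a constant-time comparison so that the link cannot be retargeted to another case, extended, or reused after its lifetime. SECRET_KEY is a constructed placeholder that a real portal would load from a secrets manager, and the 72-hour lifetime and the URL layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = b"constructed-placeholder-key-replace-me"   # placeholder only
TOKEN_LIFETIME_SECONDS = 72 * 3600                       # links stop working after 72 hours


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(case_id: str, expires_at: int, nonce: str) -> bytes:
    # Sign case ID, expiry and nonce together so none of them can be altered.
    message = f"{case_id}|{expires_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).digest()


def issue_token(case_id: str, now: Optional[int] = None,
                lifetime: int = TOKEN_LIFETIME_SECONDS) -> str:
    """Create a token of the form <case_id>.<expires_at>.<nonce>.<signature>."""
    now = int(time.time()) if now is None else now
    expires_at = now + lifetime
    nonce = _b64(secrets.token_bytes(8))
    sig = _b64(_signature(case_id, expires_at, nonce))
    return f"{case_id}.{expires_at}.{nonce}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the case ID the token authorises, or None if it is malformed,
    tampered with, or expired."""
    now = int(time.time()) if now is None else now
    parts = token.rsplit(".", 3)       # rsplit so a case ID may itself contain dots
    if len(parts) != 4:
        return None
    case_id, expires_text, nonce, sig_text = parts
    if not expires_text.isdigit():
        return None
    expires_at = int(expires_text)
    try:
        provided = _unb64(sig_text)
    except ValueError:
        return None
    # Constant-time comparison; the signature is checked before expiry is trusted.
    if not hmac.compare_digest(provided, _signature(case_id, expires_at, nonce)):
        return None
    if now >= expires_at:
        return None
    return case_id


def download_url(base: str, case_id: str, now: Optional[int] = None) -> str:
    return f"{base}/dsar/download?token={issue_token(case_id, now)}"


if __name__ == "__main__":
    print(download_url("https://portal.example", "DSAR-2026-0042"))
```

The portal's download handler calls verify_token and serves only the file for the returned case ID; the token itself should be sent over the channel agreed with the requester, and the file should be removed once receipt is confirmed rather than left behind an expired link indefinitely.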
Step 8: Handle Deletion Requests
For deletion (erasure) requests, follow these steps:
Verify the Request is Valid:
Deletion may not apply if:
• Legal obligations require retention
• Data is needed for ongoing services
• Public interest or research purposes apply
Execute the Deletion:
• Delete from all active systems
• Delete from backups (or implement deletion upon restore)
• Notify third parties who received the data
• Document what was deleted and when
Respond to the Requester:
• Confirm deletion was completed
• List any data retained and why
• Explain their right to complain if dissatisfied
Step 9: Document and Close
Maintain comprehensive records of every DSAR:
Document:
• Complete timeline of the request
• All communications
• Search efforts and results
• Verification steps taken
• Review and redaction decisions
• Final response sent
• Delivery confirmation
Retention:
Keep DSAR records for at least 2-3 years to demonstrate compliance if questioned by regulators.
Close the Case:
• Mark as complete in your tracking system
• Conduct any follow-up if needed
• Update your data map if you discovered new data locations
Common DSAR Mistakes to Avoid
Missing the Deadline
The 30-day clock starts when you receive the request, not when you verify identity. Track deadlines carefully.
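The intake log from Step 2 and the deadline rule stated here fit together in one small piece of bookkeeping, shown below as an added example that is not code from the original guide. The case log assigns a case ID on receipt, keeps a timeline of events, and derives the response deadline from the receipt timestamp alone, so recording identity verification later never moves it; an overdue report lists open cases past their deadline. The 30 calendar days follow the guide; the case ID format DSAR-YYYYMMDD-NNNN (built from a sequence number the caller supplies), timezone-aware UTC timestamps and the sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RESPONSE_WINDOW = timedelta(days=30)


@dataclass
class DsarCase:
    case_id: str
    received_at: datetime
    channel: str
    request_type: str                          # access, correction, deletion, portability
    verified_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None
    timeline: list = field(default_factory=list)   # (when, event) pairs


def open_case(seq: int, received_at: datetime, channel: str, request_type: str) -> DsarCase:
    """Log a new request; seq is a per-day sequence number supplied by the caller."""
    case_id = f"DSAR-{received_at:%Y%m%d}-{seq:04d}"
    case = DsarCase(case_id, received_at, channel, request_type)
    case.timeline.append((received_at, f"received via {channel}"))
    return case


def deadline(case: DsarCase) -> datetime:
    # The clock runs from receipt; verified_at is deliberately not consulted.
    return case.received_at + RESPONSE_WINDOW


def record_verification(case: DsarCase, verified_at: datetime) -> None:
    case.verified_at = verified_at
    case.timeline.append((verified_at, "identity verified"))


def close_case(case: DsarCase, closed_at: datetime) -> None:
    case.closed_at = closed_at
    case.timeline.append((closed_at, "response delivered, case closed"))


def overdue(cases: list, now: datetime) -> list:
    """Case IDs still open past their deadline, earliest deadline first."""
    late = [c for c in cases if c.closed_at is None and now > deadline(c)]
    return [c.case_id for c in sorted(late, key=deadline)]


if __name__ == "__main__":
    c = open_case(1, datetime(2026, 2, 2, tzinfo=timezone.utc), "email", "access")
    record_verification(c, datetime(2026, 2, 10, tzinfo=timezone.utc))
    print(c.case_id, "due", deadline(c).date())
    print("overdue on 2026-03-05:", overdue([c], datetime(2026, 3, 5, tzinfo=timezone.utc)))
```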
Incomplete Searches
Not checking all systems leads to incomplete responses and potential complaints.
Over-Redacting
Redacting information without valid legal basis can be seen as non-compliance.
No Documentation
Without records, you can't prove you handled the request properly if challenged.
Charging Fees Inappropriately
Most first requests must be free. Only charge for excessive or repeated requests, and explain the fee upfront.
Ignoring the Request
Never ignore a DSAR, even if you think it's invalid. Respond explaining why you cannot process it.
Streamline Your DSAR Process
DSAR Suite provides a complete workflow for Canadian organizations to manage access requests efficiently — from intake to response — with full audit trails.