Skip to content

DATA SUBJECT ACCESS REQUEST (DSAR) PROCEDURE

Purpose

This procedure outlines how [Company Name] responds to employee requests for access to their personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Scope

This procedure applies to all requests from current or former employees seeking access to their personal information held by the organization.

Procedure

1. Request Intake

  • Employee DSAR requests may be submitted via email to [designated email address] or in writing to [designated person/role].
  • Upon receipt, the designated contact will acknowledge the request within 2 business days and log it in [tracking method - e.g., shared spreadsheet, email folder].
  • The acknowledgment will confirm receipt and advise the employee that a response will be provided within 30 calendar days.

2. Identity Verification

  • Verify the requester's identity before proceeding. Acceptable methods include:
  • Confirmation via company email address, or
  • Verification by direct supervisor or HR personnel, or
  • Government-issued photo identification for former employees
  • If identity cannot be verified, contact the requester to establish verification before proceeding.

3. Information Retrieval

  • Employee personal information is primarily maintained in [HR system name/type].
  • Retrieve the employee's complete record from the system, including:
  • Employment and compensation information
  • Performance records
  • Benefits enrollment
  • Any other personal information maintained by the organization
  • Check for any personal information outside the HR system (e.g., email correspondence, project files, training records) that may contain the employee's personal information.

4. Review and Preparation

  • Review retrieved information for:
  • Third-party personal information that must be redacted (e.g., references to other employees' performance or personal matters)
  • Legally privileged information that may be exempt from disclosure
  • Information that could reasonably threaten the life or security of another individual
  • Prepare information in a format that is understandable and accessible to the requester.

5. Response to Requester

  • Provide the compiled information to the employee within 30 calendar days of the original request.
  • The response must include:
  • Confirmation of what personal information is held
  • How the information has been or is being used
  • List of any third parties to whom the information has been disclosed (if applicable)
  • Information on how to request corrections if the employee believes information is inaccurate or incomplete
  • Inform the employee of their right to file a complaint with the Office of the Privacy Commissioner of Canada if they are dissatisfied with the response.

6. Time Extensions (if necessary)

  • If the 30-day deadline cannot reasonably be met, notify the employee before the deadline expires.
  • Provide a new deadline (maximum additional 30 days) and explain the reason for the extension.
  • Inform the employee of their right to complain to the Privacy Commissioner.

7. Documentation

  • Maintain a log of all DSAR requests including:
  • Date request received
  • Requestor name
  • Date acknowledgment sent
  • Date response provided
  • Any extensions granted
  • Retain request documentation for [retention period - suggest minimum 2 years] in accordance with organizational record retention policies.

Responsibilities

  • [Role/Person]: Receives and acknowledges requests, coordinates response
  • [HR Role/Person]: Retrieves information from HR system, prepares response
  • [Management/Legal]: Reviews for exemptions or redactions if needed

Contact for Questions

Employees with questions about this procedure or their privacy rights should contact [designated privacy contact].

Document Control

  • Version: 1.0
  • Effective Date: [Date]
  • Next Review: [Date - suggest annually]
  • Owner: [Role]