Writing and submitting an access request
What should my request say?
Dos:
-
Your request should have a clear label (e.g., for your email subject line or a heading for your letter, use “access request”);
-
Include the date of your request;
-
Include your name (including any aliases, if relevant);
-
Include any additional information used by the organisation to identify or distinguish you from other individuals (e.g., customer account number or employee number);
-
Include your up-to-date contact details;
-
Include a comprehensive list of what personal information you want to access, based on what you need;
-
Include any details, relevant dates, or search criteria that will help the organisation identify what you want.
Don’ts:
-
Don’t include other information with your request, such as details about a wider customer service complaint;
-
Don’t include a request for all the information the organisation holds on you, unless that is what you want (if an organisation holds a lot of information about you, it could take them an extra 30 days to respond, or make it more difficult for you to locate the specific information you need in their response); or
-
Threatening or offensive language.
Where possible, send your request directly to the individual or team who deal with access requests, such as the designated privacy officer (PO).
Note: Although PIPA doesn’t contain a portability clause, you can tell the organisation how you would like to receive the information (e.g., by email or printed out), but they aren’t obliged to comply with this.
What should my request look like?
You could use our access request letter/email template as a guide, adding exactly what information you are asking for:
[Name and address of the organisation]
[Your name and full postal address]
[Your contact number]
[Your email address]
[The date]
Dear Sir or Madam
Access request
[Include your full name and other relevant details to help identify you].
Please supply the personal information you hold about me, which I am entitled to receive under data protection law, held in:
[Give specific details of where to search for the personal information you want, for example:
-
My personnel file;
-
Emails between ‘person A’ and ‘person B’ (from 1 September 2019 to 1 October 2019)
-
My medical records (between 2019 and 2023) held by ‘Dr C’ at ‘hospital D’;
-
The CCTV camera situated at (‘location E’) on 1 June 2021 between 11am and 5pm; and
-
Financial statements (between 2016 and 2020) held in account number xxxxx.]
If you need any more information, please let me know as soon as possible.
[If relevant, state whether you would prefer to receive the information in a specific electronic format, or printed out].
It may be helpful for you to know that PIPA requires you to respond to a request for personal information within 45 days.
If you do not normally deal with these requests, please pass this letter to your privacy officer or relevant staff member.
If you need advice on dealing with this request, the Office of the Privacy Commissioner for Bermuda can assist you. Their website is privacy.bm, or they can be contacted on 543-7748.
Yours faithfully
[Signature]
Should I use an organisation’s standard form?
Standard forms are not compulsory and are not always provided. However, an organisation may ask you to use their form.
Standard forms can make it easier for an organisation to deal with your access request. They can:
-
structure your request;
-
prompt you to include necessary details and supporting documents; and
-
let you know the best contact point at the organisation.
-
However, you can still choose another method to submit your request.
Can someone else make a request on my behalf?
You can authorise someone else to make an access request for you. However, you should consider whether you want the other person to have access to some or all your personal information.
Examples of individuals making requests for other people include:
-
someone with parental responsibility, or guardianship, asking for information about a child or young person (for further information, please read our Guide to PIPA hyperlink for organisations on requests for information about children);
-
a person appointed by a court to manage someone else’s affairs;
-
a solicitor acting on their client’s instructions; or
-
a relative or friend that the individual feels comfortable asking for help and has authorised to act on their behalf.
An organisation receiving the request needs to be satisfied that the other individual is allowed to represent you. It is the other person’s responsibility to provide this when asked to do so.
They may ask for formal supporting evidence to show this, such as:
-
written authorisation from you; or
-
a more general power of attorney.
Should I keep a record of my request?
Yes. It is strongly recommended that:
-
you keep a copy of any documents or written correspondence for your own records;
-
you keep any proof of postage or delivery (such as a postal reference number), if available; and
-
if using an online submission form, you take a screenshot before sending.
Where relevant documents are not available for you to copy, consider making a written log of your request. This should include key details, for example:
-
the date and time of your request;
-
the location (e.g., if your request was made in person);
-
the contact number or submission form you used;
-
the details of any contacts you have interacted with;
-
notes about any personal information you asked for;
-
any further information that the organisation may have asked you to provide;
-
any reference numbers given to you and other relevant information.
This will provide helpful evidence if you wish to:
-
follow up your request;
-
make a complaint; or
-
complain about an organisation’s response at a later stage.