Chapter 4: Information Management and Privacy Risk Management
Responding to User Requests and Consumer Rights
Many federal and state laws grant individuals rights of control over their personal information: access, correction, deletion, portability, freedom from automated decision-making, and nondiscrimination for exercising those rights. Requests carry defined response periods and often a right to appeal; FCRA, HIPAA, and the GDPR each grant specific access and correction rights.
Right to access
Right to correction (rectification)
Right to delete
Right to portability
Right against automated decision-making
Right to nondiscrimination
Individuals exercise these rights by submitting a request to a business or agency, which must respond within a defined period. A denial may trigger a right to appeal, and a dissatisfied individual may complain to a regulator. Specific access rights exist under FCRA (credit reports, with a right to dispute and correct inaccurate entries), HIPAA (medical records, with a denied amendment request noted in the record as disputed), the Judicial Redress Act of 2015 (for qualifying non-U.S. individuals seeking access to and correction of covered records held by a U.S. agency), and the GDPR in the EU. Where no statute requires access, the right still appears in fair information practice frameworks such as the OECD Guidelines and the APEC Privacy Principles.
Key terms - quick answers
What is “Right to access”?
The right of an individual to obtain the PI an organization holds about them (e.g., credit reports under FCRA, medical records under HIPAA).
What is “Right to appeal”?
The right to request reconsideration if a rights request is denied; dissatisfied individuals may complain to a regulator.
What is “Judicial Redress Act of 2015”?
U.S. law giving qualifying non-U.S. individuals a right of civil action against a U.S. agency to access and rectify covered records about them.