hackylawyER/MIT-legal-forum---data-protection

Data Subject Access Request Laws

This is an attempt at the beginnings of a catalogue of U.S. laws that may directly provide for, or else indirectly implicate, the subject access rights of individuals, organized by the category of individual, e.g., consumer, student, patient, etc. In the next phase, I would also like to explore the various actors, their roles, the rights of the data subject and the processes for, and consequences of, exercising those rights under each of these laws.

Even from this initial assessment, it’s clear that accessing his/her data in the U.S. is an extremely burdensome and complicated undertaking for an individual. The same individual, when acting in a different role (e.g., consumer vs. employee), has different rights and different processes for accessing his/her data under the relevant legal framework, and only from entities covered by or subject to that law. This is in contrast to other countries, e.g., EU member states, where individuals have a general right to access their data as a “data subject” irrespective of the category of data or the sector in which the data controller operates.

And even if the individual could effectively meet all of the distinct requirements to compile as much data as he/she is legally entitled to collect from covered entities under the various laws, what could that individual do with it? How could one build a meaningful personal data store?

Consumers (Citizens?)

Employees

  • State Laws on Access to Personnel Files, see, e.g.:
    • California: Cal. Lab. Code §§ 1198.5; 432
      • Employers affected: All employers subject to wage and hour laws.
      • Employee access to records: Employee or former employee has right to inspect at reasonable intervals any personnel records relating to performance or to a grievance proceeding. Employer need not provide records regarding the investigation of a criminal offense, letters of reference, or certain other records. Employer must comply with only one request per year from former employees. This right ceases while a lawsuit brought by the employee based on a personnel matter is pending against the employer.
      • Written request required: Yes. If employee requests file orally, employer must supply form for making request in writing.
      • Conditions for viewing records: Employer must make records available no more than 30 days after receiving written request. Employee may view records at reasonable times, during break or nonwork hours. If records are kept off-site or employer does not make them available at the workplace, then employee must be allowed to view them at the storage location without loss of pay.
      • Copying records: Employee also has a right to a copy of personnel records, within 30 days after making written request.

Parents

  • Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 or "COPPA" - Applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. Covered operators must provide parents with access to their child's personal information and the right to review and/or have the information deleted, and give parents the opportunity to prevent further use or online collection of a child's personal information.

Patients

  • Health Insurance Portability and Accountability Act (HIPAA), specifically the HIPAA Privacy Rule, 45 CFR 160 and Subparts A and E of 45 CFR 164, generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity.
  • Health Information Technology for Economic and Clinical Health Act (HITECH) - Under the HITECH Act, patients have the right to request their health information in electronic form. The Act requires that any fee imposed to provide the electronic copy cannot exceed the labor and supply costs of responding to the request.

Students (note: parents may exercise on behalf of students)

Other Categories of Individuals?

About

MIT Legal Forum Data Protection Working Group
