Access My Info logo

What Is Access My Info?

What do companies know about you? How do they handle your data? And who do they share it with?

Access My Info (AMI) is a project that can help answer these questions by assisting you in making data access requests to companies. AMI includes a web application that helps users send companies data access requests, and a research methodology designed to understand the responses companies make to these requests. Past AMI projects have shed light on how companies treat user data and contribute to digital privacy reforms around the world.

What are data access requests?

A data access request is a letter you can send to any company with products/services that you use. The request asks that the company disclose all the information it has about you and whether or not it has shared your data with any third-parties. If the place where you live has data protection laws that include the right to data access then companies may be legally obligated to respond.

What we've discovered

Illustration of a person have an idea with a light bulb over their raised index finger

AMI has made personal data requests in jurisdictions around the world and found common patterns.

  1. There are significant gaps between data access laws on paper and the law in practice;
  2. People have consistently encountered barriers to accessing their data.

Together with our partners in each jurisdiction, we have used Access My Info to set off a dialog between users, civil society, regulators, and companies.

Case studies

๐Ÿ‡จ๐Ÿ‡ฆ Canada

Industry: Telecommunications, fitness trackers, online dating services

People who made data access requests encountered a range of barriers including: costs charged for access, identity verification procedures, and data transmission procedures. Based on these results recommendations were made for reducing barriers to access.

Learn more

๐Ÿ‡ฆ๐Ÿ‡บ Australia

Industry: Telecommunications

Many companies failed to respond to requests. Companies that did reply often provided inconsistent information and guidance to users.

Learn more

๐Ÿ‡ญ๐Ÿ‡ฐ Hong Kong

Industry: telecommunications

Companies argued that IP addresses and geolocation records were not personal data and therefore that the companies were not required to give users access to this data. With these findings researchers opened a dialog with the Privacy Commissioner of Hong Kong about what constitutes personal data; this led to the Commissioner publicly asserting that IP address and geolocation information constituted personal data.

Learn more

๐Ÿ‡ฐ๐Ÿ‡ท South Korea

Industry: telecommunications

South Korea has one of the most robust data protection regime in the world. However, researchers discovered very superficial compliance to data requests from companies. As a result a lawsuit was filed against a major Korean telecommunications company for failing to adequately respond to requests. As a result, Open Net Korea filed a lawsuit against Korea Telecom. On December 5, 2018, the trial court ruled in favor of Open Net Korea stating that the company must provide incoming call records to customers. Other data such as IP address logs were given during the course of the lawsuit.

Learn more

๐Ÿ‡ฎ๐Ÿ‡ฉ Indonesia

Industry: Telecommunications

Indonesia currently lacks specific regulations on data protection. Few companies responded to personal data requests and those which did provided very limited information. These results demonstrate the importance of introducing data protection legislation with robust data access rights for individuals.

Learn more

๐Ÿ‡ฒ๐Ÿ‡พ Malaysia

Industry: telecommunications

Data protection legislation has been in place in Malaysia since 2013, but researchers found that telecommunication companies in Malaysia are not yet ready to fully respond to data access requests. The results provide an important educational opportunity for policymakers and industry to better understand the requirements of Malaysiaโ€™s Personal Data Protection Act.

Learn more

Illustration of one person reading from a stack of printouts, one person typing on a laptop

Running your own AMI project

Illustration of different tools: checklist, laptop, coffee, microphone

Here's how a typical AMI project plays out:

1
Research privacy, data protection & access laws
โŒ›๏ธ 2-4 weeks
2
Localize & setup AMI web application
โŒ›๏ธ 2-4 weeks
3
Evangelize project & file data access requests
โŒ›๏ธ 2+ months
4
Collate results & write research report
โŒ›๏ธ 1-2 months
5
Publicize findings & advocate for reform
โŒ›๏ธ Variable
While AMI can technically be run by one, full-time person over the course of 3-6 months, weโ€™ve found that most past projects tend to involve a team of 3-4 researchers/advocates with the ongoing support of 1 technologist/system administrator.
Illustration of a person driving a half-eggshell vehicle with two robots trailing behind them

Additional Resources

For a full walkthrough on how to develop and deploy your own Access My Info project, download our PDF playbook.
GitHub logo
For more technical details, visit our GitHub repos for the AMI web application.