Accessing Personal Information under PIPEDA
What businesses need to know
If you are an organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), you are responsible for responding to requests to access personal information in accordance with the Act.
For their part, the individuals you interact with (customers/clients and, in the case of federal works, undertakings or businesses, employees) have a right under this private-sector privacy law to request access to the personal information you hold about them. They may also ask you to correct any information you have that is incomplete or wrong.
This guidance document explains what PIPEDA says about access to personal information, how it works and what you need to do to comply with this aspect of the law.
Central to providing access is an understanding of what personal information is. Personal information is broadly defined under PIPEDA. For example, financial transaction histories; credit histories; other people’s opinions about an individual; photographs of an individual; an individual’s fingerprints, voice prints or blood type; video or audio footage where an individual appears or is heard – these are a few examples of information that can be considered personal information. While the primary focus of this document is on providing access to personal information that is held in written form, the right of access applies equally to personal information held in other formats. For more information on what personal information can be, please see our Interpretation Bulletin on Personal Information.
The guidance can also help individuals understand their privacy rights and what they can expect organizations to do in order to give full effect to their rights.
For more information on which organizations are covered by PIPEDA, and how the legislation works in general, please refer to Your Privacy Responsibilities: A Guide for Businesses and Organizations.
A general right of access
PIPEDA contains 10 Fair Information Principles, one of which (Principle 4.9) relates to individuals’ right to access personal information you hold about them.
In general, the Act obliges you to give individuals access to their personal information on request. You have to do this in a complete and timely way, at little or no cost to the requester.
The Act also allows requesters to challenge the accuracy and completeness of the personal information you hold, and to have the information amended if they successfully show that it is inaccurate or incomplete. Where appropriate, they also have the right to have the amended information sent on to any parties to whom you may have disclosed the original information.
There are some exceptions to this general right of access. In certain circumstances, for instance, you may have discretion as to whether to provide some or all of the requested information. In other circumstances, you are prohibited by law from releasing the information.
Both categories of exemptions are described later in this document.
The Access Principle
PIPEDA requires you to respond in specific ways when you receive an individual’s request for personal information. Subject only to the exemptions described in the next section, you must:
- Inform individual requesters if you have the personal information about them that they are asking for;
- Explain how it is or has been used, and provide a list of any organizations to which it has been disclosed on request;
- Be prepared to give individuals access to their personal information, at minimal or no cost, in a form that is generally understandable and that accommodates sensory disabilities;
- Respond to requests within 30 calendar days, although there are specific circumstances (described later in this document) that allow you to take more time;
- Correct or amend any personal information that is shown to be factually inaccurate or incomplete, and, when appropriate, transmit the amended information to any parties to whom you may have sent the original information;
- If you do not agree that the information was inaccurate or incomplete, retain a record of the unresolved challenge and, when appropriate, transmit this record to any third party to whom you may have disclosed the original information.
PIPEDA only allows organizations to deny access to personal information in certain circumstances. Specifically, an organization is required to give access to personal information unless:
- Disclosure would reveal personal information about someone else (subsection 9(1)). However, if the information that relates to the third party can be severed or blacked out, you are required to provide the information to the requester with such information on third parties stricken or removed.
This exemption does not apply if the third party consents to you releasing this information, or if the individual needs the information because somebody’s life, health or security is threatened (subsection 9(2)).
- The information is protected by solicitor-client privilege (paragraph 9(3)(a)).
- Disclosure of the information would reveal confidential commercial information. (paragraph 9(3)(b)). If you can, however, address this problem by striking or severing portions of the information, you must give the requester access to the rest of his or her personal information.
- Disclosure of the information could reasonably be expected to threaten the life or security of another individual (paragraph 9(3)(c)). Again, if you can address this problem by severing this information, you must give the requester access to the rest of his or her personal information.
- The information was collected for purposes related to an investigation of a breach of an agreement or a contravention of the laws of Canada or a province, and it would be reasonable to expect that the individual’s knowledge of or consent for the collection would compromise the availability or accuracy of the information (paragraph 9(3)(c.1)).
- The information was generated in the course of a formal dispute-resolution process (paragraph 9(3)(d)).
- The information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act (commonly referred to as the whistleblower law), or in the course of an investigation into a disclosure under that Act (paragraph 9(3)(e)).
There may be exceptional times when you are required to disclose personal information, without an individual’s consent, in order to comply with a subpoena, warrant or court order. Similarly, you may disclose personal information without consent to a government institution or an investigative body for a purpose such as national security, national defence or the deterrence of terrorism, law enforcement, or in relation to a suspected money-laundering offence (paragraph 7(3)(c); sub-paragraph 7(3)(c.1)(i) or (ii) or paragraphs 7(3)(c.2) or (d)).
It is possible that the individual concerned may request access to information related to this disclosure. If you receive a request for such information, you must notify the institution to which you disclosed the personal information that you have received this request. The institution has 30 days to respond to you.
You may not respond to the individual’s access request before either hearing back from the institution or until 30 days has passed since you notified it; whichever occurs first.
If the institution objects to the release of the information to the individual based on permissible grounds, you must withhold it. Moreover, you may not reveal that you communicated with the institution, or that it objected to the disclosure (subsections 9(2.1) to 9(2.4)).
You must also immediately notify the Privacy Commissioner of Canada, in writing, about your refusal to release the information.
Responding to access requests
After many years of experience with PIPEDA, our Office has developed this step-by-step guide of best practices to help you respond to requests for access to personal information.
1. Getting started
- A request has to be in writing. You may need to ask the individual for more information in order to verify his or her identity or to locate the information.
- Some people may need help in preparing their request. You are required to help them if they ask, and you may ask them for further information to facilitate this process.
- Record the date you received the request.
- Review the request and contact the individual if you need to clarify anything.
2. Analyze the request
- Analyze the request to make sure you know what is being sought.
- Identify all sources and records that may hold the personal information that the individual is requesting.
- Retrieve and review the identified records to confirm that they actually contain the personal information requested.
- Photocopy the documents if they are on paper, and number them. Sequentially numbering the entire file is a good idea because it enables the requester to see whether any documents have been severed or exempted from disclosure.
- Access should be free or at minimal cost. If a fee is being contemplated, give the individual an estimate of the cost and make sure you have his or her agreement before going further.
- As described in the section on exemptions to the access rules, there are circumstances in which PIPEDA requires that you notify a government institution about a request for access to personal information. You must do so, in writing, at this step.
3. Apply exemptions
- At this stage, you should identify any personal information that you are withholding under the exemptions described above.
- If information that is exempt from access can be severed, remove it and give the requester access to the rest of the requested information.
- If you apply any of the exemptions recognized in the Act, you must give the requester a written explanation of your decision, set out the reasons and inform the individual of his or her right to complain to the Privacy Commissioner.
- If you decide not to give access to an individual’s personal information on the grounds set out in paragraph 9(3)(c.1), you must inform the individual of the reason and notify the Privacy Commissioner.
- As outlined above, there may be exceptional circumstances in which you shall not provide an individual with any information about a past disclosure made about them for national security, national defence, deterrence of terrorism, law enforcement or in relation to a suspected money-laundering offence. In such cases, however, you must notify the Privacy Commissioner of Canada in writing and without delay of the refusal.
4. Provide access to the information
- When you are ready to give the requester the information (with any necessary deletions or redactions looked after), photocopy the documents that are to be disclosed and make sure the copies are clear and readable.
- In cases where a large number of documents are involved, you may consider inviting the requester to simply look at the documents at your premises. Some requesters don’t want to receive stacks of paper. Some know exactly what they’re looking for, and don’t need all the documents.
- If you have used acronyms, abbreviations, and codes, you should ensure the meaning is clear. To accommodate a disability, some people may ask to receive their personal information in alternate formats, such as audio files for individuals with visual impairment. You should fulfill this request if the information already exists in the alternate format, or if conversion to that format is reasonable and necessary for an individual to exercise rights under PIPEDA.
- Upon request, you should also explain how the personal information was used by your organization. If it was shared with third parties, provide a list of them. If that is not feasible, indicate the organizations with which it may have been shared.
- If the personal information in question is of a sensitive medical nature, you may consider providing access through the requester’s medical practitioner, such as a physician or a psychiatrist.
- If information in a document is retained in a format different from the one in which it was initially collected, then it is permissible simply to provide access in this alternative format. For instance, if a telephone call was taped, you may provide access to a log of the phone conversation. You may also be able to disclose a disc of the recording.
- Include the name and contact information of someone in your organization who can respond to any questions the individual may have.
- Keep a copy of any documents as they were sent, subject to appropriate retention policies.
- You will also need to retain the original personal information that was the subject of the request for as long as necessary for individuals to exercise their rights under PIPEDA.
- You should inform individuals that they have a right to complain to the Privacy Commissioner about issues related to their request.
5. Time limit extensions
- You are obliged to respond to the request for personal information within 30 calendar days of receipt of a request for it. Specifically, if you have the information, you must provide it within that time period, or advise the individual if you do not have it. You cannot simply acknowledge within 30 days that you received the request, and then take more time to actually deal with it.
- PIPEDA only allows for an extension of that 30-day time limit under these specific circumstances:
- If responding to the access request would interfere to an unreasonable degree with your organization’s activities;
- If responding to the request would require you to undertake consultations that would make it impracticable to meet the 30-day deadline;
- If an individual requires the information in an alternate format and it would take significant amounts of time to convert it.
- In such instances, you may take up to 30 additional days or the period of time necessary to convert the personal information into an alternative format to respond. You must, however, contact the individual within the first 30 days to explain the reason for the delay, and to advise the individual of his or her right to complain to the Privacy Commissioner about the delay.
6. Correct errors
- Upon receipt of the information, the requester may be able to demonstrate that the personal information in your files is incomplete or factually wrong. If that is the case, correct or amend the record.
- If the inaccurate personal information had previously been shared with third parties, it may be necessary to advise them immediately of the correction to prevent them from acting on incorrect information.
- If you and the requester cannot agree on the need for amendments, make a record of the unresolved challenge and, where appropriate, transmit this information to any third party to whom you may have disclosed the original information.
For more information please contact:
Office of the Privacy Commissioner of Canada
112 Kent Street, 3rd Floor
Ottawa, ON, K1A 1H3
Phone: (613) 947-1698
Fax: (613) 947-6850
TTY: (613) 992-9190