Language selection

Accessing your personal information – businesses

Revised: July 2019

Overview

Canada has two federal privacy laws—the Privacy Act, which applies to federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to many private-sector organizations. Both give people a right to access their personal information held by organizations.

On this page

How to access your personal information held by businesses

The Personal Information Protection and Electronic Documents Act (PIPEDA) gives people a general right to access their personal information held by businesses subject to this law.

Three provinces—Alberta, British Columbia, and Quebec—have private-sector privacy legislation that may apply instead of PIPEDA.

How do I ask for my personal information?

You need to put your request to the organization in writing.

  • Under PIPEDA, you need to make your access request in writing. The following sample provides a suggested starting point for drafting a letter or email requesting access to your personal information.
  • Try to send your letter/email to the address the organization has designated for access requests or privacy issues if there is one (can often be found in a privacy policy in the footer of the organization’s website).

Sample letter/email to make your request:

Dear Privacy Officer,

Under section 4.9 of Schedule 1 of Canada’s federal privacy legislation — The Personal Information Protection and Electronic Documents Act — I am requesting a copy of my personal information described below.

[Provide a detailed list of the personal information you are seeking. Providing a clear, narrow request (for example, relating to a specific topic, or using date ranges) can result in a quicker response.]

In general, PIPEDA requires organizations to provide individuals with access to their personal information at free or minimal cost within 30 days. For details about organizations' responsibilities under PIPEDA's access provision see the Office of the Privacy Commissioner's guidance at priv.gc.ca: What businesses need to know.

If you do not normally handle these types of requests, please forward this letter to the person in your organization responsible for privacy compliance.

Please contact me at [your daytime phone number and/or your email address] if you require additional information from me before you proceed.

Here is information that may help you identify my records:

Full Name:

Address:

Account number [if applicable]:

What types of personal information can I ask for?

Under PIPEDA, "personal information" means information about an identifiable individual. This includes any factual or subjective information about that individual, for example:

  • Name
  • Opinions about the individual
  • Birth date
  • Income
  • Physical description
  • Medical history
  • Gender
  • Religion
  • Address
  • Political affiliations and beliefs
  • Education
  • Employment
  • Visual images such as photographs, and videotape where individuals may be identified

Does it cost anything to access my personal information?

It should cost you little or nothing to access your personal information. The law requires an organization to respond to your request at minimal or no cost to you.

An organization may only charge you a minimal fee for responding if it has informed you of the approximate cost up front and you agree to proceed with the request at that cost.

If you feel that an organization is attempting to charge an unreasonable fee, you have the right to file a complaint with us.

Can I get a paper copy of my personal information?

While you could receive a paper copy of the documents containing your personal information, the organization does not have to give you a copy under the law. It is required to provide you with access to your personal information. In some cases, you may be invited to the organization’s premises and view the material on site.

Tip: If you have a disability that requires a format other than paper or prevents you from accessing the material on site, you should advise the organization at the time of your access request.

How long should I expect the process to take?

The organization is supposed to give you access to your personal information within 30 calendar days. If they don’t have it, they must advise you of that fact within 30 days.

There are some very specific circumstances under which the organization may require an extension of up to 30 additional days. An organization may extend the time limit for a maximum of thirty days if:

  • meeting the time limit would unreasonably interfere with the activities of the organization
  • the time required to undertake consultations necessary to respond to the request would make it impractical to meet the time limit

The organization can also extend the time limit for the length of time required to convert the personal information into an alternative format.

In these cases, the organization must advise you of the delay within the first 30 days and explain the reason for it.

What if I find an error in my personal information?

You may request a correction to any factual errors or omissions. You would typically have to provide some evidence to back up your claim. Under the law, an organization must amend the information, as required, if you successfully demonstrate that it’s incomplete or inaccurate.

If you and the organization can’t agree on changing the information, you have the right to have your concerns recorded.

Example: You can add a consumer statement to your credit report at no cost.

A consumer statement is a brief statement added to your credit report explaining your position.

Lenders and others who review your credit report may consider your consumer statement when they make their decisions.

If the organization has previously shared incorrect information with third parties, it must, where appropriate, forward the amended information (or the record of the unresolved challenge) to those parties, so that they too can correct their records.

Can I obtain access to the personal information of someone else?

Ordinarily, you may only request access to information about yourself. Organizations may withhold information that relates to a third party, such as a family member, or sever it from other personal information that relates to you.

If, however, the family member consents in writing to the release of the information or if you need the information because an individual’s life, health or security is threatened, then you may be entitled to access it.

Can a company deny my request for access to my personal information?

Yes. The law sets out a number of exceptions to your general right of access to your personal information.

There are, for example, circumstances under which the organization may choose to withhold some or all of the information. There are also circumstances under which organizations are forbidden by law from releasing the information.

What can I do if the organization denies part of, or my entire access request?

If you feel that the organization is withholding more information than it should, you have a right to file a complaint with us.

However, before doing so, you should try to resolve the matter with the organization directly. Sometimes the problem stems from a simple misunderstanding that can be easily corrected.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: