Accessing your personal information – businesses
Revised: July 2019
Canada has two federal privacy laws—the Privacy Act, which applies to federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to many private-sector organizations. Both give people a right to access their personal information held by organizations.
On this page
- How to access your personal information held by businesses
- How do I ask for my personal information?
- Does it cost anything to access my personal information?
- Can I get a paper copy of my personal information?
- How long should I expect the process to take?
- What if I find an error in my personal information?
- Can I obtain access to the personal information of someone else?
- Can a company deny my request for access to my personal information?
- What can I do if the organization denies part of, or my entire access request?
How to access your personal information held by businesses
Three provinces—Alberta, British Columbia, and Quebec—have private-sector privacy legislation that may apply instead of PIPEDA.
How do I ask for my personal information?
You need to put your request to the organization in writing.
- Under PIPEDA, you need to make your access request in writing. The following sample provides a suggested starting point for drafting a letter or email requesting access to your personal information.
Sample letter/email to make your request:
Dear Privacy Officer,
Under section 4.9 of Schedule 1 of Canada’s federal privacy legislation — The Personal Information Protection and Electronic Documents Act — I am requesting a copy of my personal information described below.
[Provide a detailed list of the personal information you are seeking. Providing a clear, narrow request (for example, relating to a specific topic, or using date ranges) can result in a quicker response.]
In general, PIPEDA requires organizations to provide individuals with access to their personal information at free or minimal cost within 30 days. For details about organizations' responsibilities under PIPEDA's access provision see the Office of the Privacy Commissioner's guidance at priv.gc.ca: What businesses need to know.
If you do not normally handle these types of requests, please forward this letter to the person in your organization responsible for privacy compliance.
Please contact me at [your daytime phone number and/or your email address] if you require additional information from me before you proceed.
Here is information that may help you identify my records:
Account number [if applicable]:
What types of personal information can I ask for?
Under PIPEDA, "personal information" means information about an identifiable individual. This includes any factual or subjective information about that individual, for example:
- Opinions about the individual
- Birth date
- Physical description
- Medical history
- Political affiliations and beliefs
- Visual images such as photographs, and videotape where individuals may be identified
Does it cost anything to access my personal information?
It should cost you little or nothing to access your personal information. The law requires an organization to respond to your request at minimal or no cost to you.
An organization may only charge you a minimal fee for responding if it has informed you of the approximate cost up front and you agree to proceed with the request at that cost.
If you feel that an organization is attempting to charge an unreasonable fee, you have the right to file a complaint with us.
Can I get a paper copy of my personal information?
While you could receive a paper copy of the documents containing your personal information, the organization does not have to give you a copy under the law. It is required to provide you with access to your personal information. In some cases, you may be invited to the organization’s premises and view the material on site.
Tip: If you have a disability that requires a format other than paper or prevents you from accessing the material on site, you should advise the organization at the time of your access request.
How long should I expect the process to take?
The organization is supposed to give you access to your personal information within 30 calendar days. If they don’t have it, they must advise you of that fact within 30 days.
There are some very specific circumstances under which the organization may require an extension of up to 30 additional days. An organization may extend the time limit for a maximum of thirty days if:
- meeting the time limit would unreasonably interfere with the activities of the organization
- the time required to undertake consultations necessary to respond to the request would make it impractical to meet the time limit
The organization can also extend the time limit for the length of time required to convert the personal information into an alternative format.
In these cases, the organization must advise you of the delay within the first 30 days and explain the reason for it.
What if I find an error in my personal information?
You may request a correction to any factual errors or omissions. You would typically have to provide some evidence to back up your claim. Under the law, an organization must amend the information, as required, if you successfully demonstrate that it’s incomplete or inaccurate.
If you and the organization can’t agree on changing the information, you have the right to have your concerns recorded.
Example: You can add a consumer statement to your credit report at no cost.
A consumer statement is a brief statement added to your credit report explaining your position.
Lenders and others who review your credit report may consider your consumer statement when they make their decisions.
If the organization has previously shared incorrect information with third parties, it must, where appropriate, forward the amended information (or the record of the unresolved challenge) to those parties, so that they too can correct their records.
Can I obtain access to the personal information of someone else?
Ordinarily, you may only request access to information about yourself. Organizations may withhold information that relates to a third party, such as a family member, or sever it from other personal information that relates to you.
If, however, the family member consents in writing to the release of the information or if you need the information because an individual’s life, health or security is threatened, then you may be entitled to access it.
Can a company deny my request for access to my personal information?
Yes. The law sets out a number of exceptions to your general right of access to your personal information.
There are, for example, circumstances under which the organization may choose to withhold some or all of the information. There are also circumstances under which organizations are forbidden by law from releasing the information.
What can I do if the organization denies part of, or my entire access request?If you feel that the organization is withholding more information than it should, you have a right to file a complaint with us.
However, before doing so, you should try to resolve the matter with the organization directly. Sometimes the problem stems from a simple misunderstanding that can be easily corrected.
Report a problem or mistake on this page
- Date modified: