PIPEDA Fair Information Principle 9 – Individual Access
Revised: May 2019
Generally speaking, individuals have a right to access the personal information that an organization holds about them. They also have the right to challenge the accuracy and completeness of the information, and have that information amended as appropriate.
- When asked, advise people of the personal information your organization holds about them.
- Explain where the information was obtained.
- Explain how that information is or has been used and to whom it has been disclosed.
- Give people access to their information at minimal or no cost, or explain your reasons for not providing access. Providing access can take different forms. For example, you may provide a written or electronic copy of the information, or allow the individual to view the information or listen to a recording of the information.
- Correct or amend personal information in cases where accuracy and completeness are deficient.
- Note any disputes on the file and advise third parties where appropriate.
How to fulfill these responsibilities
- Help people prepare their request for access to personal information. (For example, your organization may ask the requestor to supply enough information to enable you to locate personal information and determine how it has been used or disclosed.)
- Respond to the request as quickly as possible, and no later than 30 days after receiving it.
- The normal 30-day response time limit for access requests may be extended for a maximum of 30 additional days, if:
  - responding to the request within the original 30 days would unreasonably interfere with the activities of your organization;
  - your organization needs additional time to conduct consultations; or
  - your organization needs additional time to convert personal information to an alternate format.
- If your organization extends this response time, it must notify the person making the request within 30 days of receiving the request, and advise them of their right to complain to the OPC.
- Provide access at minimal or no cost to the individual, and notify the requestor of the approximate costs before processing the request. Confirm that the individual still wants to proceed with the request.
- Make sure the requested information is understandable. Explain acronyms, abbreviations and codes.
- If you make amendments, send the revised information to any third parties that have access to the information in cases where doing so is appropriate.
- If you refuse to grant access to personal information, explain in writing the reasons and inform the requestor of any recourse available to them. Recourse includes the option to complain to the OPC.
- If your organization holds no personal information on the requestor, tell them so.
- Keep a record of where personal information can be found.
- Conduct a thorough search for personal information. This includes both physical and electronic searches.
- Never disclose personal information unless you are certain of the identity of the requestor and that person's right of access.
- Record the date you received the request for the information.
- Ensure your staff members know how to handle an access request.
- The legal standard to be met for withholding information as “confidential commercial information” is high. Be ready to justify such a claim before refusing access.