PIPEDA Fair Information Principle 9 – Individual Access
More about Individual Access
Generally speaking, individuals have a right to access the personal information that an organization holds about them.
Your responsibilities as a business
- Comply with all 10 of the principles of Schedule 1.
- When requested, inform individuals if you have any personal information about them.
- Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
- Give individuals access to their information.
- Correct or amend any personal information if its accuracy and completeness are challenged and found to be deficient.
- Provide a copy of the information requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act. (See Exceptions to the Access Principle.)
- An organization should note any disagreement on the file and advise third parties where appropriate.
How to fulfill these responsibilities
- Provide any help the individual needs to prepare a request for access to personal information.
- Your organization may ask the requestor to supply enough information to enable you to account for the existence, use and disclosure of personal information.
- Respond to the request as quickly as possible, and no later than 30 days after receipt of the request.
- The normal 30-day response time limit may be extended for a maximum of 30 additional days, according to specific criteria set out at Subsection 8(4) of the Act:
  - if responding to the request within the original 30 days would unreasonably interfere with activities of your organization
  - if additional time is necessary to conduct consultations
  - if additional time is necessary to convert personal information to an alternate format.
- If your organization extends the time, you must notify the individual making the request of the extension within 30 days of receiving the request, and of his or her right to complain to the Privacy Commissioner of Canada.
- Give access at minimal or no cost to the individual.
- Notify the requestor of the approximate costs before processing the request and confirm that the individual still wants to proceed with the request.
- Make sure the requested information is understandable. Explain acronyms, abbreviations and codes.
- Send any information that has been amended, where appropriate, to any third parties that have access to the information.
- Inform the individual in writing when refusing to give access, setting out the reasons and any recourse available.
- Keep a record of where the information can be found to make retrieval easier.
- Ensure you conduct a thorough search in all of the places where personal information may be stored — both physically and electronically.
- Never disclose personal information unless you are sure of the identity of the requestor and that person's right of access.
- Record the date that you received the request for the information.
- Ensure that your staff members know how to identify an access request and to whom it should be referred within your organization.
Exceptions to the Access Principle
While organizations have a general obligation under PIPEDA to provide access to personal information upon request, there are specific exceptions to this obligation.
PIPEDA sets out both mandatory and discretionary exceptions to providing access to personal information upon request.
In terms of mandatory exceptions, organizations must refuse an individual access to personal information:
- if it would reveal personal information about another individual* unless there is consent or a life-threatening situation; or
- if an individual requests that he or she be informed of information disclosed to a government institution in certain specified cases, or for access to the information itself, and the government institution objects to the institution complying with the access request. In such cases, your organization must refuse the request and notify the Privacy Commissioner of Canada. As well, your organization cannot inform the individual of the disclosure to the government institution, that the institution was notified of the request, or that the Privacy Commissioner of Canada was notified of the refusal.
In terms of discretionary exceptions, organizations may refuse access to personal information if the information:
- is protected by solicitor-client privilege;
- would reveal confidential commercial information;*
- would reasonably be expected to harm an individual's life or security;**
- was collected without the individual's knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or violation of a federal or provincial law (the Privacy Commissioner of Canada must be notified);
- was generated in the course of a formal dispute resolution process; or
- was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or a related investigation.