Access to Personal Information

May 2013

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.

I. Relevant Statutory Provisions

of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA)

Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Principle 4.9.1: Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.

Principle 4.9.2: An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

Principle 4.9.3: In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.

Principle 4.9.4: An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

Section 8(1): A request under clause 4.9 of Schedule 1 must be made in writing.

Section 8(2): An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

Section 8(3): An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Section 8(4): An organization may extend the time limit (a) for a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or (b) for the period that is necessary in order to be able to convert the personal information into an alternative format.

In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

Section 8(5): If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

Section 8(6): An organization may respond to an individual’s request at a cost to the individual only if (a) the organization has informed the individual of the approximate cost; and (b) the individual has advised the organization that the request is not being withdrawn.

Section 8(7): An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under Part 1 of PIPEDA.

Section 8(8): Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under Part 1 of PIPEDA that they may have.

Section 9(1): Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Section 9(3): Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if (a) the information is protected by solicitor-client privilege; (b) to do so would reveal confidential commercial information; (c) to do so could reasonably be expected to threaten the life or security of another individual; (c.1) the information was collected under paragraph 7(1)(b); (d) the information was generated in the course of a formal dispute resolution process; or (e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.

However, in the circumstances described in (b) or (c) above, if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

Section 9(5): An organization that decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1) shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.

II. General Interpretations by the Courts

  1. A request for access to personal information must be made in writing and identify the information requested. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  2. In response to an access to personal information request, organizations need only search for and provide those records related to the conduct of their business, not those sent between employees for personal reasons. (Johnson v. Bell Canada, 2008 FC 1086)
  3. An organization receiving a broad request for access to personal information has two options: (1) it can inquire of the party making the request if the party can be more specific as to the information requested, in which case the requesting party has an obligation to cooperate in defining the request, or (2) it can conduct a reasonable search of information it can reasonably expect to be responsive to the request. Where that latter course is chosen, and absent further evidence, there is no reason to conduct a search for messages falling outside the scope of what the organization reasonably believes it would collect, use and disclose in the course of its business operations. (Johnson v. Bell Canada, 2008 FC 1086)
  4. If the party who made an access request claims that there is other information that has not been produced, the burden lies on the requester to establish at least a prima facie case that the search was inadequate. (Johnson v. Bell Canada, 2008 FC 1086)
  5. “It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information.” (Johnson v. Bell Canada, 2008 FC 1086)
  6. “From a practical and pragmatic standpoint, what subsection 8(8) of PIPEDA requires of an organization is that it retain that information that it has discovered in its search that is or may be responsive to the request, until the person making the request has exhausted all avenues of appeal.” (Johnson v. Bell Canada, 2008 FC 1086)
  7. For purposes of independently verifying claims of solicitor-client privilege invoked by organizations as grounds for refusing access, the Privacy Commissioner may refer the issue to the Federal Court at any point in her investigation, or the Privacy Commissioner may report an impasse over the issue of privilege in her Report of Findings and bring an application to the Federal Court for relief. (Canada (Privacy Commissioner) v. Blood Tribe Department of Health, 2008 SCC 44; Privacy Commissioner of Canada v. Air Canada, 2010 FC 429)
  8. Merely informing a third party that information has been amended without sending the amended information to the third party is not sufficient to satisfy the requirement set out in clause 4.9.5 of PIPEDA. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  9. Handwritten notes of a doctor taken during an independent medical examination performed at the request of an insurance company may be subject to an access request. (Wyndowe v. Rousseau, 2008 FCA 39)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its access obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the access principle has been interpreted and applied by the OPC and some of its findings derived from different contexts.

Policies, Practices, and Procedures

Responding to Access Requests

Form

Control

Time Limit

Fees

Exceptions

9(3)(a) – information protected by solicitor-client privilege

9(3)(b) – confidential commercial information

9(3)(c.1) – information collected under paragraph 7(1)(b)

9(3)(d) – information generated in the course of a formal dispute resolution process

Corrections

For more information regarding access to personal information under PIPEDA, see the OPC Fact Sheet on Accessing Personal Information under PIPEDA and related Guidance for Organizations.
