Access to Personal Information
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.
I. Relevant Statutory Provisions
Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Principle 4.9.1: Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
Principle 4.9.2: An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
Principle 4.9.3: In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.
Principle 4.9.4: An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.
Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
Section 8(1): A request under clause 4.9 of Schedule 1 must be made in writing.
Section 8(2): An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.
Section 8(3): An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
Section 8(4): An organization may extend the time limit (a) for a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or (b) for the period that is necessary in order to be able to convert the personal information into an alternative format.
In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.
Section 8(5): If the organization fails to respond within the time limit, the organization is deemed to have refused the request.
Section 8(6): An organization may respond to an individual’s request at a cost to the individual only if (a) the organization has informed the individual of the approximate cost; and (b) the individual has advised the organization that the request is not being withdrawn.
Section 8(7): An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under Part 1 of PIPEDA.
Section 8(8): Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under Part 1 of PIPEDA that they may have.
Section 9(1): Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
Section 9(3): Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if (a) the information is protected by solicitor-client privilege; (b) to do so would reveal confidential commercial information; (c) to do so could reasonably be expected to threaten the life or security of another individual; (c.1) the information was collected under paragraph 7(1)(b); (d) the information was generated in the course of a formal dispute resolution process; or (e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
However, in the circumstances described in (b) or (c) above, if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.
Section 9(5): An organization that decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1) shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.
II. General Interpretations by the Courts
- A request for access to personal information must be made in writing and identify the information requested. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
- In response to an access to personal information request, organizations need only search for and provide those records related to the conduct of their business, not those sent between employees for personal reasons. (Johnson v. Bell Canada, 2008 FC 1086)
- An organization receiving a broad request for access to personal information has two options: (1) it can inquire of the party making the request if the party can be more specific as to the information requested, in which case the requesting party has an obligation to cooperate in defining the request, or (2) it can conduct a reasonable search of information it can reasonably expect to be responsive to the request. Where that latter course is chosen, and absent further evidence, there is no reason to conduct a search for messages falling outside the scope of what the organization reasonably believes it would collect, use and disclose in the course of its business operations. (Johnson v. Bell Canada, 2008 FC 1086)
- If the party who made an access request claims that there is other information that has not been produced, the burden lies on the requester to establish at least a prima facie case that the search was inadequate. (Johnson v. Bell Canada, 2008 FC 1086)
- “It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information.” (Johnson v. Bell Canada, 2008 FC 1086)
- “From a practical and pragmatic standpoint, what subsection 8(8) of PIPEDA requires of an organization is that it retain that information that it has discovered in its search that is or may be responsive to the request, until the person making the request has exhausted all avenues of appeal.” (Johnson v. Bell Canada, 2008 FC 1086)
- For purposes of independently verifying claims of solicitor-client privilege invoked by organizations as grounds for refusing access, the Privacy Commissioner may refer the issue to the Federal Court at any point in her investigation, or the Privacy Commissioner may report an impasse over the issue of privilege in her Report of Findings and bring an application to the Federal Court for relief. (Canada (Privacy Commissioner) v. Blood Tribe Department of Health, 2008 SCC 44; Privacy Commissioner of Canada v. Air Canada, 2010 FC 429)
- Merely informing a third party that information has been amended without sending the amended information to the third party is not sufficient to satisfy the requirement set out in clause 4.9.5 of PIPEDA. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
- Handwritten notes of a doctor taken during an independent medical examination performed at the request of an insurance company may be subject to an access request. (Wyndowe v. Rousseau, 2008 FCA 39)
III. Application by the OPC in Different Contexts
Whether an organization can be said to meet its access obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the OPC has interpreted and applied the access principle, drawing on its findings in different contexts.
Policies, Practices, and Procedures
- An organization should have procedures in place to ensure that an access to personal information request is properly processed.
- Organizations should have a straightforward procedure that will be adhered to by the personnel handling access to personal information requests.
- Organizations must adequately train their staff on how to properly handle access to personal information requests and on the legal obligations of the organization in this regard.
Responding to Access Requests
- Organizations may require individuals to provide further information, such as identification, in order to process their requests for access to personal information.
- A complainant who requests access to all personal information relating to him or her should be provided with all information that the organization can provide to the complainant. If the organization has the information and there is no reason to deny access, it should release all the responsive information even though certain documents were not specifically requested.
- When an organization responds to an access request, it should give an indication of where it looked for the requestor’s information and the types of information it holds. Organizations should be forthcoming in providing details regarding the sources of information and to whom information has been disclosed.
- When in receipt of a request for access to personal information, organizations must respond in a meaningful way, even if only to indicate that they have already provided the individual with all of their information.
- In responding to access requests, organizations must search all their files and locations for personal information, not only those that are obvious sources of such data.
- An organization must inform an individual in writing of an access request refusal, setting out the reasons for the refusal and any recourse that the individual may have under PIPEDA.
- For personal information implicated in a specific access request, organizations should consider, and where necessary, override their regular deletion/retention practices until such time as the individual has exhausted any recourse under PIPEDA to get access to that information.
- In response to an access request, an organization may make sensitive medical information available through a medical practitioner.
- There is no obligation for complainants to specify in an access to personal information request that they are making their request pursuant to PIPEDA.
- The requested information shall be provided in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.
- Principle 4.9.4 clearly puts the onus on the organization to explain information in understandable terms to the individual, and PIPEDA makes no provision for an organization to refer the individual to another organization for that purpose.
- Access to personal information does not necessarily mean that copies of the information have to be provided—PIPEDA specifies only that access be given to the requester.
- If information about a third party is severable from the record pertaining to an individual’s access request, the organization must sever the information about a third party and give the individual access to his or her personal information.
- An organization will not be expected to provide an individual with access to the individual’s personal information which is neither in its possession nor under its control.
- Personal information handled by third-party service providers is generally considered to be under the control of the party that has contracted out the service.
- To fulfill its obligations under PIPEDA, an organization must reply to a request for access to personal information in writing within thirty calendar days of receipt of the request.
- The 30-day timeframe should begin upon receipt of a complete access to personal information request, as deemed by the organization.
- When receiving an individual’s access request, the organization should determine as quickly as possible whether it will be able to complete the request within the initial time limit allowed by PIPEDA. If it believes it has insufficient time and requires an extension, the organization must advise the complainant in writing no later than 30 days after the date of the access request, advising the complainant of the new time limit, the reasons for extending the initial limit and the complainant’s right to make a complaint to the Commissioner with regard to the extension.
- The Commissioner found that an organization’s partial response to an access request within 30 days was not sufficient to satisfy the 30-day time limit provided for in PIPEDA.
- A time extension cited by an organization was found not to be valid as no consultations were undertaken to find the information an individual had requested.
- By failing to respond an organization will be deemed, in accordance with subsection 8(5), to have refused the complainant’s access request.
- PIPEDA Report of Findings 2010-005: An organization improperly discloses client’s personal information
- PIPEDA Case Summary #2004-285: Company refuses former employee's request for access
- PIPEDA Case Summary #2003-239: Access request sent to wrong location
- PIPEDA Case Summary #2003-179: Trucking company accused of refusing former employee's access request
- PIPEDA Case Summary #2003-165: Individual is denied access to personal information
- PIPEDA Case Summary #2003-253: A bank exceeds the time limit for answering an access request
- PIPEDA Case Summary #2003-221: Bank fails to respond to access request within time limit
- PIPEDA Case Summary #2002-112: Individual denied access to personal information
- If an organization intends to charge a fee for an access request, it is obliged to inform the requester of the fee estimate and to give the requester an opportunity to respond.
- PIPEDA Case Summary #2006-341: Fees and the role of a medical practitioner considered in denial of access complaint
- PIPEDA Case Summary #2004-283: A bank charged fees to process requests for personal information
- PIPEDA Case Summary #2003-247: Bank alleged to have denied customer access to her personal information
- Fees are not to be used by organizations to discourage requests; an organization should consider charging fees for processing a request only when the request is exceptional, and then only at minimal cost.
- Even if the organization informs the complainant of the approximate cost of responding to an access request, the amount must be considered minimal. Although PIPEDA does not define "minimal", the implication is that the fee should be a token one.
- While photocopy fees may be acceptable, a flat fee cannot be charged if it may have the effect of dissuading individuals from requesting access.
- There could be less costly options in providing access than providing copies. While reasonable photocopy fees may be acceptable, a storage fee is unreasonable.
- Requests for access to one’s personal information are not automatically granted. Such requests can be refused if any of the exceptions set out under PIPEDA apply.
- An organization need not provide access to documents that do not contain personal information of the complainant.
9(3)(a) – information protected by solicitor-client privilege
- Information withheld under paragraph 9(3)(a) can include information prepared by company lawyers with respect to a workers’ compensation board dispute and a grievance lodged by a complainant.
- Under paragraph 9(3)(a) of PIPEDA, an organization can withhold access to personal information if it is subject to litigation privilege. Litigation privilege is a component of solicitor-client privilege; it protects materials brought into existence for the dominant purpose of litigation or reasonably anticipated litigation.
- Individuals involved in ongoing civil litigation who have been denied access to their personal information for reasons of solicitor-client privilege can more appropriately use civil court procedures to address the matter of the claimed privilege. In such cases, individuals can bring a motion to the Court to obtain a binding ruling on the appropriateness of the privilege being asserted on their personal information.
- Paragraph 9(3)(a) was found to apply to withhold information relating to advice that the organization sought or obtained from its legal counsel with regard to problems it experienced with an individual.
9(3)(b) – confidential commercial information
- Information generated by a bank’s investigation of alleged credit card fraud can be considered to be confidential commercial information, where commercial interests of the organization could suffer irreparable harm if the information is released and preservation of confidentiality constitutes a sufficiently important interest.
- A bank’s internal credit scoring model can be considered confidential commercial information.
- The Commissioner did not agree that information regarding compensation paid to the complainant and the costs related to his claim with the province's workplace safety board constituted confidential commercial information.
9(3)(c.1) – information collected under paragraph 7(1)(b)
- The Commissioner found that an organization had properly exercised its discretion to rely on paragraph 9(3)(c.1) in denying the complainant access to personal information the organization had collected for reasonable purposes related to an investigation into a breach of an employment agreement. The complainant’s knowledge and consent in the matter would have compromised the availability and accessibility of the information.
- An organization relying upon paragraph 9(3)(c.1) to withhold personal information must notify the Privacy Commissioner in accordance with subsection 9(5) of PIPEDA.
- Information relating to an organization’s investigation into its employee’s fitness to work fell under paragraph 9(3)(c.1).
9(3)(d) – information generated in the course of a formal dispute resolution process
- The Commissioner found that paragraph 9(3)(d) could not be invoked to deny access to information gathered in the course of an administrative process for resolving complaints or grievances.
- Notes generated in the process of conducting a medical evaluation to assist an insurer in determining the complainant's eligibility for benefits were not considered to have been “generated in the course of a dispute resolution process”.
- A grievance and arbitration process can be considered a formal dispute resolution process.
- An individual must demonstrate the inaccuracy of the information that an organization holds for the organization to be required to amend the information in question.
- PIPEDA Case Summary #2005-293: Commissioner considers access, correction, and inappropriate disclosure allegations against insurance company
- PIPEDA Case Summary #2006-359: Bank reported accurate information regarding bounced cheque
- PIPEDA Case Summary #2002-70: Bank accused of assigning inaccurate credit ratings
- An organization was found to have met its obligations under Principle 4.9.6 when it gave an individual the opportunity to provide a statement regarding a disputed entry, which the organization then recorded and attached to the individual's credit file and transmitted to any third parties having access to the individual's credit information.
For more information regarding access to personal information under PIPEDA, see the OPC Fact Sheet on Accessing Personal Information under PIPEDA and related Guidance for Organizations.