Language selection


Interpretation Bulletin: Access to Personal Information

Revised: June 2020

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues can crystallize into general principles that can serve as helpful guidance for both complainants and organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA . These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA . As the Commissioner issues more findings, and the courts render more decisions, these interpretations may evolve and be further refined.

I. Relevant Statutory Provisions

of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA )

Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 4.9.1: Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.

Principle 4.9.2: An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

Principle 4.9.3: In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.

Principle 4.9.4: An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

Section 8(1): A request under clause 4.9 of Schedule 1 must be made in writing.

Section 8(2): An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

Section 8(3): An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Section 8(4): An organization may extend the time limit (a) for a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or (b) for the period that is necessary in order to be able to convert the personal information into an alternative format.

In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

Section 8(5): If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

Section 8(6): An organization may respond to an individual’s request at a cost to the individual only if (a) the organization has informed the individual of the approximate cost; and (b) the individual has advised the organization that the request is not being withdrawn.

Section 8(7): An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under [Part 1 of PIPEDA ].

Section 8(8): Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under [Part 1 of PIPEDA ] that they may have.

Section 9(1)Footnote 1: Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Section 9(3): Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if (a) the information is protected by solicitor-client privilege or the professional secrecy of advocates and notaries or by litigation privilege; (b) to do so would reveal confidential commercial information; (c) to do so could reasonably be expected to threaten the life or security of another individual; (c.1) the information was collected under paragraph 7(1)(b); (d) the information was generated in the course of a formal dispute resolution process; or (e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.

However, in the circumstances described in (b) or (c) above, if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

Section 9(5): An organization that decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1) shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.

II. Application by the Courts and the OPC in Different Contexts

Whether an organization can be said to meet its access obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the access principle has been interpreted and applied by the Courts and the OPC in different contexts.

Policies, Practices, and Procedures

Right of Access


Reasonable Search

  • An organization receiving a broad request for access to personal information has two options: (1) it can inquire of the party making the request if the party can be more specific as to the information requested, in which case the requesting party has an obligation to cooperate in defining the request, or (2) it can conduct a reasonable search of information it can reasonably expect to be responsive to the request. Where that latter course is chosen, and absent further evidence, there is no reason to conduct a search for messages falling outside the scope of what the organization reasonably believes it would collect, use and disclose in the course of its business operations. (Johnson v. Bell Canada, 2008 FC 1086)
  • Where an organization has conducted a reasonable search in response to an access request, and the requester claims that there is other information that has not been produced, the burden lies on the requester to establish at least a prima facie case that the search was inadequate. (Johnson v. Bell Canada, 2008 FC 1086)
  • In responding to access requests, organizations must search all their files and locations for personal information, not only those that are obvious sources of such data.

Responding to Access Requests


Time Limit




9(1) – Personal information of a third party

9(2.1)-(2.4) – Information relating to paragraphs 7(3)(c), (c.1), (c.2) or (d) of PIPEDA

  • The purpose of the scheme under subsections 9(2.1) to 9(2.4) is to protect the integrity of lawful investigations. Where an individual seeks either: (a) to be informed about a disclosure to a government institution pursuant to certain provisions or the existence of any information that the organization has relating to such a disclosure, or (b) access to such information itself, then the organization has an obligation to follow the process set out under subsection 9(2.2). This provision requires the organization, where it has made a disclosure to a government institution or a part of it, to ask the institution whether it objects to the disclosure of the information sought on certain grounds. In the event that the relevant government institution objects, the organization becomes subject to the obligations under subsection 9(2.4), which include refusing the request, informing the Office of the Privacy Commissioner, and not disclosing any of the information specified under paragraph 9(2.4)(c).
  • Organizations are only limited in responding to requests pursuant to subsection 9(2.4) if the request relates to a disclosure that falls within subsection 9(2.1) and the government institution has objected. However, if no disclosure has taken place, an organization must inform the individual of this fact upon request. Similarly, if a disclosure has taken place, but it is not covered by subsection 9(2.1) or another exemption, then an organization must not refuse access.

9(3)(a) – information protected by solicitor-client privilege / professional secrecy of lawyers and notaries

9(3)(b) – confidential commercial information

9(3)(c.1) – information collected under paragraph 7(1)(b)Footnote 2

9(3)(d) – information generated in the course of a formal dispute resolution process


For more information regarding access to personal information under PIPEDA , see the OPC Fact Sheet on Accessing Personal Information under PIPEDA and related Guidance for Organizations.

Date modified: