Accessing Personal Information under PIPEDA
Frequently Asked Questions
What is personal information?
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information is defined as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” The definition is broad and can include a wide range of information. For example, your financial transaction histories, your credit history, other people’s opinions about you, photographs of you, your fingerprints or voice prints, your blood type, video or audio footage where you appear or are heard – these are a few examples of information that can be considered personal information.
Can I ask a company for my personal information?
Yes. PIPEDA gives you a general right to access personal information that organizations hold about you.
How do I ask for my personal information?
You need to put your request to the organization in writing. It is a good idea to provide sufficient information and be as specific as possible, because that will help speed up the process at their end. The information you provide to support your request can only be used for the purpose of processing your request.
Can I get a copy of my personal information?
While you might typically receive a paper copy of the documents containing your personal information, the organization is not obliged by law to give you a copy. Rather, they are required to provide you with access to your personal information.
In some cases, you may be invited to simply go to the organization’s premises and access the material on site.
If you have a disability that requires a format other than paper or prevents you from accessing the material on site, you should advise the organization at the time of your access request.
How long should I expect the process to take?
Under the law, the organization is supposed to give you access to your personal information within 30 calendar days. If they don’t have it, they must advise you of this fact within those 30 days.
There are some very specific circumstances under which the organization may require an extension of up to 30 additional days. If that is the case, they have to advise you within the first 30 days and explain the reason for the delay. You have the right to complain about this delay to the Office of the Privacy Commissioner of Canada.
What if I find an error in my personal information?
You may request that any factual errors or omissions be corrected. You would typically have to provide some evidence to back up your claim. Under the law, an organization must amend the information as required if you successfully demonstrate that it’s incomplete or inaccurate.
If you and the organization can’t agree on changing the information, you have the right to have your concerns recorded.
If the organization has previously shared incorrect information with third parties, it must, where appropriate, forward the amended information (or the record of the unresolved challenge) to those parties, so that they too can correct their records.
Does it cost anything to access my personal information?
Ordinarily, it should cost you little or nothing to gain access to your personal information. The law requires an organization to respond to your request at minimal or no cost to you.
An organization may only charge you a minimal fee for responding if it has informed you of the approximate cost up front and you agree to proceed with the request at that cost.
If you feel that an organization is attempting to charge an unreasonable fee, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.
Can I obtain access to the personal information of a family member?
Ordinarily, you may only request access to information about yourself. Organizations may withhold information that relates to a third party, such as a family member, or sever it from other personal information that relates to you.
If, however, the family member consents in writing to the release of the information or if you need the information because an individual’s life, health or security is threatened, then you may be entitled to access it.
Can a company deny my request for access to my personal information?
Yes. The law sets out a number of exceptions to your general right of access to your personal information.
There are, for example, circumstances under which the organization may choose to withhold some or all of the information. There are also circumstances under which organizations are forbidden by law from releasing the information.
Please refer to our guidance for further details.
If the organization denies part or my entire access request, do I have any recourse?
If you feel that the organization is withholding more information than it should, you have a right to file a complaint with the Office of the Privacy Commissioner of Canada.
However, before doing so, you should try to resolve the matter with the organization directly. Sometimes the problem stems from a simple oversight or a misunderstanding that can be easily corrected.