Accessing Personal Information under the Personal Information Protection and Electronic Documents Act
Our new and updated guide for business:
Privacy Toolkit - A Guide for Businesses and Organizations
Banks, insurance companies and many other private-sector organizations collect personal information about individuals in the course of doing business. Depending on the location and activities of the organization, it may be subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for the private sector, or it may be subject to provincial private-sector privacy legislation.1 The following information is intended to address related obligations under PIPEDA.
PIPEDA ensures that the personal information organizations collect about individuals is protected. It also gives people a right to access their personal information held by organizations. Personal information is broadly defined under PIPEDA. For example, financial transaction histories; credit histories; other people’s opinions about an individual; photographs of an individual; an individual’s fingerprints, voice prints or blood type; video or audio footage where an individual appears or is heard – these are a few examples of information that can be considered personal information. While the primary focus of this document is on providing access to personal information that is held in written form, the right of access applies equally to personal information held in other formats. For more information on what personal information can be, please see our Interpretation Bulletin on Personal Information.
The Act allows individuals to see what personal information the organization holds about them, and to ensure it is accurate and complete. If they feel the information is incomplete or factually inaccurate, they may also request that it be amended. If the individual and the organization don’t agree on changing the information, the requester has the right to have his or her concerns be recorded.
If the erroneous information was previously shared with other organizations, individuals may be entitled to have the amended information (or the record of the unresolved challenge) forwarded to those organizations.
The rules governing people’s access to their personal information in the hands of private-sector organizations can be complex – for individuals as well as for businesses.
Therefore, the Office of the Privacy Commissioner of Canada has prepared some Frequently Asked Questions (FAQs) for individuals to help explain some of the details.
We have also developed guidelines to assist organizations in complying with PIPEDA’s access requirements.
 The three provinces with substantially similar private-sector privacy legislation are Alberta, British Columbia, and Quebec.