How to Handle PIPEDA Privacy Access Requests

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires private sector organizations to provide personal information to individuals on request.

Failing to comply with privacy access requests can lead to unhappy customers, reputational damage, and investigation by the Office of the Privacy Commissioner (OPC).

In this article, we explain how to respond to PIPEDA privacy access requests, from scope and timeframes to the exemptions that allow you to refuse a request.


PIPEDA Overview

First, we're going to give a brief overview of PIPEDA and how it applies to organizations operating in Canada. If you already know that you need to comply with PIPEDA, you can skip ahead to our guidance on privacy access requests.

Who Does PIPEDA Apply to?

As Canada's major privacy law, PIPEDA applies to all organizations that engage in "commercial activity."

Here's how PIPEDA defines "commercial activity":

Government of Canada Justice Laws Website: PIPEDA - Definition of commercial activity

This definition generally excludes public sector organizations (which are instead covered by the Privacy Act, available here), but it can include nonprofits and organizations that receive some public funding.

Does PIPEDA Apply to Non-Canadian Companies?

According to the OPC, non-Canadian companies with "a real and substantial connection to Canada" must comply with PIPEDA.

The Canadian Federal Court has also applied PIPEDA to businesses without any physical presence in Canada.

Does PIPEDA Apply in Every Canadian Province?

Certain Canadian provinces have local privacy laws that override PIPEDA, including Alberta, British Columbia, and Quebec.

However, these local laws are substantially similar to PIPEDA, and our guidance on privacy access requests also applies to businesses operating in these provinces.

Irrespective of these provincial exemptions, PIPEDA applies to:

  • All processing of personal information that takes place across provincial borders, and
  • All federally regulated organizations, including banks, broadcasters, and telecommunications companies

Other PIPEDA Requirements

Along with the obligation to facilitate privacy access requests, PIPEDA imposes many other requirements on organizations, including:

  • Maintaining a PIPEDA-compliant Privacy Policy
  • Protecting personal information via reasonable security safeguards
  • Designating a Privacy Officer to oversee your organization's PIPEDA compliance
  • Obtaining consent for the collection of personal information, where appropriate

For more information about these requirements, see our main PIPEDA article.

Privacy Access Requests Under PIPEDA

The privacy access request process requires organizations to provide the personal information of any individual who requests it.

PIPEDA's privacy access request process works in a similar way to the subject access request process under the EU General Data Protection Regulation (GDPR).

There are numerous exceptions to PIPEDA's right of access (which we'll look at below), but these are only available in very specific circumstances.

What Information Must be Provided to the Individual?

Individuals may request access to a specific piece of personal information that you hold about them, or all the personal information you hold about them.

If you don't hold the personal information that the individual has requested, you must let them know.

Under PIPEDA, personal information can be any "information about an identifiable individual."

In addition to the most obvious examples (including a person's name, address, or ID number), the OPC has identified the following types of personal information:

  • Financial transaction histories
  • Credit histories
  • Other people's opinions about an individual
  • Photographs of an individual
  • Fingerprints
  • Voice prints
  • Blood type
  • Video or audio footage in which an individual appears or is heard
  • Web cookies
  • Internet browsing history
  • IP address

You must provide the information in a form that is "generally understandable." If the information contains abbreviations or codes, you may need to explain what these mean.

If the individual requests the information in an alternative format due to a disability, you must accommodate this request.

Inaccurate or Incomplete Information

If an individual informs you that the personal information you hold about them is inaccurate or incomplete, and they can demonstrate this, then you must correct or update it. You might also need to delete part of the information.

If you have disclosed inaccurate or incomplete information to third parties, you may also need to inform them so that they can correct or update it.

Timeframe

You must respond to a privacy access request within 30 calendar days of receiving it.

There are three exceptions. You may extend the deadline if:

  1. Meeting the deadline would interfere to an unreasonable extent with your organization's activities
  2. You need to make consultations that would make it impractical to meet the deadline
  3. You need to convert the information into an alternative format (at the individual's request)

Under such circumstances, you may take an additional 30 days before providing the information.

You must let the individual know of the reason for your delay, and inform them of their right to make a complaint to the OPC (you can direct them to the OPC's website, here).

Charging a Fee

You must not normally charge a fee for responding to a privacy access request.

If you do need to charge a fee, it must be as low as reasonably possible and based on a genuine estimate of the costs involved in providing the requested information.

You should give the individual an estimate of the costs in advance, and obtain their approval before carrying out the request.

Verifying an Individual's Identity

Neither PIPEDA nor the OPC suggests that you verify an individual's identity before providing personal information.

However, the right of access must be balanced against PIPEDA's requirement to keep personal information secure. Therefore, common sense dictates that you may need to verify an individual's identity in certain circumstances.

However, because there is no explicit obligation to verify an individual's identity in the course of a privacy access request, it is important not to be obstructive when doing so.

Ideally, you will be able to identify an individual by asking them to confirm information that you already hold about them. For example, you may ask them to log into their online account, or to list recent transactions they have made with your company.

However, on some occasions, it may be appropriate to ask for identification. If you do so, ensure that you keep copies of the individual's identification secure, and erase them as soon as they are no longer needed.

Refusing a PIPEDA Privacy Access Request

There are numerous exemptions and exceptions to the privacy access request process.

If an individual's request falls under one of these exemptions, you may (or in some cases, must) refuse to provide the personal information they have requested.

When rejecting a privacy access request, you must inform the individual of your reason for doing so. You must also inform them of their right to make a complaint to the OPC.

Oral Requests

If an individual makes a request in person or over the phone, you should ask them to put it in writing.

Privacy access requests are only valid if made in writing. If the person has difficulty formulating their request in writing, you should offer to help them.

Breach of Third-Party Privacy

You don't need to comply with a privacy access request "if doing so would likely reveal personal information about a third party."

However, this exemption doesn't apply if you can remove or redact the personal information of other individuals.

For example, the email below contains the personal information of one individual, along with the redacted personal information of four others:

Example email with personal information redacted

With consent from the other individuals referred to in this email, you could also reveal their personal information, if appropriate.

Solicitor-Client Privilege

You don't need to provide personal information that is subject to solicitor-client (lawyer-client) privilege.

Canadian law defines "solicitor-client privilege" as "confidential communications between lawyers and their clients" (from the case of Blank v Canada). This is also known as the "legal advice privilege."

However, the solicitor-client privilege exemption shouldn't be interpreted too narrowly. It can also encompass information that falls under so-called "litigation privilege." This includes "information and materials gathered or created in the litigation context."

So, under the solicitor-client privilege exemption, you may not need to provide the following types of information under a privacy access request, even if they contain personal information:

  • Communications between your company and its legal advisers
  • Documents that you have gathered or created for use in legal proceedings

Beware of applying this exemption too broadly, however. In a 2017 complaint report, the OPC advises against adopting a "blanket" policy of refusing to share documents that might be required in legal proceedings.

Confidential Commercial Information

You don't need to comply with a privacy access request if "to do so would reveal confidential commercial information."

If you are able to exclude confidential commercial information from the personal information you provide to the individual, you must do so.

Threats to Life or Security

You don't need to comply with a privacy access request if "to do so could reasonably be expected to threaten the life or security of another individual."

Again, if you are able to exclude life- or security-threatening information from the personal information you provide to the individual, you must do so.

Investigations Under Paragraph 7(1)(b)

You don't need to provide access to personal information that was collected under paragraph 7(1)(b) of PIPEDA.

Here's paragraph 7(1)(b):

Government of Canada Justice Laws Website: PIPEDA Section 7 1 b - Investigating a breach of an agreement or a contravention of laws

This part of PIPEDA states that organizations may collect personal information without knowledge or consent as part of an investigation into:

  • A breach of an agreement (e.g. a contract), or
  • Illegal activity

If you have collected personal information for these purposes, you may not be required to share it under a privacy access request.

Dispute Resolution

You don't need to provide access to personal information if "the information was generated in the course of a formal dispute resolution process."

In a 2016 complaint report, the OPC stated that a "formal dispute resolution process" must:

  • Have a framework or structure
  • Be either legislated or agreed to by the parties to the dispute
  • Have recognized rules

A complaints process will not qualify as a "formal dispute resolution process" unless it has the above characteristics. Therefore, personal information generated or collected when dealing with a customer's complaint is unlikely to fall under this exemption.

Whistleblowing

You don't need to provide access to personal information if "the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act."

The Public Servants Disclosure Protection Act (PSDPA, available here) is also known as the "Whistleblower Law." The law provides a mechanism for individuals to report wrongdoing in the public sector.

The PSDPA only relates to the activity of public sector employees. However, it is relevant to individuals in the private sector who are reporting wrongdoing in the public sector.

The exemption may apply if, for example:

  • Your company provides services to a public body
  • One of your employees observes wrongdoing at the public body
  • Your employee decides to report this wrongdoing under the PSDPA
  • You keep records of your employee's report
  • The individual accused of wrongdoing submits a privacy access request to your company

Under these circumstances, you would not have to provide details of the report to the individual.

Subpoenas, Warrants, or Orders

This exemption may apply if you have disclosed an individual's personal information:

  • Pursuant to a subpoena, warrant or order, or
  • To a government institution or investigative body in relation to any of the following issues:
    • National security
    • National defense
    • Terrorism
    • Law enforcement
    • Money-laundering

If you receive a privacy access request covering such personal information, you must inform the institution to which you disclosed the personal information.

If you do not hear back from the institution within 30 days, you must respond to the individual's request in the normal way.

If the institution objects to you releasing the information, you must not respond to the individual's request (even to inform them that you have been ordered not to disclose the information). You must also report this refusal to the OPC, in writing.

Summary

If your organization is covered by PIPEDA and it receives a privacy access request from an individual:

  • You must provide any requested personal information you hold on the individual
  • You must respond within 30 days unless you have a valid reason for delaying, in which case you must inform the individual and may take another 30 days
  • You should not normally charge a fee

If the individual can demonstrate that the information is incomplete or inaccurate, you must update, delete, or correct it as appropriate.

Under certain circumstances, you can refuse a privacy access request, including:

  • If the request has not been made in writing (ask the individual to write to you or email you)
  • If a third party's privacy would be breached
  • If the information is covered by solicitor-client privilege
  • If the information contains confidential commercial information
  • If revealing the information presents a threat to life or security
  • If the information was collected or generated as part of a legal investigation
  • If the information was collected or generated as part of a formal dispute resolution process
  • If the information was collected or generated to make a disclosure under the Public Servants Disclosure Protection Act
  • If the information has been submitted to a court or government institution and the institution objects to its disclosure
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.