Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires private sector organizations to provide personal information to individuals on request.
Failing to comply with privacy access requests can lead to unhappy customers, reputational damage, and investigation by the Office of the Privacy Commissioner (OPC).
In this article, we'll be helping you understand all aspects of how to respond to PIPEDA privacy access requests.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
First, we're going to give a brief overview of PIPEDA and how it applies to organizations operating in Canada. If you already know that you need to comply with PIPEDA, you can skip ahead to our guidance on privacy access requests.
As Canada's major privacy law, PIPEDA applies to all organizations that engage in "commercial activity."
Here's how PIPEDA defines "commercial activity":
This definition generally excludes public sector organizations (which are instead covered by the Privacy Act, available here), but it can include nonprofits and organizations that receive some public funding.
According to the OPC, non-Canadian companies with a "a real and substantial connection to Canada" must comply with PIPEDA.
The Canadian Federal Court has also applied PIPEDA to businesses without any physical presence in Canada.
Certain Canadian provinces have local privacy laws that override PIPEDA, including Alberta, British Columbia, and Quebec.
However, these local laws are substantially similar to PIPEDA, and our guidance on privacy access requests also applies to businesses operating in these provinces.
Irrespective of these provincial exemptions, PIPEDA applies to:
Along with the obligation to facilitate privacy access requests, PIPEDA imposes many other requirements on organizations, including:
For more information about these requirements, see our main PIPEDA article.
The privacy access request process requires organizations to provide the personal information of any individual who requests it.
PIPEDA's privacy access request process works in a similar way to the subject access request process under the EU General Data Protection Regulation (GDPR).
There are numerous exceptions to PIPEDA's right of access (which we'll look at below), but these are only available in very specific circumstances.
Individuals may request access to a specific piece of personal information that you hold about them, or all the personal information you hold about them.
If you don't hold the personal information that the individual has requested, you must let them know.
Under PIPEDA, personal information can be any "information about an identifiable individual."
In addition to the most obvious examples (including a person's name, address, or ID number), the OPC has identified the following types of personal information:
You must provide the information in a form that is "generally understandable." If the information contains abbreviations or codes, you may need to explain what these mean.
If the individual requests the information in an alternative format due to a disability, you must accommodate this request.
If an individual informs you that the personal information you hold about them is inaccurate or incomplete, and they can demonstrate this, then you must correct or update it. You might also need to delete part of the information.
If you have disclosed inaccurate or incomplete information to third parties, you may also need to inform them so that they can correct or update it.
You must respond to a privacy access request within 30 calendar days of receiving it.
There are three exceptions. You may extend the deadline if:
Under such circumstances, you may take an additional 30 days before providing the information.
You must let the individual know of the reason for your delay, and inform them of their right to make a complaint to the OPC (you can direct them to the OPC's website, here).
You must not normally charge a fee for responding to a privacy access request.
If you do need to charge a fee, it must be as low as reasonably possible and based on a genuine estimate of the costs involved in providing the requested information.
You should give the individual an estimate of the costs in advance, and obtain their approval before carrying out the request.
Neither PIPEDA nor the OPC suggests that you verify an individual's identity before providing personal information.
However, the right of access must be balanced against PIPEDA's requirement to keep personal information secure. Therefore, common sense dictates that you may need to verify an individual's identity in certain circumstances.
However, because there is no explicit obligation to verify an individual's identity in the course of a privacy access request, it is important not to be obstructive when doing so.
Ideally, you will be able to identify an individual by asking them to confirm information that you already hold about them. For example, you may ask them to log into their online account, or to list recent transactions they have made with your company.
However, on some occasions, it may be appropriate to ask for identification. If you do so, ensure that you keep copies of the individual's identification secure, and erase them as soon as they are no longer needed.
There are numerous exemptions and exceptions to the privacy access request process.
If an individual's request falls under one of these exemptions, you may (or in some cases, must) refuse to provide the personal information they have requested.
When rejecting a privacy access request, you must inform the individual of your reason for doing so. You must also inform them of their right to make a complaint to the OPC.
If an individual makes a request in person or over the phone, you should ask them to put it in writing.
Privacy access requests are only valid if made in writing. If the person has difficulty formulating their request in writing, you should offer to help them.
You don't need to comply with a privacy access request "if doing so would likely reveal personal information about a third party."
However, this exemption doesn't apply if you can remove or redact the personal information of other individuals.
For example, the email below contains the personal information of one individual, along with the redacted personal information of four others:
With consent from the other individuals referred to in this email, you could also reveal their personal information, if appropriate.
You don't need to provide personal information that is subject to solicitor (lawyer)-client privilege.
Canadian law defines "solicitor-client privilege" as "confidential communications between lawyers and their clients" (from the case of Blank v Canada). This is also known as the "legal advice privilege."
However, the solicitor-client privilege exemption shouldn't be interpreted too narrowly. It can also encompass information that falls under so-called "litigation privilege." This includes "information and materials gathered or created in the litigation context."
So, under the solicitor-client privilege exemption, you may not need to provide the following types of information under a privacy access request, even if they contain personal information:
Beware of applying this exemption too broadly, however. In a 2017 complaint report, the OPC advises against adopting a "blanket" policy of refusing to share documents that might be required in legal proceedings.
You don't need to comply with a privacy access request if "to do so would reveal confidential commercial information."
If you are able to exclude confidential commercial information from the personal information you provide to the individual, you must do so.
You don't need to comply with a privacy access request if "to do so could reasonably be expected to threaten the life or security of another individual."
Again, if you are able to exclude life- or security-threatening information from the personal information you provide to the individual, you must do so.
You don't need to provide access to personal information that was collected under paragraph 7(1)(b) of PIPEDA.
Here's paragraph 7(1)(b):
This part of PIPEDA states that organizations may collect personal information without knowledge or consent as part of an investigation into:
If you have collected personal information for these purposes, you may not be required to share it under a privacy access request.
You don't need to provide access to personal information if "the information was generated in the course of a formal dispute resolution process."
In a 2016 complaint report, the OPC stated that a "formal dispute resolution process" must:
A complaints process will not qualify as a "formal dispute resolution process" unless it has the above characteristics. Therefore, personal information generated or collected when dealing with a customer's complaint is unlikely to fall under this exemption.
You don't need to provide access to personal information if "the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act."
The Public Servants Disclosure Protection Act (PSDPA, available here) is also known as the "Whistleblower Law." The law provides a mechanism for individuals to report wrongdoing in the public sector.
The PSDPA only relates to the activity of public sector employees. However, it is relevant to individuals in the private sector who are reporting wrongdoing in the public sector.
The exemption may apply if, for example:
Under these circumstances, you would not have to provide details of the report to the individual.
This exemption may apply if you have disclosed an individual's personal information:
If you receive a privacy access request for access to such personal information, you must inform the institution to which you disclosed the personal information.
If you do not hear back from the institution within 30 days, you must respond to the individual's request in the normal way.
If the institution objects to you releasing the information, you must not respond to the individual's request (even to inform them that you have been ordered not to disclose the information). You must also report this refusal to the OPC, in writing.
If your organization is covered by PIPEDA and it receives a privacy access request from an individual:
If the individual can demonstrate that the information is incomplete or inaccurate, you must update, delete, or correct it as appropriate.
Under certain circumstances, you can refuse a privacy access request, including:
Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022