
How to respond to requests for access to Personal Information

The following information may provide you with an understanding of how to respond to requests for access to Personal Information under PIPEDA. It is intended to be helpful, but it is not legal advice. If you notice any errors or omissions, please let us know so we may improve the document. This document includes compendia of the Federal Privacy Commissioner's Decision Summaries released up to Decision Summary #260.

Many people have invested much thought to create other helpful guidance documents. Several very helpful ones are listed below this information.


After this tutorial you will be able to:

  • Apply definitions and guidelines from the Personal Information Protection and Electronic Documents Act and analogous information in previous decisions by the Privacy Commissioner's Office to requests for personal information.
  • Decide how to appropriately respond to requests for access to personal information.


Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) protects "personal information" (hence its name) and provides guidelines for organizations' privacy officers to respond to individuals' requests for access to their personal information.

As a Privacy Officer, you want to know how to respond to requests for access to personal information.

Fortunately, a number of clues are available to you:

  • The legislators included rules for responding to requests for personal information in PIPEDA.
  • The rules in PIPEDA on responding to personal information requests include time limits, exemptions, and other specific guidelines.
  • Disputants have asked the federal privacy commissioner to decide whether they are entitled to access to their personal information, and to determine whether organizations have responded to their requests appropriately. The Office of the Privacy Commissioner has published summaries of many of its decisions regarding these disputes.
  • The federal privacy commissioner's office has published general guidelines on responding to requests for access to personal information.


PIPEDA contains the following provisions regarding individuals' access to their personal information in its statute sections:

Application

4. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

Limit

(2) This Part does not apply to

(a) any government institution to which the Privacy Act applies;

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Compliance with obligations

5. (1) Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.

Appropriate purposes

5. (3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Written request

8. (1) A request under clause 4.9 of Schedule 1 must be made in writing.

Assistance

(2) An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

Time limit

(3) An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Extension of time limit

(4) An organization may extend the time limit

(a) for a maximum of thirty days if

(i) meeting the time limit would unreasonably interfere with the activities of the organization, or

(ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or

(b) for the period that is necessary in order to be able to convert the personal information into an alternative format.

In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

Deemed refusal

(5) If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

Costs for responding

(6) An organization may respond to an individual's request at a cost to the individual only if

(a) the organization has informed the individual of the approximate cost; and

(b) the individual has advised the organization that the request is not being withdrawn.

Reasons

(7) An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.

Retention of information

(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.

When access prohibited

9. (1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Limit

(2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual's life, health or security is threatened.

Information related to paragraphs 7(3)(c), (c.1) or (d)

[For ease of reference, paragraphs 7(3)(c), (c.1) and (d) provide:

7.(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;]

(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization

(a) inform the individual about

(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or

(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

(b) give the individual access to the information referred to in subparagraph (a)(ii).

Notification and response

(2.2) An organization to which subsection (2.1) applies

(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

(b) shall not respond to the request before the earlier of

(i) the day on which it is notified under subsection (2.3), and

(ii) thirty days after the day on which the institution or part was notified.

Objection

(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

(a) national security, the defence of Canada or the conduct of international affairs;

(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

*(a.1) the detection, prevention or deterrence of money laundering; or

*[Note: Paragraph 9(2.3)(a.1), as enacted by paragraph 97(1)(c) of chapter 17 of the Statutes of Canada, 2000, will be repealed at a later date.]

(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

Prohibition

(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);

(b) shall notify the Commissioner, in writing and without delay, of the refusal; and

(c) shall not disclose to the individual

(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,

(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or

(iii) that the institution or part objects.

When access may be refused

(3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if

(a) the information is protected by solicitor-client privilege;

(b) to do so would reveal confidential commercial information;

(c) to do so could reasonably be expected to threaten the life or security of another individual;

(c.1) the information was collected under paragraph 7(1)(b); or

[For ease of reference, paragraph 7(1)(b) provides:

7.(1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if

(b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;]

(d) the information was generated in the course of a formal dispute resolution process.

However, in the circumstances described in paragraph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

Limit

(4) Subsection (3) does not apply if the individual needs the information because an individual's life, health or security is threatened.

Notice

(5) If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.

2000, c. 5, s. 9, c. 17, s. 97; 2001, c. 41, s. 82.

Sensory disability

10. An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format if

(a) a version of the information already exists in that format; or

(b) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Part.

PIPEDA contains the following provisions regarding individuals' access to their personal information in its principles:

4.2.1

The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).

4.5 Principle 5 - Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

4.5.2

Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.

4.5.3

Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

4.5.4

This principle is closely linked to the Consent principle (Clause 4.3), the Identifying Purposes principle (Clause 4.2), and the Individual Access principle (Clause 4.9).

4.9 Principle 9 - Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

4.9.1

Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.

4.9.2

An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

4.9.3

In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.

4.9.4

An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.


The federal privacy commissioner's office has made a number of decisions which help clarify its interpretation of the statute sections and principles. (Decisions cited are not necessarily the only Decisions relevant to the concepts they clarify, but are given as examples of the Commissioner's application of the statute provisions and principles.)

The Act provides individuals with the right of access to their information, but not necessarily files or records. It is considered good practice to provide a copy of documents upon request instead of merely allowing access to the documents at the organization's location.

  • When a requestor complained that the organization should be required to provide copies of letters containing personal information, the privacy commissioner's office determined that it was sufficient for the organization to provide the information contained in the letters without providing copies of the letters themselves, since the letters did not contain personal information about the requestor that was unavailable elsewhere. The Act protects information (such as names, financial data, and identifiers that may appear in particular documents) rather than records (the particular documents themselves). Decision Summary #252.

The Act does not apply to personal information held by individuals for personal use.

  • An employee was refused access to records believed to be in the possession of the employer and a co-worker and which contained the details of a complaint previously issued against him/her by another employee. The Act did not apply to the records retained by the co-worker because the records were retained solely for personal use. Decision Summary #60.

Organizations are required to comply with the Act's time-limit provisions, including those provisions regarding time-limit extensions. Organizations must fully respond to an access request within 30 days. Under some circumstances, an organization may notify the requestor within the initial 30-day period of the reasons it requires an extension. An organization may extend the time limit for a maximum of 30 days if meeting the limit would unreasonably interfere with the activities of the organization or if the time required for any necessary consultations would make the time limit impracticable to meet. The Commissioner will determine whether reasons given for an extension are valid. A valid extension will enable the organization a total of 60 days in which to respond. Under some very limited circumstances, an organization's failure to respond within the time limit may be excused. However, the decisions overwhelmingly suggest a delay of even one day in a response results in a violation of PIPEDA.

  • An organization fails to comply with the Act even if the request for information was sent to an operational building that did not normally receive requests from the public and had no procedure or personnel for dealing with requests. Decision Summary #239.
  • An organization must respond to requests for personal information even if the organization does not have an appointed privacy officer or adequate response procedures in place. Decision Summaries #179, #165.
  • When an access request is contingent upon a stated event, the 30-day time limit does not begin until the event happens. Decision Summary #70.
  • A high volume of information requests and human error do not excuse an organization from fulfilling information requests within the 30-day time limit. Decision Summaries #221, #102, #67, #64, #59, #44, #26.
  • An organization fails to comply with the Act even if it believes it had fulfilled its responsibilities by providing required information but, in fact, had not provided all requested information within the required timeframe. Decision Summary #229.
  • The organization must notify the requestor of the need for an extension even if the extension is required because the organization seeks to confirm the requestor's identity. Decision Summary #112.
  • If the reason for the extension is invalid, the organization fails to comply with the Act unless it fulfills the request within 30 days. Decision Summary #199.
  • It was reasonable for an organization that received a request for personal records covering a two-year period during the December holiday season to utilize an extension given the nature of the request, the need to consult various internal departments, and the fact of the holiday season. Decision Summary #68.
  • A verbal promise that information will be sent does not constitute fulfillment of the request. Decision Summary #124.
  • Notification by the organization of any fees required to fulfill the request does not excuse the organization from responding within the prescribed time limit. Decision Summary #29.
  • In some circumstances, an organization which fails to meet the 30-day deadline but acts in good faith may not be deemed to have refused the access request. Decision Summary #247.

Denial of access to personal information is based on what a reasonable person would expect.

  • An individual would not reasonably expect an organization which provides e-mail services to take in and store e-mails received for its customer but deny access while the account was in a suspended state unless explicit consent was obtained. Decision Summary #66.
  • A reasonable person would expect an organization to copy the custodian of records on a response denying access to those records. Decision Summary #20.

An organization is only required to respond to written requests.

  • An organization may respond to telephone requests, but is not required to do so. Decision Summary #7.
  • The requestor is not required to specify that the request is pursuant to the Act. Decision Summary #222.

The fact that the organization does not have the requested information does not excuse it from responding.

  • The organization must inform the requestor that it does not have the requested information. Decision Summary #60.
  • An organization does not refuse access when it does not provide a requested specific document that has never existed. Decision Summary #13.
  • An error occurred prior to the enactment of PIPEDA during a process to microfilm documents. An organization provided as much information as it could with respect to this document upon an individual's request but it did not violate the Act since the error occurred prior to its enactment. Decision Summary #90.

With some exceptions, an organization that denies an access request must provide the requestor with the reasons for its denial and inform him of his right to complain to the Commissioner.

  • A response stating that information could not be located which should have been retained constitutes a denial of access. Such notification to the requestor without the reasons for denial and explication of the requestor's rights violates PIPEDA. Decision Summary #16.

An organization must not provide access to personal information if doing so would reveal personal information about a third party, unless the information about the third party can be severed from the information about the requestor. In determining whether providing access to information would reveal other parties' personal information, it may be helpful to refer to our tutorial, "How to distinguish Personal Information from other information."

  • An organization was wrong to invoke the exception for information that merely referred to third parties and was not actually about those parties. Decision Summary #50.
  • An organization wrongly denied an employee access to a letter sent by it to the employee's physician claiming release of the information would reveal personal information about third parties. The Commissioner determined that the information about the physician was the employee's information since it was his physician. Information about the employee's manager was also the employee's information since the manager was making an allegation about the employee. The author of the letter had already revealed to the employee that she had written the letter. All other third party information was not considered personal information under the Act. Therefore, the denial was wrongful. Decision Summary #103.
  • A beneficiary of a trust has a legal right of access to account information. A bank's refusal to grant access to account information violated the beneficiaries' rights. Decision Summary #236.

Access may be refused to information: 1) protected by solicitor-client privilege; 2) generated for a dispute resolution process; 3) when disclosure might reasonably be expected to threaten the life or security of another individual; 4) if collected in the course of an investigation into a breach of a legal agreement or the contravention of Canadian law; or 5) considered confidential commercial information. An organization which relies upon an exemption from the requirement to provide access to personal information must provide notification of the basis upon which it decides to withhold information. Subsection 8(7) requires setting out the reasons for refusal. The Commissioner's office has not yet issued a decision summary regarding a situation involving paragraph 9(3)(c). It would seem undesirable for the refusal to state as its reason that giving access could reasonably be expected to threaten the life or security of another individual. However, the statute does not provide an express exemption from the subsection 8(7) requirement for a paragraph 9(3)(c) reason.

  • The access exception for records protected by solicitor-client privilege may not be legitimately invoked merely because a lawyer is consulted about the information. The filing of a complaint or grievance in and of itself does not constitute a formal dispute resolution process. Decision Summary #37.
  • An organization is not required to provide access if such access could reasonably be expected to threaten the life or security of another individual. However, to properly invoke this exception, the organization must have good reason to believe disclosure could reasonably threaten the life or security of another individual. Decision Summaries #103, #50.
  • Internal credit scores which might reveal a credit scoring model were considered confidential commercial information exempt from access. Decision Summary #63.
  • An organization is not required to provide access to personal information collected in the course of an investigation into a breach of an employment agreement. Decision Summaries #84, #73.
  • The conclusion of an investigation does not nullify the access exemption. Decision Summary #84.
  • Documentation concerning a grievance is deemed to be a type of formal dispute-resolution process and exempt from access but documentation created to respond to a human rights investigation is not. Decision Summary #88.
  • An investigation by the Commissioner is not a dispute resolution process for purposes of the Act and therefore does not provide a basis for an access request exemption. Decision Summary #92.
  • Notes created by the organization's legal department qualify for the solicitor-client privilege protection exemption. Decision Summary #122.

Organizations are required to establish record retention policies and procedures concerning personal information that is collected, used and disclosed. The guidelines should include minimum and maximum retention periods. Information may be retained in paper or electronic formats. When an organization destroys information which was used to make a decision about an individual before the individual has a reasonable opportunity to request access to and obtain the information, the organization violates PIPEDA. When an organization establishes the required policies but fails to follow them, it violates PIPEDA.

  • An organization was not required to maintain a copy of a complaint that was not used to make any decision about its employee. Decision Summary #60.
  • An organization that destroyed paper copies of letters but retained the data electronically met the requirements of PIPEDA. Decision Summary #252.
  • An organization which lost information it normally retained for seven years violated the Act when it could not respond to a request for access to that information. Decision Summary #16.
  • An organization complied with the Act when it disclosed requested information but failed to comply when it could not produce additional personal information which had been inadvertently destroyed. Decision Summary #216.

An organization must provide requested information which must be disclosed in a form that is generally understandable. Photocopies must be of a quality that can be easily read. An organization may translate the document into the language of the requestor. Where codes are used, an organization must provide a legend.

An organization may assess the costs of responding to an access request to the individual requestor but must inform the individual of the approximate cost. Any charge assessed to the requestor must be minimal and reasonable. Charges in excess of $150 have generally been deemed unreasonable.

The Privacy Commissioner's office has issued nearly 300 decision summaries which help us interpret PIPEDA by providing numerous examples of its application. For a concise compendium of summaries (such as those above) of those decisions, order the OPO Compendium. All decision summaries may be read in their entirety on the Privacy Commissioner's Web site. If you have a few specific pieces of information in mind, ask about them in the OPO Answer Forum. To access the OPO Answer Forum, simply join OPO.

There are no Federal Court decisions providing that court's interpretation of the statute.


In addition to the decision summaries, the federal privacy commissioner's office has published a number of fact sheets to assist organizations and individuals in interpreting and applying the Act. These are available online for easy reference:

Gearing up for the Personal Information Protection and Electronic Documents Act: http://www.privcom.gc.ca/fs-fi/02_05_d_16_e.asp. This fact sheet assists organizations' privacy officers in applying PIPEDA at work. Excerpt:

The PIPED Act reflects the realities of the business world. It's based on the Canadian Standards Association's Model Code for the Protection of Personal Information, which is incorporated into the legislation. The Code came out of a collaborative effort by representatives of government, consumers and business groups, and lists 10 principles of fair information practices. . . .

Best Practices for dealing with pre-PIPEDA personal information (grandfathering): http://www.privcom.gc.ca/fs-fi/02_05_d_22_e.asp. Learn how to apply PIPEDA to all personal information held by your organization, regardless of when it was collected. Excerpt:

How does the Personal Information Protection and Electronic Documents Act (PIPEDA) apply to personal information collected before the Act came into effect?

The answer, in brief, is that all provisions of PIPEDA, including the consent principle, apply to all personal information held by an organization, regardless of when the information was collected. This means, among other things, that organizations are required to keep the information as accurate, complete and up-to-date as necessary, protect the information with appropriate safeguards and give individuals access to their personal information.

However, it does not necessarily follow that an organization must seek established customers' express consent to the continued retention, use or disclosure of their personal information.

...

Under Principle 4.9 of PIPEDA, an organization must, upon request, inform individuals of the existence, use, and disclosure of their personal information, give them access to such information, and enable them to challenge its accuracy and completeness and, if required, have it amended.

This principle applies to all personal information held by an organization, regardless of when it was collected. Customers have a clear right of access to personal information collected by an organization before it became subject to PIPEDA.

How to Access your Personal Information and Lodge Complaints: http://www.privcom.gc.ca/fs-fi/02_05_d_11_e.asp. This fact sheet introduces Canada's Privacy Act and PIPEDA, and assists individuals in applying these laws to their own lives. Excerpt:

Do you think that an organization in the private sector is mishandling your personal information? Would you like to see what information an organization in the federally regulated private sector has about you?

Faxing Personal Information: http://www.privcom.gc.ca/fs-fi/02_05_d_04_e.asp. You might be considering responding to information requests by fax. This fact sheet will assist you in protecting the information you are transmitting. Excerpt:

Dialing a wrong fax number could accidentally send sensitive personal information, welfare files, unemployment claims, criminal records or medical diagnoses, to the wrong person. On several occasions employees have misdialled numbers or hit the wrong speed-dial key and sent sensitive personal information to the media.

The Personal Information Protection and Electronic Documents Act: http://www.privcom.gc.ca/fs-fi/02_05_d_11_02_e.asp. This document assists individuals who wish to access personal information about themselves which is held by organizations. Excerpt:

To access personal information held by an organization

  • Send a written request to the organization holding your personal information. You must provide enough detail to allow the organization to identify the information you want; for example, include dates, account numbers, and the names or positions of people you may have dealt with at the organization.
  • Organizations must provide the information requested within a reasonable time and at minimal or no cost.


The statutory provision is an express statement of the law. The Privacy Commissioner's decision summaries are the Privacy Commissioner's opinions of what the statutory provision means. PIPEDA subsection 14(1) permits complainants to go to the Federal Court after receiving the Privacy Commissioner's report in some situations. Therefore, there may be instances of the Federal Court offering opinions of what the statutory provisions mean that contradict those offered by the Privacy Commissioner. There may also be apparently contradictory decisions issued by either the Privacy Commissioner's office or the Federal Court. Contradiction may result from, among many other reasons, changes of the Privacy Commissioner, competing requirements of fairness in the respective fact situations, and changes in what is considered acceptable over time. Some may consider the Privacy Commissioner's opinions offered in the fact sheets to be less persuasive than the decision summaries because only the latter benefit from representations by both sides of a dispute. However, as the opinions expressed in the fact sheets have been expressed to provide guidance to organizations, that guidance ought to be given due consideration.

As a Privacy Officer you want to know what the decision maker will decide if a dispute ever arises. In practice, the Privacy Commissioner is the final decision maker whenever a complainant cannot afford a subsequent application to the Federal Court. Therefore, in assessing how to respond to a request for personal information, ask yourself what the Privacy Commissioner or the Federal Court would determine the appropriate response to be, rather than what your organization would prefer to do.


Here is a handy procedure to aid you in determining the appropriate response to a request for personal information:

Is the request for personal information in writing?

If yes, continue.

If no, inform the requestor of the need to make his request in writing. (Alternatively, your organization may have a policy of responding to verbal requests for personal information, even though PIPEDA does not require responses to requests that are not written.)

Does the requestor need assistance preparing his written request for personal information?

If yes, provide or arrange for assistance.

If no, wait for the written request.

Can the organization respond to the written request within 30 days?

If yes, proceed with fulfilling the request.

If no, continue to the next question.

Does the organization have a valid reason for requiring an additional 30 days to respond?

If yes, respond to the requestor with notification of the need for a time extension, including the reason or reasons an extension is necessary.

If no, refer to the statute; requests must be fulfilled within 30 days unless there is a valid reason for a time extension and the requestor is notified of the extension and the reason within 30 days of the original request.

If not sure, check the Act, Decision Summaries and Fact Sheets to determine whether the organization's justification for a time extension is likely to be judged valid.

Will the organization fulfill the request?

If yes, continue to the next question.

If no, unless the reason is one for which the organization is exempted from providing the reason for the refusal, inform the requestor of the reason for refusal and of his right to recourse under the provisions of the Act.

If not sure, review subsections 9(1) and 9(2) and the decision summaries interpreting them. For example:

Does the requested information reveal personal information about a third party?

If no, continue to the next question.

If yes, has the third party consented to the access, or does the requestor need the information because an individual's life, health or security is threatened? If yes, subsection 9(2) removes the third-party restriction; fulfill the request. If no, continue.

Is the third-party personal information severable from the requested information?

If yes, sever the third-party information and fulfill the remainder of the request. Refer to the statute for guidelines on informing third parties that their personal information is being accessed, if necessary.

If no, refuse access to the information that would reveal the third party's personal information and inform the requestor of the reasons and of his recourse.

Do any of the government-related restrictions on access apply? For example, subsections 9(2.1) to 9(2.4), which govern requests concerning information that has been disclosed to a government institution. If yes, notify the institution before responding, as those subsections require.

Do any of the other exceptions to the access requirement apply? For example, those in subsection 9(3), as limited by subsection 9(4): Is the information prohibitively costly to provide? Does the information contain references to other individuals? Can the information not be disclosed for legal, security or commercial proprietary reasons? Is the information subject to solicitor-client or litigation privilege?

If yes, is the portion of the information excepted by 9(3)(b) or 9(3)(c) severable from the requested information?

If yes, sever the information subject to the exception and fulfill the request.

If no, refuse the request and inform the requestor of the reason as well as of his recourse.

Will the organization charge the requestor a fee for the information?

If yes, inform the requestor of the amount of the fee (making sure it is minimal and reasonable) and continue fulfilling the request.

If no, continue fulfilling the request.

Does the requestor have a sensory disability which necessitates conversion of the information into an alternative format?

If yes, arrange for the information to be converted to the appropriate format and fulfill the request.

If no, continue fulfilling the request.

Does the requestor require the information to be translated into his language?

If yes, arrange for translation of the information and proceed with fulfilling the request.

If no, continue fulfilling the request.

Final checks:

Are photocopies readable?

If the information includes codes, is a legend provided?

Is all requested information included in the response?


Try a few quick questions about responding to requests for Personal Information.


Quiz Questions

1. A bank destroyed credit information on an applicant for a credit card after the applicant was denied credit. When the applicant requested access to his personal information, the bank was unable to respond. Did the bank violate PIPEDA?

2. An individual requested her credit score information from her local bank. A clerk advised her that the bank did not release such information to its customers. Following the individual's complaint to the Commissioner, the bank searched its records and reported that it had no credit files or applications in the individual's name and therefore had no corresponding credit score for her. Did the bank comply with PIPEDA?

3. An individual requested his personal information from an organization which had denied his credit application based on information it had received from a credit reporting agency. The organization refused to release all of the personal information it had collected about him, stating that:

A. By contractual agreement with the agency in question, it was prohibited from disclosing credit reporting information directly to any individual, except where disclosure is required by law.

B. Training and certifying its employees to review credit reporting information with consumers, in accordance with provincial legislation, would be very expensive.

C. Forcing organizations to disclose credit reporting information would amount to unnecessary duplication of service, since the information can be readily obtained from the credit reporting agencies.

Was the organization justified in refusing the individual's request?

4. An individual requested his personal information and complained to the Commissioner when the organization provided the pertinent data but not copies of the letters he had requested. Was the individual's complaint well-founded?

5. A former employee, who had been dismissed for cause, complained that his former employer had improperly withheld personal information relating to the employer's investigation into the employee's alleged breach of his employment agreement. Since the investigation was concluded and the requestor was no longer employed by the employer, the former employee argued that he should be given access to the information. The employer provided him access to his personnel records, but not to the investigation files, and did not cite a reason for withholding the latter. Was the dismissed employee's complaint well-founded?

6. An individual submitted a written request for his personal information and received two undated responses indicating that fulfillment of his request would be delayed due to a high volume of requests. Additionally, he was asked to provide proof of his identity, and did so. After waiting several months for a response, he telephoned the organization and was given his personal information over the phone, as well as assurance that the written response to his request would follow shortly. After waiting another month, he again wrote to the organization and stated that he had been waiting more than six months since his original request. Shortly thereafter, the organization sent him his personal information. The organization argued that the 60-day period in which it had to respond began with his last letter, since it had been waiting for confirmation of his identity until that point. Did the organization comply with PIPEDA?

Check your answers below.


Quiz Answers

1. Yes, the bank violated PIPEDA when it could not respond to the applicant's access request because it had failed to retain the information for a reasonable period. Decision Summary #253.

2. Yes, the bank complied with PIPEDA. An organization is not required to disclose information it does not have. Decision Summary #7.

3. No. The organization violated PIPEDA because it failed to cite any exemptions which would have allowed it to refuse the request. Decision Summary #47. The Commissioner said that:

A. In fact, disclosure of the information was indeed required by law.

B. Cost to the organization was not a concern of PIPEDA, and excessive costs could be avoided by providing the requestor with a simple legend at the time of the fulfillment of his request.

C. The Act does not provide for refusal on the grounds that the information can be obtained elsewhere.

4. No. The privacy commissioner's office determined that it was sufficient for the organization to provide the information contained in the letters without providing copies of the letters themselves, since the letters did not contain personal information about the requestor that was unavailable elsewhere. The Act protects information (such as names, financial data, and identifiers that may appear in particular documents) rather than records (the particular documents themselves). Decision Summary #252.

5. No. The Commissioner found that the conclusion of an investigation does not nullify the access exemption. Decision Summary #84. However, the Commissioner also found that the employer had failed to comply with PIPEDA because it had not given the requestor its reason for withholding the investigation files.

6. No. The Commissioner found that the organization had violated the time-limit provisions of the Act. Because it had provided the requestor with his personal information over the phone, the organization was assumed at that point to have satisfied its requirement of confirming the requestor's identity. A verbal promise that information will be sent does not constitute fulfillment of the request. Decision Summary #124.


Compliance Guides with lower levels of generality