How to respond to requests to correct Personal Information
Many people have invested much thought to create other helpful guidance documents. Several very helpful ones are listed below this information.
The following information may provide you with an understanding of how to respond to requests to correct Personal Information under PIPEDA. It is intended to be helpful, but it is not legal advice. If you notice any errors or omissions, please let us know so we may improve the document. This document includes compendia of the Federal Privacy Commissioner's Decision Summaries released up to Decision Summary #260.
- Learning objectives
- Introduction
- Statutory Provisions
- Privacy Commissioner's Office Decisions
- Privacy Commissioner's Office Fact Sheets
- Hierarchy of Sources
- Analytical Flow Chart
- Quiz Questions
- Quiz Answers
- Compliance Guides
After this tutorial you will be able to:
- Apply definitions and guidelines from the Personal Information Protection and Electronic Documents Act and analogous information in previous decisions by the Privacy Commissioner's Office to requests to correct personal information held by your organization.
- Decide how to appropriately respond to requests to correct personal information.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information (hence its name) and provides guidelines for organizations' privacy officers to respond to individuals' requests to correct their personal information held by organizations.
As a Privacy Officer, you want to know how to respond to requests to correct personal information.
Fortunately, a number of clues are available to you:
- The legislators included rules and guidelines for responding to requests to correct personal information in PIPEDA.
- Disputants have asked the federal privacy commissioner to decide whether organizations have appropriately responded to their requests to have their personal information corrected. The Office of the Privacy Commissioner has published summaries of many of its decisions regarding these disputes.
- In the absence of a dispute the federal privacy commissioner's office has published general guidelines on dealing with personal information, including responding to requests to correct personal information.
PIPEDA contains the following provisions in its principles which are pertinent to the accuracy and correction of personal information.
4.6 Principle 6 - Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
4.6.1
The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
4.6.2
An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.
4.6.3
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
4.9 Principle 9 - Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
4.9.2
An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
4.9.5
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
4.9.6
When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
PIPEDA contains the following provisions in its statute sections which are pertinent to individuals' requests regarding personal information, including correction of personal information.
8. (1) A request under clause 4.9 of Schedule 1 must be made in writing.
(2) An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.
(3) An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
(4) An organization may extend the time limit
(a) for a maximum of thirty days if
(i) meeting the time limit would unreasonably interfere with the activities of the organization, or
(ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or
(b) for the period that is necessary in order to be able to convert the personal information into an alternative format.
In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.
(5) If the organization fails to respond within the time limit, the organization is deemed to have refused the request.
(6) An organization may respond to an individual's request at a cost to the individual only if
(a) the organization has informed the individual of the approximate cost; and
(b) the individual has advised the organization that the request is not being withdrawn.
(7) An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.
(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.
Please see our tutorial "How to respond to requests for access to Personal Information" for guidance and examples regarding access requests, response time extensions, and charges to requestors.
The federal privacy commissioner's office has made a number of decisions which help clarify that office's interpretation of the statute sections and principles. (Decisions cited are not necessarily the only Decisions relevant to the concepts they clarify, but are given as examples of the Commissioner's application of the statute provisions and principles.)
The Act requires that an individual be given the opportunity to challenge the accuracy and completeness of his or her personal information. The individual must have the opportunity to have incorrect information corrected. An organization must correct incorrect data when asked to do so.
- A bank continued to send invoices to a customer after the customer had paid the invoiced amount. The error in the bank's records resulted in the customer's credit card being cancelled and in credit agency reports showing a "bad debt" entry. The Commissioner's investigation revealed numerous discrepancies in the way the payment was handled, and numerous attempts by the customer to have the problem corrected. Although the bank corrected the payment information and had the credit reports corrected, it refused to issue the customer a new credit card. Decision Summary #275.
- A bank reported inaccurate information to a credit bureau regarding its customer. The bank also failed to update inaccurate information after its customer challenged its accuracy. In both cases, the bank violated PIPEDA. Decision Summary #224.
- An individual had asked his bank to remove his Social Insurance Number and driver's license number from all its records about him. After requesting his personal information from the bank some time later, he discovered his SIN and driver's license number were still in some of the records. The bank had inadvertently left one instance of the SIN in the records; it had no record of the individual's request to have his driver's license number removed from the records. The bank then removed all instances of the SIN and driver's license number from the records. Decision Summary #189.
- A credit bureau complied with the Act when it amended information proved to be inaccurate in an individual's credit file. Decision Summary #187.
- An organization which posted a payment in error to another customer's account and showed the actual payor's account to be past due violated PIPEDA. In this case, payment information was disclosed to a third-party collection agency for collection; correction of the error included transmitting the corrected payment information to the collection agency. Decision Summary #163.
- An organization is not required to amend an individual's records unless the individual successfully demonstrates that they are inaccurate. Decision Summaries #124, #85, #70.
- An organization which did not keep its employee files up to date and did not have established policies and procedures regarding retention of information failed to comply with the Act. Decision Summary #73.
- A bank failed to comply with the Act when it released a photograph taken by a surveillance camera of a suspected criminal. The person under scrutiny was falsely identified as a result of the bank's failure to set the clock correctly on its journal roll. The true suspects appeared on the tape 12 minutes after the person falsely identified. Subsequently, the bank took measures to ensure the journal roll clock and videotape clock would be correctly synchronized in future. The falsely identified individual received official apologies from the bank and police, as well as a printed retraction by the anticrime organization which had published her picture in a newspaper. Decision Summary #53.
- An organization held some inaccurate information about an individual, but it did not do so willfully or knowingly. The onus was on the individual to correct the information held by the organization. Decision Summary #122.
When an individual challenges information believed to be inaccurate but the challenge remains unresolved, the organization must record the substance of the challenge. When appropriate, third parties must be informed of the challenge.
- A credit bureau complied with this requirement when it included a statement written by an individual concerning information contained in the credit report. Decision Summaries #187, #102.
The Privacy Commissioner's office has issued nearly 300 decision summaries which help us interpret PIPEDA by providing numerous examples of its application. For a concise compendium of summaries (such as those above) of those decisions, order the OPO Compendium. All decision summaries may be read in their entirety on the Privacy Commissioner's Web site. If you have a few specific pieces of information in mind, ask about them in the OPO Answer Forum. To access the OPO Answer Forum, simply join OPO.
There are no Federal Court decisions providing that court's interpretation of the statute on this particular subject.
In addition to the decision summaries, the federal privacy commissioner's office has published a number of fact sheets to assist organizations and individuals in interpreting and applying the Act. These are available online for easy reference:
Gearing up for the Personal Information Protection and Electronic Documents Act: http://www.privcom.gc.ca/fs-fi/02_05_d_16_e.asp. This fact sheet assists organizations' privacy officers in applying PIPEDA at work. Excerpt:
The PIPED Act reflects the realities of the business world. It's based on the Canadian Standards Association's Model Code for the Protection of Personal Information, which is incorporated into the legislation. The Code came out of a collaborative effort by representatives of government, consumers and business groups, and lists 10 principles of fair information practices. . . .
Best Practices for dealing with pre-PIPEDA personal information (grandfathering): http://www.privcom.gc.ca/fs-fi/02_05_d_22_e.asp. Learn how to apply PIPEDA to all personal information held by your organization, regardless of when it was collected. Excerpt:
How does the Personal Information Protection and Electronic Documents Act (PIPEDA) apply to personal information collected before the Act came into effect?
The answer, in brief, is that all provisions of PIPEDA, including the consent principle, apply to all personal information held by an organization, regardless of when the information was collected. This means, among other things, that organizations are required to keep the information as accurate, complete and up-to-date as necessary, protect the information with appropriate safeguards and give individuals access to their personal information.
However, it does not necessarily follow that an organization must seek established customers' express consent to the continued retention, use or disclosure of their personal information.
How to Access your Personal Information and Lodge Complaints: http://www.privcom.gc.ca/fs-fi/02_05_d_11_e.asp. This fact sheet introduces Canada's Privacy Act and PIPEDA, and assists individuals in applying these laws to their own lives. Excerpt:
Do you think that an organization in the private sector is mishandling your personal information? Would you like to see what information an organization in the federally regulated private sector has about you?
The Personal Information Protection and Electronic Documents Act: http://www.privcom.gc.ca/fs-fi/02_05_d_11_02_e.asp. This document assists individuals who wish to access or correct personal information about themselves which is held by organizations.
Excerpt:
To correct errors or omissions to your personal information
- Write to the organization that has personal information about you and explain the correction you are requesting and why.
- Supply copies of any documents that support your request, if you have them.
- If the organization refuses to correct your personal information, you may require it to attach a statement of your disagreement to the file, where appropriate. This statement must be passed on to any other organization that may have access to the information.
The statutory provision is an express statement of the law. The Privacy Commissioner's decision summaries are the Privacy Commissioner's opinions of what the statutory provision means. PIPEDA subsection 14(1) permits complainants to go to the Federal Court after receiving the Privacy Commissioner's report in some situations. Therefore, there may be instances of the Federal Court offering opinions of what the statutory provisions mean that contradict those offered by the Privacy Commissioner. There may also be apparently contradictory decisions issued by either the Privacy Commissioner's office or the Federal Court. Contradiction may result from, among many other reasons, changes of the Privacy Commissioner, competing requirements of fairness in the respective fact situations, and changes in what is considered acceptable over time. Some may consider the Privacy Commissioner's opinions offered in the fact sheets to be less persuasive than the decision summaries because only the latter benefit from representations by both sides of a dispute. However, as the opinions expressed in the fact sheets have been expressed to provide guidance to organizations, that guidance ought to be given due consideration.
As a Privacy Officer you want to know what the decision maker will decide if a dispute ever arises. In Canada the ultimate decision maker is the Privacy Commissioner whenever complainants cannot afford a subsequent application to the Federal Court. Therefore, in assessing how to respond to requests to correct personal information, you should ask yourself what you think the Privacy Commissioner or Federal Court would determine the appropriate response to be if asked the question rather than what your organization would prefer to do.
Here is a handy procedure for use in determining the appropriate response to a request to correct personal information held by your organization:
Does the correction request contain sufficient information for you to identify the individual's personal information in your organization's records?
If yes, go to the next question.
If no, inform the requestor in writing of the need for clarification. Assist the requestor with clarification of his request if necessary.
Does the organization agree to correct the individual's information as requested?
If yes, proceed with correcting the information and go to the next question.
If no, inform the requestor. Record the substance of the unresolved challenge in the organization's records. Go to the next question.
Does the corrected information (or notice of an unresolved challenge) need to be transmitted to third parties that previously received the information in question?
If yes, transmit the corrected information or notice of unresolved challenge to those parties.
If no, you're done.
Try a few quick questions about responding to requests to correct Personal Information.
1. An individual discovered that there was a negative rating in her credit report due to incorrect information about her that had been reported by a bank. The bank records were inaccurate due to oversight and human error. Following the individual's request that the information be corrected, the bank informed her that it had sent a corrected credit rating to the credit reporting agency. Subsequently, the individual discovered she was being charged high interest on loans she had obtained, and that the negative credit report listed with the agency had not been corrected. How did the bank fail to comply with PIPEDA?
2. Whose responsibility is it to correct personal information held by an organization?
3. What is required if an organization does not agree that an individual's information needs to be amended?
4. A bank posted a loan payment to the wrong account in error, and the payment information was transmitted to a collection agency. The person who made the payment notified the bank of the problem. What must the bank do to comply with PIPEDA?
5. Why are organizations required to transmit corrected personal information to third-party organizations which previously received the information?
6. What is the most extreme example given in this tutorial of the consequences of inaccurate personal information being transmitted?
7. Is an organization always required to amend personal information at the request of the individual the information is about?
1. The bank failed to comply with PIPEDA by reporting inaccurate information to a credit bureau regarding its customer and by failing to update inaccurate information after its customer challenged its accuracy, despite its assurance it had done so. The individual was negatively affected because the credit agency made a decision about her (charged her higher interest) based on the incorrect information. Decision Summary #224.
2. Although organizations are charged with maintaining accurate and up-to-date information, the onus is generally on the individual to correct information held by organizations when he discovers it is inaccurate. For example: An organization held some inaccurate information about an individual, but it did not do so willfully or knowingly. The onus was on the individual to correct the information held by the organization. Decision Summary #122. However, in some cases organizations have been found in violation of PIPEDA because they had inadequate policies and procedures in place for dealing with the collection, retention, and correction of personal information. For example: An organization which did not keep its employee files up to date and did not have established policies and procedures regarding retention of information failed to comply with the Act. Decision Summary #73. Although it is generally the individual's responsibility to make sure his personal information is correct, organizations should be sure they have consistent, thorough policies and procedures in place for dealing with personal information.
3. If an individual challenges the accuracy of his personal information that is held by an organization, but the organization does not accept that the challenge is valid, the organization must record the unresolved challenge in its records and inform third parties which have received the disputed information of the unresolved challenge. For example: A credit bureau complied with this requirement when it included a statement written by an individual concerning information contained in the credit report. See Decision Summaries #187, #102.
4. The bank must correct its own records and also transmit the corrected payment information to the collection agency. See Decision Summary #163.
5. Organizations must inform third-party organizations to which they previously sent personal information of any corrections to that information because the third-party organizations may otherwise use inaccurate information to make decisions about individuals. A common example is inaccurate credit rating information which can affect an individual's ability to obtain credit at favourable interest rates or to obtain credit at all. See Decision Summaries #275, #224, #187.
6. The most extreme example given here of incorrect personal information negatively affecting an individual is recounted in Decision Summary #53. A bank released a photograph taken by a surveillance camera of a suspected criminal. The person under scrutiny was falsely identified as a result of the bank's failure to set the clock correctly on its journal roll. The true suspects appeared on the tape 12 minutes after the person falsely identified. Subsequently, the bank took measures to ensure the journal roll clock and videotape clock would be correctly synchronized in future. The falsely identified individual received official apologies from the bank and police, as well as a printed retraction by the anticrime organization which had published her picture in a newspaper.
7. No. An organization is not required to amend an individual's records unless the individual successfully demonstrates that they are inaccurate. See Decision Summaries #124, #85, #70. If the organization disagrees with the individual's claim that the information is inaccurate, it may record the fact of an unresolved challenge in its files. A statement regarding the unresolved challenge must also be transmitted to any other organizations with which the organization has shared the individual's disputed personal information. See Decision Summaries #187, #102.
Compliance Guides with lower levels of generality
- Canada's Privacy Commissioner's "Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act" is helpful.
- Canadian Institute of Chartered Accountants' Privacy Package contains a link to their free downloadable AICPA/CICA Privacy Framework. The AICPA/CICA Privacy Framework is the best and most helpful single document we have reviewed. It has a low level of generality and the detail may be daunting for some. However, the benefits available through the additional effort required to review and understand it are, in our opinion, well worth the time and concentration investment required.
- Industry Canada's Privacy for Business
- Industry Canada's Online E-security and Privacy Guide
- Treasury Board of Canada Secretariat's Privacy Impact Assessment (PIA) E-learning tool
- The Information and Privacy Commissioner of Ontario's Privacy Diagnostic Tool (PDT) Workbook. They describe it as a self-assessment program used to help businesses gauge their privacy readiness.