What rights do Canadians have over their personal information?
PIPEDA grants Canadians the right to access their personal information held by an organization. An organization is defined generally to apply to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. Organizations that are subject to PIPEDA must follow the ten fair information principles to protect personal information. The ninth fair information principle is individual access. In addition to granting access to an individual’s request for their personal information, organizations must also comply with an individual’s request to challenge the accuracy and completeness of the information and have it amended as appropriate.
Once an individual requests to access their personal information, your organization is obligated to:
- Confirm whether you have the requested information
- Explain how you have used the information
- Provide a list of anyone with whom the information has been shared
- Provide a copy of the information in an accessible format, and make alternative formats available for people with disabilities; and
- Not charge the individual for making this request (unless it would be reasonable to charge a small fee, in which case you must provide an estimate and confirm that the individual wishes to proceed).
Your organization has a maximum of 30 days to fulfill the request. An extension is available, but only in three circumstances. The first circumstance that warrants an extension to this 30-day time frame is where responding on time would unreasonably interfere with your business activities. The second circumstance is when you are conducting consultations regarding the request and this produces a delay. The third circumstance is when you need to provide the information in an alternate format and this causes a delay.
When your organization fulfills an individual’s request to access their personal information, you must explain the type of information your organization collects about that individual as well as how that information was obtained. Depending on the nature of the request, there could be various formats in which your organization provides the information. For example, PIPEDA allows organizations to provide a written or electronic copy of the information, or to allow the individual to view the information or listen to a recording of it. Additionally, your organization needs to convey the requested personal information in a way that is easily understandable to the individual. This means that upon fulfilling a request, your organization should explain all acronyms, abbreviations, codes and regulations relating to the information. If your organization does not hold any personal information on the individual who made the request, you still have a duty to let them know.
Can an organization refuse to fulfill an individual’s request to access their personal information?
PIPEDA allows for three narrow circumstances in which an organization can deny an individual’s request to access their personal information. These three exceptions are available where compliance with the request could reasonably be expected to be injurious to:
- National security, the defence of Canada or the conduct of international affairs;
- The detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
- The enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
PIPEDA sets a high bar for organizations if they attempt to refuse to fulfill an individual’s request to access their personal information. This underscores how important this right is for Canadian consumers and the need for businesses to follow through when they receive such a request.
Is an organization exempted from fulfilling an individual’s request to access their personal information?
PIPEDA accounts for seven exemptions where an organization does not have to fulfill an individual’s request to access their personal information. An organization may deny an individual’s request to access their personal information only if:
- Disclosure would reveal personal information about someone else (subsection 9(1)). However, if the information that relates to the third party can be severed or blacked out, you are required to provide the information to the requester with the information on third parties stricken or removed. This exemption does not apply if the third party consents to you releasing the information, or if the individual needs the information because somebody’s life, health or security is threatened (subsection 9(2)).
- The information is protected by solicitor-client privilege (paragraph 9(3)(a)).
- Disclosure of the information would reveal confidential commercial information (paragraph 9(3)(b)). If you can, however, address this problem by striking or severing portions of the information, you must give the requester access to the rest of his or her personal information.
- Disclosure of the information could reasonably be expected to threaten the life or security of another individual (paragraph 9(3)(c)). Again, if you can address this problem by severing this information, you must give the requester access to the rest of his or her personal information.
- The information was collected for purposes related to an investigation of a breach of an agreement or a contravention of the laws of Canada or a province, and it would be reasonable to expect that the individual’s knowledge of or consent for the collection would compromise the availability or accuracy of the information (paragraph 9(3)(c.1)).
- The information was generated in the course of a formal dispute resolution process (paragraph 9(3)(d)).
- The information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act (commonly referred to as the whistleblower law), or in the course of an investigation into a disclosure under that Act (paragraph 9(3)(e)).
Best practices when fulfilling an individual’s request to access their personal information
PIPEDA provides additional guidance for organizations when it comes to complying with PIPEDA’s Fair Information Principle 9 (Individual Access). These best practices include:
- Maintaining a record of where personal information can be found.
- Conducting a thorough search for personal information. This includes both physical and electronic searches.
- Never disclosing personal information unless you are certain of the identity of the requestor and that person’s right of access.
- Recording the date you received the request for the information.
- Ensuring your staff members know how to handle an access request.
- Being ready to justify any claim that information is “confidential commercial information” before refusing access on that basis, because the legal standard for withholding information on this ground is high.
I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.