The ninth principle of the 10 Privacy Principles of PIPEDA is Individual Access.
The principle of Individual Access states that upon an individual’s request, an organization shall make known to the individual the existence, use, and disclosure of personal information and give access to it.
If an individual challenges the accuracy or completeness of his or her personal information, the organization shall amend the information where appropriate. This can involve correcting, deleting, or adding personal information.
Where appropriate, your organization should transfer the amended information to third parties.
An organization may deny access to some personal information for a number of reasons.
For example, a request may be denied if information is solicitor-client privileged or if by granting access it would reveal confidential commercial information.
If an organization or public body denies access to personal information, it must notify the individual of the reason for doing so and it must be a legitimate reason allowable by privacy legislation.
The organization should also provide the individual information about their complaint procedures or how to contact the Privacy Commissioner of Canada if the individual wishes to file a complaint about the denied access request.
Before providing access to or amending personal information, an organization should verify that it is communicating with the correct individual.
Some organizations choose to do this by asking for government-issued identification. Others may ask an individual on the phone to verify his or her account information by providing information such as a maiden name or password before proceeding.
An organization should only collect this information for identification purposes. Once the individual has been identified, the organization should not continue to hold that information, as it has already fulfilled its purpose.
An organization should also not seek to use stringent identification requests as a barrier to access.
Third Party Disclosure
If an individual desires to know which third parties his or her personal information has been disclosed to, the organization shall let the individual know.
If it is difficult to know which third parties personal information may have been disclosed to, then the organization should mention all third parties to which the information may have been disclosed to.
Reasonable Time and Costs
An organization should respond to access requests in a reasonable amount of time and at a minimal or no cost to the individual.
An organization shall reply in no longer than 30 days from receipt of the request. If an organization legitimately requires more time to fulfill a request, it must send a notice of extension to the individual, provide the reason for doing so, and notify the individual of his or her right to make a complaint with the Privacy Commissioner of Canada.
Making Information Accessible
If an organization uses abbreviations or codes, it should provide an explanation of what they mean to an individual.
If a case is not resolved to an individual’s satisfaction, the organization should record details of the case. The existence of the unresolved case should then be transmitted to third parties wherever appropriate.