Last updated on January 8, 2023
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), individuals have certain rights over their personal information when under an organization’s control.
In order to exercise your rights under PIPEDA, the organization must be subject to that law. If you are unsure, seek to first understand Canadian privacy legislation.
It is important to note that BC, Alberta, and Quebec all have provincial privacy legislation that is substantially similar to PIPEDA. If a private-sector organization is not subject to PIPEDA but is located in these provinces, your rights should be similar.
Your Right to Know
You have a right to know about an organization’s policies and procedures with respect to the management of your personal information.
You also have the right to ask an organization if your personal information exists under their control, although there are some exceptions to this right (e.g. personal information under the control of some governments).
Every Canadian organization is required by law to appoint someone to be accountable for privacy compliance and to answer inquiries. This position is usually referred to as a privacy officer in larger organizations.
When providing personal information for a product or service, the employee requesting your personal information (or the consent form you fill out) should be able to explain why your personal information is required. The type of personal information requested must also be necessary and reasonable for its intended purpose.
For example, it would not be reasonable for a retail store to collect your weight, height, or your drivers licence when you make a return, but it would be reasonable for an insurance agency to ask you of any health conditions you have when you apply for insurance.
Your Right to Access
You have a right to access your personal information.
This can be done by either directly examining the record (whenever possible), or sending a written request to the organization.
You should provide enough detail so that the organization can properly identify the information you are requesting. Be sure to include information such as dates, account numbers, and any correspondence you have had with anyone in the organization in relation to your request.
Once an organization or public body receives your request, they usually have thirty days to respond, but they may be allowed to request additional time if your request requires information that is difficult to obtain or process within thirty days.
PrivacySense offers a free template for information access requests.
Difficulties Making Requests
If you have difficulty preparing a written request, the organization is obligated to help you prepare one.
If you have a sensory disability, the organization is obligated to provide access to your information in an alternative format if it is reasonable and you can prove it is necessary.
Your personal information must be provided free or at a minimal cost. The organization should also provide you with a fee estimate before you agree to go forward with your request.
An organization cannot charge excessive fees or seek to make a profit from granting you access to your personal information.
The privacy commissioners of British Columbia, Alberta, and Canada frequently investigate organizations which have sought to charge individuals high fees (usually in excess of $50) for access to their personal information and have often ordered organizations to refund and reduce fees (See this PIPEDA Example).
An organization may deny you access to your personal information for a number of reasons.
For example, your request may be denied if information is solicitor-client privileged or if by granting you access it would reveal confidential commercial information.
When an organization denies you access to personal information, it must notify you of the reason for doing so and it must be a legitimate reason that is allowed by privacy legislation.
The organization should also provide you information about their complaint procedures or how to contact the appropriate privacy commissioner or ombudsman if you wish to file a complaint about the denied access request.
If you examine your personal information and realize there are errors or omissions, the organization is obligated to correct your personal information. This request should also be in writing.
You have the right to withdraw consent from an organization collecting, using, and disclosing your personal information, subject to legal and contractual restrictions and reasonable notice. An organization should let you know what the implications of withdrawing your consent are.
Retaining Personal Information
Organizations are only supposed to retain your personal information for as long as is necessary to fulfil the intended purposes.
Organizations should have a complaint procedure and should notify you of any other methods of recourse you have available if you disagree about how it is managing your personal information.
Filing a Complaint
If you disagree with the way an organization is managing your personal information and you have already exhausted their internal complaint process, you may file a complaint with the privacy commissioner or ombudsman who has authority over privacy matters in that jurisdiction.
Some of the things you may complain about are:
- The way an organization manages your personal information,
- The high fees charged to access your personal information,
- An organization refusing to provide you with access to your personal information,
- An organization ignoring your request, or
- The organization not providing you with a product or service when you refuse to supply personal information that is not related or necessary.
There is usually a time limit to submit a complaint, so it is important to do it as soon as possible.
By understanding your privacy rights and the basics of Canadian privacy legislation, you can now take control over your personal information.
A great example of using your privacy rights is to request a free credit report.
Hello – at the beginning of January 2018 I ordered a copy of my credit file (as I do annually) and found that a US-based retail store where I made several online purchases had made a ‘soft’ inquiry on my credit file in November 2017.
This business does not offer credit to its customers; it offers a points program, along with birthday “gifts” … so they had my name, address, date of birth and credit card information. I have never authorized them to have access to my credit information, and there is no reason for them to have it.
When I contacted them to ask why they inquired and under what authority, they denied doing it. I have filed a complaint with the Privacy Commissioner of Canada… but I’m wondering what my options will be depending on their findings.