How to Manage Personal Information Access Requests under PIPEDA

PIPEDA as a cornerstone of Canadian privacy law grants individuals critical rights over their personal information. 
Two key rights are the right to access their data and the right to correct any inaccuracies. For organizations, adhering to these regulations is not just a legal obligation; it’s a fundamental step in building trust and transparency with individuals. This blog will explore how organizations can ensure data subjects can fully exercise their rights effectively.

What is the Individual Access Principle

“An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”

Under PIPEDA’s “Individual Access” principle, organizations have certain responsibilities such as:

– They must respond to written requests from individuals regarding the existence, use, and disclosure of their personal information;

– They should provide access to the information, allow corrections if necessary, and inform about third-party disclosures. If access to all information cannot be provided, reasons must be given;

– Organizations must assist in formulating requests, respond promptly (within 30 days), and use understandable formats;

– If a request is denied, reasons and recourse options must be provided;

– Any amendments made to personal information should also be communicated to relevant third parties.

Additionally, organizations are advised to be transparent about their data-sharing practices. When disclosing personal information to third parties, it’s important to specify who these third parties are as precisely as possible. When informing an individual that you possess their information, always strive to identify the source of this information if possible. 

Extension of Time Limits

As mentioned in the previous section, organizations should respond to access requests within the standard 30-day window. However, extensions may be necessary under certain conditions, such as:

– if responding within 30 days would significantly disrupt organizational activities;

– more time is needed for consultations; or

– personal information needs to be converted into a different format.

In such cases, the extension should not exceed an additional 30 days for the first two scenarios and should be only as long as necessary for format conversions. Always inform the requester in writing within the initial 30 days about any extension, explaining the reasons and informing them of their right to complain to the Office of the Privacy Commissioner of Canada (OPC).

How to Handle Access Requests

To effectively handle access requests for personal information, organizations should have detailed procedures aligned with PIPEDA’s “Individual Access” principle. These include being able to provide information in alternative formats and noting exceptions where access might be refused. Systems should facilitate easy retrieval and reporting of data, including third-party disclosures, with minimal operational disruption. Staff should be well-informed about these procedures, including specific time limits and exceptions. Additionally, organizations must publicly provide clear instructions on how to request access to personal information.

When processing access requests for personal information, organizations should assist individuals in drafting requests and clarify any ambiguities. Upon receiving a request, it’s important to verify the requester’s identity and log the request’s receipt date. Responses should be timely, ideally within 30 days, and at minimal cost. If fees are necessary, inform the requester beforehand. Organizations should provide clear information on whether personal data exists, its usage, potential disclosures, and offer access or copies of the data, explaining any technical terms used.

Organizations should also allow individuals to challenge the accuracy and completeness of their personal information. If proven inaccurate or incomplete, the information should be corrected, deleted, or supplemented as necessary. Additionally, any amendments should be communicated to third parties who have received the information. If disputes remain unresolved, the disagreement should be noted in the individual’s file and communicated to relevant third parties.

What Happens When Access is Denied?

When an organization denies access to personal information, it must notify the requester in writing within 30 days, citing reasons for the refusal based on Section 9 of PIPEDA. The organization should also inform the requester of any available recourse, such as filing a complaint with the OPC. Additionally, it must retain the disputed information for as long as necessary to allow the requester to exhaust all possible recourse options under PIPEDA.

What Can You Do To Ensure Compliance

How Can We Help?

Our consultants can help you create policies that would help your organization manage requests effectively, ensuring compliance with PIPEDA and enhancing your ability to respond promptly and accurately to data access requests. This proactive approach can significantly reduce the risk of non-compliance and build trust with your data subjects.