The process for requesting records containing your personal information is very similar to that for requesting records in general. However, in the BC private non-government sector you are only permitted to request personal information from organizations/businesses, not records in general.
Personal information protection acts establish rules regarding the collection, use and disclosure of personal information by private sector organizations. They also provide individuals with the right of access to their own personal information, the right to request it be corrected when it is incorrect, and the right to file a complaint about improper collection, use and disclosure of their personal information by private sector organizations.
At this time (2017), there are four personal information protection acts covering private sector organizations in Canada. To inquire about accessing personal information in these jurisdictions, please click on the relevant link:
If you make a request in writing, an organization must provide you with your personal information in its custody or control. An organization under PIPA must also tell you how it has used your personal information and who else has been given it. Organizations under PIPEDA are encouraged to provide the same types of information, although the requirement is not as strict.
Credit agencies in BC must also provide you with names of the sources of your personal information within the prior 12 months, unless it is reasonable to assume that individuals can find that out themselves.
To access your personal information, write a letter informing the organization that you are making a formal request under the applicable legislation. Provide your name, address and the type of information you are seeking (subject matter, date range, type of records, etc.).
If you receive a fee estimate from a private sector organization/business that you think is unreasonable, you can ask the Information and Privacy Commissioner to review the estimate and render a decision. There is no right to request a fee waiver from a private sector organization/business as there is for a public body, but you do have the right to request a review of how reasonable a fee might be.
It is important to understand that the right to access is sometimes limited. Most of the time, the organization must give you access to your personal information. However, sometimes the organization can choose to refuse access, and sometimes the organization is required by law to refuse access.
These situations are a bit different depending on whether BC’s PIPA or the Federal PIPEDA applies to the organization.
For example, under PIPA, an organization may refuse to give you access to your personal information for the following reasons:
Under PIPA, an organization must refuse to give you access to your personal information:
Under PIPEDA, an organization may refuse to give access:
Under PIPEDA, an organization must refuse to give access to personal information if doing so would likely reveal personal information about a third party.
In all cases, if possible, the organization must separate the information you cannot have from your personal information, and give you the remainder. This is called severing the information.
If access to all or part of the information is refused by an organization under PIPA, it must tell you the reasons for the refusal, the section of PIPA that applies, and the contact information of an employee of the organization who can answer questions about the refusal. It must also tell you that you have the right to ask the Office of the Information and Privacy Commissioner of BC for a review within 30 days of being notified of the refusal.
If the organization is under PIPEDA and refuses to give you access, it must tell you in writing the reasons for the refusal. It must also tell you about any recourse you may have, including your right to complain to the Privacy Commissioner of Canada. You have six months after a refusal to make a complaint to the Privacy Commissioner of Canada.
If the organization doesn’t answer your request at all, it is deemed by law to have refused to give access. This means that you have a right to seek a review from the appropriate Privacy Commissioner. Generally, Privacy Commissioners will encourage you to try to resolve your complaint directly with the organization before they get involved.
For more information on complaints, see our help topic.
You have a right to ask an organization to make a correction to your information. You do not have a right to require the organization to make the correction. The organization can refuse to make the change if it believes (on reasonable grounds) that doing so is not appropriate in the circumstances.
You might be asked to tell the organization the reasonable grounds for making the change. Simple factual errors are unlikely to be controversial (such as a new address). An organization may be less likely to change information contained in an opinion.
If the organization decides to make the correction, it must do so as soon as reasonably possible and must send the corrected personal information to each organization to which the error was disclosed in the prior year. These organizations should also make the correction.
If the organization decides not to make the correction, it must keep a record of the request and make a note on the personal information which the individual requested be corrected, showing the nature of the request.
If you make a written request that gives enough detail for the organization to identify you and the information you want, the organization must make a reasonable effort to assist you and to respond as accurately and completely as possible. Generally, an organization must respond no later than 30 days after receiving the completed, written request, but may extend the time in certain circumstances.
An organization has a duty to assist you when you make a request for access or a request for correction. This means that if your request doesn’t have enough detail, the organization may want to work with you to identify the information you want access to or want corrected. Remember that the 30-day period starts to run when your request is clear enough for the organization to be able to identify the records which contain the personal information you want.
Organizations are required to have procedures in place to receive and respond to complaints and questions about their information-handling practices. The complaint procedures should be easy to access and simple to use. An organization should investigate all complaints, and if it finds a complaint is justified it may take action, including changing its privacy policy and practices, if appropriate.
If you have completed the processes offered by the organization and are not satisfied, then you may seek assistance from the relevant Commissioner. The Privacy Commissioner of Canada and the Information and Privacy Commissioner of BC have slightly different powers.