BC Freedom of Information and Privacy Association
Your Data Your Rights
Requesting personal information from the private sector
The process for requesting records containing your personal information is very similar to that for requesting records in general. However, in the BC private non-government sector you are only permitted to request personal information from organizations/businesses, not records in general.
Personal information protection acts establish rules regarding the collection, use and disclosure of personal information by private sector organizations. They also provide individuals with the right of access to their own personal information, the right to request it be corrected when it is incorrect, and the right to file a complaint about improper collection, use and disclosure of their personal information by private sector organizations.
At this time (2017), there are four personal information protection acts covering private sector organizations in Canada. To inquire about accessing personal information in these jurisdictions, please click on the relevant link:
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- Quebec’s Act respecting the protection of personal information in the private sector
- British Columbia’s Personal Information Protection Act (PIPA)
- Alberta’s Personal Information Protection Act (PIPA)
If you make a request in writing, an organization must provide you with your personal information in its custody or control. An organization under PIPA must also tell you about how the organization has used your personal information and who else has been given your personal information. Organizations under PIPEDA are encouraged to provide the same types of information although the requirement is not as strict.
Credit agencies in BC must also provide you with names of the sources of your personal information within the prior 12 months, unless it is reasonable to assume that individuals can find that out themselves.
How do I request my personal information?
To access your personal information, write a letter informing the organization that you are making a formal request under the applicable legislation. Provide your name, address and the type of information you are seeking (subject matter, date range, type of records, etc.).
Is there a fee?
If you receive a fee estimate from a private sector organization/business that you think is unreasonable, you can ask the Information and Privacy Commissioner to review the estimate and render a decision. There is no right to request a fee waiver from a private sector organization/business as there is for a public body, but you do have the right to request a review of how reasonable a fee might be.
Your right to see and know is sometimes limited by another person’s rights
It is important to understand that the right to access is sometimes limited. Most of the time, the organization must give you access to your personal information. However, sometimes the organization can choose to refuse access, and sometimes the organization is required by law to refuse access.
These situations are a bit different depending on whether BC’s PIPA or the Federal PIPEDA applies to the organization.
For example, under PIPA, an organization may refuse to give you access to your personal information for the following reasons:
- if the information is protected by solicitor-client privilege (for example, if it is part of a legal opinion or a court case);
- if it was collected for an investigation;
- if it would reveal confidential business information; or
- if it was collected by a mediator or arbitrator in specified circumstances.
Under PIPA, an organization must refuse to give you access to your personal information:
- if there is a health or safety risk in giving you the information;
- if doing so would reveal another individual’s personal information; or
- if giving access would reveal the identity of someone who gave an opinion about you and the opinion-giver has not consented to his or her identity being disclosed (for example, this can cover situations involving an employee review or a personal reference).
Under PIPEDA, an organization may refuse to give access:
- if the information is protected by solicitor-client privilege (for example, if it is part of a legal opinion or a court case);
- if it would reveal confidential commercial information;
- if it could reasonably be expected to threaten the life or security of another individual;
- if the information was collected in the course of an investigation into a breach of an agreement or a law;
- if the information was generated in the course of a formal dispute resolution process.
Under PIPEDA, an organization must refuse to give access to personal information if doing so would likely reveal personal information about a third party.
In all cases, if possible, the organization must separate the information you cannot have from the your personal information, and give you the remainder. This is called severing the information.
What the organization must tell you if it refuses to give you access
If access to all or part of the information is refused by an organization under PIPA, it must tell you the reasons for the refusal, the section of PIPA that applies, and the contact information of an employee of the organization who can answer questions about the refusal. It must also tell you that you have the right to ask the Office of the Information and Privacy Commissioner of BC for a review within 30 days of being notified of the refusal.
If the organization is under PIPEDA and refuses to give you access, it must tell you in writing the reasons for the refusal. It must also tell you about any recourse you may have, including your right to complain to the Privacy Commissioner of Canada. You have six months after a refusal to make a complaint to the Privacy Commissioner of Canada.
If the organization doesn’t answer your request at all, it is deemed by law to have refused to give access. This means that you have a right to seek a review from the appropriate Privacy Commissioner. Generally, Privacy Commissioners will encourage you to try to resolve your complaint directly with the organization before they get involved.
For more information on complaints, see our help topic.
Do you have a right to request correction of your personal information in the private sector?
You have a right to ask an organization to make a correction to your information. You do not have a right to require the organization to make the correction. The organization can refuse to make the change if it believes (on reasonable grounds) that doing so is not appropriate in the circumstances.
You might be asked to tell the organization the reasonable grounds for making the change. Simple factual errors are unlikely to be controversial (such as a new address). An organization may be less likely to change information contained in an opinion.
If the organization makes the correction
If the organization decides to make the correction, it must do so as soon as reasonably possible and must send the corrected personal information to each organization to which the error was disclosed in the prior year. These organizations should also make the correction.
If the organization does not make the correction
If the organization decides not to make the correction, it must keep a record of the request and make a note on the personal information which the individual requested be corrected, showing the nature of the request.
Deadlines for responding to a request for access or correction in the private sector
If you make a written request that gives enough detail for the organization to identify you and the information you want, the organization must make a reasonable effort to assist you and to respond as accurately and completely as possible. Generally, an organization must respond no later than 30 days after receiving the completed, written request, but may extend the time in certain circumstances.
The organization has a duty to assist you
An organization has a duty to assist you when you make a request for access or a request for correction. This means that if your request doesn’t have enough detail the organization may want to work with you to identify the information you want access to or want corrected. Remember that the 30 day period starts to run when your request is clear enough for the organization to be able to identify the records which contain the personal information you want.
Your complaint and inquiry rights in the private sector
Organizations are required to have procedures in place to receive and respond to complaints and questions about their information-handling practices. The complaint procedures should be easy to access and simple to use. An organization should investigate all complaints, and if it finds a complaint is justified it may take action, including changing its privacy policy and practices, if appropriate.
Before you make a complaint or an inquiry
- Check the organization’s privacy policy to find out if it has a complaints process and if it does, follow it.
- If the published policy does not explain the complaint process, try to contact the privacy officer directly and ask them any questions that you may have about the process.
- It is always a good idea to make a complaint to the organization in writing if you can.
If you have completed the processes offered by the organization and are not satisfied, then you may seek assistance from the relevant Commissioner. The Privacy Commissioner of Canada and the Information and Privacy Commissioner of BC have slightly different powers. For more information, click here.
> Requesting Personal Information from the Federal Government
