Interpretation Bulletin: Access to Personal Information
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues can crystallize into general principles that can serve as helpful guidance for both complainants and organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these interpretations may evolve and be further refined.
I. Relevant Statutory Provisions of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA)
Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 4.9.1: Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
Principle 4.9.2: An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
Principle 4.9.3: In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.
Principle 4.9.4: An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.
Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
Section 8(1): A request under clause 4.9 of Schedule 1 must be made in writing.
Section 8(2): An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.
Section 8(3): An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
Section 8(4): An organization may extend the time limit (a) for a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or (b) for the period that is necessary in order to be able to convert the personal information into an alternative format.
In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.
Section 8(5): If the organization fails to respond within the time limit, the organization is deemed to have refused the request.
Section 8(6): An organization may respond to an individual’s request at a cost to the individual only if (a) the organization has informed the individual of the approximate cost; and (b) the individual has advised the organization that the request is not being withdrawn.
Section 8(7): An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under [Part 1 of PIPEDA].
Section 8(8): Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under [Part 1 of PIPEDA] that they may have.
Section 9(1): Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
Section 9(3): Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if (a) the information is protected by solicitor-client privilege or the professional secrecy of advocates and notaries or by litigation privilege; (b) to do so would reveal confidential commercial information; (c) to do so could reasonably be expected to threaten the life or security of another individual; (c.1) the information was collected under paragraph 7(1)(b); (d) the information was generated in the course of a formal dispute resolution process; or (e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
However, in the circumstances described in (b) or (c) above, if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.
Section 9(5): An organization that decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1) shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.
II. Application by the Courts and the OPC in Different Contexts
Whether an organization can be said to meet its access obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the access principle has been interpreted and applied by the Courts and the OPC in different contexts.
Policies, Practices, and Procedures
- An organization should have procedures in place to ensure that an access to personal information request is properly processed.
- PIPEDA Case Summary #2007-377 Law firm’s shoddy privacy practices result in missing personal information; request for access denied
- PIPEDA Case Summary #2007-367 Need to establish procedures for handling access to personal information requests stressed
- PIPEDA Case Summary #2014-016 Sobeys Refuses to Respond to Customer's Requests for Access to Personal Information and Does Not Participate in Subsequent OPC Investigation
- Organizations should have a straightforward procedure that will be adhered to by the personnel handling access to personal information requests.
- Organizations must adequately train their staff on how to properly handle access to personal information requests and on the legal obligations of the organization in this regard.
Right of Access
- PIPEDA does not give individuals a right of access to any document. Rather, it entitles individuals to be informed of the existence, use and disclosure of their personal information. (Fahmy v. Bank of Montreal, 2016 FC 479)
- In response to an access to personal information request, organizations need only search for and provide those records related to the conduct of their business, not those sent between employees for personal reasons. (Johnson v. Bell Canada, 2008 FC 1086)
- Handwritten notes of a doctor taken during an independent medical examination performed at the request of an insurance company may be subject to an access request. (Wyndowe v. Rousseau, 2008 FCA 39)
- An organization need not provide access to documents that do not contain personal information of the complainant.
- Under PIPEDA, individuals are entitled only to have access to information that can be considered their own personal information (i.e., only information that is “about” them, within the meaning of the Act).
Control
- “It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information.” (Johnson v. Bell Canada, 2008 FC 1086)
- An organization will not be expected to provide an individual with access to the individual’s personal information which is neither in its possession nor under its control.
- Personal information handled by third-party service providers is generally considered to be under the control of the party that has contracted out the service.
Reasonable Search
- An organization receiving a broad request for access to personal information has two options: (1) it can inquire of the party making the request if the party can be more specific as to the information requested, in which case the requesting party has an obligation to cooperate in defining the request, or (2) it can conduct a reasonable search of information it can reasonably expect to be responsive to the request. Where that latter course is chosen, and absent further evidence, there is no reason to conduct a search for messages falling outside the scope of what the organization reasonably believes it would collect, use and disclose in the course of its business operations. (Johnson v. Bell Canada, 2008 FC 1086)
- Where an organization has conducted a reasonable search in response to an access request, and the requester claims that there is other information that has not been produced, the burden lies on the requester to establish at least a prima facie case that the search was inadequate. (Johnson v. Bell Canada, 2008 FC 1086)
- In responding to access requests, organizations must search all their files and locations for personal information, not only those that are obvious sources of such data.
Responding to Access Requests
- A complainant who requests access to all personal information relating to him or her should be provided with all information that the organization can provide to the complainant. If the organization has the information and there is no reason to deny access, it should release all the responsive information even though certain documents were not specifically requested.
- When an organization responds to an access request, it should give an indication of where it looked for the requestor’s information and the types of information it holds. Organizations should be forthcoming in providing details regarding the sources of information and to whom information has been disclosed.
- When in receipt of a request for access to personal information, organizations must respond in a meaningful way, even if only to indicate that they have already provided the individual with all of their information, or if only to indicate that they have no information that is responsive to the request.
- An individual should be advised when personal information has been destroyed in accordance with an organization’s retention policy, if this is in response to a personal information access request.
- An organization must, within the time limits prescribed in PIPEDA, inform an individual in writing of an access request refusal, setting out the reasons for the refusal and any recourse that the individual may have under PIPEDA.
- PIPEDA Case Summary #2003-216 An airport is accused of not having disclosed all the personal information requested by an employee and of not having retained other personal information
- PIPEDA Case Summary #2003-149 Individual denied access to personal information
- PIPEDA Report of Findings #2017-008 Jet Airways says possibility of litigation allows it to refuse access to personal information
- In response to an access request, an organization may make sensitive medical information available through a medical practitioner.
- An organization cannot refuse to provide access to personal information on the basis that the information can be obtained through some other channel, such as a court proceeding.
Form
- A request for access to personal information must be made in writing and identify the information requested. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
- Organizations may require individuals to provide further information, such as identification, in order to process their requests for access to personal information.
- PIPEDA Case Summary #2006-334 Bank requires piece of identification before responding to request for access to personal information
- PIPEDA Case Summary #2006-324 Consumer complains about requirement to provide identification in order to obtain credit report
- PIPEDA Discontinued Case Summary #2014-002 Bank’s request for additional information was a fair and reasonable response to access request
- There is no obligation for requesters to specify in an access to personal information request that they are making their request pursuant to PIPEDA.
- The requested information shall be provided in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.
- PIPEDA does not guarantee that individuals can access their personal information in a particular form (e.g., audio recordings versus transcripts), nor that copies of the information have to be provided in all cases—PIPEDA specifies only that access be given to the requester.
- PIPEDA Case Summary #2008-391 Company must not charge flat fee to process access request
- PIPEDA Case Summary #2006-328 Medical records storage company revises its access policy
- PIPEDA Discontinued Case Summary #2013-003 Bank satisfies requirement to provide access to personal information by allowing individual to listen to recordings at a branch location
- Principle 4.9.4 clearly puts the onus on the organization to explain information in understandable terms to the individual and PIPEDA makes no provision for an organization to refer the individual to another organization for that purpose.
Time Limit
- To fulfill its obligations under PIPEDA, an organization must reply to a request for access to personal information in writing within thirty calendar days of receipt of the request.
- The 30-day timeframe should begin upon receipt of a complete access to personal information request, as deemed by the organization.
- When receiving an individual’s access request, the organization should determine as quickly as possible whether it will be able to complete the request within the initial time limit allowed by PIPEDA. If it believes it has insufficient time and requires an extension, the organization must advise the complainant in writing no later than 30 days after the date of the access request, advising the complainant of the new time limit, the reasons for extending the initial limit and the complainant’s right to make a complaint to the Commissioner with regard to the extension.
- The Commissioner found that an organization’s partial response to an access request within 30 days was not sufficient to satisfy the 30-day time limit provided for in PIPEDA.
- A time extension cited by an organization under s. 8(4)(a)(ii) of PIPEDA was found not to be valid as no consultations were undertaken to find the information an individual had requested.
- The fact that a member of the organization’s staff may have been on medical leave does not excuse the organization under PIPEDA for not respecting the time limits. The organization is responsible for ensuring that it has, at all times, appropriate arrangements to comply with the Act.
- Even if an organization believes it is entitled to refuse an access request, it must nevertheless respond to the request within the time limits set out in section 8 and provide reasons for the refusal.
- By failing to respond an organization will be deemed, in accordance with subsection 8(5), to have refused the complainant’s access request.
- PIPEDA Report of Findings #2010-005 An organization improperly discloses client’s personal information
- PIPEDA Case Summary #2004-285 Company refuses former employee's request for access
- PIPEDA Case Summary #2003-239 Access request sent to wrong location
- PIPEDA Case Summary #2003-179 Trucking company accused of refusing former employee's access request
- PIPEDA Case Summary #2003-165 Individual is denied access to personal information
- PIPEDA Case Summary #2003-253 A bank exceeds the time limit for answering an access request
- PIPEDA Case Summary #2003-221 Bank fails to respond to access request within time limit
- PIPEDA Case Summary #2002-112 Individual denied access to personal information
Fees
- If an organization intends to charge a fee for an access request, it is obliged to inform the requester of the fee estimate and to give the requester an opportunity to respond.
- PIPEDA Case Summary #2006-341 Fees and the role of a medical practitioner considered in denial of access complaint
- PIPEDA Case Summary #2004-283 A bank charged fees to process requests for personal information
- PIPEDA Case Summary #2003-247 Bank alleged to have denied customer access to her personal information
- Fees are not to be used by organizations to discourage requests; an organization should consider charging fees for processing a request only when the request is exceptional, and then only at minimal cost.
- PIPEDA Case Summary #2006-341 Fees and the role of a medical practitioner considered in denial of access complaint
- PIPEDA Case Summary #2004-283 A bank charged fees to process requests for personal information
- PIPEDA Early Resolved Case Summary #2016-01 Access to personal information request revised to accommodate both requestor and organization
- Even if the organization informs the complainant of the approximate cost of responding to an access request, the amount must be considered minimal. Although PIPEDA does not define "minimal", the implication is that the fee should be a token one.
- While photocopy fees may be acceptable, a flat fee cannot be charged if it may have the effect of dissuading individuals from requesting access.
- There could be less costly options in providing access than providing copies. While reasonable photocopy fees may be acceptable, a storage fee is unreasonable.
Retention
- “From a practical and pragmatic standpoint, what subsection 8(8) of PIPEDA requires of an organization is that it retain that information that it has discovered in its search that is or may be responsive to the request, until the person making the request has exhausted all avenues of appeal.” (Johnson v. Bell Canada, 2008 FC 1086)
- For personal information implicated in a specific access request, organizations should consider, and where necessary, override their regular deletion/retention practices until such time as the individual has exhausted any recourse under PIPEDA to get access to that information.
Exceptions
- Requests for access to one’s personal information are not automatically granted. Such requests can be refused if any of the exceptions set out under PIPEDA apply.
9(1) – Personal information of a third party
- Paragraph 9(1) of PIPEDA provides that an individual shall not be given access to personal information if doing so would likely reveal information about a third party. However, if information about the third party is severable, it shall be severed. (Cote v. Day & Ross Inc., 2015 FC 1283)
- If information about a third party is severable from the record pertaining to an individual’s access request, the organization must sever the information about a third party and give the individual access to his or her personal information.
- Individuals have a right to know the details of unauthorized access of their personal information by an organization’s employees. However, organizations must protect third party personal information, such as the disciplinary action taken against the employee involved.
- In considering whether to grant access to a requester’s personal information that could also be considered the personal information of third parties, an organization should weigh the private interests of the requester and the third parties as well as the public interest in disclosure or non-disclosure of the information.
9(2.1)-(2.4) – Information relating to paragraphs 7(3)(c), (c.1), (c.2) or (d) of PIPEDA
- The purpose of the scheme under subsections 9(2.1) to 9(2.4) is to protect the integrity of lawful investigations. Where an individual seeks either: (a) to be informed about a disclosure to a government institution pursuant to certain provisions or the existence of any information that the organization has relating to such a disclosure, or (b) access to such information itself, then the organization has an obligation to follow the process set out under subsection 9(2.2). This provision requires the organization, where it has made a disclosure to a government institution or a part of it, to ask the institution whether it objects to the disclosure of the information sought on certain grounds. In the event that the relevant government institution objects, the organization becomes subject to the obligations under subsection 9(2.4), which include refusing the request, informing the Office of the Privacy Commissioner, and not disclosing any of the information specified under paragraph 9(2.4)(c).
- Organizations are only limited in responding to requests pursuant to subsection 9(2.4) if the request relates to a disclosure that falls within subsection 9(2.1) and the government institution has objected. However, if no disclosure has taken place, an organization must inform the individual of this fact upon request. Similarly, if a disclosure has taken place, but it is not covered by subsection 9(2.1) or another exemption, then an organization must not refuse access.
9(3)(a) – information protected by solicitor-client privilege / professional secrecy of lawyers and notaries
- For purposes of independently verifying claims of solicitor-client privilege invoked by organizations as grounds for refusing access, the Privacy Commissioner may refer the issue to the Federal Court at any point in the course of an investigation, or the Privacy Commissioner may report an impasse over the issue of privilege in a Report of Findings and bring an application to the Federal Court for relief. (Canada (Privacy Commissioner) v. Blood Tribe Department of Health, 2008 SCC 44; Privacy Commissioner of Canada v. Air Canada, 2010 FC 429)
- Information withheld under paragraph 9(3)(a) can include information prepared by company lawyers with respect to a workers’ compensation board dispute and a grievance lodged by a complainant.
- Under paragraph 9(3)(a) of PIPEDA, an organization can withhold access to personal information if it is subject to litigation privilege. Litigation privilege is a component of solicitor-client privilege; it protects materials brought into existence for the dominant purpose of litigation or reasonably anticipated litigation.
- A blanket policy applicable to all documents generated from incidents on board an aircraft did not, in the Commissioner’s view, meet the test for solicitor-client privilege or litigation privilege.
- Individuals involved in ongoing civil litigation who have been denied access to their personal information for reasons of solicitor-client privilege can more appropriately use civil court procedures to address the matter of the claimed privilege. In such cases, individuals can bring a motion to the Court to obtain a binding ruling on the appropriateness of the privilege being asserted on their personal information.
- Paragraph 9(3)(a) was found to apply to withhold information relating to advice that the organization sought or obtained from its legal counsel with regard to problems it experienced with an individual.
9(3)(b) – confidential commercial information
- In light of the quasi-constitutional nature of PIPEDA, courts cannot simply defer to the general qualification given by an organization to the information withheld under paragraph 9(3)(b) of the Act for confidential commercial information. There must be articulate reasons for denying access to any particular document. The standard for justifying the withholding of information under paragraph 9(3)(b) of the Act is very high. (Bertucci v. Royal Bank of Canada, 2016 FC 332)
- “Raw data” about an individual – that is, information that, if disclosed, would not reveal confidential practices, techniques or analysis of a commercial nature – does not fall within the exemption under paragraph 9(3)(b) of the Act. (Bertucci v. Royal Bank of Canada, 2016 FC 332)
- The standard for justifying the withholding of personal information because it would reveal confidential commercial information is very high. Providing access to personal information upon request is the rule and withholding such information is the exception.
- Information generated by a bank’s investigation of alleged credit card fraud can be considered to be confidential commercial information, where commercial interests of the organization could suffer irreparable harm if the information is released and preservation of confidentiality constitutes a sufficiently important interest.
- A bank’s internal credit scoring model can be considered confidential commercial information.
- The Commissioner did not agree that information regarding compensation paid to the complainant and the costs related to his claim with the province's workplace safety board constituted confidential commercial information.
- In a complaint stemming from a disputed transaction between a customer and a merchant, a financial institution provided unconvincing and unsubstantiated reasons for withholding access to his personal information, which were found in forms and questionnaires generated in the course of a dispute resolution process. It remained unclear to the Commissioner how either the financial institution or the merchant would suffer irreparable harm in the circumstances.
9(3)(c.1) – information collected under paragraph 7(1)(b)
- The Commissioner found that an organization had properly exercised its discretion to rely on paragraph 9(3)(c.1) in denying the complainant access to personal information the organization had collected for reasonable purposes related to an investigation into a breach of an employment agreement. The complainant’s knowledge and consent in the matter would have compromised the availability and accessibility of the information.
- An organization relying upon paragraph 9(3)(c.1) to withhold personal information must notify the Privacy Commissioner in accordance with subsection 9(5) of PIPEDA.
- Information relating to an organization’s investigation into its employee’s fitness to work fell under paragraph 9(3)(c.1).
9(3)(d) – information generated in the course of a formal dispute resolution process
- In order to qualify as a “formal dispute resolution process” pursuant to paragraph 9(3)(d) of PIPEDA, as a basis for withholding access to personal information, the process’s purpose must be to resolve a dispute and the process itself must be formal. A formal process mandates the presence of a framework or structure, either legislated or agreed to by the parties to the dispute.
- A formal dispute-resolution process implies the desire of parties to meet for the purposes of negotiating a resolution acceptable to each, which was not the case in a situation where an airport employee facing disciplinary measures was seeking access to documents and tape recordings relating to public complaints lodged against her. In the Commissioner’s view, the purpose of this exception is not to protect information gathered in the course of an administrative process for resolving such complaints or grievances. Such an interpretation would not respect the principles of natural justice, and would effectively deny individuals their fundamental rights to know of allegations made against them and to know the basis of decisions about them.
- Notes generated in the process of conducting a medical evaluation to assist an insurer in determining the complainant's eligibility for benefits were not considered to have been “generated in the course of a dispute resolution process”.
- An insurance company’s internal ombudsman office is not considered a “formal dispute resolution process” under PIPEDA.
- A grievance and arbitration process can be considered a formal dispute resolution process.
Corrections
- Merely informing a third party that information has been amended without sending the amended information to the third party is not sufficient to satisfy the requirement set out in clause 4.9.5 of PIPEDA. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
- An individual must demonstrate the inaccuracy of the information that an organization holds for the organization to be required to amend the information in question.
- PIPEDA Case Summary #2005-293 Commissioner considers access, correction, and inappropriate disclosure allegations against insurance company
- PIPEDA Case Summary #2006-359 Bank reported accurate information regarding bounced cheque
- PIPEDA Case Summary #2002-070 Bank accused of assigning inaccurate credit ratings
- Organizations must keep personal information as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. Organizations must amend an individual’s personal information as required when the individual successfully demonstrates either the inaccuracy or the incompleteness of the information.
- PIPEDA Report of Findings #2013-008 Individual objects to the real-time accuracy of credit score
- PIPEDA Report of Findings #2013-010 In response to a case of a teen who was a victim of online impersonation, Facebook agrees to help non-users, on a case-by-case basis, reinstate their on-line reputation
- Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
- PIPEDA Report of Findings #2013-010 In response to a case of a teen who was a victim of online impersonation, Facebook agrees to help non-users, on a case-by-case basis, reinstate their on-line reputation
- PIPEDA Case Summary #2016-010 Credit reporting agency takes remedial action after failing to maintain accurate records
- An organization was found to have met its obligations under Principle 4.9.6 when it gave an individual the opportunity to provide a statement regarding a disputed entry, which the organization then recorded and attached to the individual's credit file and transmitted to any third parties having access to the individual's credit information.
For more information regarding access to personal information under PIPEDA, see the OPC Fact Sheet on Accessing Personal Information under PIPEDA and related Guidance for Organizations.