ClearBreach


Responding to Individual Access Requests Under Canadian Privacy Law

By Yong Du

How Canadian private-sector organizations must respond to requests from individuals asking to access their personal information under PIPEDA, Alberta PIPA, and BC PIPA — timelines, grounds for refusal, and common mistakes.

What an access request is — and what it is not

An individual access request is a written request from an individual asking your organization to confirm whether you hold personal information about them and, if so, to provide access to that information. Under PIPEDA, Alberta PIPA, and BC PIPA, this is a statutory right — not a courtesy you may choose to extend.

An access request is not:

  • A request to delete personal information (that right does not exist under PIPEDA or the provincial PIPAs in the same form as under GDPR)
  • A discovery process in litigation (handled by courts, not privacy statutes)
  • A request for documents that do not contain personal information about the requester

The right of access is personal: an individual may only request their own personal information, not someone else's. Requests made on behalf of minors or individuals with reduced capacity require verification of the requester's authority to act on behalf of that person.


Which laws apply

| Jurisdiction | When it applies | Regulator |
|---|---|---|
| PIPEDA | The organization collects, uses, or discloses personal information in the course of commercial activity; or the individual is in a province without substantially similar legislation (Ontario, Manitoba, New Brunswick, and others) | Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca |
| Alberta PIPA | The individual whose information is held is an Alberta resident or the information relates to Alberta employment | OIPC Alberta — oipc.ab.ca |
| BC PIPA | The individual whose information is held is a BC resident or the information relates to BC employment | OIPC BC — oipc.bc.ca |

If multiple statutes apply, each one's requirements must be met independently. Use the most demanding timeline and the narrowest grounds for refusal across all applicable statutes.


Step 1 — Verify the request is valid

A valid access request must be in writing and must identify the individual making it. You may require reasonable verification that the requester is who they claim to be — especially if the request covers sensitive information. Reasonable verification means asking for information the individual would plausibly know, not demanding government ID unless the information at stake is highly sensitive.

If a request arrives verbally, ask the individual to put it in writing. You are not required to begin the response clock until the request is in writing.

What you cannot do: Require an unreasonable volume of identifying information as a precondition, or create procedures that effectively deter individuals from making requests.


Step 2 — Start the clock and acknowledge receipt

The response clock starts when you receive a valid written request. Acknowledge receipt immediately — confirm you have received the request, identify who in your organization will handle it, and state the date by which you will respond.

| Statute | Initial deadline | Maximum extension | Notice required for extension |
|---|---|---|---|
| PIPEDA | 30 days | 60 days total (30-day extension) | Written notice to individual before day 30 |
| Alberta PIPA | 45 days | 90 days total (45-day extension) | Written notice to individual before day 45 |
| BC PIPA | 30 days | 60 days total (30-day extension) | Written notice to individual before day 30 |

If you need an extension, send written notice before the initial deadline expires. State the reason (volume of records, need for third-party consultation) and provide the new response date. Failing to respond within the deadline — or failing to send a timely extension notice — is a statutory violation.


Step 3 — Locate the personal information

Search all systems and locations where the individual's personal information might be held: your database, CRM, email system, physical files, backup systems, and any third-party platforms that process personal information on your behalf. The obligation extends to personal information held by processors and service providers acting on your behalf.

Document your search: which systems were searched, by whom, and on what dates. If your search concludes that you hold no personal information about the individual, your response must say so clearly.


Step 4 — Identify what can and cannot be disclosed

Not all personal information you hold must be disclosed in response to an access request. Review the applicable grounds for exception before preparing your response.

Grounds to refuse or limit access — PIPEDA s.9:

| Ground | What it means in practice |
|---|---|
| Third-party personal information | If the record contains personal information about another individual that cannot be severed, you may refuse that portion — but you must sever it if severing is reasonably practicable |
| Confidential commercial information | If disclosure would reveal confidential business information of the organization or a third party |
| Solicitor-client privilege | If the information is subject to legal privilege |
| Law enforcement or security | If disclosure could reasonably be expected to threaten public safety or impede a law enforcement investigation |
| Collected in relation to a legal dispute | If the information was collected in relation to formal legal proceedings in which the organization is a party |

Alberta PIPA and BC PIPA have comparable but not identical grounds for exception. The Alberta PIPA grounds are set out in ss. 25–27; BC PIPA grounds are in ss. 23–24. In practice, the most commonly applicable exception in an SMB context is third-party personal information — a file about one individual often contains information about a second person (a witness statement, a complaint, a co-applicant).

Severing: If a record contains both accessible and non-accessible information, you must sever the non-accessible portions and disclose the rest. Refusing the entire record because one portion is excepted is not permitted unless severance is not reasonably practicable.

Do not withhold information simply because it might be used in a complaint against you. This is not a recognized ground for exception under any of the three statutes. The OPC has specifically rejected "self-protection" as a basis for withholding personal information from the individual it belongs to.


Step 5 — Notify the individual of any fee

If you intend to charge a fee for responding to the access request, notify the individual in writing before proceeding. Your notice must:

  • State the estimated fee
  • Describe what it covers (copying costs, not the cost of reviewing or retrieving records)
  • Give the individual an opportunity to withdraw or refine the request

Do not proceed with the response until the individual confirms they wish to continue and accepts the fee estimate. You may not charge for the time spent reviewing, searching, or preparing the response — only for the actual cost of producing and transmitting the records.

Charging excessive fees to deter access is a violation of the individual's right of access. Regulators scrutinize fee policies that appear designed to discourage requests rather than recover costs.


Step 6 — Prepare and send your response

Your written response must:

  • Confirm whether you hold personal information about the individual
  • Provide access to the personal information you are disclosing, or a copy of it
  • Identify the categories of personal information you hold and the purposes for which it is used
  • If you are refusing access to any portion, state the specific statutory ground for refusal and the relevant provision
  • Inform the individual of their right to complain to the applicable privacy commissioner if they are dissatisfied with your response

Provide the response in a format that the individual can reasonably access. If the individual requests a particular format (electronic, paper), accommodate it where reasonably practicable.


Step 7 — Document the request and response

Maintain a record of every access request received, including:

  • Date the request was received
  • Date of your acknowledgement
  • Date of your response
  • What information was disclosed and what was withheld, with grounds
  • Any fee charged and the individual's confirmation
  • Whether the individual followed up with a complaint to a regulator

This record is part of your PIPEDA compliance program. If the individual files a complaint with the OPC or a provincial commissioner, the regulator will ask to see your request handling record.


Accuracy correction requests

The right of access is paired with a right of correction. If an individual reviews their personal information and believes it is inaccurate or incomplete, they may request a correction. Under PIPEDA, Alberta PIPA, and BC PIPA, you must either:

  • Correct the information, or
  • If you decline to correct it, annotate the record with the individual's claim that the information is inaccurate and make that annotation available to anyone who subsequently accesses the record

You may decline to correct factual records that accurately reflect what the individual said or did, or records of professional judgments or opinions. You may not decline simply because correction would be inconvenient.


Common mistakes

Treating access requests as optional or low priority. Access requests are statutory rights with fixed deadlines. Missing the deadline is a violation regardless of reason. Build a handling procedure before you receive your first request.

Refusing access without specifying the statutory ground. You must identify the specific provision of PIPEDA, Alberta PIPA, or BC PIPA under which you are refusing access. "We cannot provide this information" is not a compliant refusal.

Disclosing third-party personal information unsevered. If a file contains personal information about both the requester and a third party, sever the third-party information before responding. Disclosing a third party's personal information to another individual without authorization is itself a privacy violation.

Starting the clock from the wrong date. The deadline runs from the date you receive the written request — not the date you acknowledge it or begin your search. If you receive a request and take two weeks to acknowledge it, those two weeks have already elapsed against your deadline.

Withholding information because it might be used against the organization. This is not a recognized ground. Individuals have the right to access their information even if they intend to use it in a complaint or legal proceeding.


If the individual complains to a regulator

An individual who is dissatisfied with your response — or who receives no response — may file a complaint with the applicable privacy commissioner. The commissioner will contact you, ask for your response record, and investigate. Common findings in access complaint investigations:

  • Organization failed to respond within the statutory deadline
  • Organization refused access without a valid statutory ground
  • Organization charged excessive fees without prior notice
  • Organization failed to sever third-party information and either disclosed it improperly or refused the entire record when partial disclosure was possible

Maintaining a complete request handling record and responding promptly within the deadline resolves the majority of access complaints before they reach a formal investigation finding.



This guide covers individual access rights under PIPEDA, Alberta PIPA, and BC PIPA for private-sector organizations. Government institutions subject to the Privacy Act or provincial freedom of information legislation operate under different frameworks not covered here. Quebec's Act respecting the protection of personal information in the private sector (Law 25) is not covered here.

Frequently asked questions

Does an individual have a right to access their personal information under Canadian law?

Yes. Under PIPEDA, Alberta PIPA, and BC PIPA, individuals have the right to know whether an organization holds personal information about them and to access that information. This is one of the foundational individual rights in Canadian private-sector privacy law. The right is broad but not unlimited — there are specific grounds on which an organization may refuse or limit access, and those grounds are set out in each statute.

How long do I have to respond to an access request?

Under PIPEDA, you have 30 days to respond. You may extend that to 60 days with written notice to the individual before the initial 30-day period ends. Under Alberta PIPA, you have 45 days, extendable by another 45 days with written notice. Under BC PIPA, you have 30 days, extendable by 30 days with written notice. If PIPEDA and a provincial statute both apply, use the more demanding timeline — 30 days under PIPEDA or BC PIPA.

Can I charge a fee for responding to an access request?

Under PIPEDA, you may charge a reasonable fee but must first provide the individual with a written estimate of the fee and give them an opportunity to withdraw the request. You cannot charge for handling the request itself — only for the cost of providing access. Under Alberta PIPA, you may charge a fee only for the cost of providing a copy; reviewing and identifying the information is not chargeable. Under BC PIPA, the fee must not exceed the cost of providing access. Charging fees that are clearly designed to deter access rather than recover costs is not permitted.

Can I refuse an access request?

You may refuse or limit access only on specific grounds set out in the applicable statute. You may not refuse simply because the request is inconvenient, because you do not like the requester, or because you believe the requester will use the information in a complaint against you. If you refuse access, you must tell the individual why and inform them of their right to complain to the applicable privacy commissioner.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.