Access
Access to personal information under PIPEDA
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
One of PIPEDA's ten fair information principles is individual access: on request, a person is entitled to be told whether you hold personal information about them, to see that information, and to know how it has been used and to whom it has been disclosed. It pairs with a correction right. Handled well, an access request is routine; handled badly, it becomes a complaint to the regulator. The full text of the Act sits at the Department of Justice: Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), and the principle is summarized by the OPC under fair information principles.
What an individual is entitled to
Under the access principle, an individual can ask you to confirm that you hold their personal information, to provide an account of how it has been and is being used, and to identify the third parties to whom it has been disclosed. They are entitled to receive the information in a form that is generally understandable — if you use abbreviations, codes, or shorthand, you have to explain them. The right is about their own information, not a general right to your records.
The request process and the 30-day clock
You must respond to an access request within 30 days of receiving it. You may extend that deadline in narrow circumstances — for instance, where meeting it would unreasonably interfere with your activities, or where you need time for consultations or to convert the information into an alternative format — but you must notify the individual of the extension, the reason, the new deadline, and their right to complain to the OPC. Treating the request as if there were no clock is the most common way organizations turn a routine request into a finding against them: a missed deadline is deemed a refusal.
Cost: minimal, and only with notice
PIPEDA expects access at little or no cost. If responding will carry a charge, you must give the individual an advance estimate and let them decide whether to go ahead. Fees cannot be used to discourage people from exercising the right.
Correction and annotation
Access comes with a correction right. If an individual demonstrates that the information you hold is inaccurate or incomplete, you must amend it as required and, where appropriate, send the corrected version to third parties who have access. Where you and the individual disagree about a correction, you do not simply refuse — you note the unresolved disagreement on the file (an annotation) and, where appropriate, advise third parties of it. This is the safety valve that keeps disputes from becoming deadlocks.
When you can refuse or withhold
PIPEDA recognizes that some information cannot be released. You may be required or permitted to withhold where disclosure would reveal personal information about another identifiable individual, where the material is protected by solicitor-client privilege, where it was generated in the course of a formal dispute resolution, or where disclosure could reasonably be expected to threaten the life or security of another individual, among other limited grounds. Two disciplines matter here: sever and release — give the individual any portion that can reasonably be separated from the protected material — and explain — tell them you have withheld information, the general reason, and their right to complain to the OPC.
Verify identity first
Before you disclose anything, confirm you are dealing with the individual the information is about. Use the minimum verification necessary — enough to be confident, not a pretext to collect more data. Disclosing someone's personal information to an impostor is itself a safeguards failure, so identity verification is part of doing access correctly, not an obstacle to it.
Access is one of the ten fair information principles, and it interacts with consent and your safeguards posture. When a buyer's questionnaire asks how you handle subject access, the PIPEDA questionnaire guide shows how to answer it credibly.
Common questions.
How long do I have to respond to a PIPEDA access request?
Generally 30 days from receiving the request. You can extend the deadline in limited circumstances — for example, if meeting it would unreasonably interfere with your operations, or you need time to conduct consultations — but you must notify the individual of the extension, the new timeline, and their right to complain to the Office of the Privacy Commissioner. Failing to respond within the time limit is treated as a refusal.
Can I charge a fee to answer an access request?
Only minimally, and only with notice. PIPEDA expects access to be provided at little or no cost. If a cost will apply, you must tell the individual the approximate charge in advance and let them decide whether to proceed. You cannot use fees as a barrier to access.
Can I refuse a PIPEDA access request?
Sometimes. PIPEDA sets out specific grounds for refusing or withholding information — for example, where disclosure would reveal personal information about another individual, where the information is protected by solicitor-client privilege, where it was generated in a formal dispute-resolution process, or where disclosure could threaten security. Where you withhold, you generally must tell the individual, explain why, and inform them of their right to complain. You should release any portion that can reasonably be severed from the protected material.
How is a PIPEDA access request different from a GDPR data-subject access request?
They serve the same purpose — letting people see the data held about them — but differ in the details. GDPR's right of access comes with a one-month default timeline and a broader set of related rights (erasure, portability). PIPEDA frames access around the individual-access principle, sets a 30-day clock, pairs it with a correction right, and does not include a standalone right to erasure or portability. A program built for GDPR usually satisfies the spirit of PIPEDA access, but the timelines and refusal grounds are not identical.