A Canadian Data Access Request is a formal written request by an individual to an organization demanding disclosure of the personal information that the organization holds about them. Under the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), Principle 4.9 (Individual Access), upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information.

PIPEDA applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activity across Canada, except in provinces that have enacted substantially similar legislation. British Columbia's Personal Information Protection Act (PIPA, S.B.C. 2003, c. 63), Alberta's Personal Information Protection Act (PIPA, S.A. 2003, c. P-6.5), and Quebec's Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1) each provide access rights that are substantially similar to PIPEDA.

For public sector organizations, each province and territory has enacted freedom of information and protection of privacy legislation that provides individuals with a right of access to their personal information held by government institutions. These include Ontario's Freedom of Information and Protection of Privacy Act (FIPPA, R.S.O. 1990, c. F.31), British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA, R.S.B.C. 1996, c. 165), Alberta's Freedom of Information and Protection of Privacy Act (FOIP, R.S.A. 2000, c. F-25), and equivalent legislation in other provinces.

Under PIPEDA, the organization must respond to the request within 30 days of receipt. The response must be in a form that is generally understandable. The organization may not charge a fee that is excessive or that acts as an unreasonable barrier to the individual's right of access.

A Canadian Data Access Request is needed whenever an individual wants to know what personal information an organization holds about them. Common situations include employees or former employees requesting access to their personnel records and personal data held by their employer; consumers requesting access to data collected by retailers, financial institutions, telecommunications companies, or online platforms; individuals investigating potential unauthorized use or disclosure of their personal information; individuals who wish to exercise their right to correction or deletion and need to first understand the scope of data held; and individuals preparing to file a complaint with the Office of the Privacy Commissioner of Canada or a provincial privacy commissioner.

The request may be directed to any private sector organization that is subject to PIPEDA or substantially similar provincial legislation. This includes banks, insurance companies, telecommunications providers, retailers, technology companies, employers, landlords, healthcare providers in the private sector, and any other organization that collects, uses, or discloses personal information in the course of commercial activity.

For public sector organizations, the request should be made under the applicable provincial freedom of information and protection of privacy legislation. Different procedures and timelines may apply.

The request should be submitted as early as possible because response deadlines run from the date of receipt. Under PIPEDA, the organization must respond within 30 days. Provincial legislation may have different timelines.

A comprehensive Canadian Data Access Request should include several essential elements to comply with PIPEDA and provincial privacy legislation.

The requester's identifying information must be provided, including full name, address, province of residence, and email address. Account numbers, customer IDs, or other reference information held by the organization should be included to help locate the requester's personal information.

The legal basis section should identify PIPEDA Principle 4.9 and the applicable provincial privacy legislation. The scope of the request should specify whether the requester is seeking all personal information or limiting the request to specific categories or time periods.

Under PIPEDA Principle 4.9, the individual is entitled not only to a copy of the personal information but also to information about the use that has been made of it and the third parties to whom it has been disclosed. The request should specifically ask for this supplementary information.

The preferred response format should be stated. Under PIPEDA, the information must be provided in a form that is generally understandable, and where abbreviations or codes are used, the organization must provide an explanation.

The response deadline section should cite the 30-day statutory response period under PIPEDA. The request should note that fees must not act as an unreasonable barrier to access. The right to complain to the Office of the Privacy Commissioner of Canada or the applicable provincial privacy commissioner should be referenced.