Rights of Data Subjects

Although not characterized as “rights”, PIPEDA and the provincial statutes (which are materially similar) provide individuals with a number of options, and impose on organizations a number of obligations, that together create a regime similar to many of the rights of data subjects contained in the GDPR.

Openness.  An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.  The information must include the name or title and contact information for the person accountable for these policies and practices, and to whom complaints or inquiries can be forwarded.  An organization must also make available a description of the type of personal information it holds and a general account of its use, the information available to related organizations, and information about how individuals can gain access to the personal information the organization holds about them.

Identifying Purposes. The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.  Identification of the purposes for which personal information is collected is at the heart of the consent requirement that provides the fundamental authorization for processing under PIPEDA.

Individual Access. Upon request, an individual must be informed of the existence, use and disclosure of his/her personal information and must be given access to that information, subject to certain exceptions set out in the law, and subject to other legal or contractual restrictions. The information should include an account of third parties to which personal information has been disclosed and the purposes for such disclosure.  An organization must respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The organization is encouraged to indicate the source of the personal information.

Correction of information. As part of the option to obtain access to information held by an organization, an individual is able to challenge the accuracy and completeness of the information and have it amended as appropriate. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization must amend the information.  Organizations are required to ensure that the personal information that they hold is as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Consent.  As noted above, an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization is required to inform the individual of the implications of such withdrawal.  This ability to withdraw consent includes the ability of an individual to request deletion (i.e., to withdraw consent to the continued retention of their personal information by an organization), to restrict processing (i.e., to withdraw consent for the use of their personal information for specified purposes) or to otherwise object to the processing of their personal information.  Related obligations of an organization include limiting the retention of personal information to only that information that is required to fulfil the purposes for which it was collected.