Are you concerned about personal information that organizations can collect and how they can use this information?
Whether or not you are worried about the misuse of personal information, it’s important to know that, even when information is requested, you don’t necessarily have to provide it. You can place limits on what you provide and assert your rights. If you need help, you can contact the Commission d’accès à l’information (access to information commission).
Important!
Different rules than those discussed in this article may apply to federal organizations, for example, regarding information collected for Employment Insurance, Old Age Security, or federal taxes.
The same applies to information collected by enterprises covered by federal laws, such as Crown corporations (for example, Canada Post), banks (except for caisses populaires), and telecommunications companies (for example, phone, internet, and television networks).
To learn more, contact the Office of the Privacy Commissioner of Canada.
At the time information is collected
Both private enterprises and public bodies must have a serious and legitimate reason for collecting your personal information. These organizations must also obtain your consent. To be valid, your consent must be clear, free, and informed.
The organization’s obligation to inform you
Organizations must inform you in clear and simple terms about:
- the reason for which the information is being collected
- how the information is being collected
- whether the organization is using technology that can locate or profile the user
- whether the information will be shared with anyone outside the organization
- whether there’s a possibility the information may be communicated outside Quebec, and
- your right to access the information and have it corrected, if you agree to its collection.
You also have the right to know
- how long your information will be kept,
- the categories of people who will have access to your information within the organization, and
- the contact information of the person responsible for the protection of personal information.
In general, information is collected directly from the person concerned. But there are some exceptions. For example, a parent or tutor can generally provide consent on behalf of a minor child.
Your right to accept or refuse
Although it may be necessary to provide information to receive public services or to be hired for a job, you can consider – any time you are asked – whether the information is truly necessary. Perhaps there is an alternative that better respects your privacy.
The more sensitive the information, the more careful you should be.
For example, if the information is being collected just to confirm your identity, a simple visual inspection of an ID card should be sufficient. It’s unnecessary for the organization to make a photocopy or take a picture of the card and keep it.
Regarding an employment contract, your criminal record or medical information can only be requested under very specific circumstances.
In addition, you only need to provide your social insurance number once you have started a job. A potential employer should not ask for your social insurance number before you are hired.
Finally, you can always refuse to be added to a list to receive advertising. In fact, you can refuse all forms of commercial or philanthropic solicitation.
See our articles on credit reports and leases to learn about your rights in those situations.
After the information has been collected
Even after you have provided your information, you can still assert your rights!
Additional consent
Your personal information has been collected for very specific purposes and can only be used for those purposes.
Therefore, an organization must generally ask for your consent again if it wishes to use your personal information for a different purpose.
There are some exceptions in which information can be used for another purpose without asking for your consent again. The website of the Commission provides more information on this.
Requests for access, correction and de-indexation
In some cases, you can also request access to information about a deceased loved one:
- to understand the circumstances of their death
- to assist you in arrangements following their death, for example, to obtain a photo of them
- for information about a possible genetic or family disease.
Such a request may be helpful in situations like the following:
- Problem: The organization has made an automated decision based on incorrect information.
Solution: You ask it to redo the calculation based on the corrected information.
- Problem: Someone stole your credit card and your credit report has been severely affected.
Solution: You contact the credit bureaus to correct the information and add a note explaining the incident.
De-indexation is sometimes also called the “right to be forgotten.”
You can only make these requests to a private enterprise. This includes private businesses and non-profit organizations.
You must prove that the dissemination of your information
- causes a harm to your reputation or your privacy that outweighs any public interest, or
- contravenes a law or a court order (for example, a court has ordered in camera proceedings).
How to make a request
The organization must answer you
A private enterprise has 30 days from the day it receives the request to answer you.
A public body must answer you within 20 days unless it provides – by the 20th day – a notice it will be late. In that case, it has an additional 10 days (30 days in total) to respond.
The organization can answer in any of three ways:
If the organization accepts your request, it gives you a copy of the information you requested, corrects it, deletes it, or de-indexes it, depending on what you requested.
If the information is in digital format, you can request a written and clear transcription. This could be, for example, a transcription of a recorded call, in addition to the audio file.
If information in digital form has been collected from you, you can require that it be provided in a “structured, commonly used technological format.” For example, you can state you prefer digital rather than paper format and that the file must be readable in a commonly used computer program.
If you have a disability, you can require reasonable and necessary accommodations to enable you to consult and understand the document.
The organization must explain why it has refused your request.
It should specify the article of law that justifies its decision.
It must answer your questions, if you need assistance to understand its answer.
Finally, it must inform you of the recourses available to contest this decision and the applicable time limits.
Some examples of reasons for refusal:
- The request is abusive, excessive, or unjustified.
- Access to the information could disclose information about another person and cause them serious harm.
- The “correction” requested concerns a professional opinion (for example, a medical diagnosis).
- The information cannot be de-indexed because the public interest is more important (for example, it involves a criminal conviction).
If the organization does not reply, your request is considered to have been refused.
If the organization refuses or does not answer you
You have 30 days to ask the Commission to review the organization’s decision.
When it involves a public body, the request is called an Application for Review. When it involves a private enterprise, it’s called an Examination of a Disagreement.
The application must be made in writing and fees may apply.
The Commission has a form that is used for both types of applications. Commission personnel can assist in completing the form if necessary.
In addition to this recourse at the Commission, a person can file a lawsuit in a civil court.
Here’s a reminder of time limits that must be respected:
Request to a Private Enterprise
The enterprise receives your request
The enterprise answers you
The enterprise has 30 days to answer you.
Types of answers:
- Accepts
- Refuses
- Does not reply
In case of refusal or no reply
You can request an “Examination of a Disagreement”
You have 30 days from the date of refusal to file this request with the Commission d’accès à l’information (access to information commission).
If the organization did not reply, your time limit to file a request is 30 days from the organization’s deadline to answer you.
Request to a public body
The organization receives your request
The organization answers you or sends you a notice that it will be late
The organization has 20 days to answer you or inform you that it will be late.
The organization answers late
The organization has an additional 10 days (30 days in total) to answer you, if it informed you that it will be late.
In case of a refusal or no reply
You can make an “Application for Review”
You have 30 days from the date of the refusal to file this application with the Commission d’accès à l’information (access to information commission).
If the organization did not reply, your time limit to file the application is 30 days from the organization’s deadline to answer you.
If you suspect that an organization is not complying with the law
Organizations must follow strict rules in handling your personal information and informing you of your rights.
If you suspect that an organization is not complying with the law, don’t hesitate to let them know about your concerns. You can also file a complaint with the Commission.