DSAR Requirements Under PIPEDA (Canada)

PIPEDA access request requirements: individual rights, 30-day response deadline, identity verification, penalties, and OPC enforcement.

Last updated: 2026-03-01

Individual Rights That Trigger Access Requests

Under PIPEDA, individuals can request:

  • Access to their personal information held by an organization
  • Correction of inaccurate or incomplete personal information
  • Information about how their personal data has been used and to whom it has been disclosed

PIPEDA does not grant a standalone right to deletion, portability, or opt-out of sale. However, organizations must only retain personal information as long as necessary for the identified purpose.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

Response Deadline

Organizations must respond within 30 calendar days of receiving the request, even if the response is to explain why access is being denied or delayed. Extensions beyond 30 days require notifying the individual in writing and providing a reason for the delay.

Identity Verification

Organizations may require individuals to provide sufficient information to verify their identity before responding to an access request. PIPEDA does not prescribe a specific verification method, but the request must be made in writing. Organizations should not collect more personal information than necessary for the purpose of verification.

Cost

Access to personal information must be provided at minimal or no cost to the individual. Organizations cannot charge a fee that would discourage individuals from exercising their access rights.

The 10 Fair Information Principles

PIPEDA is built on 10 fair information principles (Schedule 1 of the Act):

  1. Accountability — an organization is responsible for personal information under its control
  2. Identifying purposes — the purposes for collection must be identified at or before the time of collection
  3. Consent — knowledge and consent are required for collection, use, or disclosure
  4. Limiting collection — collection must be limited to what is necessary for identified purposes
  5. Limiting use, disclosure, and retention — personal information shall not be used or disclosed for purposes other than those identified, except with consent
  6. Accuracy — personal information must be as accurate, complete, and up-to-date as necessary
  7. Safeguards — appropriate security safeguards must protect personal information
  8. Openness — an organization must make its privacy policies and practices readily available
  9. Individual access — upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and given access to it
  10. Challenging compliance — an individual shall be able to challenge an organization's compliance with these principles

Penalties

PIPEDA enforcement follows a recommendations-based model. The OPC investigates complaints and issues findings and recommendations, but cannot directly impose fines.

  • The OPC can apply to Federal Court for compliance orders
  • Organizations that violate court orders or obstruct investigations face fines of up to CAD 100,000 per offense
  • The OPC can refer matters to the Attorney General of Canada for prosecution
  • There is no private right of action under PIPEDA itself, though individuals can apply to Federal Court after the OPC completes its investigation

PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC).

When You Can Refuse Access

PIPEDA recognizes several grounds for refusing access, including:

  • Information that is subject to solicitor-client privilege
  • Information that could threaten the life or security of another individual
  • Information collected for a formal dispute resolution process
  • Information that would reveal confidential commercial information
  • Information collected for an investigation of a breach of agreement or a contravention of law

When refusing access, organizations must notify the individual in writing within 30 days, state the reason for refusal, and inform them of their right to complain to the OPC.

Who This Applies To

PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. There is no revenue threshold or company size exemption.

PIPEDA applies across Canada except in provinces that have enacted substantially similar privacy legislation: Quebec (Law 25), Alberta (PIPA), and British Columbia (PIPA). In those provinces, the provincial law applies to intra-provincial commercial activities, while PIPEDA still applies to federally regulated industries and cross-border data flows.
