The Right to Know and to Consent

PIPA and PIPEDA give you the right to know the reasons why an organization collects, uses and discloses your personal information. 

Except in specific, limited circumstances, such as where there is a legal requirement, or where you are an employee of the organization, you have a right to consent or not to consent to the collection, use and disclosure of your personal information by an organization in the private sector. Depending on the situation, there may be a term of a contract under which you have waived the right to withdraw consent, or there may be a law requiring the organization to collect your personal information – for example for tax purposes. 

The Right to Withdraw Consent

The right to consent is accompanied by the right to withdraw or change your consent. When you do not consent, or you withdraw your consent after you gave it, the organization has to tell you what the consequences will be of your declining or withdrawal of consent. 

The Right to Access

You also have a right to request access to your personal information. The organization must respond to your request generally within 30 days (although some time extensions are allowed). If the organization refuses to grant you access it must tell you why in writing and tell you that you can make a complaint to the Privacy Commissioner about the refusal. 

The Right to Request Correction

You have the right to request that a correction be made to your personal information. If the organization does not make the requested correction, it must make a note on the file or the document containing the information to explain the correction that was requested.    

Complaints to the Organization and to the Commissioner

You also have the right to make a complaint. You may make a complaint to the organization about its privacy practices and the organization must respond. 

If your dispute is not resolved successfully with the organization, you may seek assistance from the Office of the Information and Privacy Commissioner of BC if PIPA applies, or to the Office of the Privacy Commissioner of Canada if PIPEDA applies. 

Duties Imposed on Organizations in the Private Sector

PIPA and PIPEDA impose duties on organizations. An organization is accountable for all the personal information in its custody or under its control.  It must assign someone to be responsible for complying with the law and carrying out the responsibilities required by the law. That person’s name or work contact information must be made publicly available and the organization must give the contact information to you if you request it. 

Before or at the time it collects personal information, the organization must tell the individual either in person or in writing the purposes for the collection, use and disclosure of personal information. These purposes must always be reasonable and appropriate in the circumstances.