Quick Hits
- Requests for personal information are increasing across Canada, and timelines are tight. HR teams that plan ahead can avoid last-minute scrambles and compliance headaches.
- Whether federal, provincial, public, or private, every regime expects careful handling of personal data and has specific timelines and exemptions to consider.
- A clear playbook, trained staff, and mapped data make access requests manageable. The organizations that invest in readiness protect privacy, reduce risk, and build trust.
This is the second article in a four-part series aligned with Cybersecurity Awareness Month, which occurs annually in October. Part 1 discusses compliance tips for U.S. privacy leaders handling practical data rights requests, Part 3 discusses tips and strategies under analogous privacy laws in the European Union, and Part 4 covers the considerations for responsible use of artificial intelligence (AI) and automated decision-making tools (ADMTs).
For employers and businesses operating across multiple provinces or straddling public, private, and federally regulated sectors, the challenge is acute. In Ontario, for example, a private-sector employer that isn’t federally regulated may have no legal obligation to give employees or applicants access to their own “employee personal information,” yet the same company must respond to a consumer’s access request for customer data.
In short, access rights in Canada are real, rising, and relentlessly nuanced. Organizations need preparation, training, and disciplined workflows to stay compliant, meet timelines, and minimize legal risk.
The Patchwork Problem: Who Is Covered by Which Law?
Across the country, different rules apply depending on who holds the information and who is asking for it. The result is a network of similar legal tracks that sometimes overlap and occasionally collide.
Federal public sector: At the federal level, public institutions are covered by the Privacy Act, which gives individuals a right to access personal information held by federal bodies and sets out timelines, exemptions, and review processes.
Provincial public sector: Provincial and territorial public sectors operate under their own freedom of information and privacy statutes, each with different names and nuances. These laws generally provide access to records in the custody or control of public institutions, along with specific exceptions and review rights.
Private sector: In the private sector, consumer access to personal information is primarily governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law. Some provinces have adopted their own legislation that is considered “substantially similar.” Health information often falls under separate health privacy statutes.
Employee data: Employee information adds another layer. For federally regulated employers, PIPEDA governs employee access requests. For provincially regulated employers, the picture varies: only certain provinces have privacy statutes that extend access rights to employees, though other employment or sectoral laws may provide access to specific records.
Together, these rules create a complex matrix. Organizations operating across Canada will want to understand how access rights differ by sector, jurisdiction, and requestor type, whether the request comes from a consumer, an employee, a job applicant, or a third-party representative.
Access Is Not Carte Blanche: Withholdings, Severance, and Exemptions
Access rights across Canada are powerful but not unlimited. Privacy laws in every jurisdiction set boundaries to protect individuals, organizations, and the public interest.
Privacy and confidentiality. Access requests can involve third-party personal information or confidential business data. In some cases, organizations may need to consult or notify affected parties before deciding what to release. Most privacy laws also prohibit releasing information that identifies another individual, and sharing it can create compliance risks. For example, if an applicant requests access to interview notes and those notes include the names or responses of other candidates, releasing that information could breach their privacy. Similarly, if a complaint file reveals the identity of the person who raised the concern, disclosure could create a risk of harm for that individual.
Legal privilege and investigations. Records tied to legal advice, disputes, or investigations are often exempt. Many laws also protect materials created for formal resolution processes.
Safety and public interest. Disclosure can be limited if it could endanger someone’s safety, affect law enforcement, or compromise an ongoing investigation. Some laws also allow or require proactive disclosure when health, safety, or environmental risks are at stake.
Custody and control. Access generally applies only to records an organization holds or controls. Determining what falls within scope can depend on where and how information is stored.
Severance. If exempt information can be separated, the rest of a record may still be shared.
An emerging trend involves job applicants asking for access to interview notes or emails. These requests can raise questions about confidential evaluations, third-party information, and privilege. Access does not automatically extend to internal assessments or legal advice, and some content may be protected or only partially releasable.
Timelines and Extensions: Meeting the Clock
While the specifics vary, most Canadian access regimes set a baseline thirty-day response period, with some provinces offering the possibility of a one-time extension (often up to an additional thirty days) for large volumes, complex searches, consultations, or operational interference. Many public-sector statutes also impose a “duty to assist” and require detailed response letters, including reasons for refusal and review/complaint rights. Failure to respond within the statutory period is typically deemed a refusal, triggering review rights.
Below is a consolidated, high-level chart focused on private-sector entities. This review is not exhaustive. For public bodies, most statutes set a thirty-day baseline with defined extension grounds; always verify the precise requirements in the applicable law.
Access Request Timelines—Private-Sector Entities
| Jurisdiction | Private-Sector Law | Baseline Response | Common Extensions* |
| --- | --- | --- | --- |
| Federal (private sector, and federally regulated employers, e.g., banks, telecommunications, etc.) | PIPEDA | 30 days | Up to +30 |
| Alberta consumers and employees | Personal Information Protection Act (PIPA) | 45 days | Up to +30 |
| British Columbia consumers and employees | Personal Information Protection Act (PIPA) | 30 days | Up to +30 |
| Ontario consumers only | No general private-sector statute for provincially regulated employers’ employee PI; PIPEDA applies to commercial/consumer PI | 30 days (under PIPEDA) | Up to +30 |
| Manitoba consumers only | PIPEDA applies to commercial activity, not to employee data | 30 days | Up to +30 |
| New Brunswick consumers only | PIPEDA applies to commercial activity, not to employee data | 30 days | Up to +30 |
| Nova Scotia consumers only | PIPEDA applies to commercial activity, not to employee data | 30 days | Up to +30 |
| Newfoundland consumers only | PIPEDA applies to commercial activity, not to employee data | 30 days | Up to +30 |
| Prince Edward Island consumers only | PIPEDA applies to commercial activity, not to employee data | 30 days | Up to +30 |
| Québec consumers and employees | Act respecting the protection of personal information in the private sector (P-39.1) | 30 days | Limited extensions; no specific extension permitted in the applicable legislation. |
| Saskatchewan consumers only | PIPEDA applies to commercial activity, not to employee data | 30 days | Up to +30 |
* Common extensions are summarized. Actual grounds, durations, and notice requirements are statute-specific and may require written notice specifying reasons and review rights.
Practical Readiness
Many organizations miss timelines for responding to access requests not because the issues are complex, but because coordination stalls. A few practical habits can make the difference:
- Clear ownership: Employers may want to set up a single intake point for access requests and designate who is responsible if that person is on vacation or unavailable. Make sure employees and applicants know whom to contact and how the process works. Having an email address such as Privacy@company or Access@company can help ensure the mailbox is always monitored.
- Smart training: Training HR, recruiting, and managers on what belongs in personnel and applicant files is important for compliance with the various laws. Employers may want to review templates for interview notes and evaluations, and write with the expectation that content may one day be reviewed.
- Data awareness: Employers may want to keep an updated map of systems and service providers that hold personal information. In addition, employers will want to check that contracts support access rights and don’t create barriers to lawful disclosure.
- Simple procedures: Using checklists for intake, ID verification, scoping, searches, and legal review is a useful method for maintaining compliance with the privacy laws. Employers will want to track deadlines and extensions to stay on top of statutory timelines.
- Quick-reference guide: Maintaining a short “exceptions” playbook covering common exemptions such as third-party information, privilege, confidential business data, and investigatory records is another key consideration. Employers may want to include tips for severance and consultations for the team responsible for handling requests in their playbooks.
- Verifying before sharing: Confirming the requester’s identity or authority can reduce the risk of fraud or misdirected disclosures.
Access laws are designed to give people meaningful access to their own information, not to create unnecessary burden. Knowing what can be shared, what can be withheld, and how to meet deadlines helps HR teams protect both privacy and organizational integrity.
Next Steps
As requests multiply and media attention grows, organizations face rising expectations for speed, accuracy, and fairness. The challenge lies not only in meeting strict timelines and parsing exemptions, but in managing the messy realities of multijurisdictional operations, legacy systems, and unclear data ownership.
For employers, this shift is particularly significant. Employee and applicant access requests are becoming more common, and even when not legally mandated, mishandling them can erode trust, invite complaints, or draw regulatory scrutiny.
The solution: a coherent, cross-Canada access playbook that harmonizes timelines, clarifies who owns each step of the process, and trains teams on how to search, sever, and respond with precision. Such a playbook can help employers meet their legal, privacy, and security challenges. Strong contract terms with vendors, solid record management, and clear escalation protocols are critical safeguards.
Bottom line: organizations that treat access rights as part of everyday governance—not an ad hoc legal fire drill—will stay ahead of regulators, strengthen employee and consumer confidence, and turn a compliance obligation into a trust-building opportunity.
Ogletree Deakins’ Calgary, Montréal, and Toronto offices, Cross-Border Practice Group, and Cybersecurity and Privacy Practice Group will continue to monitor developments and provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.