Access and Rectification Rights: Business Obligations
Art. 27-41, LPRPSP
What the law requires
Quebec's privacy law grants every person the right to access the personal information you hold about them and to have it rectified. These rights can only be limited in specific cases provided by law.
Right of access (Art. 27): Any person can request to view the personal information concerning them. They can also obtain information about how it is used and to which third parties it has been disclosed.
Response deadline (Art. 32): You have 30 days to respond to an access request.
Right of rectification (Art. 28): The person can request correction of inaccurate, incomplete, or ambiguous information. They can also request deletion of information whose collection or retention is not authorized.
Legal reference
Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant's request, computerized personal information must be communicated in the form of a written and intelligible transcript.
Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant's request, to any person or body authorized by law to collect such information.
If the person concerned is handicapped, reasonable accommodation must be provided on request to enable the person to exercise the right of access provided for in this division.
Art. 27, Act respecting the protection of personal information in the private sector
What you must do
Managing access requests requires a structured process to meet legal deadlines and document your actions. Each request must be handled with rigor and consistency.
Establish a reception process
Designate a clear contact point for access requests, ideally the person in charge of the protection of personal information (the privacy officer, or RPRP). Ensure all employees know how to forward a request they receive to that contact point.
- Publish a dedicated email address or form for requests
- Acknowledge receipt quickly (even if processing takes 30 days)
- Record the receipt date, as it triggers the legal deadline
- Request clarification if the request is unclear
Verify requester identity
Before disclosing information, you must ensure the requester is the person concerned. The verification method should be proportionate:
- For less sensitive information: confirmation through the email address already on file for the person
- For sensitive information: a government-issued identification document
- Never request more identifying information than verification actually requires
Search for information
Conduct a search across all your systems:
- Customer or employee databases
- Email systems
- Paper files and archives
- Subcontractor systems (if you transferred data)
- Backups (if accessible without disproportionate effort)
Prepare the response
Compile the information in an understandable format. If documents contain third-party information, you must redact (mask) it before transmission.
- Provide information in a readable format (PDF, spreadsheet)
- Clearly explain the source and use of the data
- Indicate third parties to whom information was disclosed
- If partially refusing, explain the legal grounds
Handle rectification requests
If the person requests a correction:
- Verify if the information is actually inaccurate
- Correct errors in all your systems
- Transmit the correction to relevant third parties if requested
- Keep a record of the original version and the correction
Common mistakes
- Exceeding the 30-day deadline. Failure to respond is equivalent to a refusal and exposes the business to a complaint before the CAI. Use a tracking system so that no deadline is missed.
- Charging excessive fees. Fees must reflect actual reproduction costs. Prohibitive fees violate the spirit of the law.
- Refusing without legal grounds. You can only refuse for reasons provided by law.
- Not verifying identity. Transmitting information without verification exposes the business to a data breach and a complaint from the person concerned.
- Forgetting secondary systems. Emails, handwritten notes, and Excel files often contain personal information. An incomplete search is an incomplete response.
- Not documenting the process. In case of complaint, you must be able to demonstrate proper handling. Keep a record of each step.
- Ignoring former customer requests. Access rights persist even after the business relationship ends. Handle these requests with the same rigor.
Frequently asked questions
What is the deadline for responding to an access request?
You must respond within 30 calendar days of receiving the request.
Can I charge fees for an access request?
You can charge reasonable fees for reproducing or transmitting documents, but you must inform the person in advance. Fees must reflect actual costs and not be prohibitive.
How do I verify the requester's identity?
You must reasonably ensure the requester is the person concerned. Request identification or use a verification method proportionate to the sensitivity of the information.
What if the information also concerns a third party?
You must redact the third party's information before transmitting the document. If this is impossible without making the information unintelligible, you may partially refuse the request.
Can a person request rectification of their information?
Yes. If the information is inaccurate, incomplete, or ambiguous, the person can request rectification. You must correct the information and, upon request, transmit the correction to third parties who received it.
What happens if I don't respond within the deadline?
Failure to respond within 30 days is equivalent to a refusal. The person can then file a complaint with the Commission d'accès à l'information (CAI), which could order disclosure and impose penalties.
How do I handle a request from a former employee or customer?
The same rules apply. Former employees and customers retain their access rights. Check your archives and respond within 30 days, even if the business relationship has ended.
Next step
Once your request handling process is in place, ensure you also have a privacy incident registry and a response plan in case of a data breach.