When access prohibited
(1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
(2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual’s life, health or security is threatened.
Information related to paragraphs 7(3)(c), (c.1) or (d)
(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization
(a) inform the individual about
(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or
(ii) or paragraph 7(3)(c.2) or (d), or
(b) give the individual access to the information referred to in subparagraph (a)(ii).
Notification and response
(2.2) An organization to which subsection (2.1) applies
(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and
(b) shall not respond to the request before the earlier of
(i) the day on which it is notified under subsection (2.3), and
(ii) thirty days after the day on which the institution or part was notified.
(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to
(a) national security, the defence of Canada or the conduct of international affairs;
(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization
(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);
(b) shall notify the Commissioner, in writing and without delay, of the refusal; and
(c) shall not disclose to the individual
(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under para graph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,
(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or
(iii) that the institution or part objects.
When access may be refused
(3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if
(a) the information is protected by solicitor-client privilege or, in civil law, by the professional secrecy of lawyers and notaries;
(b) to do so would reveal confidential commercial information;
(c) to do so could reasonably be expected to threaten the life or security of another individual;
(c.1) the information was collected under para graph 7(1)(b);
(d) the information was generated in the course of a formal dispute resolution process; or
(e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
However, in the circumstances described in para graph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.
(4) Subsection (3) does not apply if the individual needs the information because an individual’s life, health or security is threatened.
(5) If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.
2000, c. 5, s. 9, c. 17, s. 97; 2001, c. 41, s. 82; 2005, c. 46, s. 57; 2006, c. 9, s. 223; 2015, c. 32, s. 9.