Employers must respond within 30 days, include reasons for withholding personal information.
The Federal Court recently underscored the importance of compliance with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) in a decision that applies only to federal works and undertakings subject to the Act. In Cote v. Day & Ross (Cote), 2015 FC 1283, Justice Harrington affirmed that: employers governed by PIPEDA  must respond to requests by employees for their personal information file within 30 days; reasons must be provided when refusing to provide full and complete information in response to a request; a personal information file may also include third-party information about an employee; and that the trend of awarding nominal damages for breach is ongoing.
What you need to know
- Decision applies only to federal works, undertakings and businesses subject to PIPEDA. Only those employers falling within section 4(1)(b) are subject to the Act. 
- 30-day timeframe for responding to PIPEDA requests. The Cote decision affirms that PIPEDA requires companies to respond to employee requests for access to the employee’s personal information held by the company within a 30-day timeframe, pursuant to section 8(3) of the Act.
- Provide reasons for withholding information. Compliance with section 8(7) of PIPEDA requires that a employers provide reasons for withholding personal information in response to an access request, even where the employee does not ask for reasons. Company privacy policies may not include a qualification that reasons for denying access to an employee’s personal information will only be provided “upon request.”
- Personal vs. third-party information. Communications between an employer and a third party about an employee are part of that employee’s personal information file. Section 9(1) of PIPEDA provides that a company may withhold personal information from an individual if doing so would result in revealing personal information about a third party. However, the third-party information must be severed where possible and the remaining information must be provided to the individual.
- Nominal damages. Cote confirms that damages for such breaches continue to be nominal, but that they may be ordered to reinforce the importance of complying with PIPEDA even where the employer has brought its policies and practices into compliance with the Act. In Cote, the employee was awarded $5,000 in damages and $1,000 for disbursements.
Companies should continue to be alert to their obligations sunder PIPEDA, and the decision in Cote emphasizes the importance of reviewing employee privacy policies and practices to ensure that access requests are addressed in a responsive and timely manner.
To discuss these issues, please contact the author(s).
Lisa K. Talbot, Molly Reynolds, and Eliot Che, with assistance from Caitlin Morin, Articling Student
© 2015 by Torys LLP. All rights reserved.
 Not all employers are subject to PIPEDA, per section 4(1)(b) of the Act. Federal works, undertakings and businesses are defined in section 2 of the Act, and include companies involved in, for example: banking, navigation and shipping, railways or other works that extend beyond provincial borders, air transportation; radio broadcasting, and works that operate outside provincial authority.