If you’re a privacy professional you will know that Canada’s privacy laws are in place to protect the privacy rights of individuals, not businesses.
Despite this fact and that Canada’s federal privacy law, PIPEDA, has been in force since 2001, it’s surprising how many others are confused on this point.
For instance, I recently had a client make an information request to an organization for access to corporate information. When the organization responded, they denied access to the requested information and claimed that PIPEDA required that they do so in order to protect the privacy interests of a business.
There may be circumstances where organizations have other legitimate reasonsĀ for denying access to certain information. There may also be circumstances where privacy laws such as PIPEDA should be cited in denying access to certain business records where releasing the information could unlawfully disclose the personal information of another individual. Organizations should not, however, cite Canada’s privacy laws as a justification to deny access to information requests on account of the privacy rights of a business.
If you encounter this scenario you may be dealing with someone who either doesn’t understand privacy laws or who is perhaps being disingenuous. After all, the general thrust of Canada’s privacy laws is to encourage organizations to create a culture of privacy in order to protect the privacy of individuals whose personal information is collected, used, retained or disclosed by such organizations.
If businesses do have commercially sensitive information, how should they deal with this type of request? Would they simply deny the request outright?
I can think of a number of situations where a business would not want information (even not particularly sensitive information) to get into the hands of their competitors, or to be published in the media. I understand that PIPEDA doesn’t grant an organization the right to refuse, so should the business adopt its own policy to state that the business will not disclose information it considers confidential or having commercial value?
If someone makes a request for commercially sensitive information, you could certainly deny the request (unless they have legal reasons to require the disclosure of the requested information).
PIPEDA generally provides individuals with the right to access their own “personal information”. It doesn’t, however, provide individuals with the right to make access to information requests for other information in a manner similar to public sector access to information laws (i.e. the federal Access to Information Act).
You raise an excellent point that businesses should proactively adopt internal practices to guide their staff when responding to access requests for information that is not “personal information” (i.e. commercially sensitive information). You may want to click on the “Corporate Information” Tag and then read my earlier post entitled “Information requires safekeeping”.