Canadian Privacy Basics - Chapter 2 Flashcards

1
Q

2.1 What is private sector legislation based on?

A

10 fair information principles found in PIPEDA.

2
Q

2.1 What are the 10 principles in PIPEDA?

A
  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Purposes
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance
3
Q

2.1.1 What is Accountability?

A

An organization must implement procedures that protect personal information, establish procedures to receive and respond to complaints or questions, train staff, and be transparent about all these procedures and practices.

Organizations are required to appoint individuals with primary responsibility for privacy protection, and the principle makes organizations responsible for the personal information over which they have either custody or control.

4
Q

2.1.1 Provide an example of how Accountability can be interpreted.

A

Google (2010) created Google Buzz, which allowed Google Mail contacts to be added as followers. This resulted in an abusive ex-husband learning the whereabouts of his ex-wife.

5
Q

2.1.2 What is the intent of the Identifying Purposes principle?

A

Organizations are obligated to identify and document the purposes for the collection of any personal information at or before the time of collection.

6
Q

2.1.2 Can personal information be repurposed without consent of the individual?

A

No, this would be a privacy breach. If PI is collected for a different purpose, consent must once again be collected.

7
Q

2.1.3 What is required for meaningful consent?

A

Meaningful consent is consent given when the individual knows and understands the purposes for the collection, use or disclosure of the personal information.

8
Q

2.1.3 What is sensitive personal information?

A

Sensitive personal information is medical or financial information, or information that could result in serious cases of identity theft.

9
Q

2.1.3 When does implied consent become appropriate?

A

When the personal information being collected is innocuous and the purpose of the collection straightforward.

10
Q

2.1.3 When is it ok to use an opt-in feature when asking for consent?

A

When the purpose of collection is straightforward and the information is innocuous.

11
Q

2.1.3 When is an opt-out feature required when asking for consent?

A

When the information being collected is sensitive, explicit and documented.

12
Q

2.1.3 Is an individual required to supply more personal information than what is required?

A

No, the principle specifically states: an organization shall not… require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purpose.

13
Q

2.1.3 Is consent always required?

A

Yes, each individual must be given the opportunity to withdraw consent.

14
Q

2.1.4 What does the Limiting Purposes principle state?

A

Organizations are required to collect only the amount and type of personal information legitimately needed to fulfill the identified purposes.

15
Q

2.1.5 What does the Limiting Use, Disclosure and Retention principle require?

A

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

16
Q

2.1.5 What is important to remember about retaining personal information?

A
  1. Personal information that has been used to make a decision about an individual should be retained long enough to allow the individual access to the information after the decision has been made.
  2. An organization may be subject to legislative requirements with respect to retention periods for certain types of information.
17
Q

2.1.6 Why is it important to keep personal information updated while in use?

A

Organizations should make sure the information they are using to make decisions about providing credit or medical care to people is accurate in order to avoid inappropriate decisions or ill-fated consequences.

Note: the irony is that PIPEDA does not require PI to be kept up to date by law.

18
Q

2.1.7 What are the requirements when safeguards are used?

A

Security safeguards must protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification, regardless of media type.

Information must be protected according to the sensitivity of the information (e.g. data classification).

19
Q

2.1.8 What are the requirements of the Openness principle?

A

Policies and practices must be readily available for individuals relating to management of personal information.

Policies and practices must include:
1. Name, title and address of where complaints can be filed
2. How to gain access to PI that is held by the organization
3. A description of the type of information held by the organization, and a general statement on how it’s used
4. A copy of any information that explains the organization's policies, standards or codes.
5. The PI that is made available to related organizations, such as subsidiaries.

20
Q

2.1.9 What are the obligations under Individual Access?

A

Individuals must be informed of the existence, collection, use and disclosure of personal information.

Discrepancies in PI must be corrected.

Requests for access must not be delayed.

21
Q

2.1.10 Do individuals have the right to challenge how their personal information is being handled?

A

Yes, Canadian law provides individuals with the right to complain if they are unhappy with how their PI is being handled, and if the situation is not remediated by the organization.

22
Q

2.2.1 When did PIPEDA start to come into force?

A

January 1, 2001

23
Q

2.2.1 What government strategy was PIPEDA part of?

A

Canada’s electronic commerce strategy.

24
Q

2.2.1 What was the intent of Canada’s electronic commerce strategy?

A

To make Canada a world leader in electronic commerce.

25
Q

2.2.1 What was the significance of the launch of PIPEDA?

A

It ushered in a new era of privacy protection in Canada.

26
Q

2.2.1 What is the purpose of PIPEDA?

A

To establish… rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

27
Q

2.2.1 How has the purpose of PIPEDA been interpreted?

A

As a balance between the needs of protecting personal information and the needs of the organization to conduct business.

28
Q

2.2.1 What are the two competing interests that PIPEDA tries to address?

A
  1. An individual's right to privacy, and
  2. the commercial need for access to personal information.
29
Q

2.2.1 Why is the Right of Privacy not absolute within PIPEDA?

A

Because the terminology used includes:
* reasonable person
* appropriate
* in the circumstances

30
Q

2.2.1.1 To whom does PIPEDA apply?

A

The entire private sector.

31
Q

2.2.1 What existed in Canada prior to PIPEDA?

A

An industry self-regulatory approach, which is still used in the US today.

32
Q

2.2.1.1 What does Section 4 of PIPEDA state regarding to whom the act applies?

A

PIPEDA applies to every organization in respect of personal information that
a) the organization collects, uses or discloses in the course of commercial activities; or
b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

33
Q

2.2.1.1 How is PIPEDA limited in scope?

A

It does not apply to:
a) any government institution to which the Privacy Act applies

b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes (and not for any other purpose)

c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes (and not for any other purpose)

34
Q

2.2.1.1 What are two important concepts to understand about PIPEDA?

A
  1. It must be determined that the organization is involved in commercial activity
  2. It must be understood to what extent the organization operates as or in connection with a federal work or undertaking.
35
Q

2.2.1.1 What ‘federal works’ are considered to fall under the legislation of PIPEDA?

A
  1. airports, airlines, aircraft
  2. telecommunications
  3. radio and television broadcasting
  4. banks
  5. grain elevators
  6. nuclear facilities
  7. offshore drilling operations
36
Q

2.2.1.1 What determines if a company is a federal work, undertaking or business?

A

If the company is subject to any part of the Canada Labour Code.

37
Q

2.2.1.1 How is PIPEDA different from other federal statutes?

A

PIPEDA was drafted to apply across the country.

38
Q

2.2.1.1 If provinces pass their own privacy law, what standards must it adhere to?

A
  1. The 10 Privacy Principles of PIPEDA.
  2. Have an independent oversight body like the OPC
  3. Contain a redress mechanism for those who are aggrieved
39
Q

2.2.1.1 What provinces have similar privacy laws?

A
  1. Alberta PIPA
  2. British Columbia PIPA
  3. The Quebec Act
  4. Ontario PHIPA
  5. New Brunswick PHIPAA
  6. Newfoundland and Labrador PHIA
  7. Nova Scotia PHIA
40
Q

2.2.1.2 How does PIPEDA define commercial activity?

A

Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

41
Q

2.2.1.2.2 What has the OPC determined regarding nonprofit organizations in the context of PIPEDA?

A

Even though an organization may be nonprofit and membership-based, it can still engage in commercial transactions that trigger PIPEDA.

42
Q

2.2.1.3 What does PIPEDA make mandatory when an organization collects, uses and discloses personal information?

A

The collection, use and disclosure must only be done with the consent of the individual about whom the personal information is being collected.

43
Q

2.2.1.3 When is consent not required when collecting personal information?

A

Consent is not required when collecting personal information in the following circumstances:
a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
c) it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;
d) it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;
e) the collection is solely for journalistic, artistic or literary purposes;
f) the information is publicly available and is specified by the regulations or the collection is made for the purpose of making a disclosure

44
Q

2.2.1.3 What obligations are critical for organizations bound by PIPEDA?

A
  1. The requirement of obtaining consent and the obligation to act reasonably when doing so.
  2. The right to provide access to personal information.
45
Q

2.2.1.3 When does an organization bound by PIPEDA not need to provide access to personal information?

A
  1. When the information would reveal details about a third party for national security or law enforcement reasons;
  2. when commercially sensitive information is revealed;
  3. when solicitor-client privileged information is revealed;
  4. when life or security of an individual is threatened
46
Q

2.2.1.4 What is the role of the OPC?

A
  1. Enforcement of PIPEDA
  2. Initiate a complaint if there are reasonable grounds for doing so
  3. Utilize extensive powers of investigation, including power of subpoena and compelling individuals to give evidence
  4. Enter the premises of an organization during the investigation of a complaint
  5. Develop and conduct information programs to encourage public understanding of PIPEDA
47
Q

2.2.1.4 Are OPC investigations public or private?

A

There are statutory requirements to keep investigatory details out of the public domain unless the public interest in the matter requires otherwise, or unless one of the specific enumerated reasons for the investigation allows for the disclosure of information.

48
Q

2.2.1.4 Under the OPC’s mandate of education and awareness, what is required of the OPC?

A
  1. Develop and conduct information programs to encourage public understanding of PIPEDA
  2. Carry out and publish research on matters relating to the protection of personal information
  3. Encourage organizations to voluntarily adopt appropriate compliance practices and procedures
49
Q

2.2.1.4.1 What changes were made to breach notification and record keeping requirements with the 2015 passage of the Digital Privacy Act?

A
  1. Organizations will be subject to mandatory notification to the OPC of any breach of security safeguards involving personal information. A real risk of significant harm requires notification to individuals.
  2. Organizations will be required to keep a record of all breaches involving personal information and provide a copy to OPC upon request.
50
Q

2.2.1.4.2 How has the Digital Privacy Act changed the definition of personal information?

A

Personal information has been updated to mean information about an identifiable individual, including business contact information.

51
Q

2.2.1.4.5 When is consent considered valid?

A

Only if it is reasonable to expect that the individuals to whom an organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

52
Q

2.1.4.3 When is consent not required when collecting PI?

A
  1. Investigations and fraud detection/prevention: during investigations or fraud detection and prevention activities
  2. business transactions, such as the sale of a business, a merger, or lease of company assets
  3. Witness statements in insurance claims
  4. Identifying injured, ill, deceased or communicating with next of kin: however, if the person is alive, they must be notified in writing that their PI has been shared
  5. Financial abuse: PI can be disclosed without consent if the individual has been or may be the victim of abuse
  6. Employment relationships in federally regulated workplaces: consent is not required to establish, manage, or terminate an employment relationship. However, individuals must be informed in advance that their PI can be collected, used or disclosed for such purpose
  7. Personal information produced during the course of employment: consent not required, as long as it is consistent with its intended purpose