Chapter 2 Flashcards

1
Q

Do Canadian privacy laws generally prohibit international transborder flow of personal information from Canada to locations outside of Canada, including the United States? Explain.

A

No. “Statutory language in PIPEDA, taken together with the privacy commissioner’s interpretations of PIPEDA, clearly demonstrates that transfers outside of Canada are permitted.”

2
Q

Does PIPEDA discuss transfers of personal information? If yes, what section? If no, why not?

A

Yes. “Section 4.1.3 of the schedule to the act states that, when transferring personal information, appropriate safeguards must be used so that the transferring organization remains accountable: ‘An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.’”

3
Q

Explain PIPEDA Case Summary #333.

A

In this case (“Canadian-based company shares customer personal information with U.S. parent”), two individuals filed complaints concerning their security system provider. The complainants asserted the company was using an inappropriate form of consent with respect to its practice of sharing customer personal information with its American parent company. Both complainants also expressed concern about the possibility of their personal information being accessed by U.S. government authorities because of the passage of the USA PATRIOT Act.
The commissioner, however, determined that the company had taken the appropriate step of informing its customers about its personal information practices and was not required to obtain additional consent from its customers. In addition, the organization properly safeguarded the information after it was transferred to the company in the United States.

4
Q

When did the OPC begin a consultation process concerning proposed changes to its interpretation of transborder data flows under PIPEDA? What were the proposed changes, and what happened?

A

April 2019. “The proposed changes included (1) making consent mandatory for any cross-border transfer for processing and (2) requiring businesses to communicate options that are available to individuals if they do not want their information processed outside of Canada.”

“The OPC received 87 replies to the consultation, many of which expressed concern that the mandatory consent requirement was not justified under the current text of the act and that it was unreasonably onerous. The OPC responded by shelving the proposed changes, and thus for now the status quo has been maintained.”

5
Q

What are cookies? (2 parts)

A
  1. Cookies allow web servers to keep track of the end user’s browser activities and connect individual web requests into a session.
  2. Cookies can also be used to prevent users from needing authorization for every password-protected page they access during a session by recording that they have successfully supplied their usernames and passwords already.
6
Q

First-party cookies

A

Cookies are first-party cookies if they are placed by the website that is visited.

7
Q

Third-party cookies

A

Cookies are third-party cookies if they are placed by a party other than the visited website.

8
Q

Session cookies vs. persistent cookies

A

Cookies are “session cookies” if they are deleted when a session ends, or “persistent cookies” if they remain longer.

9
Q

What happens when a cookie is installed on a user’s computer by or on behalf of a third-party marketer?

A
  • The cookie’s ID will be matched when the user later visits a website that is part of the marketer’s network, thus allowing the marketer to place a specific ad on the website being viewed by the user.
  • The cookie permits data regarding browsing history to be recorded and saved to better predict a user’s interests and develop a more accurate marketing profile of the user.
10
Q

What does the cookie contain?

A

(1) an ID that is 18 characters long and unique to the individual’s browser, and
(2) the date, time and duration of the individual’s visit to the “cookied” website.

11
Q

Do cookies have expiration dates?

A

Not always. “Some cookies have no expiration date, so, unless individuals remove them themselves, the cookies will remain on their computers in perpetuity.”

12
Q

PIPEDA applies to activities as they relate to Canadians residing in provinces that do not have their own laws. Provinces with their own private-sector laws are Quebec, Alberta and British Columbia. The applicability of any law to marketing activities depends on which two fundamental questions?

A
  1. What is personal information?
  2. Is the data processor collecting, using or disclosing personal information as part of its activities?

If no personal information is involved in the data processing, then none of the privacy laws apply.

If personal information is involved in the initiative, then each law applies.

Because of the similarities between the laws, compliance with one would almost certainly result in compliance with the others.

13
Q

Several pronouncements have been made concluding that data such as an IP address and cookie-related information is personal information. What has the privacy commissioner stated?

A

“Some respondents would like the OPC to provide guidance on determining the point at which tracking information becomes information about an identifiable individual.

Without conducting an investigation, it would not be prudent for the OPC to definitively state that all online data collected is or is not personal information. We have traditionally applied a broad interpretation of personal information.

In certain cases, we have determined that IP addresses, for example, are personal information, including in the context where an IP address is associated with an individual’s online activities.

We have also found that cookies are personal information. While we realize that there are gray areas and that context will always be a factor, the above examples of OPC findings illustrate that the information involved in online tracking, profiling and targeting has been found to be personal information in the past—a point that organizations may want to consider when developing their practices.”

14
Q

Why are cookies considered personal information when a cookie does not itself identify the individual? Cite the privacy commissioner’s response.

A

“With respect to the argument that the cookie does not itself identify the individual, this is likely not sufficient for it to fall outside the definition of personal information. For example, in one case, the privacy commissioner reasoned that the information is personal even if the information itself does not lead to the identity of the individual. If the information is unique to the individual, then it is identifiable.”

15
Q

In 2013, the OPC investigated a complaint about Google’s online advertising service. Explain.

A

“In 2013, the OPC investigated a complaint that Google’s online advertising service had used sensitive information about individuals’ online activities to target them with health-related advertisements, contrary to Google’s own policies and in violation of PIPEDA.”

16
Q

What is a breach?

A

“A data breach is when unauthorized access, collection, use or disclosure of personal information occurs.”

17
Q

The Digital Privacy Act came into force, introducing changes to PIPEDA. When, and what did it introduce? (7 points)

A
  1. Several amendments to PIPEDA.
  2. New data breach reporting and notification provisions.

The provisions include a requirement for organizations to notify the OPC and affected individuals of “any breach of security safeguards involving personal information under [the organization’s] control if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to an individual.”

Specifically, the written notification to the OPC must include the following:
  1. Description of the circumstances of the breach and, if known, the cause
  2. Day on which, or the period during which, the breach occurred
  3. Description of the personal information that is the subject of the breach
  4. Estimate of the number of individuals who risk significant harm from the breach
  5. Description of the steps the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm
  6. Description of the steps the organization has taken or intends to take to notify each affected individual of the breach
  7. Name and contact information of a person who can answer, on behalf of the organization, the OPC’s questions about the breach

18
Q

In a breach, “notification must be provided to affected individuals, and it must include the following:” (7 points)

A


  1. Description of the circumstances of the breach
  2. Day on which, or period during which, the breach occurred
  3. Description of the personal information that is the subject of the breach
  4. Description of the steps the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm
  5. Description of the steps the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm
  6. A toll-free number or email address the affected individual can use to obtain further information about the breach
  7. Information about the organization’s internal complaint process and about the affected individual’s right, under the act, to file a complaint with the OPC

19
Q

How does an organization satisfy the record-keeping requirement regarding breaches? (3 points)

A

  1. The organization must also “keep and maintain a record of every breach of security safeguards involving personal information under their control” and produce the record to the OPC upon request.
  2. It must keep “a record of every breach of security safeguards for 24 months after the day on which the organization determines the breach has occurred.”
  3. Also included in the act is a provision resulting in fines of up to $100,000 for knowingly violating the notification or record-keeping requirements.

20
Q

Alberta breach response requirements

A

“Alberta PIPA requires organizations to provide the commissioner with notice about the loss of, or unauthorized access to, personal information under the organizations’ control.

Organizations that are subject to Alberta PIPA must report to Alberta’s commissioner about any incidents involving loss, unauthorized access, or disclosure of personal information if a reasonable person would find that a real risk of significant harm to an individual exists as a result.”

21
Q

Under Alberta PIPA, what must notification to the commissioner include? (5 points)

A

  • a description of the incident,
  • the date or time period during which the incident occurred,
  • a description of the personal information involved,
  • an assessment of the risk of harm to individuals as a result of the incident,
  • an estimate of the number of individuals affected,
  • a description of any steps taken by the organization to reduce the risk of harm to individuals, and contact information for an individual at the organization who can answer the commissioner’s questions about the incident.

22
Q

Alberta’s guidelines outlining response measures to a data breach include: (2 points)

A

A method of evaluating the risk (i.e., potential “significant harm”) associated with the breach.

The factors that are relevant to determining whether a breach creates a real risk of significant harm to the individual include the following:
  • Sensitivity of the personal information involved in the breach
  • Probability that the personal information has been, is being, or will be misused
  • Any other prescribed factor

23
Q

What happens once breach notice has been given to the commissioner?

A

“Once notice has been given to the commissioner, the OPC determines whether the individual(s) affected must be informed of the breach. The office has issued a statement highlighting the information that must be included to satisfy these notice requirements.”

24
Q

Does Canada’s privacy legislation allow organizations to conduct video surveillance?

A

Yes. “However, this must be equally supported by transparency and an individual’s right to privacy.”

25
Q

Explain the Society for Worldwide Interbank Financial Telecommunication (SWIFT) case study, and give its date.

A

“In 2006, an individual filed a complaint against six Canadian financial institutions related to the disclosures of personal information made to U.S. government authorities by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

This complaint was filed subsequent to the publication of an article in the New York Times that revealed that, since September 11, 2001, the U.S. Department of the Treasury had been regularly accessing tens of thousands of financial transaction records from SWIFT.

The essence of the complaint was that the banks were not authorized, pursuant to PIPEDA, to allow the disclosures to take place without consent.

SWIFT did not dispute the disclosures.

In response to the publicity about the New York Times article, it posted a statement on compliance on its website.

According to the statement, it “responded to compulsory subpoenas for limited sets of data from the Office of Foreign Assets Control of the United States Department of the Treasury.”

SWIFT supplies messaging services and software to more than 7,900 financial institutions in more than 200 countries.

In essence, the messages are usually used for cross-border payments, and the SWIFT system is used by Canadian banks. The messages in question contained personal information, such as name, address, account number, and amount of transfer. All the personal information was stored on databases that were mirrored in both Europe and the United States.”

“Even though SWIFT’s operations in Canada made up only a small percentage of the organization’s global business operations, the OPC noted that SWIFT had a significant Canadian presence. The vast majority of international transfers involving personal information flowing to or from Canadian financial institutions used the SWIFT network.”

“The OPC determined that SWIFT had not contravened the act when it disclosed personal information to the U.S. government. PIPEDA allows an organization such as SWIFT to abide by the legitimate laws of other countries in which it operates, and an organization may disclose personal information without knowledge or consent in response to a subpoena issued by a court, person or body with jurisdiction to compel the production of information.

Recognizing that multinational organizations must comply with the laws of the jurisdictions in which they operate, the OPC reasoned that an organization that is subject to PIPEDA and that has legitimately moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. The OPC therefore found that the exception to consent that allows for such disclosures applied.”

“The OPC concluded that the complaint against the banks was not well-founded because the contractual documentation that existed between SWIFT and the banks included clauses that proved the banks met their obligations under PIPEDA, which required the banks to ensure a comparable level of protection once the personal information was transferred to SWIFT.”

26
Q

TJX (Winners, Homesense) case: date, and explain.

A

December 2006. “An intruder had gained access to their internal computer systems. The intruder was able to surreptitiously access and copy personal information of customers who had shopped at one of TJX’s retail outlets. The personal information of Canadians was compromised in addition to that of U.S. residents. The personal information included:
  • Credit card numbers, including expiration dates, used by customers. This information was collected and retained in order to process payments.
  • Names, addresses and telephone numbers of customers entered electronically after November 2005.
  • Canadian driver’s licenses and other provincial identification numbers, and names and addresses used by customers.”

“The information in the last two examples was collected to prevent fraud. The intrusions started in mid-2005 and continued until December 2006.”

“TJX informed relevant law enforcement and regulatory authorities of the breach throughout December 2006 and January 2007. Among the officials notified were the federal and provincial privacy commissioners. Based on what TJX had informed them, the OPC and the IPC Alberta initiated investigations into the data breach to determine if TJX had violated any Canadian privacy laws.”

“After noticing the breach, TJX Companies:
  • Undertook forensic and other investigations to audit and analyze the security of the TJX computer system as well as to enhance the security of the TJX computer system in a continuing effort to safeguard against future attempted unauthorized intrusions.
  • Contacted law enforcement officials.
  • Issued press releases about the computer intrusion and posted updated customer alerts on its websites, including at www.winners.ca and www.homesense.ca. TJX also sent letters to the approximately 330 individuals with Canadian addresses whose personal ID numbers, together with related names and addresses, had likely been accessed during the computer intrusion.
  • Established a 24-hour, seven-days-a-week, toll-free help line for customers, including Canadian customers.
  • Implemented a number of technical changes.”

The commissioners began their analysis of the case by pursuing the following lines of questioning:
  • Whether or not the organization had a reasonable purpose for collecting the personal information affected by the breach
  • Whether or not the organization retained the information in compliance with the legislation (i.e., PIPEDA and the Alberta PIPA)
  • Whether or not the organization had reasonable safeguards

“Regarding the types of information collected, the commissioners concluded that names and credit card information are necessary for transacting business as a retailer. However, the commissioners took great exception to the other types of information that were collected and compromised; namely, the collection of driver’s license numbers.”

“On the issue of the retailer’s retention policies, the commissioners again concluded that the existing practice failed to meet legislative requirements. Specifically, the retailer had been storing the personal information indefinitely. Moreover, because the commissioners thought the collection of driver’s license numbers was not reasonable to begin with, any retention of the same could not be justified either.

Probably the most difficult issue investigated by the commissioners was whether the retailer had adequate safety measures in place at the time of the breach. In this regard, it is important to understand exactly how the breach occurred. The intruder was able to access the retailer’s electronic database of customer information by breaching a wireless signal used in two of the retailer’s U.S. stores. At the time, the retailer used an encrypted wireless signal, but it was with a cryptographic standard known as WEP (Wired Equivalent Privacy).”

“With respect to the level of encryption used by the retailer in its wireless systems, the commissioners concluded that the WEP standard had been known to be inadequate since 2003. Moreover, the industry standard recognized that the WEP encryption methodology was inadequate. Although the retailer argued that it was one of the few organizations that had already begun the process of installing a better encryption methodology—Wi-Fi Protected Access (WPA)—the commissioners were nonetheless of the view that the delinquency of others in adopting the better standard did not exonerate TJX from its legislated obligation to have reasonable safeguards in place.”

27
Q

TJX (Winners, Homesense): solution for driver’s license numbers

A

These conclusions caused the commissioners to recommend that the retailer cease collecting drivers’ license information.

“In response, TJX came up with an innovative technical solution called hashing. The new process makes use of a cryptographic hashing function, in which an identification number is immediately converted to a new number referred to as a ‘hash value,’ thereby rendering actual driver’s license numbers unreadable to anyone.”

“The hash value would accomplish the goal of establishing a unique numeric identifier for each customer making a return without storing or keeping the actual driver’s license number.”

28
Q

From the TJX and SWIFT case studies, what key conclusions can be drawn about how private-sector privacy protection is being handled in Canada?

A

  • The international data flow of information will not impede the applicability of laws in Canada. If an organization operates in Canada and affects the personal information of people within Canada, it is likely that one or more Canadian laws will apply.
  • Notwithstanding the broad application of the law, it seems that Canadian privacy laws will not stand in the way of legitimate business uses of personal information, nor will they stand in the way of organizations moving that information outside of Canada so long as appropriate notice is given to the individuals concerned.
  • When it comes to properly safeguarding information, the responsibility will lie with the organization to prove it is doing all that is reasonable. It will not be sufficient to point to the lack of effort by other organizations to try and lower the standard.
  • The principle that organizations collect only the personal information necessary to fulfil legitimate purposes will be strictly enforced. At the same time, technological solutions such as hashing may prove to be valuable tools that allow organizations to collect what they need when they need it.

29
Q

Facebook 2008 case study: what happened?

A

“In 2008, students at the University of Ontario’s cyberlaw clinic (Canadian Internet Policy and Public Interest Clinic, or CIPPIC), filed a formal complaint with the OPC regarding certain Facebook privacy policies and procedures.”

“In practice, Facebook had been providing personal information to third-party application developers without users’ “meaningful consent,” relying instead on permissive preset privacy settings.
In addition, the CIPPIC contended that Facebook was not meeting its obligations to inform users about the type of information being collected, how that information was being used, or how personal information was affected by the default privacy settings.”

“The OPC released a report in 2009 critical of several Facebook practices. The central issue addressed was ‘whether Facebook was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals’ attention in a reasonably direct and transparent way.’ Although the OPC did not find that Facebook had acted deceptively or had misrepresented its activities, it was determined that the service provider had not met knowledge and consent obligations under PIPEDA.”

30
Q

What did the OPC recommend for Facebook (2008) and its third-party developers?

A

“The OPC recommended, in part, that Facebook and its third-party developers:
  • Receive no more personal information than necessary to run a specific application
  • Provide users with sufficient notice about which data will be collected and the purpose for the data collection
  • Provide users an opportunity to give meaningful consent to the transfer of personal data

Facebook acquiesced and implemented the OPC’s recommendations. However, by January 2010, the organization was under investigation again in response to complaints about the adequacy of a new privacy settings web tool.”

31
Q

Nexopia case study: date, and what happened?

A

“In 2010, the OPC received complaints that Nexopia.com, a youth-oriented social networking site, had failed to protect the privacy of its users. Among the complaints were allegations that:
  • Disclosure of users’ personal information to the general public did not meet the reasonable expectations of its users
  • The site had inappropriate and unreasonable default privacy settings, and users were not adequately informed of those settings
  • Users were not adequately informed of how their personal information would be shared with third parties
  • Adequate consent was not obtained at the time of registration for the collection of personal information
  • Non-Nexopia users’ personal information was retained without their knowledge and consent
  • All personal information (including that of non-Nexopia users) was retained indefinitely and without an option to request deletion”

32
Q

OPC Nexopia findings

A

“The OPC found Nexopia to be in breach of its obligations under PIPEDA and issued 24 recommendations to bring it within compliance, including the adoption of an ability for Nexopia users to permanently delete their personal information.”

33
Q

Google 2010 case study

A

June 2010. “The Office of the OPC launched an investigation into Google’s allegedly inadvertent collection of data from unsecured Wi-Fi networks as camera cars documented street images for Google’s mapping services over the course of several years.”

“Similar to the data protection violation in the Facebook decision, Google had gathered personal information in excess of the purpose for which it was being collected and had failed to provide adequate disclosure or solicit consent from the data subjects. As in the Facebook complaint, the issue was tabled when Google agreed to implement the OPC’s recommendations, contingent on future compliance.”

34
Q

Google 2013 case study

A

“The OPC received a complaint that Google’s advertising service, Google Ads, used sensitive information about individuals’ online activities to target them with health-related ads, contrary to their obligations under PIPEDA. The complainant had visited sites to research medical devices to treat his sleep apnea, resulting in cookies being placed on his browser and subsequently triggering ads for sleep apnea devices when he visited sites that utilized Google Ads. Google’s privacy policy stated that cookies would not be associated with sensitive categories like health information.

In a joint investigation with the U.S. Federal Trade Commission (FTC), the OPC identified several shortcomings in Google’s systems for monitoring compliance with its policies, and, as a result, Google committed to providing additional information to advertisers, increasing monitoring for possible violations of its policies, offering more training to its staff, and upgrading its automated review system.”

35
Q

Google 2014 case study

A

Complaints were filed against Google when its Search App update required consent to collect personal information beyond that required for the App’s functionality.

The OPC concluded, however, that the complaints were not well-founded.

The OPC conceded that the act of granting app permissions alone does not equate to consent for the collection, use or disclosure of associated personal information.

Nonetheless, the OPC encouraged Google to take steps to clarify for its users the meaning and function of permissions and to integrate into the permissions system a way for app developers to explain how permissions will be used.

36
Q

Ganz case study: what happened?

A

2010

“In March 2012, the OPC initiated a complaint against toy manufacturer Ganz, Inc.

Ganz had created web-enabled toy pets with which a child could sign into an account on a website aimed at children ages 6–13 and play with a virtual version of the toy pet.

The OPC complaint alleged that Ganz was collecting, using, disclosing and retaining the personal information of children without adequately explaining its purpose or obtaining appropriate consent, contrary to its obligations under PIPEDA.

The information was shared with third-party advertisers to track and profile children for targeted online behavioral advertising.”

37
Q

What recommendations were issued to Ganz?

A

“The OPC issued 11 recommendations to Ganz, including:
  • Providing greater clarity during online account registration
  • Communicating to children the importance of involving their parents in the registration
  • Obtaining parental consent
  • Using language appropriate to the site’s user base
  • Updating the site’s privacy policy to better reflect the actual practices of that particular site, rather than posting a global policy used for multiple Ganz sites
  • Improving communication of collection, use, disclosure, retention and destruction policies

Ultimately, Ganz agreed to implement the recommended measures and also chose to cease collection of personal information during account registration.”

38
Q

Apple case study: what happened?

A

In 2013, the OPC investigated allegations that Apple used and shared personal information in the form of unique device identifiers (UDID) for tracking purposes, without the knowledge and consent of the individual.

(Prior to sale, Apple assigned a UDID to each of its devices.) Although Apple contended that the UDIDs were not personal information because they alone could not be used to identify a user, the OPC’s investigation found that Apple ID account details for every device user were accessible by Apple. Therefore, the UDIDs were considered to be personal information. Furthermore, the UDIDs were disclosed to third-party app developers for targeted advertising purposes.

39
Q

What did the OPC conclude from the Apple 2013 case study?

A

The OPC concluded that, when used in this way, UDIDs are to be considered sensitive personal information due to their potential to be used to create detailed user profiles. Ultimately, Apple replaced UDIDs with Ad IDs and provided an option for users to reset their tracking history or opt out of receiving targeted ads altogether.

40
Q

Globe24h.com case study

A

“Also in 2013, the OPC received complaints that the operator of Globe24h.com (‘Globe24h’) had collected, used and disclosed personal information for inappropriate purposes and without consent. Specifically, Globe24h republished court decisions containing personal information on its website, allowing the information to be indexed by search engines and charging a fee for its removal.

Although Globe24h maintained that it did not need consent to republish the court decisions, the OPC concluded that Globe24h’s purposes for republishing the information were not ones that a reasonable person would consider to be appropriate in the circumstances.”

“Globe24h stated that it would not implement the OPC’s recommendations to delete the information from its servers and take steps to remove it from search engine caches; however, Globe24h has removed personal information from its site for some complainants. In its report of findings, the OPC concluded that it would consider pursuing the matter further under authority granted under PIPEDA.”

41
Q

Bell RAP case study: what happened?

A

“In August 2014, Bell announced the launch of RAP, a targeted advertising initiative that involved tracking the internet browsing habits, app usage, TV viewing and calling patterns of its customers.145 The data would then be combined with demographic and account data to create highly detailed, and sensitive, profiles for third parties to use in delivering targeted advertisements to Bell’s customers for a fee.

In the weeks following the announcement, the OPC received 170 privacy complaints alleging that Bell’s program violated PIPEDA.147”

42
Q

What did the OPC conclude from the Bell RAP case?

A

“After an OPC investigation, Bell agreed to make a number of changes to its program, but it refused to implement a process to obtain express consent from its customers.148 The OPC found that Bell’s opt-out process did not fully respect individual choice on whether or not to participate in the program.149 Ultimately, however, Bell chose to withdraw RAP and delete all existing customer profiles and agreed to require express opt-in consent in any similar future programs.150

In its report of findings, the OPC stated that, although it accepts the objective of maximizing advertising revenue while improving the online experience of customers as a legitimate business objective, it would be paying special attention to the targeted advertising business going forward.

43
Q

Equifax 2017 case study: what happened?

A

“In September of 2017, Equifax publicly announced that an attack on its servers had provided access to the personal information of 143 million individuals, including an estimated 19,000 Canadians.152

The OPC subsequently launched an investigation to determine if Equifax’s information safeguards and accountability methods were sufficient under PIPEDA and whether they had obtained adequate consent for the transfer of personal information from Equifax Canada to Equifax Inc. in the United States”

44
Q

Equifax 2017 case study: OPC findings and outcome

A

“The OPC ultimately concluded that Equifax had failed to comply with the requirements of PIPEDA in each of these areas.

The report summarized the inadequacies of Equifax’s information-safeguarding practices as follows:

Inadequate vulnerability management—to prevent attacks through known vulnerabilities

Inadequate network segregation—to reduce the scope of access and harm in the case of a breach

Inadequate implementation of basic information security practices—to be able to appropriately manage the use of personal information and identify potential unauthorized use

Inadequate oversight

“The breach response measures were also inadequate. First, failures of communication led to Equifax Canada not being informed of the breach until mere hours before the public announcement, even though Equifax Inc. knew that Canadian information had been compromised. Second, there was a lack of clarity about the scope of the information being handled by Equifax Inc.; Equifax Canada ultimately made conflicting submissions about what information was shared between the organizations and for what purposes. Third, there was a lack of clarity about roles and responsibilities, with Equifax Canada considering Equifax Inc. to be the controller of the information even though accountability was required of Equifax Canada under PIPEDA. Fourth, there was inadequate monitoring, with Equifax Canada failing to have adequate systems in place to ensure Equifax Inc. adequately protected the personal information of its Canadian customers.”

“Finally, Equifax Canada failed to collect and handle information in accordance with PIPEDA. It did not adequately inform Canadians that their personal information would be under the control of Equifax Inc. and failed to provide any options to customers who did not want to have their information disclosed in this way. Further, Equifax held on to personal information it no longer needed for years past the five-year period mandated by its own retention policy. Staff were inadequately informed of this policy, and it was not widely put into place.”

“Equifax Canada ultimately signed a compliance agreement binding it to undertake a range of corrective measures recommended by the OPC. The agreement includes ongoing reporting and independent auditing requirements to ensure compliance with OPC recommendations into the future.

45
Q

Loblaws 2018 case: what happened?

A

“In 2018, it was revealed by a Competition Bureau investigation that Loblaws had been colluding with other market actors to fix the price of bread.154 In response, Loblaws offered its customers a $25 Loblaw card that could be used in its stores.
As part of its process to verify that each card went to an eligible individual, Loblaws asked for either a utility bill or a copy of the individual’s driver’s licence. One affected individual complained to the OPC, alleging that

(1) the information contained in these documents was broader than what Loblaws actually required for its purposes and
(2) the information was being inappropriately shared with program administrators in the United States.”

46
Q

Loblaws 2018 case: OPC findings

A

“The OPC found that the first complaint was well-founded but that the second was not.155 On the first point, Loblaws ought to have specifically informed its customers that they could submit the ID in redacted form, with some of the information removed; it ultimately changed its policy to do so. On the second point, the allegation of inappropriate cross-border transfer was not well-founded: Loblaws’ contractual provisions were sufficiently detailed, its use of the information was within the use explained to applicants, and it was sufficiently transparent about the cross-border transfers in its written communications with applicants for the card.”

47
Q

Facebook 2019 case: what happened?

A

In April 2019, the Privacy Commissioners of Canada and Alberta published a jointly authored report summarizing their investigation into Facebook and TYDL.156 This case involved the disclosure of the personal information of Facebook’s users to a third-party app called “thisisyourdigitallife” (TYDL).

“This information was used by TYDL to generate user profiles and ultimately target individuals with political advertising. Although it could not be established for certain in this case that the personal information of Canadians was disclosed to organizations such as Cambridge Analytica, the data was in the hands of the same individual who sold the personal information of American Facebook users to Cambridge Analytica. Thus, the personal information of Canadians was exposed to considerable risk of being used in a similar fashion.”

“The app worked by asking its users to fill out a personality quiz. Further, it would request users to disclose information about their Facebook friends. It then used this information to create user profiles linked to the individuals’ Facebook profiles. Through this process, Facebook ultimately disclosed the personal information of hundreds of thousands of Canadian users, including birthdates, names, profile pictures, current city of residence, “liked” pages, and friends’ lists. For a subset of users who provided the app with the relevant permissions, even email addresses, posts, photos, and private messages were disclosed.”

48
Q

Commissioners’ findings, Facebook 2019 case

A

“They came to four major conclusions, all of which constituted violations of PIPEDA:

Facebook failed to obtain the valid and meaningful consent of its installing users

Facebook also failed to obtain meaningful consent from friends of installing users

Facebook had inadequate safeguards to protect user information”

“Facebook failed to be accountable for the user information under its control”

“On the issue of consent, the commissioners concluded that Facebook’s consent mechanisms were insufficient to obtain valid and meaningful consent. Facebook relies on third-party apps to obtain consent themselves through a prescribed permissions model. When users download the app, they are presented with pop-up boxes that ask the user which aspects of their data they would like the app to have access to. However, these boxes do not explain why the app needs the data or what the consequences of disclosure might be. Facebook also requires third-party apps to include a link to their privacy policy, but they could provide no evidence that a policy was available in this instance. The commissioners concluded that this process would not have allowed users to meaningfully consent to the “alarming and atypical” purposes for which the data was used (i.e., targeted political advertising).”

“Further, the commissioners found that there was no valid and meaningful consent for the disclosure of the information of users’ friends because the only consent obtained for this was agreeing to the Data Use Policy on signup. People cannot be reasonably expected to consent years in advance to the disclosure of unknown data for unknown purposes.

Facebook’s information safeguards were also found to be insufficient. These relied on contractual provisions and oversight, but the commissioners found that oversight of compliance with the contractual terms was “superficial” and “ineffectual” and that Facebook could provide no evidence of any enforcement actions they had taken in response to violations.”


49
Q

What was most troubling about the commissioners’ findings in the Facebook 2019 case?

A

It echoed the concerns the OPC had articulated in the 2008 investigation covered in section 2.4.3. In their report, the commissioners stated that, had Facebook implemented the recommendations they made back in 2009, the improper disclosure of Canadians’ personal information either would not have happened or would have been severely mitigated. According to the report, Facebook has refused to adopt the commissioners’ recommendations, and, for this reason, the “risk is high” that further inappropriate disclosures to third-party apps will continue in the future.

50
Q

“Collection of Biometric Information: The TELUS Voiceprint Case”

issue

A

“In 2007, employees of TELUS Communications Corporation filed a complaint with the OPC in connection with TELUS’ practice of collecting their voiceprint information, following the company’s implementation of a new technology called e.Speak in its operations.157 This technology uses voice recognition to allow TELUS employees to remotely access and use the company’s internal computer network by speaking commands through any telephone, including a cell phone.
Prior to collecting the voiceprints, TELUS sought the consent of certain employees. However, three refused to provide a sample, and another who had initially agreed, allegedly under coercion, subsequently withdrew his consent. The four employees then filed a complaint about TELUS’ voiceprint practices with the OPC. Upon investigation, the OPC found that the purposes for which TELUS had collected the personal information were appropriate in the circumstances, that the employees were properly informed of these purposes, and that appropriate safeguards were in place to protect the voiceprint information. The OPC also found that TELUS had met the consent requirements set out in PIPEDA for the collection of personal information.”

51
Q

“Collection of Biometric Information: The TELUS Voiceprint Case”

appeal

A

“On appeal to the Federal Court of Appeal, the court defined the characteristics of a person’s voice as personal information. It weighed the employees’ privacy rights against TELUS’ business interests, its security measures, the effectiveness of using voiceprints to meet its objectives, and the degree of sensitivity associated with voiceprints. The court then agreed with the OPC that a reasonable person would find the use of e.Speak technology to be reasonable in the circumstances that existed at the time of the collection.

Regarding the requirement for consent, the court emphasized that PIPEDA was clear in listing the instances in which personal information may be collected without the knowledge or consent of the individual. In examining these instances, the court concluded that none could be applied in these circumstances. Consent would therefore have to be procured prior to the collection of the voiceprint.

“Since the employees refused to consent to the collection of their voiceprints, the court was asked to give an opinion on what TELUS could reasonably do in terms of employee discipline if they did not participate in this legitimate program.

“On the issue of disciplinary measures, the court agreed with the employees’ argument that threats of disciplinary measures would vitiate consent under PIPEDA. However, (1) the purpose of the collection was considered appropriate in the circumstances by a reasonable person, (2) TELUS had sought the employees’ consent to collect their voiceprints, and (3) no disciplinary measures had yet been taken. The court declined to address whether TELUS’ management rights allowed it to discipline employees who refused to submit their personal information on the basis that TELUS had not yet taken disciplinary measures, making the question hypothetical. Further, the court held that this issue comprised a labour law dispute, which should be settled in a labour law context since such disputes did not fall within the purview of PIPEDA.

This issue of disciplinary measures would not remain unsettled in British Columbia or Alberta, as it does under PIPEDA, because those provinces have explicit rules dealing with employee personal information.”

52
Q

“Deference, De Novo and the Nature of Hearing: The Eastmond Case”

issue and OPC finding

A

“The Eastmond case concerned the employees of a national railway company who objected to the invasion of privacy caused by the installation of video cameras in the workplace. Unable to resolve the issue with the company, one of the employees (a Mr. Eastmond) filed a complaint directly with the OPC. The basis of the complaint was that the installation of the video cameras in the workplace violated three aspects of PIPEDA: (1) the installation did not meet the overriding obligation imposed on organizations to act reasonably, (2) even if it did meet this obligation, the video cameras collected information about the employees without their consent, and (3) there was no provision in PIPEDA that would otherwise justify the nonconsensual collection of personal information.158”

“After the case was investigated and determined by the OPC, the employee who complained took the matter to the federal court.159 The OPC had found the complaint to be well justified on the basis of the first aspect noted: that the installation of the video camera resulted in a collection of personal information for a purpose a reasonable person would consider inappropriate in the circumstances.”

53
Q

“Deference, De Novo and the Nature of Hearing: The Eastmond Case”

court finding

A

The court’s decision with respect to this part of the case is instructive. First, it outlined the test to be used when determining if an organization meets the overriding obligation in PIPEDA to be reasonable when an organization decides to install video cameras. This test, or slight variations of it, is now used in most cases dealing with whether an organization meets the overriding obligation to be reasonable when collecting personal information. The test asks four questions:”

“1. Is the collection of the personal information necessary to meet a specific need of the organization?

2. Is the collection likely to be effective in meeting this specific need?

3. Is the loss of privacy caused by the collection of personal information proportional to the benefit gained?

4. Is there a less privacy-invasive way of achieving the same end?”

“Unlike the OPC, the court went on to consider whether the collection of personal information, as a nonconsensual collection, was otherwise permitted by PIPEDA. Curiously, the court concluded that it was a permitted nonconsensual collection in this instance, because the collection of information only really takes place when someone within the organization views the videotape (not at the moment the images are caught and recorded). Because a tape would only be viewed in the course of an investigation of wrongdoing, the court relied on the exception in PIPEDA that allows for nonconsensual collection of personal information in instances where the organization is conducting such an investigation.160”

“The second reason this case is instructive is that the court came to a different conclusion than the OPC. There are several reasons for this; they all involve administrative law principles that apply when the court hears matters that another adjudicative body has already heard.
The first principle about applications heard under PIPEDA that is highlighted in this case is that Court applications are de novo. In other words, the parties to the application can file their evidence and arguments afresh. They are not bound by what they may or may not have put before the commissioner during the OPC’s investigation. Obviously, this can result in a significantly different set of arguments and evidence being put before the court than those presented before the OPC.”

“The second principle about applications heard under PIPEDA that is addressed in this case is the notion of whether the court should give much deference to the OPC’s report. In this case, the answer is that the OPC’s report is not to be given much deference, if any at all, because the proceeding is de novo. Since the arguments and evidence before the court can be entirely different from those presented to the OPC, it would be dangerous to provide too much deference to the reasons and decisions of the OPC. The court will accept the OPC’s report and admit it into evidence, but ultimately, how much attention the report receives will be left up to the judge hearing the case.”

54
Q

“The OPC’s Role in Determining Solicitor-Client Privilege: The Blood Tribe Case”

A

“The Blood Tribe case deals with the power of the OPC, under PIPEDA, to review documents requested under the act that have been exempted from being disclosed pursuant to paragraph 9(3)(a) of the act, the provision protecting from disclosure information subject to solicitor-client privilege.161

In this case, an individual had made an access request to the Blood Tribe, an organization subject to PIPEDA, for information about herself. The request was denied, and the individual complained to the OPC. The OPC sought access to the information in dispute in order to conduct its investigation. The Blood Tribe provided the OPC with all the information, except for the information it claimed was protected by solicitor-client privilege. Based on the OPC’s powers of investigation under Section 12 of the act, the OPC issued a production order to the Blood Tribe for the records for which it was claiming solicitor-client privilege.

The relevant portions of Section 12 read:”

“12. (1) The Commissioner shall conduct an investigation in respect of a complaint and, for that purpose, may,
(a) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary to investigate the complaint, in the same manner and to the same extent as a superior court of record; . . .”

“(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law.”


55
Q

“Contesting the OPC’s Finding: The Accusearch Case”

issue

A

“The Accusearch (ABIKA) case was brought to court because the applicant felt the OPC was wrong in deciding that it had no jurisdiction under PIPEDA over an American organization that was able to collect, use and disclose the personal information of individuals within Canada.163 This case was decided by the court about half a year before the OPC conducted the investigation in the SWIFT matter previously discussed, and it was instrumental in helping the OPC decide that it had jurisdiction over SWIFT.

The applicant in the case filed a complaint with the OPC on the grounds that ABIKA, an American corporation, was routinely collecting, using and disclosing personal information for inappropriate purposes and without the knowledge and consent of the individuals in question, contrary to PIPEDA. The OPC refused to investigate based on the conclusion that PIPEDA did not give the OPC jurisdiction to investigate this complaint, prompting the complainant to file an application for judicial review to the federal court.”

“ABIKA conducted its commercial activities via the Abika.com website, which offered a variety of search services on individuals, generally for a fee, including background checks, psychological profiles, email traces, unlisted and cell phone numbers, automobile license plate details, and criminal records. These searches were not limited to Americans but extended to persons in Canada and numerous other countries.”

“The applicant tested the service by ordering a background check and psychological profile of herself from Canada using her Canadian work email address and a mail server in Ottawa. ABIKA’s principal place of business was in Wyoming, United States, and the domain name, Abika.com, was found to be registered with an American web-hosting company. Once the applicant had paid a fee of $119 for the report, ABIKA confirmed the order and payment and requested further information, including the applicant’s Canadian address, telephone number, and date of birth, which she provided to them. The results of her criminal record check and psychological profile were then sent to the applicant’s work email address, as requested. The applicant subsequently filed a breach of privacy complaint to the OPC, alleging that Abika.com routinely collected, used and disclosed personal information about Canadians for inappropriate purposes without their knowledge or consent and compiled and disclosed inaccurate personal information under its psychological profile service.

“She claimed that, although these commercial activities were conducted by a company based in the United States, Abika.com had violated PIPEDA in various respects.
The OPC held that PIPEDA did not grant jurisdiction to investigate the applicant’s complaints because the OPC did not have the legislative authority to exercise its powers outside Canada to investigate Abika.com. In addition, while ABIKA also operated a website named Abika.ca, which appeared to denote some connection to Canada, this website was simply a conduit to connect with Abika.com and therefore did not present a sufficient connecting factor to indicate a real and substantial link between Canada and the Abika.com operation in the United States. The OPC also stated that its investigation efforts had been frustrated by the fact that Abika.com would not respond to its request for the names of its Canadian-based sources. Therefore, it had no means of identifying or investigating those who represented a Canadian presence for Abika.com and had no ability to compel an American organization to produce the evidence necessary for it to conduct an investigation.
The federal court confirmed that, when reviewing decisions about jurisdiction such as this one, the court would afford the OPC no deference, and the standard of review for the OPC’s decision was correctness.”

56
Q

“Contesting the OPC’s Finding: The Accusearch Case”

court appeal

A

Although the court found that Parliament could not have intended that PIPEDA govern the collection and use of personal information worldwide, and that regulatory and investigative functions must have some connection with the state that enacts the legislation, it ruled that the OPC erred in law by concluding that the applicant’s complaint did not fall within PIPEDA’s jurisdiction.
The court also pointed out that the OPC’s concern that an investigation might be ineffective was irrelevant; though the inability to identify Canadian sources might frustrate an investigation, this did not mean PIPEDA should be interpreted to suggest that Parliament had not given the OPC jurisdiction to investigate complaints.
The court further held that, as Parliament had vested the OPC with authority to investigate a complaint, the OPC must conduct an investigation pursuant to Section 12 of PIPEDA. In addition, Section 13 of the act required the OPC to prepare a report, barring the application of certain exceptions enumerated in the act, to enable an applicant to seek redress in federal court. In this case, however, the court noted that because no report had been issued as required, the applicant was prevented from making such an application.
In sum, and as a matter of statutory interpretation, the court ruled that the OPC had jurisdiction under PIPEDA to investigate a complaint relating to the transborder flow of personal information. The location of the website and the geographical jurisdiction in which ABIKA was incorporated was not all-controlling, given that the collection and communication of private information occurred in both Canada and the United States. Consequently, the court granted the application for judicial review and referred the matter back to the OPC for investigation.

57
Q

Globe24h case

issue

A

In A.T. v. Globe24h.com, the federal court considered whether PIPEDA applied to organizations operating outside of Canadian borders.164 Globe24h.com was a Romanian website that published Canadian court and tribunal decisions that were originally published on the Canadian Legal Information Institute (CanLII). Unlike similar websites, Globe24h allowed the decisions to be indexed via third-party search engines such as Google. As a result, the decisions would appear in searches that contained one of the parties’ names. Normally, this information could only be accessed by deliberately seeking out the relevant decision on CanLII itself.
Beginning in October 2013, the OPC began receiving numerous complaints from individuals claiming that links to decisions containing their personal information were appearing prominently in search results on common platforms. The information revealed by these searches included personal information about bankruptcy, divorce proceedings, health issues, and immigration matters. Moreover, Globe24h was accepting payment in return for removal of the personal information.

The OPC conducted an investigation of Globe24h’s activities. The court summarized its findings as follows:

Globe24h.com is an organization that collects, uses and discloses personal information in the course of commercial activities within the meaning of PIPEDA.

PIPEDA can apply to Globe24h as a foreign-based organization because there is an established “real and substantial connection” between the parties and/or the facts giving rise to the complaint in Canada.

The “journalistic purpose” exception under paragraph 4(2)(c) of PIPEDA does not apply to the respondent’s activities because the underlying purpose of Globe24h is to generate revenue by incentivizing individuals to pay to have their personal information removed.165

The underlying purpose of Globe24h—which is to make available Canadian court and tribunal decisions through search engines that allow the sensitive personal information of individuals to be found by happenstance—cannot be considered as “appropriate from the perspective of a reasonable person” under subsection 5(3) of PIPEDA.166

The “publicly available information” exception does not apply to Globe24h’s activities because the website’s purpose in allowing the decisions to be indexed by popular search engines is not “directly related” to the purpose for which the personal information appears in the record or document. Therefore, the exceptions to PIPEDA’s knowledge and consent requirements described under paragraphs 7(1)(d), 7(2)(c.1) and 7(3)(h.1) do not apply in this situation.167

59
Q

Globe24h case

appeal

A

The court’s decision echoed each one of these findings. The key question at the outset was whether PIPEDA could be said to apply to an organization located outside of Canada. The test for the extraterritorial application of Canadian laws is whether the conduct in question has a “real and substantial” connection to Canada. Here, the court concluded that it did, because Globe24h presented information copied from Canadian websites, targeted and advertised its product toward a Canadian audience, and because the impact of the website’s activities was felt by Canadians. The fact that Romanian authorities had already taken action against Globe24h was held not to be a reason to prevent litigation in Canada, since the Romanian authorities could not deal with the unlawful consequences of the website’s activities in Canada. In this way, the applicant’s claim complemented the prosecution in Romania rather than taking away from it.
The court went on to conclude that Globe24h’s activities violated the prohibitions against collection, use and disclosure without consent contained in Section 7 of the act. Further, the court determined that the exception for information that is “publicly available” should not apply here because the intentions of Globe24h’s operator were inconsistent with the open courts principle that underlies the exception. Globe24h was ordered to remove all Canadian legal decisions containing personal information from its website and to pay the applicant $5,000 in damages.

60
Q

The 10 generally accepted privacy principles and their purpose

A

The purpose or objective of the principles is for organizations that abide by them to deliver a certain degree of trust so that an individual dealing with an organization can trust that it is collecting, using, retaining and disclosing personal information in conformity with the code (and with any privacy policy the organization may have adopted as well).

The principles come from the Generally Accepted Privacy Principles (GAPP) framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA).

The 10 generally accepted privacy principles are:

1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use and retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfil the stated purposes.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

61
Q

What tools are used by the commissioner to promote privacy?

A

A variety of different tools are used, including blogs, media advisories, case summaries, fact sheets (such as the one on social networking and privacy), annual reports, and other guidelines and tools.

62
Q

Name two of the more substantive and significant tools developed by the commissioner to promote privacy rights and obligations.

A

They are the guidelines to help organizations deal with issues of authentication and to respond to privacy breaches. For example, the OPC addressed concerns about the implementation of unfamiliar transborder data privacy requirements by issuing “Guidelines for Processing Personal Data Across Borders.”169

63
Q

Authentication Guidelines

A

Probably the most practical set of advice coming from the commissioner’s guidelines is the reminder that organizations and individuals alike should choose authentication methods that are easy to remember but difficult to guess. Also important is the advice that organizations avoid using personal information that does not change, such as social insurance numbers and driver’s license numbers.171

Guard against such practices and authenticate based only on the risks associated with not authenticating. If there is no need to know for sure who the individual is, an organization should not collect any information for identification.

Know the individual they are interacting with, then choose the correct level of authentication to be used. There are different levels of authentication, and one may or may not be more intrusive and more privacy-invading than another.

Regularly reassess risks and deploy risk mitigation measures, including adjusting the strength of authentication processes, to address changing threats. This entails keeping abreast of changes in business practices and technology that either strengthen existing authentication processes or undermine them.

Keep vigilant in relation to “risk creep,” not just from changing threats and technology but also in relation to the practice of regularly adding new services onto existing services. In such cases, organizations need to ensure that the authentication processes in place are sufficiently strong to mitigate the potential additional risk of the newly added service.

Monitor any attempted attacks on their authentication system and evaluate any losses that might result if a breakdown occurs. Obviously, if such events occur, the organization must make the necessary adjustments.

Give the individual some choice when deciding what authentication mechanisms are used. For example, if an individual does not want to disclose their mother’s maiden name, a different marker can be identified. Moreover, individuals should be given the opportunity to change the authentication methods and data being used by an organization, if appropriate.