Chapter 2 Canadian Private Laws and Practices Flashcards
What are the 10 Fair Information Principles?
Accountability
Identifying Purposes
Consent
Limiting Purposes
Limiting Use, Disclosure, and Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
Accountability Explained…
An org. must do the following:
Implement procedures that protect PI
Establish procedures to receive and respond to complaints or questions
Train staff
Be transparent about all of these procedures and practices
Appoint individuals with primary responsibility for privacy protection
Orgs. are responsible for the PI they have custody or control of (includes third parties)
Note: This often culminates in the drafting of a privacy policy
Identifying Purposes Explained…
Orgs. must identify and document the purposes for the collection of any PI at or before the time of collection
New purposes require fresh consent
Orgs. must describe purposes in a way that is valuable to individuals and broad enough to avoid obtaining consent every time
Consent Explained…
Consent must be informed and meaningful
Individual must be able to withdraw consent
Cannot require consent for unrelated purposes
What is a Privacy Audit?
Exercises performed internally or by independent third parties to ensure that orgs. hold PI in compliance with various applicable privacy obligations and with internal privacy standards established by the org.
Which of the 10 Fair Info Principles spawned the need for privacy audits?
Consent
What are the Challenges with Principle of Consent?
Opaque nature of privacy policies that are the basis of consent
Complex Information Flows
Business processes that involve a multitude of third-party intermediaries
Limiting Purposes Explained…
Requires org. to collect only the amount of PI legitimately needed to fulfill the identified purpose
Org. should not collect PI indiscriminately or beyond the scope of services provided
Cannot collect PI by misleading individuals or being less than candid about the purpose of collection
Limiting Use, Disclosure, and Retention Explained…
PI shall not be used or disclosed for purposes other than those for which it was collected, except with consent of an individual or as required by law
PI shall be retained only as long as necessary to fulfill those purposes and must be disposed of afterwards; orgs. must also address retention schedules and develop guidelines for destruction
Accuracy Explained…
Keep PI as accurate, complete, and up-to-date as is necessary for the purposes for which it is being used
Orgs. should make sure medical or credit PI is accurate to avoid ill-fated consequences
True or False? “An organization shall not routinely update PI, unless such a process is necessary to fulfill the purposes for which the information was collected”
True
Safeguards Explained…
Must protect PI against loss or theft as well as unauthorized access, disclosure, copying, use, or modification
Must be protected according to the sensitivity of the information
True or False? Safeguards apply only to electronic data
False: applies to both paper and electronic data
Openness Explained…
Responsible for proliferation of privacy policies
Make readily available to individuals specific information about their policies and practices relating to management of PI
Openness Fair Principle: the information made available must include the following
Name or title & address of the person accountable to whom complaints or inquiries can be forwarded
The means of getting access to PI held by the organization
A description of the type of PI held by the organization, including a general account of its use
The PI that is made available to related organizations