Chapter 2: Concepts and Practices Flashcards
Private-sector privacy legislation in Canada is based on what 10 principles?
10 fair information principles
What is the purpose of the accountability principle?
- An organization must implement procedures that protect personal information, establish procedures to receive and respond to complaints or questions, train staff, and be transparent about all these procedures and practices
- These obligations culminate in the drafting and posting of a privacy policy, a document that tells customers, potential customers, employees, and any other individuals who might have their personal information collected, used or disclosed by the organization what that organization’s personal-information-handling practices are.
- This principle also requires an organization to appoint individuals with primary responsibility for privacy protection and goes further by making organizations responsible for the personal information over which they have either custody or control.
How did the interpretation of the accountability principle arise?
- February 9, 2010, Google Inc. released Google Buzz, a social networking tool that automatically draws upon contact information from a user’s Gmail account, adding certain contacts as “followers” and thereby revealing potentially sensitive user information.
- February 12 of that year, one blogger had already posted a complaint stating that the automatic follow feature had exposed information about her current location and workplace to an abusive ex-husband.
- The privacy commissioner, along with privacy officers from nine other nations, sent an open letter to Google’s CEO calling on the company to correct its inadequate privacy protection system. In essence, the data protection commissioners from around the world called on Google and all large social media companies to be more accountable for the information they control
Explain the purpose of identifying purposes
Integral to privacy protection is the obligation of organizations to identify and document the purposes for the collection of any personal information at or before the time of collection
If personal information is collected for a different purpose than what was stated, is the individual's privacy violated?
Yes, a privacy breach occurred
What does an organization need to do if it wants to use personal information for a different purpose?
get new consent after the purpose is communicated to the individual
What principle from the Model Code creates challenges for an organization?
Identifying purposes, because organizations need to describe their purposes in ways that are precise enough to provide valuable information to individuals but broad enough to include potential future purposes so they don’t need to obtain consent every time they identify a new use for personal information. This principle often leads organizations to state purposes for use in a broad manner.
What is consent principle
The general principle states that an organization may collect, use or disclose personal information only if an individual consents. Paramount to the concept of consent is that it be informed and meaningful. This requires the individual to know and understand the purposes for the collection, use or disclosure of the personal information.
- The principle of consent also states that “an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.”
What principle from the Model Code is required in each Canadian privacy law?
Canadian law, including PIPEDA, deals with the requirement for consent explicitly.
Financial and medical information is what kind of information
sensitive information
What is sensitive information
Sensitive personal information is information that is more significantly related to the notion of a reasonable expectation of privacy
Do individuals have the right to withdraw consent?
Yes
Many organizations are required to do ____ to manage the difficulty and complexity of personal information
perform periodic privacy audits to ensure the required consents are being obtained and documented
Who implements privacy audits or assessments, and why?
internally or by independent third parties to ensure that an organization holds personal information in compliance with the various privacy obligations to which the organization may be subject and with internal privacy standards established by the organization, such as commitments specified in an online privacy notice for customers
Why is the principle of consent under considerable strain?
- The 2016-2017 Parliamentary Report of Canada’s privacy commissioner was focused on this issue.
The main challenges presented were the opaque nature of the privacy policies that are the basis of consent, complex information flows, and business processes that involve a multitude of third-party intermediaries.
It can be exceedingly difficult for consumers to determine exactly what information they are sharing and with whom.
- Despite the challenges, the OPC has stated that the consent model needs to be updated and altered rather than replaced. In its report, the OPC claims that the circumstances in which consent is “impracticable” are likely to be “very specific.”
What is limiting purposes principle
- Closely linked to the principle of identifying purposes, the “limiting purposes” principle requires organizations to collect only the amount and type of personal information legitimately needed to fulfill the identified purpose. It requires that organizations not collect personal information indiscriminately or beyond the scope of services provided.
- Organizations must not collect personal information by misleading individuals or being less than candid about the purpose of the collection.
What is Limiting Use, Disclosure and Retention principle
This principle requires that “personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Personal information shall be retained only as long as necessary for the fulfillment of those purposes.”
What must an organization do once the purpose for the collection, use or disclosure of the personal information has been fulfilled?
destroy personal information
What are retention schedules?
Guidelines and procedures for the adequate destruction of personal information at the appropriate time.
What is the purpose of accuracy principle
obliges organizations to keep personal information as “accurate, complete and up-to-date as is necessary for the purposes for which it is being used.” Obviously, the specific implementation of this principle is heavily dependent on the context surrounding the collection, use, disclosure and type of personal information.
Do organizations need to periodically update personal information?
No.
An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected
What two model code principles provide little in terms of practical guidance
Limiting Use, Disclosure and Retention and Accuracy
What is the safeguard principle?
protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. This obligation transcends media, applying equally to paper-based and electronic data
- The principle also requires information to be protected according to the sensitivity of the information, such that financial or medical information should receive greater security protection than address information.
- The principle implies the obligation to create procedures and practices that formalize the manner in which personal information will be kept safe, in particular the appropriate level of security applicable to the sensitivity of the personal information, often called “data classification.”
What makes the safeguard principle hard to implement?
complexity surrounding technology
- rapid rate of technological change, which complicates any conclusion about whether a particular safeguarding method is sufficiently secure.
What case illustrates an obligation to remain diligent about technological advancements?
A retailer in Alberta fell victim to a technologically savvy thief who broke through the retailer’s wireless network to gain access to sensitive personal financial information. Upon the completion of the investigation, the OPC and the Office of the Information and Privacy Commissioner (OIPC) of Alberta both held the retailer responsible because it had not implemented an adequate level of encryption for sensitive personal financial information.
What is the purpose of openness principles
The principle requires organizations to make readily available to individuals specific information about their policies and practices relating to the management of personal information.
Organizations must be open about their policies and practices with respect to the management of personal information. These policies are generally made available electronically on websites and on paper at the customer service point of interaction.
What Model Code principle is responsible for the proliferation of privacy policies in the last several years?
Openness principle
List what information needs to be included in the openness principle
6 points
- The name or title and address of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded
- the means of gaining access to personal information held by the organization
- a description of the type of personal information held by the organization, including a general account of its use
- a copy of any brochure or other information that explains the organization’s policies, standards or codes
- personal information that is made available to related organizations (e.g., subsidiaries)
What is the purpose of individual access
Organizations must be able to respond to requests from individuals for access to their personal information.
- This principle incorporates such obligations as the requirement to inform individuals of the existence, collection, use and disclosure of personal information.
- if an individual reviews their information and finds inaccuracies, the organization must be prepared to record this appropriately.
- Organizations are generally under an obligation to assist individuals trying to access their own personal information by being helpful and providing the information in a user-friendly format.
- This principle recognizes that access to personal information will not be required or desirable in every instance.
- Each law also provides specific situations that would negate the obligation to provide access.
When responding to requests for access, can an organization delay it?
No, laws provide specific timelines by which responses must be made.
What is the Challenging Compliance principle?
The ability to challenge the organization’s personal-information-handling practices.
- laws in Canada provide individuals with the right to complain to the appropriate commissioner
- There are differences between the extent to which remedies can be ordered or recommended, but each commissioner is given extensive powers of investigation.
- organizations are meant to have the proper policies and procedures in place to deal with complaints made directly to the organizations.
What should an individual do first before filing a complaint against an organization?
Commissioners will often ask the individual to first check with the organization to resolve their issue before opening a complaint
What law came into force on January 1, 2001?
PIPEDA
Why was PIPEDA passed
as part of the government’s electronic commerce strategy, a policy initiative reportedly motivated by the desire to make Canada a world leader in electronic commerce.
What is the purpose of PIPEDA
To establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
This “purpose” has been interpreted as being a “compromise both as to substance and form” that:
is undoubtedly directed at the protection of an individual’s privacy; but it is also directed at the collection, use and disclosure of personal information by commercial organizations. It seeks to ensure that such collection, use and disclosure are made in a manner that reconciles, to the best possible extent, an individual’s privacy with the needs of the organization. There are, therefore, two competing interests within the purpose of the PIPED Act: an individual’s right to privacy on the one hand, and the commercial need for access to personal information on the other. However, there is also an express recognition, by the use of the words “reasonable person,” “appropriate” and “in the circumstances” (repeated in Subsection 5(3)), that the right of privacy is not absolute.
PIPEDA was drafted to apply across the country; however, the federal government explicitly invited the provincial governments to occupy their own fields of responsibility and pass their own privacy laws. This was done by exempting organizations from PIPEDA’s application, if the organization is otherwise subject to a provincial law that has been declared “substantially similar” to PIPEDA.
PIPEDA applies to every organization that “collects, uses or discloses personal information in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”
What motivated PIPEDA to be passed?
respond to the relatively new (at the time) privacy legislation in Europe
How was privacy regulated prior to PIPEDA
based largely on industry self-regulation.
Who does the PIPEDA apply to
private sector
a) the organization collects, uses or discloses in the course of commercial activities; or
b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
Who is PIPEDA limited to
a) any government institution to which the Privacy Act applies;
b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose
How did the implementation of PIPEDA affect the federal government?
constitutional limit to the powers of the federal government in Canada
the federal government’s ability to regulate privacy is limited, and federal officials contend that PIPEDA was carefully drafted to ensure the act did not overstate constitutional bounds.
How does the OPC define a federal work?
Includes “any work, undertaking or business that is under the legislative authority of Parliament.” While most federally regulated organizations would be captured under this definition, not all these types of organizations are federal works. For instance, insurance companies and credit unions may be subject to some federal regulation, but are considered to be within provincial jurisdiction under the Constitution and are not federal works for the purposes of the Act.
List the specific federal works defined in PIPEDA
- inter-provincial or international transportation by land or water
- airports, aircraft or airlines
- telecommunications
- radio and television broadcasting
- banks
- grain elevators
- nuclear facilities
- offshore drilling operations
Explain the term "substantially similar" and its purpose in PIPEDA
substantially similar would result in a greater alignment of federal and provincial private-sector privacy laws
- If a province believes it has passed a substantially similar law, then it informs Industry Canada (now referred to as Innovation, Science and Economic Development Canada), which may seek the view of the OPC.
- Any substantially similar law must be consistent with the schedule for PIPEDA, have an independent oversight body like the OPC, and contain a redress mechanism for those who are aggrieved.