Chapter 2: Concepts and Practices Flashcards
1
Q
Private-sector privacy legislation in Canada is based what 10 principles
A
10 fair information
principles
2
Q
What is the purpose of accountability principle
A
- An organization must implement procedures that protect personal information, establish procedures to receive and respond to complaints or questions, train staff, and be transparent about all these procedures and practices
- these obligations culminate in the drafting and posting of a privacy policy-a document that tells customers, potential customers, employees, and any other individuals who might have their personal information collected, used or disclosed by the organization what that organization’s personal- information-handling practices are.
- This principle also requires an organization to appoint individuals with primary responsibility for privacy protection and goes further by making organizations responsible for the personal information over which they have either custody or control.
3
Q
How did the interpretation of accountability principle arose
A
- February 9, 2010, Google Inc. released Google Buzz, a social networking tool that automatically draws upon contact information from a user’s Gmail account, adding certain contacts as “followers” and thereby revealing potentially sensitive user information.
- February 12 of that year, one blogger had already posted a complaint stating that the automatic follow feature had exposed information about her current location and workplace to an abusive ex- husband.
- The privacy commissioner, along with privacy officers from nine other nations, sent an open letter to Google’s CEO calling on the company to correct its inadequate privacy protection system. In essence, the data protection commissioners from around the world called on Google and all large social media companies to be more accountable for the information they control
4
Q
Explain the purpose of identifying purposes
A
Integral to privacy protection is the obligation of organizations to identify and document the purposes for the collection of any personal information at or before the time of collection
5
Q
If personal information is collected for a different purpose then what was stated, is the individuals privacy violated?
A
yes , privacy breach occurred
6
Q
What does organization need to do if they want to use personal information for different purpose?
A
get new consent after the purpose is communicated to the individual
7
Q
What principle from Model Code creates challenges to an organization
A
identifying purposes because organizations to describe their purposes in ways that are precise enough to provide valuable information to individuals but broad enough to include potential future purposes so they don’t need to obtain consent every time they identify a new use for personal information. This principle often leads organizations to state purposes for use in a broad manner.
8
Q
What is consent principle
A
The general principle states that an organization may collect, use or disclose personal information only if an individual consents. Paramount to the concept of consent is that it be informed and meaningful. This requires the individual to know and understand the purposes for the collection, use or disclosure of the personal information.
-The principle of consent also states that “an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes
9
Q
What principle from Model Code is required in each Canadian privacy law
A
Canadian law, including PIPEDA, deals with the requirement for consent explicitly.
10
Q
Financial and medical information is what kind of information
A
sensitive information
11
Q
What is sensitive information
A
Sensitive personal information is information that is more significantly related to the notion of a reasonable expectation of privacy
12
Q
does individuals have the right to withdraw consent
A
yes
13
Q
Many organizations are required to do ____ to manage the difficulty and complexity of personal information
A
perform periodic privacy audits to ensure the required consents are being obtained and documented
14
Q
Privacy audits or assessments are implemented by.. and why
A
internally or by independent third parties to ensure that an organization holds personal information in compliance with the various privacy obligations to which the organization may be subject and with internal privacy standards established by the organization, such as commitments specified in an online privacy notice for customers
15
Q
Why is the principle of consent under considerable strain
A
-The 2016-2017 Parliamentary Report of Canada’s privacy commissioner was focused on this issue.
The main challenges presented were the opaque nature of the privacy policies that are the basis of consent, complex information flows, and business processes that involve a multitude of third-party intermediaries.
it can be exceedingly difficult for consumers to determine exactly what information they are sharing and with whom.
-Despite the challenges, the OPC has stated that the consent model needs to be updated and altered rather than replaced. In its report, the OPC claims that the circumstances in which consent is “impracticable” are likely to be “very specific.”
16
Q
What is limiting purposes principle
A
- Closely linked to the principle of identifying purposes, the “limiting purposes” principle requires organizations to collect only the amount and type of personal information legitimately needed to fulfill the identified purpose. It requires that organizations not collect personal information indiscriminately or beyond the scope of services provided.
- organizations must not collect personal information by misleading individuals or being less than candid about the purpose of the collection.
17
Q
What is Limiting Use, Disclosure and Retention principle
A
This principle requires that “personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Personal information shall be retained only as long as necessary for the fulfillment of those purposes
18
Q
What must a organization due once the purpose for the collection, use or disclosure of the personal information has been fulfilled,
A
destroy personal information
19
Q
What are rention schedule
A
guidelines and procedures for the adequate destruction of personal information at the appropriate time,
20
Q
What is the purpose of accuracy principle
A
obliges organizations to keep personal information as “accurate, complete and up-to-date as is necessary for the purposes for which it is being used.” Obviously, the specific implementation of this principle is heavily dependent on the context surrounding the collection, use, disclosure and type of personal information.
21
Q
Does organizations need to periodically update personal information .
A
no,
An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected
22
Q
What two model code principles provide little in terms of practical guidance
A
Limiting Use, Disclosure and Retention and Accuracy
23
Q
What is safeguard principle
A
protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. This obligation transcends media, applying equally to paper-based and electronic data
- principle also requires information to be protected according to the sensitivity of the information, such that financial or medical information should receive greater security protection than address information.
- principle implies the obligation to create procedures and practices that formalize the manner in which personal information will be kept safe, in particular the appropriate level of security applicable to the sensitivity of the personal information, often called “data classification.”
24
Q
What makes safeguard principle hard to implement
A
complexity surrounding technology
-rapid rate of technological change, which complicates any conclusion about whether a particular safeguarding method is sufficiently secure.
25
What case case illustrates an obligation to remain diligent about technological advancements.
retailer in alberta fell victim to a technologically savvy thief who broke through the retailer’s wireless network to gain access to sensitive personal financial information. Upon the completion of the investigation, the OPC and the Office of the Information and Privacy Commissioner (OIPC) of Alberta both held the retailer responsible because it had not implemented an adequate level of encryption for sensitive personal financial information
26
What is the purpose of openness principles
The principle requires organizations to make readily available to individuals specific information about their policies and practices relating to the management of personal information.
organizations must be open about their policies and practices with respect to the management of personal information, these policies are generally made available electronically on websites and on paper at the customer service point of interaction
27
What model code principle is responsible for the proliferation of privacy policies in the last several year
Openness principle
28
List what information needs to be included in the openness principle
6 points
- The name or title and address of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded
- the means of gaining access to personal information held by the organization
- a description of the type of personal information held by the organization, including a general account of its use
- copy of any brochure or other information that explains the organization’s policies, standards or codes
- personal information that is made available to related organizations (e.g., subsidiaries)
29
What is the purpose of individual access
Organizations must be able to respond to requests from individuals for access to their personal information.
- This principle incorporates such obligations as the requirement to inform individuals of the existence, collection, use and disclosure of personal information.
- if an individual reviews their information and finds inaccuracies, the organization must be prepared to record this appropriately.
- Organizations are generally under an obligation to assist individuals trying to access their own personal information by being helpful and providing the information in a user-friendly format.
- this principle recognizes that access to personal information will not be required or desirable in every instance
- Each law also provides specific situations that would negate the obligation to provide access.
30
When responding to requests for access, can an organization delay it
no, laws provide specific timelines by which responses must be made
31
What is Challenging Compliance principle
ability to challenge the organization’s personal- information-handling practices.
- laws in Canada provide individuals with the right to complain to the appropriate commissioner
- There are diferences between the extent to which remedies can be ordered or recommended, but each commissioner is given extensive powers of investigation.
- organizations are meant to have the proper policies and procedures in place to deal with complaints made directly to the organizations.
32
What should a individual do first before filing compliant against an organization
Commissioners will often ask the individual to first check with the organization to resolve their issue before opening a complaint
33
What law came to in on January 1, 2001
PIPEDA
34
Why was PIPEDA passed
as part of the government’s electronic commerce strategy-a policy initiative reportedly motivated by the desire to make Canada a world leader in electronic commerce.
35
What is the purpose of PIPEDA
To establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
This “purpose” has been interpreted as being a “compromise both as to substance and form” that:
is undoubtedly directed at the protection of an individual’s privacy; but it is also directed at the collection, use and disclosure of personal information by commercial organizations. It seeks to ensure that such collection, use and disclosure are made in a manner that reconciles, to the best possible extent, an individual’s privacy with the needs of the organization. There are, therefore, two competing interests within the purpose of the PIPED Act: an individual’s right to privacy on the one hand, and the commercial need for access to personal information on the other. However, there is also an express recognition, by the use of the words “reasonable person,” “appropriate” and “in the circumstances” (repeated in Subsection 5(3)), that the right of privacy is not absolute.
PIPEDA was drafted to apply across the country; however, the federal government explicitly invited the provincial governments to occupy their own fields of responsibility and pass their own privacy laws. This was done by exempting organizations from PIPEDA’s application, if the organization is otherwise subject to a provincial law that has been declared “substantially similar” to PIPEDA.
PIPEDA applies to every organization that “collects, uses or discloses personal information in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
36
What motivated the PIPEDA to be passed
respond to the relatively new (at the time) privacy legislation in Europe
37
How was privacy regulated prior to PIPEDA
based largely on industry self-regulation.
38
Who does the PIPEDA apply to
private sector
a) the organization collects, uses or discloses in the course of commercial activities; or
b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
39
Who is PIPEDA limited to
a) any government institution to which the Privacy Act applies;
b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose
40
How did the implenetation of PIPEDA effect the federal gov
constitutional limit to the powers of the federal government in Canada
the federal government’s ability to regulate privacy is limited, and federal officials contend that PIPEDA was carefully drafted to ensure the act did not overstate constitutional bounds.
41
How does OPC defined federal work
Includes “any work, undertaking or business that is under the legislative authority of Parliament.” While most federally regulated organizations would be captured under this definition, not all these types of organizations are federal works. While most federally regulated organizations would be captured under this definition, not all these types of organizations are federal works. For instance, insurance companies and credit unions may be subject to some federal regulation, but are considered to be within provincial jurisdiction under the Constitution and are not federal works for the purposes of the Act
42
List the specific federal works defined in PIPEDA
```
-inter-provincial or international transportation by land or water
airports, aircraft or airlines
-telecommunications
-radio and television broadcasting
-banks
-grain elevators
nuclear facilities
-offshore drilling operations
```
43
Explain the term substantially similar and its purpose in the PIPEDA
substantially similar would result in a greater alignment of federal and provincial private-sector privacy laws
- If a province believes it has passed a substantially similar law, then it informs Industry Canada (now referred to as Innovation, Science and Economic Development Canada), which may seek the view of the OPC.
- any substantially similar law must be consistent with the schedule for PIPEDA, have an independent oversight body like the OPC, and contain a redress mechanism for those who are aggrieved
44
What 10 principles PIPEDA use for organization to follow
Canadian Standards Association (CSA’s) Model Code (Fair Principle)
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
45
What laws have been declared substantially similar
- Alberta’s Personal Information Protection Act (“Alberta PIPA”)
- British Columbia’s Personal Information Protection Act (“BC PIPA”)
- Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“the Quebec Act”)
- Ontario’s Personal Health Information Protection Act of 2004 (PHIPA)
- New Brunswick’s Personal Health Information Privacy and Access Act (PHIPAA), with respect to personal health information custodians
- Newfoundland and Labrador’s Personal Health Information Act (PHIA), with respect to personal health information custodians
- Nova Scotia’s Personal Health Information Act (PHIA), with respect to health information custodians
46
How does PIPEDA define commerical activity
“any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
Determining whether an organization’s collection, use or disclosure of personal information occurs during a commercial activity requires a fact-specific inquiry
47
What are some debates surrounding the definition of commerical activity
Does an organization have to operate for profit? Can nonprofit organizations be otherwise involved in commercial activities? What is the status of associations that represent similarly situated or like-minded entities or individuals based on the collection of dues or fees?
48
how do the courts interpret the definition of commercial activity
- a judge who had occasion to evaluate the breadth of the definition of “commercial activity” rejected any notion that the organization’s taxable status was relevant to determining whether the organization was involved in a commercial activity for the purpose of PIPEDA’s application. At the same time, however, the judge rejected any argument that the mere contractual relationship between two entities involving the quid pro quo would be enough to be considered a commercial activity.
- In another instance, a judge ruled that information-gathering in preparation for a civil tort action was not the type of commercial activity contemplated by PIPEDA, even when third parties, such as private investigators, are used to collect the personal information.26 It’s also clear that, if an insurance party has to step in to defend a lawsuit as part of its obligations to the insured, the information collected by the insurance company in the defence of the litigation will not be information subject to PIPEDA’s obligations
-In a third case, a commercial activity was found to exist when a physician conducted an independent medical examination on an individual on behalf of an insurance company for the purpose of processing a claim for insurance benefits
49
how does the OPC interpret the definition of commercial activity
It includes any regular course of conduct that is of a commercial nature. So the act would apply to commercial organizations and their activities but it could also apply to organizations such as charities (which would not ordinarily be considered as commercial ventures) if those charities sell or rent donor lists across boundaries. The emphasis is on the nature of the transaction rather than the nature of the enterprise
- The OPC has decided that, for the most part, nonprofit associations (presumably including unions) and private schools operate outside of any commercial activity
- -the financial sector, the OPC found the relaying of financial information into and out of Canada for international transactions with Canadian banks to constitute engaging in commercial activity.30 In another case, a bankruptcy trustee who collected personal information to be used in administering a bankruptcy was found to have been engaged in commercial activity even though he was designated an officer of the court
- In the education context, the OPC concluded that a day care organization was engaged in commercial activities even though it was a nonprofit that received municipal subsidies.32 However, in another case, the OPC determined a private school was not engaged in commercial activity when its admissions office was collecting personal information
50
How does OPC determine what is commerical activity
a two-part test in making its determination:
1
. What is the core activity of the institution? If the core activity is educational services, then the activities are presumed to not have a “commercial character.”
2
. The presumption against “commercial character” is rebutted if one of the objectives of the institution is to earn a profit for its owners
51
What are the 3 obligations arising under PIPEDA
1. PIPEDA requires organizations to collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
2. be prepared to demonstrate that it is always acting reasonably in its treatment of personal information.
3. most of the other obligations that arise under PIPEDA are found in a schedule to the act, a
- principles found in the schedule to the act are those adopted by the CSA
52
Under PIPEDA consent is not required when
a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
c) it is contained in a witness statement and the collection is necessary to assess, process or setle an insurance claim;
d) it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;
e) the collection is solely for journalistic, artistic or literary purposes;
f) the information is publicly available and is speciifed by the regulations; or
g) the collection is made for the purpose of making a disclosure
i) under subparagraph (3)(c.1)(i) or (d)(ii)41 or ii)that is required by law.
53
What is the two important obligation in PIPEDA
1. The requirement of obtaining consent and the obligation to act reasonably when doing so
2. the right to provide access to personal information. Sections 8 through 10 of the act describe how that right is exercised and in what circumstances an organization need not abide by a request to provide access.
54
Can an organization require an individual, as a condition of the supply of a product or service, to consent to the collection, use or disclosure of more personal information than is necessary to fulfil the organization’s explicitly stated and legitimate purposes.
no
55
True or false: Organization can provide access to personal information if doing so would reveal information about a third party, for specified national security or law enforcement reasons.
False, they dont need to
56
Organization does not need to provide access if
(1) would reveal solicitor-client privileged information, (2) would reveal commercially sensitive information, or (3) could reasonably be expected to threaten the life or security of another individual.
57
Can information gathered as part of a formal dispute resolution mechanism be released
does not need to be released, nor does information that was collected without consent because the organization was investigating a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that information
58
Does organziation in ligation need to respond to requests for access to personal information
yes, The OPC has made it clear that the obligation to provide access to personal information cannot be circumvented by the fact that an organization is involved in litigation with the same individual.
59
What doe PIPEDA state about cost recovery basis
The act states that organizations, in their provision of access to personal information, may do so on a cost recovery basis
This cost recovery basis is limited, as the legislation states that an organization must respond to requests for personal information “at minimal or no cost to the individual.” The OPC has interpreted these provisions to mean that any type of flat fee would likely not be acceptable because an organization ought to assess a minimal fee and apply it only
in exceptional cases.51
60
What is the role of OPC
responsible for the enforcement of the act and is comparable to that of an ombudsperson. Substantial powers are given to the OPC for that mandate.
If individuals believe their rights under PIPEDA have been violated by an organization, they can complain to the OPC. The OPC has the power to initiate a complaint if there are reasonable grounds for doing so. The OPC has extensive powers of investigation that include the power to subpoena and compel the giving of evidence. In pursuit of an investigation of a complaint at any reasonable time it may enter any premises occupied by an organization.
-
61
True or false": OPC investigated are conduced in public
False,
The OPC’s investigations are conducted in private. There are statutory requirements to keep investigatory details out of the public domain unless the public interest in the matter requires otherwise, or unless one of the specific enumerated reasons for the investigation allows for the disclosure of information.
62
Based on the supreme court what document do OPC do not have power to see
The Supreme Court of Canada has concluded that the OPC does not have the power to insist on seeing a document subject to solicitor-client privilege.
The Federal Court of Canada has gone one step further and opined that the OPC should not even ask the organization to otherwise prove that a document was privileged.55
63
What year was PIPEDA amended to provide the OPC with enhanced powers regarding the conduct of investigations
april 2011
Under Subsection 12(1) of PIPEDA, the OPC may decline to investigate a complaint when it is of the opinion that:
- The complainant ought to exhaust other reasonably available grievance or review procedures
- The complaint could be dealt with more appropriately (either initially or completely) by a procedure provided for under other federal or provincial laws
- The complaint was not filed within a reasonable period of time
Under Subsection 12.2(1) of PIPEDA, the OPC may discontinue an investigation if it is of the opinion that:
- There is insufficient evidence to pursue the investigation
- The complaint is trivial, frivolous or vexatious, or made in bad faith
- The organization has provided a fair and reasonable response to the complaint
- The matter is already the object of an ongoing investigation The matter has already been the subject of a report by the OPC
- Any of the circumstances described in Subsection 12(1) of PIPEDA (the decline powers) apply
64
What must OPC do if declined investigations
provide notice to organizations
65
What happens after a investigation is completed by OPC
a report is issued that details the findings and recommendations.
66
What is the key responsibilities of the OPC
related to education and awareness.
The OPC is required to develop and conduct information programs to encourage public understanding of the act, to carry out and publish research on matters relating to the protection of personal information, and to encourage organizations to voluntarily adopt appropriate compliance practices and procedures
67
What must be conducted by OPC if PIPEDA is violated by an organization
The OPC is given broad powers to conduct an investigatory audit.
68
Does the Parliament continues to examine the law, and a formal mechanism is in place to allow stakeholders to comment on what is and is not working
yes, In 2007, a parliamentary committee reviewed the law extensively and issued a report that included several recommendations, which were not adopted. Parliament is slated to continue reviewing the law on an ongoing basis. (Pursuant to Division 4, paragraph 29 of the act, a parliamentary committee must review that part of PIPEDA every five years.)57
69
What was passage was amended in 2015 in PIPEDA
In 2015, PIPEDA was amended by passage of the Digital Privacy Act (DPA). The DPA introduced new provisions that are aimed at improving PIPEDA, including the following:
70
What must organization do if any breach of security safeguards involving personal information has happened
notify OPC
71
True or false: organizations notify individuals if a breach has a real risk of significant harm to individuals
true
72
Do organization keep a record of all breaches involving personal information and provide a copy to the OPC upon request
yes, Organizations that knowingly fail to report to the OPC or notify afected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000.
73
What is the purpose of compliance agreements
The OPC may enter into compliance agreements aimed at ensuring organizations comply with PIPEDA. These agreements are reached in situations where the OPC believes, on reasonable grounds, that an organization has committed, is about to commit, or is likely to commit an act or omission that could constitute a contravention of PIPEDA or a failure to follow a recommendation in Schedule I to the act.
-Under a compliance agreement, an organization agrees to take certain actions to bring itself into compliance with PIPEDA. Entering into a compliance agreement would preclude the OPC from commencing or continuing a court application under PIPEDA with respect to any matter covered by the agreement.
74
If organizations fails the compliance agreement what actions are taken
(1) apply to the court for an order requiring the organization to comply with the terms of the agreement, or (2) commence or reinstate court proceedings under PIPEDA, as appropriate.
75
What is Personal Information Protection Act of Alberta and Personal Information Protection Act of British Columbia (Alberta PIPA and BC PIPA)
known as the PIPAs collectively-came into force on January 1, 2004. As previously mentioned, they are both considered to be substantially similar legislation to PIPEDA and therefore organizations that are subject to these acts are exempt from PIPEDA
76
What is the purpose of Alberta PIPA and BC PIPA
Consistent with the principles found in the schedule to PIPEDA, these laws apply to the collection, use and disclosure of personal information by the private sector in British Columbia and Alberta. They also provide for a right of access to one’s own personal information and set up an oversight body to which individuals can complain if they feel their rights have not been upheld.
Notably, the acts also apply to the collection, use and disclosure of the personal information of individuals in employment and noncommercial contexts. There is a long list of organizations that are exempt from the application of each act that should be consulted if ever there is doubt about the acts’ applicability
77
What is the difference between PIPA( Alberta and BC) and PIPEDA
these provincial acts clearly apply to employee personal information. This is important, because without provincial legislation filling the gap, the only employees aforded any privacy protection in Canada would be those of organizations that operated as, or in conjunction with, federal works or undertakings.
78
How does Alberta PIPA defines personal employee information
“personal employee information” means, in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating
i) an employment relationship, or,
ii) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship
79
How does BC PIPA defines personal employee information
“employee personal information” means personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment
-The consequences of information falling under the definition of personal employee information are that data such as work contact information is clearly not aforded the same degree of protection. This contact information includes the name, position, title, business telephone number, business address, business email, and business fax number of an employee. Moreover, in British Columbia, the concept of work product is specifically addressed and also aforded less protection. Work-product information is defined as information prepared or collected by an individual or group of individuals as part of their responsibilities or activities related to their employment or business
80
True or false: the term work product is defined in PIPEDA
False,
term work product is not used or defined in PIPEDA. The failure to delineate the term has allowed for some ambiguity at the federal level, with a blurry distinction between work product, business information, and contact information. As a result, the extent to which work product and personal information overlap remains unclear.
81
What are the three possibilities for managing work-product issues
If work product is deifned in PIPEDA, the Act can treat it in one of three ways:
1. Exclude work product from the deifnition of “personal information” in PIPEDA. PIPEDA would then not apply to such information at all. An example of this approach is found in B.C.’s PIPA, as described above;
2. Consider work product to be personal information (that is, include work product in the deifnition of personal information), but state that the data protection provisions of PIPEDA do not apply to the information. This is the approach PIPEDA takes, for example, with personal information collected, used or disclosed for journalistic, artistic or literary purposes;
3. Include work product in the deifnition of personal information, but state that the consent requirements found in section 7 of PIPEDA do not apply to work product. Other provisions of PIPEDA would continue to apply to work product. For example, section 3, the “purpose” section, would continue to apply even if the consent provisions did not. Collection, use or disclosure of work product information would still therefore be subject to the test in section 3 that balances the right of privacy of individuals with the need of organizations for that information.
82
True or False: OPC states work-product issues be addressed on a case-by-case basis
true
83
Both BC PIPA and Alberta PIPA exclude or not mention work product information in the act
In the BC PIPA, work product is specifically excluded from “personal information” treatment, thereby removing this information from protection under the act. Similar to PIPEDA, the Alberta PIPA does not address work product or employee-generated information.
84
What is the obligations of Alberta and PIPA
provide the overarching obligation to act reasonably.64 Organizations are responsible for the personal information that is under their custody or control, which means that the laws will apply even if an organization does not physically have the personal information, so long as it is deemed to be under the organization’s control
-10 overriding principles found in the schedule to PIPEDA are all encapsulated in these laws
the Alberta and British Columbia laws provide a more prescriptive set of rules. In certain instances (such as with employee personal information), these specific rules provide a greater degree of clarity than PIPEDA. At the same time, some might argue that the more specific rules provide for less flexibility than the more all-purpose PIPEDA
85
Two principles repeated in PIPA
consent and right to access personal information
86
What is one important provision that provides greater specificity is found in the Alberta PIPA and deals with professional regulatory bodies
the Alberta PIPA allows organizations to establish personal information codes and thereafter abide by the code instead of all the obligations imposed by PIPA. A code is defined as a set of rules governing the collection, use and disclosure of personal information in a manner that is consistent with the purposes and intent of the Alberta PIPA.
87
What is professional regulatory body
A professional regulatory body is one enacted pursuant to an act under which a professional or occupational group or discipline is organized, and that provides for the membership in and the regulation of the members of the professional or occupation group or discipline, including the registration, competence, conduct, practice and discipline of its members.
88
Who must organizations subjected to the Alberta PIPA notify when dealing with when a privacy/security breach results in a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure of their personal information
OIPC
89
What are factors relevant to determining whether a breach creates a real risk of significant harm to the individual include
- The sensitivity of the personal information involved in the breach
- The probability that the personal information has been, is being, or will be misused
- Any other prescribed factor
90
What government body oversees privacy laws of Alberta and BC PIPA
OIPC
91
What is the role of OIPC
these commissioners are given very broad and powerful powers of investigation. They investigate complaints from individuals who believe their rights have not been respected by private-sector organizations in the provinces.
92
What is the difference between the federal provincial commissioners and OPIC
provincial commissioners (including, as detailed below, the one in Quebec) have the power to order an organization to take an action. Of course, under PIPEDA, the federal commissioner only has the power to recommend that an organization take an action (and later try to take the organization to federal court if the organization refuses to implement the recommendation).
93
What is the Act Respecting the Protection of Personal Information in the Private Sector (“The Quebec Act”)
Probably the most difficult part of Quebec private-sector privacy legislation for people outside Quebec to understand is the unique nomenclature used. For example, organizations are called “enterprises” and disclosures are referred to as “communications.”
the act is very comparable to the other private-sector laws because it is based on the same founding principles. It was a law before PIPEDA was passed, and it was immediately declared substantially similar to PIPEDA when PIPEDA was passed
94
What was the first private sector privacy law passed
The Quebec Act
95
In what year was the Quebec Act passed
January 1, 1994,
96
Why was the Quebec Act adopted
complete and provide detailed rules of application for Articles 35 through 41 of the Civil Code of Quebec
97
What are the three principles set out in the Civil Code of Quebec
1
. Every person who establishes a file on another person must have a serious and legitimate reason for doing so
2
. The person establishing the file may not deny the individual concerned access to the information contained in the file
3
. The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information
98
True or false : the Quebec government still believes that PIPEDA impedes upon provincial jurisdiction and has launched a court challenge asking for a determination of this issue
True
99
Who does the Quebec Act applies to
every enterprise that collects, stores, uses or communicates personal information about a natural person to third parties.
The only two notable exceptions to the application of the law are cases of personal information being held, used, stored or collected by public bodies or as journalistic material
100
Define the term enterprise in the Civil Code of Quebec
The carrying on by one or more persons of an organized economic activity
whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service, constitutes the carrying on of an enterprise
101
What are the obligations of the Quebec
obligations in Quebec are virtually identical to those under PIPEDA, as the laws are substantially alike
102
How is personal information defined in the Quebec Act
personal information is any information that relates to a natural person and allows that person to be identified.
-the general rule is that personal information should be collected directly by the individual concerned. This helps ensure the collection is done with consent. However, like the other Canadian laws, the act also provides for situations where the collection can take place indirectly and without consent. Once collected, the information can only be used for the object(s) identified. In terms of disclosures, the Quebec Act again is consistent with the other Canadian laws: generally, communication of personal information to third parties can be done only with consent
103
What is the difference in how Quebec Act defines personal information
the Quebec Act’s provision dealing with the communication of personal information outside of Quebec. This provision, which is very similar to the way European data protection laws operate, provides that an enterprise in Quebec can disclose personal information to a third party outside of Quebec only if it is first satisfied that:
- The information will not be used for purposes not relevant to the object of the file or communicated to third persons without the consent of the persons concerned, except in cases permitted by the Quebec Act
- In the case of marketing lists (also called nominative lists), that the persons concerned have a valid opportunity to refuse to allow their personal information to be used for commercial purposes
104
Does third parties under the Quebec Act include any separate legal entity.
Yes, even related companies and organizations with common ownership must abide by the rules dealing with communication of personal information to third parties
105
What makes the Quebec Act unique
specific code, which reflects close consultation between the lawmakers and the direct marketing industry. The code strikes a balance between the need for privacy on the one hand and the reasonable commercial and philanthropic eforts of organizations on the other. The specific obligations imposed deal with the situations in which organizations are permitted to share marketing lists and the way individuals must be given a meaningful ability to opt out of lists.
106
How does the Quebec Act deal with personal information agents
separate and specific set of rules applies to anyone who operates as a personal information agent in Quebec.
-This term is defined as including any person who, “on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates.”
107
What government body oversees for Quebec Act
La Commission d’accèss à l’information (the commission).
108
What is the obligation of La Commission d’accèss à l’information (the commission).
The commission has the obligation of hearing and deciding cases related to the application of the provisions concerning access to or rectification of personal information or cases dealing with marketing lists.
- The commission has broad powers of inquiry and can order an organization to comply with its orders.
- The commission’s decision can be appealed (but only with leave) to the courts, but only on questions of law or jurisdiction.
- The commission’s findings of fact, therefore, are final.
