CIPP/C Flashcards

1
Q

3 levels of government in Canada

A

Federal
Provincial
Territorial and Municipal

2
Q

Canadian legislative branch comprised of…

A

House of Commons

Senate

3
Q

What are the 3 branches of government in Canada?

A

Executive
Legislative
Judiciary

4
Q

What is the role of administrative tribunals?

A

Interpret laws
Sometimes enforce charter rights
Administer specific programs
Supposed to expertly deal with matters before them
Decisions are considered government decisions and are subject to judicial review

5
Q

Which Canadian provinces use Common Law?

A

All except Quebec (Civil law)

6
Q

Section 7 of the Canadian Charter of Rights and Freedoms states…

A

Everyone has the right to life, liberty and the security of the person, and the right not to be deprived thereof except in accordance with the principles of fundamental justice.

7
Q

Section 8 of the Canadian Charter of Rights and Freedoms

A

Everyone has a right to be secure against unreasonable search or seizure

8
Q

What Federal privacy law governs the public sector in Canada?

A

The Privacy Act (1983)

9
Q

What Federal privacy law governs the private sector in Canada?

A

Personal Information Protection and Electronic Documents Act of 2001 (PIPEDA)

10
Q

What provincial privacy laws are substantially similar to PIPEDA?

A

BC and Alberta: PIPAs
Quebec: Act Respecting the Protection of Personal Information in the Private Sector (Quebec Act)

Health laws:
Ontario: Personal Health Information Protection Act (PHIPA)
New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA) (2010)
Newfoundland and Labrador: Personal Health Information Act (PHIA) (2011)
Nova Scotia: Personal Health Information Act (PHIA) (2013)

11
Q

When is a law considered substantially similar to PIPEDA?

A

When it:

  • Provides equal privacy protection
  • Contains the 10 PIPEDA fair information principles
  • Provides for independent oversight and redress with the power to investigate
  • Allows the collection, use and disclosure of personal information only for appropriate or legitimate purposes
12
Q

What is “Work Product Information”?

A

Information about an individual that is related to that individual’s position, functions and/or performance of their job

13
Q

What is “Personal employee information”?

A

With respect to an employee or potential employee: information reasonably required by an organization to manage or terminate (i) an employment relationship, or (ii) a volunteer relationship

Does not include information about the individual that is unrelated to that relationship

14
Q

What employment information is CARVED OUT from the definition of ‘personal information’ under the Privacy Act?

A

Information about an individual who is or was an officer or employee of a government institution that relates to the position or function of the individual:

  • employment status
  • title, address, etc.
  • classification, salary range, responsibilities
  • Name on document prepared by the individual in course of employment;
  • Personal opinions or views given in the course of employment
15
Q

What information is ‘publicly available’ and therefore does not have protections under the Privacy Act?

A

Information found in a library or museum that is preserved for public reference or exhibition

16
Q

What information is ‘publicly available’ and therefore does not have protections under PIPEDA?

A

Information contained in a public directory, such as

  • telephone directories
  • professional or business directories
  • published registries
  • court or tribunal records
  • Magazines and newspapers
17
Q

What will an organization need to do, under PIPEDA, to collect publicly-available information for the purpose of making it publicly-available in another forum?

A

Collect the individual’s CONSENT

18
Q

According to the OPC’s interpretation on publicly-available information, what are some examples of when consent is NOT required for collecting/using/disclosing publicly-available information?

A

Disclosing information available in court records that relates directly to the purpose
Collecting information from a source for the specific purpose behind the disclosure
Collecting, using or disclosing information in a public registry that relates to its purpose for being there
A company collects customer information from its parent company’s white pages for its own purposes
Republishing personal white pages telephone directory information in an online format
Collecting information about a business from publicly available sources like the yellow pages
Using information from the context of published books, magazines and newspapers

19
Q

What are the 8 principles from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Information (1981)?

A

Eight principles:

  • Accountability
  • Purpose specification
  • Collection limitation
  • Use Limitation
  • Data Quality
  • Security Safeguards
  • Openness
  • Individual participation
20
Q

What are the 10 privacy principles from the Canadian Standards Association (1996)?

A
  • Accountability
  • Identifying purpose
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging compliance
21
Q

What are the 10 Generally Accepted Privacy Principles from the American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants?

A
Management
Notice
Choice and consent
Collection
Use and retention
Access
Disclosure to third parties
Security for privacy
Quality
Monitoring and enforcement
22
Q

What is Canada’s “Digital Charter?”

A

The Government of Canada released a “Digital Charter” document in 2019 meant to signal the direction of future government policy. It is non-binding and will need to be incorporated into future laws. Its principles:

  • Universal access
  • Safety and security
  • Control and consent
  • Transparency
  • Open and modern digital government
  • Level playing field for Canadian businesses
  • Data and digital for good (ethics)
  • Strong democracy (fight misinformation)
  • Free from hate and violent extremism
  • Strong enforcement and real accountability
23
Q

What law prohibits requiring individuals to undergo a genetic test or disclose the results of genetic tests as a condition of receiving goods or entering into a contract?

A

Genetic Non-Discrimination Act (GNDA) 2017

24
Q

Which provinces have provincial healthcare laws?

A

All provinces except Nunavut and Quebec

25
Q

What is the common theme for consent across provincial healthcare laws?

A

Consent must be meaningful

26
Q

What kind of entities are subject to PIPEDA?

A

Private sector organizations collecting, using or disclosing information that is:

(1) in the course of a commercial activity, OR
(2) about an employee of the organization in connection with the operation of a federal work, undertaking or business

27
Q

What types of organizations are NOT subject to PIPEDA?

A

Public sector institutions (Privacy Act or similar applies)
Personal or domestic purposes
Journalistic, artistic, or literary purposes
When there is a provincial law that is “substantially similar” to PIPEDA

28
Q

What is the main requirement for collecting or using personal information under PIPEDA?

A

Knowledge and consent

29
Q

When does Canada’s Anti-Spam Legislation (CASL) apply?

A

Applies to all Commercial Electronic Messages that are (1) sent by or accessed from a computer system in Canada, or (2) sent into Canada

Applies to non-profits and charities

30
Q

What are CASL’s main obligations/requirements?

A

Record-keeping
Identification
Unsubscribe mechanism

31
Q

What entity enforces CASL?

A

Canadian Radio-Television and Telecommunications Commission (CRTC)

32
Q

When is implied consent sufficient to send a CEM under CASL?

A

Sender and recipient have an existing business relationship.
Sender and recipient have an existing non-business relationship
Recipient has conspicuously published their email address on a website and did not express they do not wish to receive messages
Recipient has disclosed their email address directly to the sender and did not express they did not wish to receive messages

33
Q

When is consent NOT required under CASL?

A

Personal or family relationships
Inquiry about a product or service offered by the recipient
Quote or estimate provided upon request
Ongoing subscription or membership information
Information related to an employment relationship or benefit plan

34
Q

What CEM records must be maintained under CASL?

A

Demonstrate consent
CASL compliance
Unsubscribe requests

35
Q

What does CASL require for unsubscribe mechanisms?

A

Must be functional, simple, free and quick

Must be processed within 10 days

36
Q

What privacy laws does the OPC oversee?

A

Privacy Act and PIPEDA

37
Q

What two public-sector privacy laws refer to each other to regulate public sector activities?

A

Privacy Act

Access to Information Act

38
Q

What is personal information under the Privacy Act? And is it narrow or broad?

A

Broad. Includes 9 examples under the act:

Info relating to the race, ethnic origin, color, religion, age, or marital status;
Info relating to educational, medical, criminal, employment history, or financial transactions the individual has been involved in;
Number, symbols or other particulars
Address, fingerprints or blood type
Opinions or views except when they are about another individual
Private correspondence between an individual and government institution
Views or opinions of another about the individual
Views or opinions of another in regard to a grant or award (except when naming someone else)

39
Q

What does the Privacy Act require to COLLECT personal information?

A

Information must be related to the operating program of the institution

Consent is NOT required

Institution must be able to demonstrate information is a necessity

40
Q

When can personal data be disclosed/transferred under the Privacy Act?

A

Either (1) with consent, or (2) without consent in these situations:
For the purposes for which the information was obtained or compiled by the institution or for a use consistent with that purpose;
For any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes the disclosure
For the purpose of complying with a subpoena or court order;
To the AG of Canada for use in legal proceedings involving the Canadian Government;
To an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation;
Under agreement between the government of Canada and the government of a province, foreign government, international organization, etc. for the purpose of administering or enforcing any law or carrying out a lawful investigation;
To a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem;
To officers or employees of the institution for internal audit purposes
To Library and Archives Canada for archival purposes;
To any person or body for research or statistical purposes with permission from the head of the government institution

NOTE: If consent is not obtained, records must be kept

41
Q

What is “consistent use” under the Privacy Act?

A

If future use is consistent with the purpose for which the government collected it, then it can be disclosed without consent

42
Q

What kind of ‘notice’ is required under the Privacy Act?

A

Not much.

Government institutions must publish information about their Personal Information Banks in the INFO SOURCE

43
Q

When can the right of access be refused under the Privacy Act?

A

Reasons for denial include:

Obtained in confidence from a foreign state that insists on nondisclosure
Reasonable expectation of injury to national defence, etc.
Info is less than 20 years old and may pose security threat
Info collected by Police
Reveals identity of an informant
Disrupts parole release program
Information threatens safety of others
Attorney-client privilege
Health info

44
Q

What is a main difference in the scope of the Privacy Act and the provincial FIPPAs?

A

Provincial FIPPAs BOTH provide access to the information and protect privacy

45
Q

Why are government institutions required to conduct PIAs?

A

Federal government requires via policies that institutions under the Privacy Act conduct PIAs. “Directive on Privacy Impact Assessments” (by Treasury Board)

46
Q

Under the Directive on Privacy Impact Assessments, when must a PIA be conducted?

A

All new proposals and programs;

Any redesigns of existing programs and services

47
Q

Under the Directive on Privacy Impact Assessments, what must a PIA cover and identify?

A
Collection authority
Direct collection, notification and consent
Retention
Accuracy
Use
Disclosure
Administrative, physical and technical safeguards
Technology and privacy issues
48
Q

What is “The Standard” and what does it require?

A

The Standard on Privacy and Web Analytics

Applies to the government’s use of web analytics (institutions subject to the Privacy Act)

Requires privacy notices on websites, maximum retention periods, and strict privacy protective language in 3rd party contracts; depersonalization or anonymization tools

Failure to comply may result in additional reporting by the Treasury Board of Canada

49
Q

What is “Personal Health Information”?

A

Any information concerning an individual’s physical and/or mental health

50
Q

What do most provincial health information laws require from Health Information Network Providers (HINPs)?

A

HINPs must:

  • Conduct PIAs and TRAs (threat risk assessments)
  • Enter into written agreements with custodians
51
Q

When can consent generally be inferred under most provincial healthcare laws?

A

When information is shared within the individual’s health circle

52
Q

What is eHealth Ontario?

A

The result of a merger between the Ministry of Health and Long-Term Care and Smart Systems. The organization planned to complete an integrated health information system for individuals and their healthcare providers, but had large setbacks. It is still working towards a goal that was supposed to be accomplished in 2015.

53
Q

Digital Health Canada

A

Its mission is to take health informatics mainstream through promotion of health technology systems and effective use of health information. It provides practical guidance and measures to ensure appropriate privacy and security in a healthcare context.

54
Q

Canadian Institute for Health Information (CIHI)

A

A publicly funded health data aggregator. Meant to help improve Canada’s health system and the well-being of Canadians by being a leading source of unbiased, credible and comparable information that will enable health leaders to make better decisions.

55
Q

Which entities are subject to the Privacy Act?

A

Government institutions listed in a schedule to the act.

All ministries;
Many federal government institutions (Canada Revenue Agency, etc.) and tribunals (Canadian Human Rights Tribunal);
Some Crown corporations (Canadian Broadcasting Corporation)

56
Q

Under the Privacy Act, what requirements must be met for institutions to COLLECT personal information?

A

Information must be related to the operating program or activity of the institution

Does NOT need consent

Must collect directly from the individual when the information will be USED for an administrative purpose (unless this is impossible, the individual consents, or collection is pursuant to specific exceptions)

57
Q

Under the Privacy Act, when can institutions disclose personal information to third parties?

A

(1) with consent, or
(2) without consent if:
- consistent use
- in accordance with an act of parliament
- to comply with court order
- to the AG of Canada for use in legal proceedings involving Canadian Government;
- to investigative body in accordance with regulations
- Under agreement between governments to enforce or investigate law
- To a member of Parliament to assist the individual in resolving a problem
- To internal employees for audit purposes
- To Library and Archives Canada
- For research or statistical purposes WITH PERMISSION from head of government institution

58
Q

What entities are subject to provincial FIPPAs?

A

Government entities, including crown corporations; and

Education

59
Q

When must a breach be reported under PIPEDA (and to whom)?

A

Mandatory notification to OPC for any breach of security safeguards involving PI;
Notification to individuals where there is a risk of significant harm;
Must keep record of all breaches

60
Q

What are PIPEDA’s 10 privacy principles that organizations SHOULD follow?

A
Accountability;
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure, and Retention;
Accuracy;
Safeguards;
Openness;
Individual Access;
Challenging Compliance
61
Q

What are the main obligations of private organizations under the Alberta and BC PIPAs?

A

Act Reasonably

10 PIPEDA principles encapsulated into these laws

62
Q

Who oversees the Alberta and BC PIPAs?

A

OIPC of Alberta

OIPC of BC

63
Q

What oversight powers do the OIPCs of Alberta and BC have with respect to the PIPAs?

A

OIPC can ORDER organizations to take action (not just make recommendations, as the OPC does for PIPEDA)

64
Q

When are disclosures outside of Quebec allowed, under the Quebec Act (1994)?

A

Disclosures outside of Quebec to a 3rd party are only allowed if the organization is satisfied that:

  • Information will not be used for any purposes not relevant to the object of the file, or communicated to 3rd persons without consent;
  • For marketing lists, the person must have valid opportunity to refuse to allow PI to be used for commercial purposes
65
Q

What kind of consent is required under CASL for installation of computer programs?

A

Express consent to install computer programs

Implied consent is okay for:

  • Cookies
  • HTML
  • JavaScript
  • operating system
  • Any executable through another program where the user already consented
  • Software installed to correct a bug
66
Q

What 5 obligations do many provincial health laws have in common?

A

Access and right to correct information
Accountability
Consent (must be meaningful but can be implied unless to a non-custodian or other custodians outside circle of care)
Safeguarding and breach notification
Openness (not always required, but sometimes recommended that privacy information is provided in print or on a website)

67
Q

Blackstone Learning Corp

A

CASL violation for sending CEMs without consent (erroneously relied on implied consent)

68
Q

Compu-Finder

A

PIPEDA violation for collecting and using email addresses without consent

OPC found that Compu-Finder was either not aware of or did not respect its privacy obligations under PIPEDA

Entered into a compliance agreement with the OPC

69
Q

Society for Worldwide Interbank Financial Telecommunication (SWIFT)

A

2006

Complaint against 6 Canadian financial institutions for disclosures of personal information to US government authorities

OPC determined that SWIFT had not contravened the act when it disclosed the personal information to the US Government

OPC did determine that PIPEDA applied – just because a company operates in multiple jurisdictions doesn’t change that

Banks involved had adequate contractual provisions to ensure a comparable level of protection once the data was transferred to SWIFT, so the complaint against them was not well-founded

70
Q

TJX (Winners, Homesense)

A

Data was compromised from TJX, including credit card numbers, names, addresses, telephone numbers, and Canadian driver’s licenses and other provincial ID numbers and names.

TJX notified Federal and provincial privacy commissioners of the breach.

Privacy commissioner did not like the collection of DL information, because it was mostly irrelevant to any legitimate purpose of the retailer

Thereafter, TJX started to hash DL number

71
Q

Facebook (2008)

A

Students at the University of Ontario’s cyberlaw clinic filed a complaint with the OPC regarding Facebook’s privacy policies and procedures

Facebook was providing personal info to app developers without ‘meaningful consent’

OPC was critical of FB practices. Found FB had not misrepresented or acted deceptively but had not met knowledge and consent obligations under PIPEDA

FB adopted OPC recommendations that app developers receive no more info than needed, provide better notice, and give users an opportunity to meaningfully consent to transfers of data

72
Q

Nexopia (2010)

A

Youth-oriented social networking site

OPC found Nexopia in breach of PIPEDA obligation and issued 24 recommendations, including adoption of an ability for Nexopia users to permanently delete their personal information

73
Q

Google

A

2010: Investigation around inadvertent collection of data from unsecured wi-fi networks as camera cars documented street images for Google’s mapping service. The issue was tabled because Google agreed to implement OPC recommendations
2013: Google ads used health information to display health-related ads (search history for sleep apnea, etc.). Google committed to providing more information to advertisers and increasing monitoring for possible violations of its policies
2014: Complaint filed when its Search App update required consent to collect information beyond what was required for the app’s functionality. OPC found in Google’s favor because granting app permissions does not equate to consent for collection, use or disclosure. OPC nonetheless recommended that Google take steps to clarify for its users the meaning and function of permissions

74
Q

Ganz (2012)

A

Toy developer with a wifi pet used personal information of children without adequately explaining its purpose or obtaining appropriate consent. OPC issued 11 recommendations, and Ganz agreed to implement the recommended measures

75
Q

Apple

A

2013: OPC initiated an investigation into Apple’s use of unique device identifiers. Apple ID account details for every device user were accessible by Apple, so OPC said it was personal information. UDIDs were disclosed to developers for targeted advertising, and OPC said that when used this way it is sensitive personal information due to the potential to be used to create detailed user profiles

Apple replaced UDIDs with Ad IDs and provided an option for users to reset tracking history or opt out of receiving targeted ads

76
Q

Globe24h

A

2013: Globe24h republished court decisions containing personal info on its website, allowing information to be indexed and searched and charging a fee for removal.

OPC said Globe24h needed consent to republish court decisions because a reasonable person would not think it was appropriate in the circumstances

Globe24h refused to adopt recommendations, but has removed personal information for some complainants. OPC may pursue further.

77
Q

Bell (2014)

A

Tracked internet browsing habits, app usage, TV viewing, and calling patterns of its customers, which could be combined with demographic and account data to create highly detailed, sensitive profiles for third parties to use for a fee.

OPC received lots of complaints after the announcements. Bell agreed to make changes to planned program but refused to implement process to obtain consent. Bell decided to withdraw the program and delete user profiles.

OPC said it would be paying special attention to targeted advertising moving forward

78
Q

Equifax (2017)

A

Breach resulted in access to the data of 140+ million individuals, including 19k Canadians.

OPC investigated and concluded Equifax failed to comply with PIPEDA because, among other things, breach response measures were inadequate (Equifax Canada wasn’t notified even though Equifax Inc knew Canadian data was in scope), there was a lack of clarity of responsibilities and roles, and Equifax Canada failed to supervise Equifax US

79
Q

Loblaws (2018)

A

Loblaws had been colluding with other market actors to fix the price of bread. In response, they offered a $25 gift card to use in their stores. To verify eligibility they asked for a utility bill or driver’s license. The OPC complaint was that this was more than necessary for the purpose

80
Q

Facebook (2019)

A

The Privacy Commissioners of Canada and Alberta jointly published a report summarizing their investigation into FB and the third-party app thisisyourdigitallife. Info was used to generate user profiles and target individuals with political advertising. It may have been disclosed to Cambridge Analytica

Conclusions:

  • FB failed to obtain valid and meaningful consent from installing users and friends of installing users
  • FB had inadequate safeguards to protect user info
  • FB failed to be accountable for user information under its control
81
Q

Authentication Guidelines

A

Privacy commissioner guidance suggests that organizations should:

  • Guard against authentication for the sake of authentication. If no need, don’t do it
  • Know the individuals they are interacting with, then choose the correct level of authentication
  • Regularly assess risk and deploy risk mitigation measures, including adjusting the strength of the authentication process
  • Keep vigilant of ‘risk creep’, especially as related to adding new services onto existing services
  • Monitor attempted attacks
  • Give individuals some choice when it comes to authentication
82
Q

A.T. v Globe24h

A

PIPEDA applies to organizations operating outside of Canadian borders

83
Q

Accusearch (ABIKA) case

A

Applicant contested OPC’s finding that PIPEDA gave it no authority to take jurisdiction over an organization that seemed to be able to collect information of individuals within Canada

OPC had initially refused to investigate because PIPEDA did not give them jurisdiction to investigate complaint.

In questions of jurisdiction, court reviews DE NOVO. Court said OPC erred by not taking jurisdiction

84
Q

Eastmond case

A

Employees of a railway company objected to video surveillance. The court adopted a 4-part test now frequently used for reasonableness:

  1. Is collection NECESSARY to meet specific need?
  2. Is collection likely to be EFFECTIVE in meeting specific need?
  3. Is loss of privacy PROPORTIONAL to benefit gained?
  4. Is there a LESS-PRIVACY-INVASIVE way of achieving the same end?

Court disagreed with OPC. Court reviewed DE NOVO

85
Q

Blood Tribe Case

A

Deals with power of the OPC under PIPEDA to review documents requested that are subject to solicitor-client privilege

The Federal Court determined that OPC cannot even ask organizations to prove a document is privileged.

86
Q

TELUS Voiceprint Case

A

Employees of TELUS Communications filed a complaint over the practice of collecting their voiceprints

Court agreed that consent was required to collect voiceprint info, but refused to give an opinion as to whether employees could be disciplined for failing to consent