CIPP/C Flashcards
3 levels of government in Canada
Federal
Provincial
Territorial and Municipal
Canadian legislative branch comprised of…
House of Commons
Senate
What are the 3 branches of government in Canada?
Executive
Legislative
Judiciary
What is the role of administrative tribunals?
Interpret laws
Sometimes enforce charter rights
Administer specific programs
Supposed to expertly deal with matters before them
Decisions are considered government decisions and are subject to judicial review
Which Canadian provinces use Common Law?
All except Quebec (Civil law)
Section 7 of the Canadian Charter of Rights and Freedoms states…
Everyone has the right to life, liberty and the security of the person, and the right not to be deprived thereof except in accordance with the principles of fundamental justice.
Section 8 of the Canadian Charter of Rights and Freedoms
Everyone has a right to be secure against unreasonable search or seizure
What Federal privacy law governs the public sector in Canada?
The Privacy Act (1983)
What Federal privacy law governs the private sector in Canada?
Personal Information Protection and Electronic Documents Act of 2001 (PIPEDA)
What provincial privacy laws are substantially similar to PIPEDA?
BC and Alberta: PIPAs
Quebec: Act Respecting the Protection of Personal Information in the Private Sector (Quebec Act)
Health laws:
Ontario: Personal Health Information Protection Act (PHIPA)
New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA) (2010)
Newfoundland and Labrador: Personal Health Information Act (PHIA) (2011)
Nova Scotia: Personal Health Information Act (PHIA) (2013)
When is a law considered substantially similar to PIPEDA?
When it:
- Provides equal privacy protection
- Contains the 10 PIPEDA fair information principles
- Provides for independent oversight and redress with the power to investigate
- Allows the collection, use and disclosure of personal information only for appropriate or legitimate purposes
What is “Work Product Information”?
Information about an individual that is related to that individual’s position, functions and/or performance of their job
What is “Personal employee information”?
With respect to an employee/potential employee: Information reasonably required by an organization to manage or terminate (i) an employment relationship; or (ii) a volunteer relationship
Does not include information about the individual that is unrelated to that relationship
What employment information is CARVED OUT from the definition of ‘personal information’ under the Privacy Act?
Information about an individual who is/was an officer or employee of a government institution that relates to the position or function of the individual
- employment status
- title, address, etc.
- classification, salary range, responsibilities
- Name on document prepared by the individual in course of employment
- Personal opinions or views given in the course of employment
What information is ‘publicly available’ and therefore does not have protections under the Privacy Act?
Information that is found in a library or museum and is preserved for public reference or exhibition
What information is ‘publicly available’ and therefore does not have protections under PIPEDA?
Information contained in a public directory, such as
- telephone directories
- professional or business directories
- published registries
- court or tribunal records
- Magazines and newspapers
What will an organization need to do, under PIPEDA, to collect publicly-available information for the purpose of making it publicly-available in another forum?
Collect the individual’s CONSENT
According to the OPC’s interpretation on publicly-available information, what are some examples of when consent is NOT required for collecting/using/disclosing publicly-available information?
Disclosing information available in court records that relates directly to the purpose
Collecting information from a source for the specific purpose behind the disclosure
Collecting, using or disclosing information in a public registry that relates to its purpose for being there
A company collects customer information from its parent company’s white pages for its own purposes
Republishing personal white pages telephone directory information in an online format
Collecting information about a business from publicly available sources like the yellow pages
Using information from the context of published books, magazines and newspapers
What are the 8 principles from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Information (1981)?
Eight principles:
- Accountability
- Purpose specification
- Collection limitation
- Use Limitation
- Data Quality
- Security Safeguards
- Openness
- Individual participation
What are the 10 privacy principles from the Canadian Standards Association (1996)?
- Accountability
- Identifying purpose
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging compliance
What are the 10 Generally Accepted Privacy Principles from the American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants?
Management. Notice. Choice and consent. Collection. Use and retention. Access. Disclosure to third parties. Security for privacy. Quality. Monitoring and enforcement.
What is Canada’s “Digital Charter”?
Government of Canada released a “Digital Charter” document in 2019 meant to signal the direction of future government policy. Non-binding, will need to be incorporated into future laws.
- Universal access
- Safety and security
- Control and consent
- Transparency
- Open and modern digital government
- Level playing field for Canadian businesses
- Data and digital for good (ethics)
- Strong democracy (fight misinformation)
- Free from hate and violent extremism
- Strong enforcement and real accountability
What law prohibits requiring individuals to undergo a genetic test or disclose the results of genetic tests as a condition of receiving goods or entering into contract?
Genetic Non-Discrimination Act (GNDA) 2017
Which provinces have provincial healthcare laws?
All provinces except Nunavut and Quebec
What is the common theme for consent across provincial healthcare laws?
Consent must be meaningful
What kind of entities are subject to PIPEDA?
Private sector organizations collecting, using or disclosing information that is:
(1) in the course of a commercial activity, OR
(2) about an employee of the organization in connection with the operation of a federal work, undertaking or business
What types of organizations are NOT subject to PIPEDA?
Public sector institutions (Privacy Act or similar applies)
Personal or domestic purposes
Journalistic, artistic, or literary purposes
When there is a provincial law that is “substantially similar” to PIPEDA
What is the main requirement for collecting or using personal information under PIPEDA?
Knowledge and consent
When does Canada’s Anti-Spam Legislation (CASL) apply?
Applies to all Commercial Electronic Messages that are (1) sent by or accessed from a computer system in Canada, or (2) sent into Canada
Applies to non-profits and charities
What are CASL’s main obligations/requirements?
Record-keeping
Identification
Unsubscribe mechanism
What entity enforces CASL?
Canadian Radio-Television and Telecommunications Commission (CRTC)
When is implied consent sufficient to send a CEM under CASL?
Sender and recipient have an existing business relationship
Sender and recipient have an existing non-business relationship
Recipient has conspicuously published their email address on a website and did not express that they do not wish to receive messages
Recipient has disclosed their email address directly to the sender and did not express that they do not wish to receive messages
When is consent NOT required under CASL?
Personal or family relationships
Inquiry about a product or service offered by the recipient
Quote or estimate provided upon request
Ongoing subscription or membership information
Information related to an employment relationship or benefit plan
What CEM records must be maintained under CASL?
Demonstrate consent
CASL compliance
Unsubscribe requests