CIPP/C Flashcards

Question

What type of state is Canada?

Answer 1

Federal state

Answer 2

Federal, Provincial and Municipal

Answer 3

House of Commons -members elected in general elections held every four years Senate - members are appointed

Answer 4

Parliamentary

Answer 5

Must be approved by both the House of Commons and the Senate

Answer 6

House of Commons and the Senate

Answer 7

Introduce, debate and pass bills and policy Play a role in the oversight of the executive branch Appoint officers of Parliament (i.e. the Federal Privacy Commissioner)

Answer 8

Headed by the Supreme Court of Canada Made up of a network of federal and provincial courts that hear and decide criminal and civil matters across the country

Answer 9

Constitution Act of 1867

Answer 10

Constitution Act of 1867 - trade and commerce

Answer 11

Provinces are responsible for such areas as hospitals, education, provincial courts and municipalities.

Answer 12

Property and civil rights

Answer 13

Interpret laws Review laws and government actions to ensure rights and freedoms are upheld Judicial review - review of gov't decisions (limited to review of such decisions for specific types of errors)

Answer 14

Interpret laws Can enforce Charter rights vehicles of the executive branch and are organized to administer specific programs with a certain degree of expertise

Answer 15

Charter rights are those created by the Canadian Charter of Rights and Freedoms. Are constitutional rights and thus considered the most valuable rights in Canada

Answer 16

An administrative tribunal

Answer 17

Officer of Parliament

Answer 18

Is an Officer of Parliament, not a not a member of the executive branch of government, and is therefore accountable directly to the legislature.

Answer 19

All except Quebec

Answer 20

In common law systems, laws are found in statutes (bills that have been introduced, debated and passed by the legislative branch of government) and in case law. Accordingly, the judiciary’s role is instrumental in the development of law because this “judge-made” law is on equal footing with any statute-based law.

Answer 21

In civil law jurisdictions, laws are are codified into a civil code, which obviates the need to search through judicial decisions to determine what laws exist.

Answer 22

Legislation Common Law Contracts Constitution and the Charter

Answer 23

The Privacy Act

Answer 24

Imposes rules that govern the government’s collection, use and disclosure of personal information. Provides for a right of access to PI Sets up the OPC to oversee and enforce the Privacy Act

Answer 25

Freedom of Information and Protection of Privacy, though each law has slightly different approaches

Answer 26

Personal Information Protection and Electronic Documents Act (PIPEDA)

Answer 27

Private sector organizations that that are subject to substantially similar legislation to PIPEDA passed by a province.

Answer 28

Personal Information Protection Act in Alberta (“Alberta PIPA”) Personal Information Protection Act in British Columbia (“BC PIPA”) Act Respecting the Protection of Personal Information in the Private Sector in Quebec (“the Quebec Act”), Personal Health Information Protection Act in Ontario (PHIPA)

Answer 29

Judge-made law because it is derived over time from the various rulings, decisions and interpretations made by judges who hear the cases that are brought before them. Judge-made law that protects privacy in Canada is in its infancy

Answer 30

One Supreme Court of Canada decision from the late 1990s upheld a plaintiff's claim for damages b/c a photograph of her was used on a magazine cover.

Answer 31

Ontario Court of Appeal recognized the tort of intrusion upon seclusion in Jones v Tsige in 2012

Answer 32

Traditionally, the notion of privacy was well protected by more traditional interests such as trespass and nuisance

Answer 33

Private laws created by parties who agree to be bound by certain terms

Answer 34

Privacy rights can be created and protected by contracts when the parties to the contract agree to respect the confidentiality and security of the information they become privy to b/c of the contractual arrangement or other discrete terms within the contract, such as privacy or security terms. Often occur within a commercial or employment context

Answer 35

In outsourcing situations where one party provides personal information under its control to another party. The receiving party is often asked to be contractually bound to protect that PI and to keep it properly safeguarded.

Answer 36

Applies only to government action; private litigants would not be able to base a claim for breach of privacy against anyone other than a government entity Section 7 of the Charter states that “everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.” While there is no mention of the word privacy, there is an emerging body of case law that supports the view that Section 7 serves as a source of constitutional protection of the right to privacy. Section 8 of the Charter states: “everyone has the right to be secure against unreasonable search or seizure.”

Answer 37

In the criminal and administrative context to prevent government authorities from violating privacy rights while gathering evidence, conducting investigations or conducting administrative functions (such as inspecting food-packaging plants). Triggered when the state interferes with an individual's reasonable expectation of privacy and when such interference itself is found to be unreasonable.

Answer 38

Between private parties and unless settled privately are enforced through the courts

Answer 39

In actions against the government?

Answer 40

Ombudspeople

Answer 41

Only after a complaint is lodged- though sometimes the commissioners themselves can commence complaints.

Answer 42

Renders a report and matter may proceed to court.

Answer 43

A brand new hearing.

Answer 44

What governments and organizations can do with PI

Answer 45

A determination that the type of information being discussed is indeed personal information

Answer 46

Any identifiable information about an individual

Answer 47

purely corporate information (e.g., trade secrets, confidential business info, or nonidentifiable info belonging to groups of people) is not PI, and such info is not protected by Canadian privacy laws (although non-privacy laws may apply)

Answer 48

B/c each provincial or federal law will have its own definition of PI

Answer 49

To information under the control of federal government institutions

Answer 50

Privacy Act considers opinions about an individual to be the personal information of that individual. This important b/c it means that privacy laws provide a right of access to one's own PI. Eg. if Jones has expressed an opinion about Smith that was documented, Smith can discover it by making a request to see his own personal information. Under the Privacy Act, not only can Smith see the content of the opinion about himself, but he will often be allowed to know the identity of the opinion holder as well. This is b/c the identity of the opinion holder is considered the PI of both the opinion holder and the opinion subject.

Answer 51

The difficulty of interpreting the meaning of "about" as it is used in the phrase "about an identifiable individual"

Answer 52

Definition is undeniably expansive. Language is deliberately broad and entirely consistent with the great pains that have been taken to safeguard individual identity. Its intent seems to be to capture any information about a specific person, subject only to specific exceptions.

Answer 53

To justify finding that many categories of info, regardless of whether the info is sensitive, private, innocuous or well-known are PI Notably used by some judges to conclude that job-related info fall sunder the definition of PI and thus merits some protection under privacy legislation

Answer 54

When if, in combination with other information, it could be used to identify an individual Eg. In 2008, the federal court determined that data regarding the provincial location in which medical patients were treated was personal information because such data, when coupled with other available data, could lead to the identification of individual patients. In In adopting a new test to determine what should be considered PI, the court provided that “information will be about an individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

Answer 55

Public policy reasons To recognize that while some data might otherwise be considered to be about an identifiable individual, there is a public policy reason for not treating it as such. Eg. information about public-sector employees

Answer 56

Information about an identifiable individual. Similar to the Privacy Act's definition - intentionally broad and expansive interpretation

Answer 57

Applies to every organization that “collects, uses or discloses PI in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses PI in connection with the operation of a federal work, undertaking or business.

Answer 58

An employee’s business contact information is treated differently in that it is said not to apply to an organization in respect of the business contact info of an individual that the organization collects, uses or discloses solely for the purpose of communication or facilitating communication with the individual in relation to their employment, business or profession. This also includes an individual's work cell phone records.

Answer 59

Health context

Answer 60

Whether separate laws ought to exist for employee information and work product information

Answer 61

“‘personal employee information’ means, in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating:(i) an employment relationship; or,(ii) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship

Answer 62

Information about an individual that is related to that individual’s position, functions and/or performance of their job.

Answer 63

Regular personal information and employee-related information or work-product information.

Answer 64

Carves out some employment and work-product-related information

Answer 65

Where the PI is publicly available.

Answer 66

BC and AB by defining it.

Answer 67

Provides that a government’s restricted ability to use and disclose personal information does not apply if the information is publicly available. However, the government’s obligations to collect the information in accordance with the act are not affected by whether the info. is available No definition in the Privacy Act to help guide users as to what is and is not considered publicly available.

Answer 68

Any information that is found in a “library or museum material preserved solely for public reference or exhibition purposes; or material placed in the Library and Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology by or on behalf of persons or organizations other than government institutions.

Answer 69

Generally, PIPEDA requires the knowledge and consent of an individual before collection, use or disclosure of personal information can take place. However, PIPEDA states that an organization may collect, use or disclose personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the regulations. For the purposes of PIPEDA, it is a fact-specific inquiry as to whether info is found to be "publicly available".

Answer 70

Merely because an individual appears in public does not mean they “automatically forfeit” their “interest in retaining control over the personal information which is thereby exposed For an organization to be exempted from the consent requirement, the personal information must be both publicly available and specified by the regulations The exception to the consent requirement does not apply to the organization that initially collects the information for the purposes of subsequently making it publicly available.

Answer 71

With the advent of online social networking and the ability to find info about individuals easily via the internet, more info is meeting the criteria for publicly available.

Answer 72

The info. can only be released if doing so would not be an unreasonable invasion of privacy.

Answer 73

The Organisation for Economic Co-operation and Development (OECD)'s set of 8 privacy principles entitled “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”

Answer 74

Broke the OECD’s code into 10 principles that were incorporated as a schedule to Canada’s private-sector privacy law, PIPEDA and formed the basis of the principles of the Canadian Standards Association.

Answer 75

the "Model Code for the Protection of Personal Information" ("Code")

Answer 76

Developed in order to assist with finding a balance btw legitimate business interests and the individual right to privacy.

Answer 77

Was influenced by a committee concerned with protection of privacy in Canada.

Answer 78

Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure and Retention Accuracy Safeguards Openness Individual Access Challenging Compliance

Answer 79

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Answer 80

The purposes for which PI is collected shall be identified by the organization at or before the time the information is collected.

Answer 81

The knowledge and consent of the individual are required for the collection, use or disclosure of PI, except where inappropriate.

Answer 82

The collection of PI shall be limited to that which is necessary for the purposes identified by the organization.

Answer 83

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Answer 84

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Answer 85

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Answer 86

An organization shall make readily available to individuals specific info about its policies and practices relating to the management of PI.

Answer 87

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Answer 88

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

Answer 89

Jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)

Answer 90

The GAPP are meant to be used by any organization involved in the handling of personal information. These principles were established to help businesses navigate the competing interests of business, government and consumers.

Answer 91

Each principle is supported by “objective and measurable criteria” available in the full text of the document

Answer 92

Management Notice Choice and consent Collection Use, retention and disposal Collection Use, retention and disposal Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement

Answer 93

The 10 fair information principles found in Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA)?

Answer 94

The Accountability principle.

Answer 95

An organization: 1. Must implement procedures that protect PI 2. Establish procedures to receive and respond to complaints or questions 3. Train staff 4. Be transparent about all these procedures and practices

Answer 96

A privacy policy

Answer 97

A document that tells customers, potential customers, employees and any other individuals who might have their PI collected, used or disclosed by the organization what the organization's PI-handling practices are.

Answer 98

An organization to appoint individuals with primary responsibility for privacy protection. Makes organizations responsible for the PI over which they have either custody or control. For ex. if an organization outsources some functions and the outsourced entity will have access to the PI collected by the organization, the organization must ensure that the 3P is contractually bound to the organization in a manner that provides adequate protection for the PI.

Answer 99

Google Inc's release of Google Buzz - a social networking tool that automatically draws upon contact information from a user’s Gmail account, adding certain contacts as “followers” and thereby revealing potentially sensitive user information. As a result, the data protection commissioners from around the world called on Google and all large social media companies to be more accountable for the information they control.

Answer 100

The obligation of organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.

Answer 101

If personal information is collected for a different purpose then the individual's privacy has been violated and the principle breached.

Answer 102

It must procure new consent after the new purpose is communicated to the individual.

Answer 103

To describe their purposes in ways that are precise enough to provide valuable information to individuals but broad enough to include potential future purposes so they don’t need to obtain consent every time they identify a new use for PI.

Answer 104

The general principle states that an organization may collect, use or disclose PI only if an individual consents.

Answer 105

State purposes for use in a broad manner (i.e. be as vague and as broad as possible).

Answer 106

That it be informed and meaningful.

Answer 107

This requires the individual to know and understand the purposes for the C, U or D of the PI.

Answer 108

Sensitive PI is information that is more significantly related to the notion of a reasonable expectation of privacy (e.g. medical or financial info., also pieces of info that, if procured by the wrong individuals, could result in serious cases of identity theft, might also be considered sensitive PI).

Answer 109

Acknowledging that different situations require different standards.

Answer 110

When the PI being collected is innocuous and the purpose of the collection straightforward.

Answer 111

When the PI being collected is innocuous and the purpose of the collection straightforward.

Answer 112

When the PI is sensitive, explicit and documented.

Answer 113

Require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purpose. For example: a customer entering her favourite electronics store to buy AA batteries cannot be required to share her address as a condition for her transaction, as it is neither related or necessary.

Answer 114

Withdraw consent

Answer 115

The need for many organizations to perform periodic privacy audits to ensure the required consents are being obtained and documented.

Answer 116

Exercises performed internally or by independent third parties to ensure that an organization holds personal information in compliance with the various privacy obligations to which the organization may be subject and with internal privacy standards established by the organization, such as commitments specified in an online privacy notice for customers.

Answer 117

The opaque nature of the privacy policies that are the basis of consent, complex information flows, and business processes that involved a multitude of 3P intermediaries. In this complex and rapidly changing digital environment, it can be exceedingly difficult for consumers to determine exactly what info they are sharing and with whom.

Answer 118

Requires organizations to collect only the amount and type of PI legitimately needed to fulfull the identified purpose. Requires that organizations not collect PI indiscriminately or beyond the scope of services provided.

Answer 119

This principle requires that “personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. PI shall be retained only as long as necessary for the fulfillment of those purposes.

Answer 120

The Limited Purposes principle

Answer 121

The notion that collection of excess PI can become a potential liability for an organization, requiring the protection and destruction of information that was not needed in the first instance. For these reasons, it is important that organizations carefully consider the information required to fulfil the purposes they have outlined.

Answer 122

This principle directs an organization to destroy the PI. This requires organizations to address the issue of retention schedules beforehand and to develop guidelines and procedures for the adequate destruction of PI at the appropriate time.

Answer 123

(1) PI that has been used to make a decision about an individual should be retained long enough to allow the individual access to the information after the decision (2) An organization may be subject to legislative requirements with respect to retention periods for certain types of information.

Answer 124

The time and manner of destruction of PI.

Answer 125

The context surrounding the collection, use, disclosure and type of PI.

Answer 126

The principle that obliges organizations to keep personal information as “accurate, complete and up-to-date as is necessary for the purposes for which it is being used.”

Answer 127

That organizations should make sure the information they are using to make decisions about providing credit or medical care to people is accurate in order to avoid inappropriate decisions or ill-fated consequences.

Answer 128

Keep information up to date (unless such a process is necessary to fulful the purposes for which the info was collected).

Answer 129

Must protect PI against loss or theft as well as unauthorized access, disclosure, copying, use or modification. This obligation transcends media, applying equally to paper-based and electronic data.

Answer 130

The complexity surrounding the technology of information holdings. The rapid rate of technological change, which complicates any conclusion about whether a particular safeguarding method is sufficiently secure.

Answer 131

Sensitive PI stored on any mobile device or information that can be accessed or transmitted across public wireless networks.

Answer 132

The sensitivity of the information, such that financial or medical info should receive greater security protection than address info.

Answer 133

Sensitivity of the information Cost-benefit analysis of the various technological solutions System performance.

Answer 134

Procedures and practices that formalize the manner in which personal information will be kept safe, in particular the appropriate level of security applicable to the sensitivity of the PI, often called "data classification."

Answer 135

Make readily available to individuals specific information about their policies and practices relating to the management of PI.

Answer 136

Because organizations must be open about their policies and practices with respect to the management of personal information, these policies are generally made available electronically on websites and on paper at the customer service point of interaction.

Answer 137

Organizations must be able to respond to requests from individuals for access to their personal information.

Answer 138

This principle incorporates such obligations as the requirement to inform individuals of the existence, collection, use and disclosure of PI. Moreover, if an individual reviews their information and find inaccuracies, the organization must be prepared to record this appropriately.

Answer 139

An organization cannot unduly delay

Answer 140

Obligation to assist individuals trying to access their own personal information by being helpful and providing the information in a user-friendly format.

Answer 141

Organizations provide information from inside a database via a printout that includes explanations for any codes contained in the database.

Answer 142

That access to PI will not be required or desirable in every instance.

Answer 143

Information protected by solicitor-client privilege.

Answer 144

Individuals should have an ability to challenge the organization’s PI-handling practices.

Answer 145

Jan. 1, 2001

Answer 146

The Act was passed as part of the government’s electronic commerce strategy - a policy initiative reportedly motivated by the desire to make Canada a world leader in electronic commerce.

Answer 147

Industry self-regulation

Answer 148

If the organization is otherwise subject to a provincial law that has been declared “substantially similar” to PIPEDA.

Answer 149

(1) The first is a matter of determining whether an organization is involved in a commercial activity. PIPEDA applies to every organization that “collects, uses or discloses personal information in the course of commercial activities” or (2) Whether the organization operates as or in connection with a federal work or undertaking. “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

Answer 150

PIPEDA was drafted to apply across the country; however, the federal government explicitly invited the provincial governments to occupy their own fields of responsibility and pass their own privacy laws.

Answer 151

(1) Only for purposes that a reasonable person would consider appropriate in the circumstances. It places a heavy burden on an organization to be prepared to demonstrate that it is always acting reasonably in its treatment of PI. (2) Only with consent.

Answer 152

The constitutional limit to the powers of the federal government in Canada. In support of this argument is the fact that PIPEDA applies only to organizations involved in commercial activities. The basis for this limitation is that the federal government’s jurisdiction rests on its power to regulate trade and commerce across the entire country. PIPEDA’s application to employees of organizations connected to or operating as federal works and undertakings rests on its constitutional ability to regulate industries that operate at a federal level (such as telecommunication companies, railways and airlines).

Answer 153

PIPEDA states that consent of an individual is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure of their PI (unless PIPEDA permits otherwise)

Answer 154

A greater alignment of federal and provincial private-sector privacy laws.

Answer 155

(1) Must be consistent with the schedule for PIPEDA (2) Has an independent oversight body like the OPC (3) Contain a redress mechanism for those who are aggrieved

Answer 156

Alberta’s Personal Information Protection Act (“Alberta PIPA”) British Columbia’s Personal Information Protection Act (“BC PIPA”) Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“the Quebec Act” Ontario’s Personal Health Information Protection Act of 2004 (PHIPA) New Brunswick’s Personal Health Information Privacy and Access Act (PHIPAA), with respect to personal health information custodians Newfoundland and Labrador’s Personal Health Information Act (PHIA), with respect to personal health information custodians Nova Scotia’s Personal Health Information Act (PHIA), with respect to health information custodians

Answer 157

“any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Answer 158

A fact-specific inquiry.

Answer 159

Quite broadly.

Answer 160

Nonprofit associations (presumably including unions) and private schools However, the OPC has determined that even though an organization may be nonprofit and membership-based, it can still engage in commercial transactions that trigger PIPEDA.

Answer 161

The requirement of obtaining consent and the obligation to act reasonably when doing so. Right to provide access to PI.

Answer 162

When doing so would reveal: -info about a 3P, for specified national security or law enforcement reasons; -solicitor-client privileged info; -commercially sensitive info; -info gathered as part of a formal dispute resolution mechanism; or -info collected w/o consent b/c the organization was investigating a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that info.

Answer 163

That these organizations do not need to respond to requests for access to PI. The OPC has made it clear that the obligation to provide access to PI cannot be circumvented by the fact that the organization is involved in litigation with the same individual.

Answer 164

Cost recovery. This is limited b/c organizations must respond to requests for PI at minimal or no cost to the individual. Thus, OPC has found that any type of flat fee would likely not be acceptable.

Answer 165

The OPC is responsible for the enforcement of the act and is comparable to that of an ombudsperson.

Answer 166

Complain to the OPC.

Answer 167

Investigate complaints under PIPEDA (are conducted in private) Can initiate a complaint if there are reasonable grounds for doing so. Power to subpoena and compel the giving of evidence

Answer 168

Enhanced powers regarding the conduct of investigations. Under 12(1), OPC may decline to investigate a complaint in certain circumstances. Under 12.2(1), the OPC may discontinue an investigation in certain circumstances.

Answer 169

A report is issued that details the findings and recommendations. The OPC report is nonbinding on the organization and rarely does the OPC name the organization.

Answer 170

The OPC can apply to the federal court to request a court order enforcing the implementation of recommendations.

Answer 171

Conduct an audit. At the end of the audit, the organization is given a nonbinding report (and OPC is not granted the power to initiate a application in federal court if an organization refuses to implement the recommendations contained in an audit report).

Answer 172

Education and awareness.

Answer 173

By passage of the Digital Privacy Act (DPA).

Answer 174

1. Breach Notification and Record-keeping Requirements 2. Updated definitions 3. Update to Consent 4. Compliance Agreements 5. Public Interest Disclosures

Answer 175

Organizations will be subject to mandatory notifications to the OPC of any breach of security safeguards involving PI. For breaches where there is a "real risk of significant harm to individuals" the requirement mandates notification to individuals. Organizations must keep a record of all breaches involving PI and provide a copy to the OPC upon request. Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines up to $100K.

Answer 176

PI - updated to mean info about an identifiable individual. Business contact info - updated to include any info that is used to communicate or facilitate communication with an individual in relation to their employment, business or profession.

Answer 177

Consent is considered valid only if it is reasonable to expect that individuals to whom an organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. `

Answer 178

Investigations/fraud detection and prevention Business transactions Witness statements in insurance claims Identifying injured, ill, deceased,; communicating with next of kin Financial abuse Employment relationships in federally regulated workplaces PI produced in the course of employment, business or profession

Answer 179

Compliance agreements aimed at ensuring organizations comply w/ PIPEDA.

Answer 180

Where the OPC believes, on reasonable grounds, than an organization has committed, is about to commit, or is likely to commit an act or omission that could constitute a contravention of PIPEDA, or a failure to follow a recommendation in Schedule I to the act.

Answer 181

Take certain actions to bring itself into compliance w/ PIPEDA.

Answer 182

Commencing or continuing a court application under PIPEDA with respect to any matter covered by the agreement.

Answer 183

After notifying the organization, the OPC could: (1) apply to the court for an order requiring the organization to comply with the terms of the agreement, or (2) commence or reinstate court proceedings under PIPEDA, as appropriate.

Answer 184

PIPEDA's confidentiality provisions continue to apply, but the scope of what can be disclosed in the public interest has been broadened. OPC may now make public any information that comes to its knowledge in the performance or exercise of its duties or powers under PIPEDA if it deems that doing so is in the public interest. Previously, this discretion applied only to information "relating to the PI management practices of an organization."

Answer 185

Both are considered to be substantially similar legislation to PIPEDA and therefore organizations that are subject to these acts are exempt from PIPEDA. Apply to the CUD of PI by the private sector Provide a right of access to one's own PI Set up an oversight body to which individuals can complain

Answer 186

These acts apply to the CUD of PI of individuals in employment and noncommercial contexts.

Answer 187

Alberta PIPA and BC PIPA apply to employee PI. This is important b/c w/o provincial legislation filling the gap, the only employees afforded any privacy protection in Canada would be those of organizations that operated as, or in conjunction with, federal works or undertakings.

Answer 188

Data such as work contact information is clearly not afforded the same degree of protection.

Answer 189

Consent, if the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

Answer 190

Work product. Allows for some ambiguity at the federal level, with a blurry distinction between i) work product, ii) business information and iii) contact information. As a result, the extent to which work product and PI overlap remains unclear.

Answer 191

While the OPC recognizes hat an employee can produce unprotected work-generated information, it currently deems PI that may be work product as subject to the act and suggests work-product issues be addressed on a case-by-case basis.

Answer 192

Excludes "work product" from PI treatment, thereby removing this information from protection under the act.

Answer 193

Similar to PIPEDA, it does not address work product or employee-generated information.

Answer 194

Obligation to act reasonably. Also, the 10 overriding principles found in the schedule to PIPEDA are all encapsulated in these laws.

Answer 195

Consent - before an organization can CUD PI , it must ensure that it has the requisite consent or that the situation is one that allows for nonconsensual CUD Individuals have a right of access their PI and a right to correct inaccurate information.

Answer 196

Deals w/ professional regulatory bodies - for these entities, the AB PIPA allows organizations to establish PI codes ad thereafter abide by the code instead of all the obligations imposed by PIPA.

Answer 197

A set of rules governing the CUD of PI in a manner that is consistent with the purposes and intent of the AB PIPA.

Answer 198

AB PIPA - organizations are required to notify the OIPC of AB when a privacy/security breach results in a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure of their PI.

Answer 199

The OIPC - these commissioners are given very broad and powerful powers of investigation. They investigate complaints.

Answer 200

Provincial commissioners have the power to order an organization to take an action (under PIPEDA, the federal commissioner only has the power to recommend that an organization take an action.

Answer 201

Act Respecting the Protection of Personal Information in the Private Sector (the Quebec Act)

Answer 202

The unique nomenclature used. Eg. organizations are called "enterprises" and disclosures are referred to as "communications".

Answer 203

Applies to every enterprise that collects, stores, uses or communicates PI about a natural person to third parties.

Answer 204

Those under PIPEDA, as the laws are substantially alike.

Answer 205

The Quebec Act's provision dealing with the communication of PI outside of Quebec. This provision, which is very similar to the way European data protection laws operate, provides that an enterprise in Quebec can disclose PI to a 3P outside of Quebec only if it is first satisfied that -info will not be used for purposes not relevant to the object of the file or communicated to 3Ps w/o the consent of the personal concerned -in the case of marketing lists, that the persons concerned have a valid opportunity to refuse to allow their PI to be used for commercial purposes

Answer 206

Is its specific code, which reflects close consultation between the lawmakers and the direct marketing industry.

Answer 207

"the commission" - has the obligation of hearing and deciding cases related to the application of the provisions concerning access to or rectification of PI or cases dealing w/ marketing lists. Has broad powers of inquiry and can order an organization to comply with its orders Decision can be appealed but its findings of fact are final.

Answer 208

Introduced on Jul. 1, 2014, is considered the toughest anti-spam law in the world.

Answer 209

The growth of electronic commerce by deterring certain practices that undermine the value of the internet as a medium for commerce.

Answer 210

Sending of commercial electronic messages (CEM) Installation of computer programs Prohibits the unauthorized alteration of transmission data.

Answer 211

Applies to: -all forms of electronic messaging, including email, SMS test messages, and messages sent via social networking. -any CEM that is sent from or accessed by a computer system located in Canada. -senders of CEMs from Canada, as well as to those who send messages into Canada from other countries. -nonprofit organizations and registered charities (however there are exceptions under the Income Tax Act)

Answer 212

Obligations relating to consent, identification and unsubscribing:

Answer 213

Express Consent - when requesting express consent, senders cannot consent on behalf of the end user. Moreover, silence or inaction on the part of the end user cannot be construed as providing express consent. (e.g. a prechecked box cannot be used, as it assumes consent). Express consent must be obtained through an opt-in mechanism, as opposed to opt-out. This mechanism must prompt the end user to take a positive action in order to indicate their consent.

Answer 214

Consent can be obtained either in writing or orally. In both cases, the onus is on the sender of the CEM to prove it has in fact obtained consent in order to send the CEM.

Answer 215

Consent may be implied in 4 circumstances: 1) Sender and recipient have an existing business relationship. 2) Sender and recipient have an existing nonbusiness relationship. 3) Recipient has conspicuously published their electronic address (e.g. on a website) and has not expressly stated that they do not wish to receive unsolicited messages. The message must be related to the recipient's professional capacity. 4) Recipient has disclosed their electronic address directly to the sender and has not expressly stated that they do not wish to receive unsolicited messages. The message must be related to the recipient's professional capacity.

Answer 216

Clearly identify themselves. if the message is sent on behalf of another person, that person must be identified as well. When a CEM is sent on behalf of multiple persons, all these persons must be identified in teh CEM; this specifically includes persons that play a material role in the sending of the CEM.

Answer 217

Senders can include a hyperlink to a web page containing this information. Link must be clearly and prominently set out in the CEM and the web page must be readily accessible at not cost to the recipient of the CEM.

Answer 218

Sender must demonstrate that it had the proper consent (implicit or explicit) to send CEMS to recipients. This also includes demonstrating adequate consent where the sender is relying on the existing business or nonbusiness relationship.

Answer 219

A functional unsubscribe mechanism that enables the recipient to unsubscribe at no cost. This must include an unsubscribe link that is functional for a minimum of 60 days. Unsubscribe requests must be processed without delay and in no event more than 10 days after the request has been made. An unsubscribe mechanism must be 'readily performed" - it should be simple, quick and easy for the end user.

Answer 220

Administrative monetary penalties (AMPs) for violations of CASL of up to $1M per violation for individuals and $10M per violation for other persons (or businesses).

Answer 221

CRTC found that Blackstone committed multiple violations including sending CEMs w/o consent through nine campaigns and targeting Canadian provincial and federal employees. CRTC found that Blackstone did not demonstrate that it had received consent to send the messages at issue. CRTC issued a $50K AMP

Answer 222

OPC investigation found that Compu-Finder did not have the appropriate consent for the collection and use of email addresses for the purpose of sending out emails promoting its business activities. CRTC issued a $1.1M AMP.

Answer 223

Express consent That the express consent of an owner or unauthorized user of a computer system be obtained before installing, or causing to be installed, a computer program on that individual's device.

Answer 224

That the purpose of the CASL is to protect consumers from computer program, such as malicious software (malware), that pose a real threat to individuals, and that it would be focusing its enforcement in that direction.

Answer 225

Malware - sometimes malware is installed along with other software. Concealed software Concealed software may be automatically executed when a consumer purchases a music CD and inserts it in their computer to listen to music or copy songs.

Answer 226

When the telecommunications service provider is installing software to protect the security of all or part of an end-user's network from a current an identifiable threat or updating or upgrading all or part of the network.

Answer 227

Cookies HTML JavaScript An operating system Bug fixes An executable program to which the end user already consented However, organizations are only considered to have consent for these types of computer programs as long as the person's conduct indicates that they consent to it.

Answer 228

Applies to the use and disclosure of personal financial information by Schedule I, Schedule II and Schedule II banks. The act oversees the institution's compliance w/ the protection of customer's personal and financial information.

Answer 229

Canadian privacy laws generally do not prohibit the international transborder flow of PI from Canada to locations outside of Canada, including the US. There is no language in PIPEDA to suggest there is a prohibition on the transfer of PI outside of Canada. In fact, the law explicitly contemplates transfers of PI.

Answer 230

The use of the cookie.

Answer 231

Cookies allow web servers to keep track of the end user's browser activities and connect individual web requests into a session. Cookies can also be used to prevent users from needing authorization for every password-protected page they access during a session by recording that they have successfully supplied their usernames and passwords already.

Answer 232

A cookie placed by the website that is visited.

Answer 233

A cookie placed by a party other than the visited website.

Answer 234

Cookie that is deleted when a session ends.

Answer 235

A cookie that remains for a period of time after a session ends.

Answer 236

Cookie permits data regarding browsing history to be recorded and saved to better predict a user's interests and develop a more accurate marketing profile of the user.

Answer 237

(1) An ID that is 18 characters long and unique to the individual's browser (2) the date, time and duration of the individual's visit to the "cookied" website.

Answer 238

The cookies will remain on their computers in perpetuity unless the individual removes them.

Answer 239

What is PI? Is the data processor collecting, using or disclosing PI as part of its activities?

Answer 240

That they are PI.

Answer 241

Is when an unauthorized access, CUD of PI occurs.

Answer 242

When PI is hacked, stolen, lost or inadvertently disclosed to the wrong people.

Answer 243

That an organization takes steps to address the situation, mitigate harm, and avoid similar future incidents.

Answer 244

Introduced new data breach reporting and notification provisions, which include a requirement for organizations to notify the OPC and affected individuals

Answer 245

Yes, however this must be equally supported by transparency and an individual's right to privacy.

Answer 246

The Generally Accepted Privacy Principles.

Answer 247

The Generally Accepted Privacy Principles framework promulgated by the American Institute of Certified Public Accountants in conjunction with the Canadian Institute of Chartered Accountants.

Answer 248

The Privacy Act in 1983 The Access to Information Act in 1985

Answer 249

"Freedom of Information and Protection of Privacy" acts.

Answer 250

Government entities including crown corporations and education.

Answer 251

Enforce transparency around Canada's public sector. They enable the public to request and obtain copies of records held by government ministries or the Office of the Premier when those records are not routinely available. Also, individuals are able to request access to their own information held by public institutions.

Answer 252

Applies to government institutions (i.e. ministries, tribunals, Crown corporations etc).

Answer 253

Collect PI only if the information relates directly to an operating program or activity of the institution. Significantly, there is no need for data subject consent prior to the collection of PI.

Answer 254

There is a general obligation to collect the PI directly from the individual when the information is going to be used for an administrative purpose unless: 1) this is impossible; 2) the individual authorizes the indirect collection; or 3) the collection is pursuant to one of 13 exceptions specified in the act. (these 13 exceptions mirror those for the nonconsensual disclosure of info.)

Answer 255

To use PI, consent is required; however, and importantly, an institution does not need consent to use the information if it is being used for the purpose for which the information was obtained or compiled by the institution, for a use consistent with that purpose, or for a purpose for which the information may be nonconsensually disclosed to the institution.

Answer 256

General obligation is that government institutions must not disclose PI w/o consent from the individual to whom the information pertains. (There are 13 situations where nonconsensual disclosure is permitted).

Answer 257

There are often requirements that the disclosure be recorded.

Answer 258

Contains the requests under the Access to Information Act submitted by individuals to access records under the control of Treasury Board of Canada Secretariat, the replies to such requests, and any other information relevant to the processing of the requests.

Answer 259

The Privacy Act provides a right of access to every Canadian citizen or permanent resident. It is a mandatory right that requires government institutions to release the PI under its control to the individual requestor to whom the information pertains. Access must be granted within 30 days of the request's receipt by the institution, though extensions of time are permitted in certain circumstances. Access to PI may be denied only in certain prescribed situations. Any individual who is granted access to information is also granted the right to request that corrections or notations be made to the PI.

Answer 260

Maintains an inventory of applications from individuals requesting employment w/ the Treasury Board Secretariat.

Answer 261

The Privacy Act allows for the creation of exempt banks by institutions that have PI holdings consisting predominantly of PI that would be inaccessible b/c it is info that was obtained or prepared by any government institution or part of any gov't institution that is an investigative body in the course of lawful investigations pertaining to the enforcement of any law of Canada or a province.

Answer 262

The Privacy Act does not specify an obligation to properly safeguard and retain PI.

Answer 263

The Privacy Act creates the OPC. The role of the OPC is to investigate complaints received by individuals who believe their Privacy Act rights have been violated.

Answer 264

To conduct effective investigations. However, the trade off is that at the end of the complaint's investigation, the commissioner may only recommend solutions to gov't institutions that may have been found to be noncompliant w/ the Privacy Act.

Answer 265

Where an the commissioner finds that the government institution erroneously denied access to PI being requested. In such instances, the OPC may proceed to the federal court for a determination of whether or not the information was properly withheld from release.

Answer 266

The no-fly list. This was a Transport Canada program whereby individual names would be added to a list and then subsequently distributed to airlines operating in Canada.

Answer 267

Led to increasing interest in video surveillance for both the private and public sectors. As result, the OPC issued guidelines for video surveillance in both sectors.

Answer 268

Discourage the use of video as an initial security option. Video surveillance should be viewed as an exceptional step, to be taken only in the absence of a less privacy-invasive alternative. Public should be advised that they will be under surveillance Video surveillance system should be subject to independent audit and evaluation Fair information practices should be respected in CUD, retention and destruction of PI

Answer 269

Reasonable expectation of privacy limitation.

Answer 270

While the federal scheme relies solely on a broad definition of PI, the approach in many provinces is to protect the vast array of data that is included in the definition of PI in some instances, but in other cases to afford less protection to that PI if it does not merit a reasonable expectation of privacy. Especially, when dealing w/ the protections relating to the disclosure of PI.

Answer 271

When it does not result in an unreasonable invasion of privacy.

Answer 272

BC and NS place significant restrictions on a public body's transfer of PI outside of their respective jurisdiction.

Answer 273

Provincial commissioners have order making powers Most of the provinces chose to give the commissioners the power to issue orders after they conduct their investigations or inquiries. This power is significant because they have substantially more legal power to force proper privacy protections.

Answer 274

Because: - it was written before the full development in Canada of the broad range of fair information practices. -it does not require the same degree of openness and transparency as private-sector laws. --it fails to address the issue of transborder data flows in a world where the pressure to disclose to entities and organizations outside of Canada is increasing almost daily.

Answer 275

A document meant to signal the direction of future government policy in spheres of the digital economy, data and privacy protection. It outlines 10 principles. It is not a legal document and thus its principles have no enforceable effect.

Answer 276

In its 2018-2019 Report to Parliament on PIPEDA and the Privacy Act, Commissioner Daniel Therrien announced that the government has finally committed to reforming Canada's aging privacy legislation.

Answer 277

Commissioner called for a rights-based approach that has 3 key impacts on Canada's public sector privacy framework: 1) For the public sector to adapt the principles of "necessity and proportionality" in its data management practices. 2) Enforcement mechanisms should be strengthened so that federal institutions have the incentive for broad compliance. 3) The requirement of "demonstratable accountability'. Rather than having to engage in lengthy investigations into government institutions to uncover breaches of accountability, the institution would be expected to demonstrate its compliance with the regulator upon request and be required to design for privacy at the planning stages.

Answer 278

Required by federal gov All gov institutions subject to Privacy Act must conduct a PIA Meant to be sent to the OPC for the commissioner's involvement Purpose of the PIA is to evaluate whether program and service delivery initiatives that involve the CUD of PI comply w/ the obligations set out in: -the Privacy Act -the government's Privacy and Data Protection Policy -The Library and Archives of Canada Act -Any other program-specific legislation or regulation dealing w/ information management

Answer 279

An assessment need only be "commensurate" with the level of risk at hand. Where risk is low, an assessment does not need to be as extensive as where risk is high.

Answer 280

Defined by the federal gov as an activity that involves comparing personal data obtained from a variety of sources, including personal information banks, to make decisions about the individuals to whom the data pertains. It is a specialized activity involving the collection, use and disclosure of PI, wh/ is subject to the various requirements of the Privacy Act.

Answer 281

It involves an indirect collection of PI that leads to discovery and new knowledge about individuals. The new info can then be used by the entity that controls the data for new purposes.

Answer 282

The collection, analysis, measurement and reporting of data about web traffic and user visits for the purpose of understanding and optimizing web usuage.

Answer 283

Market research to improve advertising campaigns and website effectiveness. Many gov institutions also use web analytics to learn about visitors to their sites in order to better meet the visitor's needs and deliver more effective services.

Answer 284

Various, including: Mandated privacy notices on institutional websites Maximum retention periods Use of strict privacy-protection language in any contracts w/ 3P service providers.

Answer 285

Use of web analytics by gov institutions and its associated privacy issues.

Answer 286

PI (as defined by the Privacy Act) that is collected, used, retained and disposed of for web analytics. All institutions that are subject to the Privacy Act are subject to it, including parent Crown corporations and their wholly owned subsidiaries.

Answer 287

When IP addresses and other info about browsing behaviour are disclosed to 3Ps located outside of Canada.

Answer 288

The sensitivity of the PI The expectations of the individuals to whom the PI relates The potential injury if PI is wrongfully disclosed or misused. Whether a 3P operates only in Canada, subcontracts to parties outside of Canada or operates exclusively outside of Canada.

Answer 289

Privacy Act does not restrict the processing of PI by a 3P located outside of Canada. Canadian business and gov institutions are free to engage in commercial relationships that involve the processing of info in the US as long as doing so is consistent w/ Canadian privacy practices including transparency, notice and application of adequate safeguards.

Answer 290

Introduced in 2016. Amended ON's PHIPA to assist in improving privacy and accountability by introducing new measures to protect PHI of patients. Made breach reporting mandatory, increasing transparency, and doubling fines for offences to $100K for individuals and $500K for organizations. Strengthened the process for prosecuting offences by removing the requirement to prosecute within six months of the alleged offence.

Answer 291

Aim to control the CUD of PHI by specified health sector participants. End goal is to enhance privacy and confidentiality while simultaneously ensuring efficient health service delivery.

Answer 292

Trustees - Sask and MB Custodian or HIC - AB, ON , NB, NFLD & NS

Answer 293

Nunavut and Quebec

Answer 294

Share PHI through electronic means by providing them w/ IT services. They are subject to provincial health privacy laws.

Answer 295

PHI and define it in similar terms: any info concerning an individual's physical and mental health.

Answer 296

Each law provides that if info is truly anonymized or deidentified, it is not protected by law. Before an organization can treat the information as not being subject to the law, it must validate that no form of data mining or data manipulation can render the information identifiable.

Answer 297

The privacy principles contained in other information protection laws in Canada, w/ the same general obligations fond throughout each law.

Answer 298

ON PHIPA NB PHIPAA NFLD PHIA NS PHIA

Answer 299

AB and MB As such the healthcare provider is expected to comply w/ both statutes.

Answer 300

Each law provides individuals with the right to access their own health information held by the entities covered by the law. Also, have the right to correct or amend inaccurate info.

Answer 301

Each law provides that an independent agency, such as the privacy commissioner, has independent oversight of the entities covered by the law. Role of the oversight body is, among other things, to review and resolve complaints from individuals who believe their rights were violated.

Answer 302

Each law places the onus on the entity covered to remain accountable for the use proper use, retention, safeguarding and disposal of health info under its custody or control. This obligation remains even when the covered entity uses a 3P to outsource some of its functions.

Answer 303

Given the vast and varied flows of PHI, the central role of govt in the delivery of heatlhcare services, and the vital and time-sensitive nature of much of the information at issue.

Answer 304

Must be meaningful. Many situations will allow custodian/trustees to infer consent Generally, the rule is that the individual will be deemed to have implicitly consented to CUD of their information within their circle of care. Consent will not be implied if the disclosures will be made to non-custodians or to other custodians outside the circle of care.

Answer 305

All provincial laws provide obligations on custodians/trustees to properly safeguard the health information under their control and custody.

Answer 306

Adopt reasonable administrative, technical and physical safeguards that ensure confidentiality, security, accuracy and integrity of the information.

Answer 307

Mandate the custodian to notify the privacy commissioner in situations where a custodian reasonably believes there has been a material breach involving the unauthorized CUD of PHI. The obligation to notify includes any instance where PHI is handled in a way that does not conform to the custodian's published policy statement on its information-handling practices.

Answer 308

Notify the commissioner of the breach.

Answer 309

Generally, the provincial laws do not strictly adhere to the same standards as, for example, PIPEDA in terms of an organization's obligation to develop comprehensive privacy policies and make them accessible.

Answer 310

ON, NFLD and BC. In these provinces, health data authorities are required to make available information that describes

Answer 311

1. The data authorities' information practices. 2. How to contact the appropriate data authority 3. How to obtain access to or request correction of PHI (except for BC) 4. How to file a complaint.

Answer 312

Created several different Canadian organizations that are tasked specifically w/ providing the proper infrastructure in the health sector that can be used securely.

Answer 313

Digital Health Canada

Answer 314

Canadian Organization for the Advancement of Computers in Health (COACH), Canada's health informatics association.

Answer 315

To "take health informatics mainstream" through the promotion of health technology systems and the effective use of health information. They provide practical guidance and measures to ensure appropriate privacy and security in a healthcare context.

Answer 316

A publicly funded health data aggregator that focuses on information about Canada's health system and the heath records of Canadians.

Answer 317

To "help improve Canada's health system and the well-being of Canadians by being a leading source of unbiased, credible and comparable information that will enable health leaders to made better-informed decisions"

Answer 318

A HIC. This allows HICs in ON to disclose PHI to the CIHI w/o patient consent, for analysis and management.

Answer 319

1. Occurred in Toronto during the filming of a feature motion picture. Scrap paper was actually medical records. IPC found that clinic was ultimately responsible not the offsite shredding company. 2. A man's ex-wife who worked as an X-ray technician in an Ottawa hospital unlawfully accessed the medical files of her ex-husband's girlfriend to find out whether he was trying to start a family w/ his new partner. 3. Sale of thousand's of patients PI by two former hospital employees. 4. Health Canada disclosed the PHI of over 40K licensees of its Marihuana Medical Access Program when it sent written notices to these individuals outlining changes to its program. The envelopes had MMAP on them visible to anyone.

Answer 320

Evaluating the privacy implications associated w/ the collection and use of genetic info.

Answer 321

An important step for privacy and human rights as it helps to prohibit genetic discrimination across Canada. It bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as condition of providing goods or services or entering into a contract.

Answer 322

1. Is the collect and use of the tests results necessary to achieve a legitimate business purpose? 2. Are the test results likely to be effective in achieving that purpose? 3. Are the collection and use proportionate to the benefits gained? 4. Are there less privacy-intrusive alternatives to the collection and use of genetic test results?

Answer 323

The European and American approaches.

Answer 324

Data protection

Answer 325

The protection of privacy as a fundamental human right. The general rule is to not allow any collection or use of personal data unless permitted to do so by law.

Answer 326

Based on the EU providing member states w/ directives that instruct each member state to pass minimum laws that address the instructions found in each directive.

Answer 327

the General Data Protection Regulation

Answer 328

the EU Data Protection Directive (the Directive) (this one is the most important) the Privacy and Electronic Communications Directive (ePrivacy Directive)

Answer 329

To create a clearer, more certain and trustworthy legal environment for both businesses and citizens, which will in turn increase both competition and innovation in the digital market. In theory this legal uniformity with also yield less bureaucracy and thus level the playing field for all businesses on the Euromarket. That said, although a uniform law will provide a certain degree of consistency across the EU, each member state will nonetheless be able to interpret the GDPR through the lens of its own national approaches and idiosyncrasies.

Answer 330

Any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered and where the actual processing takes place (even if that is outside of the EU): Examples -A telecommunications organization that offers its goods and services through its EU-based regional offices to EU data subjects -A retailer that offers its goods or services to EU data subjects via its online website -A marketing agency that monitors the purchasing habits and behaviours of EU data subjects using data-processing techniques to create individual profiles and predict personal preferences, behaviours and attitudes

Answer 331

"the purpose limitation" wh/ provides that personal data should only be collected for "specified, explicit and legitimate purposes and not further processed in a manner that is incompatible w/ those purposes."

Answer 332

Principles of: -purpose limitation -data minimization -accuracy -storage limitation -integrity -confidentiality

Answer 333

-biometric data -genetic data -data concerning sexual orientation As a result, these types of data are now subject to the stricter rules governing processing and consent w/ regard to sensitive personal data

Answer 334

By introducing a formal idea of accountability meaning that controllers and processors of data "shall be responsible for and be able to demonstrate compliance with" the law.

Answer 335

Controllers and Processors

Answer 336

As "the natural or legal person, public authority, agency or any other body wh/ alone or jointly w/ others determines the purposes and means of processing personal data".

Answer 337

As any same such body (as a controller) wh/ processes personal data on behalf of the controller.

Answer 338

to implement: -compliance policies -data protection by design -data protection by default -record-keeping obligations -data protection impact assessments engage in prior consultation w/ DPAs in high-risk cases

Answer 339

data protection authorities (DPA)

Answer 340

a forum for individuals to enforce the rights

Answer 341

Receiving complaints, mediating solutions and making orders.

Answer 342

civil and criminal enforcement of the data controller's obligations

Answer 343

data processors

Answer 344

That a processor may not subcontract its services w/o the prior written or specific consent of the controller. Data controllers now have extremely detailed requirements to impose contractually on their vendors who act as data processers.

Answer 345

The Directive's notice requirements.

Answer 346

The GDPR features more detailed transparency obligations, which require controllers and processors to draft detailed privacy notices

Answer 347

Relying on consent to justify the use of PI

Answer 348

The Directive allowed controllers to rely on implicit and opt-out consent in some circumstances. The GDPR requires the data subject to convey agreement by either an express statement or a "clear affirmative act." Affirmative consent must be freely given, specific, informed and unambiguous. Can include ticking a box on a website. Accordingly, silence, pre-ticked boxes or inactivity" does not constitute such consent. If consent is presented as take it or leave it, it is not regarded as being freely given. In addition, consent can no longer be bundled w/ terms and conditions.

Answer 349

Removal of the opt-out possibility.

Answer 350

1. The right to withdraw 2. The specificity requirement 3. Age of consent deharmonization 4. Services conditional upon consent

Answer 351

Can retract consent at any time Controllers must give notice of right to w//d before consent is given Once consent is w/d, data subjects have the right to their personal data being erased

Answer 352

Consent must be specific to each data-processing operation and demonstrable upon demand.

Answer 353

Children under the age of 16 must get parental approval to give consent.

Answer 354

A controller may not make a service conditional upon consent unless the processing is necessary for the actual performance of the service or contract.

Answer 355

1. The right to erasure 2. The right to data portability Results in a greater need for data controllers and processors to be ready to honour people's increased level of control.

Answer 356

the right to be forgotten and bestows upon it the new name "right to erasure"

Answer 357

Controllers must erase personal data w/o undue delay if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful. The right is not unlimited - it must be balanced against freedom of expression; the public interest in health, scientific and historical research; and the exercise or defence of legal claims.

Answer 358

The controller must take reasonable steps to inform other controllers that are processing the data about the person's objection, unless it would require "disproportionate efforts". Any controller processing the data must then erase copies of it or links to it.

Answer 359

If the data was collected when the data subject was still a child in need of parental consent, OR if the data collected falls into one of the special categories of sensitive PI, even if the data has already been made public.

Answer 360

Requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests. Controllers have to provide any information they hold about a data subject free of charge and within one month of request.

Answer 361

Only when processing was originally based on the user's consent or on a contract; it does not apply to processing based on a public interest or the controller's legitimate interests.

Answer 362

Nonmember state countries ("third countries") that the European Commission has deemed as having an adequate level of personal data protection.

Answer 363

GDPR allows transfers also to a territory or specified sector within a third country (ie, a cross border transfer), or to an international organization provided that it has been awarded the Commission's adequacy designation.

Answer 364

That the third country or specified entity ensures "an adequate level of protection essentially equivalent to that ensured within the European Union"

Answer 365

Canada's PIPEDA However, this adequacy ruling was made before the GDPR so amendments may be required to maintain adequacy status.

Answer 366

Yes; allowable if the controller or processor utilizes certain Article 46 safeguards

Answer 367

Provide certain information to data subjects when their information is obtained. The controller must provide disclosure of its intention to transfer personal data to a third country or international organization. Must also provide either (a) disclosure that the transfer is pursuant to an adequacy decision by the Commission or (b) reference to the appropriate or suitable safeguards and the means for the data subject to obtain them.

Answer 368

Directive was silent GDPR adopts specific breach notification guidelines

Answer 369

As a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed"

Answer 370

Notify the appropriate supervisory authority w/o undue delay and where feasible, not later than 72 hours after having become aware of it. If notification is not made within 72 hours, the controller must provide a "reasoned justification" for the delay. Notification is not required if "the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals"

Answer 371

Must "at least" describe: -the nature of the personal data breach, -provide the data protection officer's contact info -the likely consequences of the personal data breach -how the controller proposes to address the breach Info can be provided in phases

Answer 372

It must also communicate info regarding the breach to the affected data subjects "without undue delay"

Answer 373

the controller; otherwise no notification or reporting obligation

Answer 374

Enhanced into first-instance body where citizens of member states can submit complaints about data breaches. GDPR also strengthens cooperation btw the respective national DPAs, wh/ helps ensure consistency and oversight.

Answer 375

The right to compensation for breaches for material or immaterial damage, as well as huge administrative fines. If either a data processor or a controller is found to be noncompliant, the burden shifts to said defendant to prove it is not responsible for the damage.

Answer 376

A noncompliant organization can be fined -up to $20M or - in case of an undertaking, up to 4% of the company's total worldwide annual turnover from the preceding financial year, whichever is higher. Also, citizens an pressure groups have the right to engage in group litigation to recover compensation for mere distress caused by contraventions of the GDPR.

Answer 377

Google - fine $50M Euros Found to have (1) failed to meet the accessibility and transparency requirements and (2) failed to obtain valid consent form users to process their data for ad personalization purposes.

Answer 378

A data protection officer (DPO)

Answer 379

-For all public authorities -where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" -where the entity conducts large-scale processing of the aforementioned "special categories of personal data that are provided in Article 9

Answer 380

GDPR does not establish the precise credentials DPOs must possess, but it does require that they have "expert knowledge of data protection law and practices". Level of expert knowledge "should be determined in particular according to the data-processing operations carried out and the protection required for the personal data processed by the controller or the processor"

Answer 381

May appoint a single DPO as long they are easily accessible from each establishment.

Answer 382

For the performance of their tasks and places no limitation on the length of this tenure.

Answer 383

the Privacy and Electronic Communications Directive (ePrivacy Directive)

Answer 384

Prior (opt-in) consent

Answer 385

Directive allows communications within an established customer relationship. This exception permits companies to email or send text messages to a mobile phone to market products and services to customers who have purchased similar products or services from the company under the same brand name. In this case, the company must offer an opt-out so that individuals can discontinue receiving the communications if they choose.

Answer 386

The use of cookie files on websites. Requires transparency about the use of cookies by requiring a display of the terms under wh/ the company uses cookies on its websites.

Answer 387

Provides rights for individual subscribers to decide whether or not they want to be listed in subscriber directories and specifically permits value-added services such as location-based advertising to mobile phones provided subscribers have given their informed consent and are informed of the data-processing implications.

Answer 388

Is one marketing approach in wh/ a marketer develops an understanding of a consumer through the use of cookies, which can be used to track a user's preferences and online activities.

Answer 389

The EU Cookie Directive

Answer 390

Visitor's consent "having been provided w/ clear and comprehensive info about the purpose of the cookie, before a cookie may be placed on the visitor's device. Also provides Europe's DPAs w/ complementary enforcement powers.

Answer 391

When it involves "any form of automated processing of personal data evaluating the personal aspects relating to a natural person"

Answer 392

It must involve more than mere tracking; not only does such personal data have to be gathered, but the automated processing of that data must be for the purpose of making decisions about the data subjects.

Answer 393

Must inform the data subject at the time the data is collected that profiling will occur, and it must also provide "meaningful info about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."

Answer 394

Aims to ensure respect for private life, confidentiality of communications, and the protection of personal data in the electronic communications sector. Aims to ensure free movement of electronic communications data and electronic communications services within the EU. Will allow for reinforcement of trust and security in digital services and the objectives of the Digital Single Market Strategy.

Answer 395

The processing of electronic communications data carried out in connection w/ the provision and the use of electronic communications services and to information related to the terminal equipment of end users.

Answer 396

1. Protection of of Electronic Communications of Natural and Legal Persons and Information Stored in their Terminal Equipment 2. Natural and Legal Persons Rights to Control Electronic Communications 3. Independent Supervisory Authorities and Enforcement, and Remedies, Liabilities and Penalties

Answer 397

An organization focused on the economic development of the Asia-Pacific region.

Answer 398

APEC works as a cooperative by coming to terms on nonbinding agreements. The purpose behind APEC is the enhancement of economic growth for the region.

Answer 399

Framework promotes a consistent approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows. Its distinctive approach is to focus attention on practical and consistent information privacy protection. It tries to balance info privacy w/ business needs and commercial interests, and at the same time, accords due recognition to cultural and other diversities that exist within member economies. Sets out nine privacy principles that provide guidance to businesses operating in APEC economies.

Answer 400

That many member economies have well-established privacy laws and/or practices, while others may only be considering the issues.

Answer 401

the Cross Border Privacy Rules found in the APEC privacy framework

Answer 402

Their own internal rules on cross-border data privacy procedures. In addition, the internal rules must (1) comply w/ minimum requirements based on a set of commonly agreed-upon rules known as the APEC Privacy Framework and (2) be verified by assessment and certification from an independent public or private sector body - an accountability agent.

Answer 403

Came into force w/ the aim of protecting PI and individual privacy.

Answer 404

The law has a focus on the standardization of collection and usage of PI of Chinese citizens. Specifically, organizations processing PI of Chinese citizens and information related to national security or both will be required to store data within China. This will make organizations responsible for setting up Chinese-local servers for data and undergoing a security review before any data can be moved outside of China.

Answer 405

Chinese crime or security investigators by providing them w/ full access to data and additional support upon request.

Answer 406

Very different from approach taken in Europe and Canada Sectorial approach - results in a number of different laws, each of which address specific issues in specific industries

Answer 407

Accurate and relevant data collection by entities that compile consumer reports as well as persons who use consumer reports. It gives consumers the ability to access and correct their information and limits the use of consumer reports to permissible purposes.

Answer 408

Any entity that routinely furnishes consumer reports to third parties for a fee.

Answer 409

The Fair Trade Commission, state attorneys general and individual have a private right of action.

Answer 410

Is a US law that specifically addresses health information privacy. Requires the US Department of Health and Human Services to adopt national standards for electronic healthcare information transactions. These are referred to as HIPAA rules (one subset deals w/ privacy, another w/ security and a third set for transactions).

Answer 411

The HIPAA privacy and security rules are designed to establish minimum standards (i.e. to set the legal floor). States are free to develop more rigorous requirements as long as these requirements do not conflict w/ HIPAA.

Answer 412

HIPAA governs a covered entity's management of PHI.

Answer 413

Healthcare providers Health plans Healthcare clearinghouses

Answer 414

the Gramm-Leach-Bliley Act (GLBA), which among other things provided significant privacy and security protections for consumers.

Answer 415

Applies to domestic financial institutions, defined to include any US company that is "significantly engaged" in financial activities.

Answer 416

Nonpublic financial information

Answer 417

An example of a specific legal response to what can be considered a very specific concern: the protection of children in the online environment

Answer 418

COPPA applies to the operators of commercial websites and online services (especially those directed to children under the age of 13), though it also applies to general-audience websites and online services if they have actual knowledge that they are collecting PI from children under the age of 13.

Answer 419

Choice In the EU and Canada, laws generally require the consumer to opt-in to marketing programs, while in the US, the laws generally provide for opt-out choice.

Answer 420

For-profit organizations and cover charitable solicitations placed by for-profit telefunders.

Answer 421

The National Do Not Call Registry - this program provides a means for US citizens to register residential and wireless phone numbers that they do not wish to called for telemarketing purposes.

Answer 422

Commercial conduct that intentionally causes substantial injury w/o offsetting benefits and that consumers cannot reasonably avoid.

Answer 423

Organizations must be very careful in constructing privacy notices. Organizations must be honest and upfront about their PI handling practices.

Answer 424

The California Consumer Privacy Act (CCPA) Applies to for-profit businesses doing business in California that meet one of three thresholds.