CIPP/C Flashcards

Question 1

Q

What is the Right to Be Let Alone?

Answer

A

-1890

-Two famous American scholars advocated that society need to recoginize a privacy right

-Defined that right as “the right to be let alone”

-Occurred with the advent of the modern press and the ability to publish news in mass-distributed newspapers

Question 2

Q

What are the 3 (Main) Classes of Privacy

Answer

A

Information privacy

Privacy of the person

Territorial privacy

Question 3

Q

What is Information privacy?

Answer

A

One of three classes of privacy

Defined as “the claim of individuals or groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”

Information’s protection is predicated on the assumption that all information about a person fundamentally belongs to them, for them to communicate or retain as they see fit.

By law is concerned with establishing rules that govern the collection and handling of PI (can include FI, medical data or other records)

Question 4

Q

Definitions of privacy include

Answer

A

Privacy has been defined as the desire of individuals to choose freely the circumstances and degree to which they expose their attitudes and behaviours to others

Been connected to the human personality and considered a means to protect an individual’s independence.

The right of the individual to be protected against intrusion into his personal life or affairs or those of his family by direct physical means or by publication of information

Question 5

Q

What is privacy of the person?

Answer

A

Protects bodily integrity, and in particular the freedom from physical contact that would reveal objects or matters a person wishes to conceal.

Bodily privacy is focused exclusively on a person’s physical body; invasions to this class of privacy include genetic testing, drug testing and body cavity searches.

Question 6

Q

What is Territorial privacy?

Answer

A

Concerned with placing limitations on the ability
of an individual or organization to intrude into another individual’s physical environment.

Original notion was founded on the principle that “the house of everyone is to him as his castle and fortress.

Invasion of an individual’s territorial privacy typically comes in the form of physical search of premises, video or audio surveillance, ID checks and similar intrusions.

Question 7

Q

3 Canadian Perspectives on Privacy

Answer

A

Privacy of the individual vis-à-vis the state

Privacy of the individual vis-à-vis other individuals.

Privacy of the individual vis-à-vis organizations

Question 8

Q

Privacy of the individual vis-à-vis the state

Answer

A

One ponders the extent to which an individual is free to live their life without the state interfering or knowing what the individual is doing

Question 9

Q

Privacy of the individual vis-à-vis other individuals.

Answer

A

One examines to what extent an individual can live life free from intrusion from another individual, such as a neighbour, coworker, spouse, parent or child.

Question 10

Q

Privacy of the individual vis-à-vis organizations

Answer

A

One looks at the extent to which organizations can collect, use and disclose personal information about an individual, and once they have collected such information, what obligations they have.

Question 11

Q

What are the 5 World Models for Data Protection?

Answer

A

Comprehensive Laws (Canada, European Union)

Sectoral Laws (United States)

The Self-Regulatory Model (United States, Japan and
Singapore)

Seal Programs

The Technology-Based Model

Question 12

Q

Describe the Comprehensive Laws (Canada, European Union) Model

Answer

A

These laws govern the CUD of PI in the public and private sectors

Country that has comprehensive data protection laws has an official/agency responsible for overseeing enforcement - called a DPA, but in Canada a commissioner/ombudsperson - ensures compliance with law and investigate alleged breaches of the law

Official also bears responsibility for educating the public on data protection and acts as an international liaison for data protection issues

Question 13

Q

What are 2 critical issues with the Comprehensive Law Model?

Answer

A

Enforcement and funding are two critical issues in a
comprehensive data protection scheme.

Question 14

Q

What can the movement toward comprehensive privacy and data protection laws be attributed to?

Answer

A

The need to;
(1) remedy past injustices,

(2) promote electronic commerce, and

(3) ensure consistency with pan-European laws

Question 15

Q

Describe the Sectoral Laws (United States) Model

Answer

A

This framework protects PI through the enactment of laws that specifically address particular industry sectors

Often are used as a complement to comprehensive laws to provide more specific protection for particular data.

Question 16

Q

What are 2 major drawbacks with the Sectoral Laws Model?

Answer

A

Technological Relevance

b/c this model requires new legislation to accompany the introduction of new technologies, legislation often lags the technology that needs to be regulated

Oversight

-model lacks a central agency and a federal privacy mandate to provide oversight

Question 17

Q

Describe the Self-Regulatory Model (United States, Japan and Singapore)

Answer

A

Requires companies to abide by codes of practice as set by a company or group of companies as well as by industry and/or independent bodies to protect data

Question 18

Q

What are two major issues with the Self-Regulatory Model (United States, Japan and Singapore)?

Answer

A

Adequacy of codes of practice set by
companies and industry bodies

Enforcement.

Question 19

Q

Under the Self-Regulatory Model (United States, Japan and Singapore), what has happened b/c industry-developed codes provide limited data protection and are
coupled with weak mechanisms for enforcement?

Answer

A

Several coalitions and independent organizations have established codes of practice and seal
programs.

Question 20

Q

What is the Online Privacy Alliance?

Answer

A

A coalition of numerous online companies and trade associations specifically established to encourage the self-regulation of online privacy.

Question 21

Q

What did the Online Privacy Alliance introduce?

Answer

A

Guidelines for Online Privacy Policies

Question 22

Q

Who created the Guidelines for Online Privacy Policies and what occurs under them?

Answer

A

Online Privacy Alliance

Under these guidelines, OPA members agree to post a privacy policy that informs users about how their information is collected and used.

Notably, the guidelines do not provide for enforcement and instead encourage members to establish enforcement mechanisms independently.

Question 23

Q

What are Seal Programs?

Answer

A

Certifications and attestations provided by third parties

Is a prominent form of self-regulation

A seal program requires its participants to abide by codes
of information practices and adhere to some variation of monitoring to ensure compliance.

Companies that abide by the terms of the seal program are then allowed to display the program’s privacy seal on their websites.

Examples of such programs are TrustArc (formerly TRUSTe), BBBOnline, WebTrust, and the Digital Advertising Alliance (DAA).

Question 24

Q

Describe the Technology-Based Model

Answer

A

Technological security measures can be undertaken to ensure the protection of individuals’ personal data.

Developments in commercially available hardware and
software have enabled consumers to establish privacy protections for their own online activity.

Examples: Digital Cash and Encryption

Question 25

Q

What type of state is Canada?

Answer

A

Federal state

Question 26

Q

What are Canada’s three levels of government?

Answer

A

Federal, Provincial and Municipal

Question 27

Q

What are the two chambers of Parliament?

Answer

A

House of Commons -members elected in general elections held every four years

Senate - members are appointed

Question 28

Q

What type of system is used throughout Canada at the federal and provincial levels?

Answer

A

Parliamentary

Question 29

Q

How does a bill become law?

Answer

A

Must be approved by both the House of Commons and the Senate

Question 30

Q

What members are in the legislative branch?

Answer

A

House of Commons and the Senate

Question 31

Q

What do members of the legislative branch do?

Answer

A

Introduce, debate and pass bills and policy

Play a role in the oversight of the executive branch

Appoint officers of Parliament (i.e. the Federal Privacy Commissioner)

Question 32

Q

Describe the Judiciary Branch

Answer

A

Headed by the Supreme Court of Canada

Made up of a network of federal and provincial courts that hear and decide criminal and civil matters across the country

Question 33

Q

What act makes the federal gov responsible for issues such as criminal law, banking, national defence, and importantly for the topic of privacy protection - trade and commerce?

Answer

A

Constitution Act of 1867

Question 34

Q

Based on what legislation does the federal govt regulate privacy in Canada?

Answer

A

Constitution Act of 1867 - trade and commerce

Question 35

Q

What areas do provinces have jurisdiction over?

Answer

A

Provinces are responsible for such areas as hospitals, education, provincial courts and municipalities.

Question 36

Q

For provinces, what area of jurisdiction is thought to include privacy rights?

Answer

A

Property and civil rights

Question 37

Q

What is the role of the court in Canada?

Answer

A

Interpret laws

Review laws and government actions to ensure rights and freedoms are upheld

Judicial review - review of gov’t decisions (limited to review of such decisions for specific types of errors)

Question 38

Q

What are the role of administrative tribunals?

Answer

A

Interpret laws

Can enforce Charter rights

vehicles of the executive branch and are organized to administer specific programs with a certain degree of expertise

Question 39

Q

What are Charter Rights?

Answer

A

Charter rights are those created by the Canadian Charter of Rights and Freedoms.

Are constitutional rights and thus considered the most valuable rights in Canada

Question 40

Q

What is the Federal Privacy Commissioner misunderstood to be?

Answer

A

An administrative tribunal

Question 41

Q

What is the Federal Privacy Commissioner an officer of?

Answer

A

Officer of Parliament

Question 42

Q

Why must the Federal Privacy Commissioner table annual reports to Parliament outlining work accomplished and conclusions reached?

Answer

A

Is an Officer of Parliament, not a not a member of the executive branch of government, and is therefore accountable directly to the legislature.

Question 43

Q

What provinces use common law?

Answer

A

All except Quebec

Question 44

Q

What is a common law system?

Answer

A

In common law systems, laws are found in statutes (bills that have been introduced, debated and passed by the legislative branch of government) and in case law.

Accordingly, the judiciary’s role is instrumental in the development of law because this “judge-made” law is on equal footing with any statute-based law.

Question 45

Q

What is a civil law system?

Answer

A

In civil law jurisdictions, laws are are codified into a civil code, which obviates the need to search through judicial decisions to determine what laws exist.

Question 46

Q

What are 4 sources of Canadian law?

Answer

A

Legislation

Common Law

Contracts

Constitution and the Charter

Question 47

Q

What federal legislation imposes rules regarding PI?

Answer

A

The Privacy Act

Question 48

Q

What 3 things does the Privacy Act do?

Answer

A

Imposes rules that govern the government’s collection,
use and disclosure of personal information.

Provides for a right of access to PI

Sets up the OPC to oversee and enforce the Privacy Act

Question 49

Q

What is the name of the legislation that each province has that is similar to the Privacy Act typically referred to?

Answer

A

Freedom of Information and Protection of Privacy, though each law has slightly different approaches

Question 50

Q

What legislation governs the private sector?

Answer

A

Personal Information Protection and Electronic Documents Act (PIPEDA)

Question 51

Q

What organizations are excepted from PIPEDA?

Answer

A

Private sector organizations that that are subject to substantially similar legislation to PIPEDA passed by a province.

Question 52

Q

Which (4) provinces have substantially similar legislation to PIPEDA?

Answer

A

Personal Information Protection Act in
Alberta (“Alberta PIPA”)

Personal Information Protection Act in British
Columbia (“BC PIPA”)

Act Respecting the Protection of Personal Information in the Private Sector in Quebec (“the Quebec Act”),

Personal Health Information Protection Act in Ontario (PHIPA)

Question 53

Q

What is common law often referred to as?

Answer

A

Judge-made law because it is derived over time from the various rulings, decisions and interpretations made
by judges who hear the cases that are brought before them.

Judge-made law that protects privacy in Canada is in its infancy

Question 54

Q

Has there been any Supreme Court decisions that have endorsed a tort-based privacy right?

Answer

A

One Supreme Court of Canada decision from the late 1990s upheld a plaintiff’s claim for damages b/c a photograph of her was used on a magazine cover.

Question 55

Q

Have there been any court decisions that have endorsed a tort-based privacy right?

Answer

A

Ontario Court of Appeal recognized the tort of intrusion upon seclusion in Jones v Tsige in 2012

Question 56

Q

What is part of the problem with the advancement of privacy as a right protected in tort law?

Answer

A

Traditionally, the notion of privacy was well protected by more traditional interests such as trespass and nuisance

Question 57

Q

What are contracts?

Answer

A

Private laws created by parties who agree to be bound by certain terms

Question 58

Q

What do contracts do with respect to privacy?

Answer

A

Privacy rights can be created and protected by contracts when the parties to the contract agree to respect the confidentiality and security of the information they become privy to b/c of the contractual arrangement or other discrete terms within the contract, such as privacy or security terms.

Often occur within a commercial or employment context

Question 59

Q

When are contracts most often used?

Answer

A

In outsourcing situations where one party provides personal information under its control to another party. The receiving party is often asked to be contractually bound to protect that PI and to keep it properly safeguarded.

Question 60

Q

How does the Canadian Charter of Rights and Freedoms protect privacy?

Answer

A

Applies only to government action; private litigants would not be able to base a claim for breach of privacy against anyone other than a government entity

Section 7 of the Charter states that “everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.” While there is no mention of the word privacy, there is an emerging body of case law that supports the view that Section 7 serves as a source of constitutional protection of the right to privacy.

Section 8 of the Charter states: “everyone has the right to be secure against unreasonable search or seizure.”

Question 61

Q

When is section 8 of the Charter used?

Answer

A

In the criminal and administrative context to prevent government authorities from violating privacy rights while gathering evidence, conducting investigations or conducting
administrative functions (such as inspecting food-packaging plants).

Triggered when the state interferes with an individual’s reasonable expectation of privacy and when such interference itself is found to be unreasonable.

Question 62

Q

In what context does contracts and tort-based privacy rights arise?

Answer

A

Between private parties and unless settled privately are enforced through the courts

Question 63

Q

In what context does Charter-based privacy rights arise?

Answer

A

In actions against the government?

Question 64

Q

Who oversees legislated rights to privacy protection under the Privacy Act and in PIPEDA?

Answer 64

A

Ombudspeople

Answer 65

A

Only after a complaint is lodged- though sometimes the commissioners themselves can commence complaints.

Answer 66

A

Renders a report and matter may proceed to court.

Answer 67

A

A brand new hearing.

Answer 68

A

What governments and organizations can do with PI

Answer 69

A

A determination that the type of information being
discussed is indeed personal information

Answer 70

A

Any identifiable information about an individual

Answer 71

A

purely corporate information (e.g., trade secrets, confidential business info, or nonidentifiable info belonging to groups of people) is not PI, and such info is not protected by Canadian privacy laws (although non-privacy laws may apply)

Answer 72

A

B/c each provincial or federal law will have its own definition of PI

Answer 73

A

To information under the control of federal government institutions

Answer 74

A

Privacy Act considers opinions about an individual to be the
personal information of that individual.

This important b/c it means that privacy laws provide a right of access to one’s own PI. Eg. if Jones has expressed an opinion about Smith that was documented, Smith can discover it by making a request to see his own personal information. Under the Privacy Act, not only can Smith see the content of the opinion about himself, but he will often be allowed to know the identity of the opinion holder as well. This is b/c the identity of the opinion holder is considered the PI of both the opinion holder and the opinion subject.

Answer 75

A

The difficulty of interpreting the meaning of “about” as it is used in the phrase “about an identifiable individual”

Answer 76

A

Definition is undeniably expansive.

Language is deliberately broad and entirely consistent with the great pains that have been taken to safeguard individual identity.

Its intent seems to be to capture any information about a specific person, subject only to specific exceptions.

Answer 77

A

To justify finding that many categories of info, regardless of whether the info is sensitive, private, innocuous or well-known are PI

Notably used by some judges to conclude that job-related info fall sunder the definition of PI and thus merits some protection under privacy legislation

Answer 78

A

When if, in combination with other information, it could be used to identify an individual

Eg. In 2008, the federal court determined that data regarding the provincial location in which medical patients were treated was personal information because such data, when coupled with other available data, could lead to the identification of individual patients. In In adopting a new test to determine what should be considered PI, the court provided that “information will be about an individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

Answer 79

A

Public policy reasons

To recognize that while some data might otherwise be considered to be about an identifiable individual, there is a public policy reason for not treating it as such.

Eg. information about public-sector employees

Answer 80

A

Information about an identifiable individual.

Similar to the Privacy Act’s definition - intentionally broad and expansive interpretation

Answer 81

A

Applies to every organization that “collects, uses or discloses PI in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses PI in connection with the operation of a federal work, undertaking or business.

Answer 82

A

An employee’s business contact information is treated differently in that it is said not to apply to an organization in respect of the business contact info of an individual that the organization collects, uses or discloses solely for the purpose of communication or facilitating communication with the individual in relation to their employment, business or profession.

This also includes an individual’s work cell phone records.

Answer 83

A

Health context

Answer 84

A

Whether separate laws ought to exist for employee information and work product information

Answer 85

A

“‘personal employee information’ means, in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating:(i) an employment relationship; or,(ii) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship

Answer 86

A

Information about an individual that is related to that individual’s position, functions and/or performance of their job.

Answer 87

A

Regular personal information and employee-related information or work-product information.

Answer 88

A

Carves out some employment and work-product-related information

Answer 89

A

Where the PI is publicly available.

Answer 90

A

BC and AB by defining it.

Answer 91

A

Provides that a government’s restricted ability to use and disclose personal information does not apply if the information is publicly available.

However, the government’s obligations to collect the
information in accordance with the act are not affected by whether the info. is available

No definition in the Privacy Act to help guide users as to what is and is not considered publicly available.

Answer 92

A

Any information that is found in a “library or museum material preserved solely for public reference or exhibition purposes; or material placed in the Library and Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology by or on
behalf of persons or organizations other than government institutions.

Answer 93

A

Generally, PIPEDA requires the knowledge and consent of an individual before collection, use or disclosure of personal information can take place.

However, PIPEDA states that an organization may collect, use or disclose personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the regulations.

For the purposes of PIPEDA, it is a fact-specific inquiry as to whether info is found to be “publicly available”.

Answer 94

A

Merely because an individual appears in public does not mean they “automatically forfeit” their “interest in retaining control over the personal information which is thereby exposed

For an organization to be exempted from the consent requirement, the personal information must be both publicly available and specified by the regulations

The exception to the consent requirement does not apply to the organization that initially collects the information for the purposes of subsequently making it publicly available.

Answer 95

A

With the advent of online social networking and the
ability to find info about individuals easily via the internet, more info is meeting the criteria for publicly available.

Answer 96

A

The info. can only be released if doing so would not be an unreasonable invasion of privacy.

Answer 97

A

The Organisation for Economic Co-operation and Development (OECD)’s set of 8 privacy principles entitled “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”

Answer 98

A

Broke the OECD’s code into 10 principles that were incorporated as a schedule to Canada’s private-sector privacy law, PIPEDA and formed the basis of the principles of the Canadian Standards Association.

Answer 99

A

the “Model Code for the Protection of Personal Information” (“Code”)

Answer 100

A

Developed in order to assist with finding a balance btw legitimate business interests and the individual right to privacy.

Answer 101

A

Was influenced by a committee concerned with protection of privacy in Canada.

Answer 102

A

Accountability

Identifying Purposes

Consent

Limiting Collection

Limiting Use, Disclosure and Retention

Accuracy

Safeguards

Openness

Individual Access

Challenging Compliance

Answer 103

A

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Answer 104

A

The purposes for which PI is collected shall be identified by the organization at or before the time the information is collected.

Answer 105

A

The knowledge and consent of the individual are required for the collection, use or disclosure of PI, except where inappropriate.

Answer 106

A

The collection of PI shall be limited to that which is necessary for the purposes identified by the organization.

Answer 107

A

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Answer 108

A

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Answer 109

A

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Answer 110

A

An organization shall make readily available to individuals specific info about its policies and practices relating to the management of PI.

Answer 111

A

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Answer 112

A

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

Answer 113

A

Jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)

Answer 114

A

The GAPP are meant to be used by any organization involved in the handling of personal information.

These principles were established to help businesses navigate the competing interests of business, government and consumers.

Answer 115

A

Each principle is supported by “objective and measurable criteria” available in the full text of the document

Answer 116

A

Management

Notice

Choice and consent

Collection

Use, retention and disposal

Collection

Use, retention and disposal

Access

Disclosure to third parties

Security for privacy

Quality

Monitoring and enforcement

Answer 117

A

The 10 fair information principles found in Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA)?

Answer 118

A

The Accountability principle.

Answer 119

A

An organization:

Must implement procedures that protect PI
Establish procedures to receive and respond to complaints or questions
Train staff
Be transparent about all these procedures and practices

Answer 120

A

A privacy policy

Answer 121

A

A document that tells customers, potential customers, employees and any other individuals who might have their PI collected, used or disclosed by the organization what the organization’s PI-handling practices are.

Answer 122

A

An organization to appoint individuals with primary responsibility for privacy protection.

Makes organizations responsible for the PI over which they have either custody or control.

For ex. if an organization outsources some functions and the outsourced entity will have access to the PI collected by the organization, the organization must ensure that the 3P is contractually bound to the organization in a manner that provides adequate protection for the PI.

Answer 123

A

Google Inc’s release of Google Buzz - a social networking tool that automatically draws upon contact information from a user’s Gmail account, adding certain contacts as “followers” and thereby revealing potentially sensitive user information.

As a result, the data protection commissioners from around the world called on Google and all large social media
companies to be more accountable for the information they control.

Answer 124

A

The obligation of organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.

Answer 125

A

If personal information is collected for a different purpose then the individual’s privacy has been violated and the principle breached.

Answer 126

A

It must procure new consent after the new purpose is communicated to the individual.

Answer 127

A

To describe their purposes in ways that are precise enough to provide valuable information to individuals but broad enough to include potential future purposes so they don’t need to obtain consent every time they identify a new use for PI.

Answer 128

A

The general principle states that an organization may collect, use or disclose PI only if an individual consents.

Answer 129

A

State purposes for use in a broad manner (i.e. be as vague and as broad as possible).

Answer 130

A

That it be informed and meaningful.

Answer 131

A

This requires the individual to know and understand the purposes for the C, U or D of the PI.

Answer 132

A

Sensitive PI is information that is more significantly related to the notion of a reasonable expectation of privacy (e.g. medical or financial info., also pieces of info that, if procured by the wrong individuals, could result in serious cases of identity theft, might also be considered sensitive PI).

Answer 133

A

Acknowledging that different situations require different standards.

Answer 134

A

When the PI being collected is innocuous and the purpose of the collection straightforward.

Answer 135

A

When the PI being collected is innocuous and the purpose of the collection straightforward.

Answer 136

A

When the PI is sensitive, explicit and
documented.

Answer 137

A

Require an individual to consent to the
collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purpose.

For example: a customer entering
her favourite electronics store to buy AA batteries cannot be required to share her address as a condition for her transaction, as it is neither related or necessary.

Answer 138

A

Withdraw consent

Answer 139

A

The need for many organizations to perform periodic privacy audits to ensure the required consents are being obtained and documented.

Answer 140

A

Exercises performed internally or by independent third parties to ensure that an organization holds personal information in compliance with the various privacy obligations to which the organization may be subject and with internal privacy standards established by the organization, such as commitments specified in an online privacy notice for customers.

Answer 141

A

The opaque nature of the privacy policies that are the basis of consent, complex
information flows, and business processes that involved a multitude of 3P intermediaries.

In this complex and rapidly changing digital environment, it can be exceedingly difficult for consumers to determine exactly what info they are sharing and with whom.

Answer 142

A

Requires organizations to collect only the amount and type of PI legitimately needed to fulfull the identified purpose.

Requires that organizations not collect PI indiscriminately or beyond the scope of services provided.

Answer 143

A

This principle requires that “personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

PI shall be retained only as long as necessary for the fulfillment of those purposes.

Answer 144

A

The Limited Purposes principle

Answer 145

A

The notion that collection of excess PI can become a potential liability for an organization, requiring the protection and destruction of information that was not needed in the first instance. For these reasons, it is important that organizations carefully consider the information required to fulfil the purposes they have outlined.

Answer 146

A

This principle directs an organization to destroy the PI. This requires organizations to address the issue of retention schedules beforehand and to develop guidelines and procedures for the adequate destruction of PI at the appropriate time.

Answer 147

A

(1) PI that has been used to make a decision about an individual should be retained long enough to allow the individual access to the information after the decision

(2) An organization may be subject to legislative requirements with respect to retention periods for certain types of information.

Answer 148

A

The time and manner of destruction of PI.

Answer 149

A

The context surrounding the collection, use, disclosure and type of PI.

Answer 150

A

The principle that obliges organizations to keep personal information as “accurate, complete and up-to-date as is necessary for the purposes for which it is being used.”

Answer 151

A

That organizations should make sure the
information they are using to make decisions about providing credit or medical
care to people is accurate in order to avoid inappropriate decisions or ill-fated
consequences.

Answer 152

A

Keep information up to date (unless such a process is necessary to fulful the purposes for which the info was collected).

Answer 153

A

Must protect PI against loss or theft as well as unauthorized access, disclosure, copying, use or modification. This obligation transcends media, applying equally to paper-based and electronic data.

Answer 154

A

The complexity surrounding the technology of information holdings.

The rapid rate of technological change, which complicates any conclusion about whether a particular safeguarding method is sufficiently secure.

Answer 155

A

Sensitive PI stored on any mobile device or information that can be accessed or transmitted across public wireless networks.

Answer 156

A

The sensitivity of the information, such that financial or medical info should receive greater security protection than address info.

Answer 157

A

Sensitivity of the information

Cost-benefit analysis of the various technological solutions

System performance.

Answer 158

A

Procedures and practices that formalize the manner in which personal information will be kept safe, in particular the appropriate level of security applicable to the sensitivity of the PI, often called “data classification.”

Answer 159

A

Make readily available to individuals specific information about their policies and practices relating to the management of PI.

Answer 160

A

Because organizations must be open about their policies and practices with respect to the management of personal information, these policies are generally made available electronically on websites and on paper at the customer service point of interaction.

Answer 161

A

Organizations must be able to respond to requests from individuals for access to their personal information.

Answer 162

A

This principle incorporates such obligations as the requirement to inform individuals of the existence, collection, use and disclosure of PI. Moreover, if an individual reviews their information and find inaccuracies, the organization must be prepared to record this appropriately.

Answer 163

A

An organization cannot unduly delay

Answer 164

A

Obligation to assist individuals trying to access their own personal information by being helpful and providing the information in a user-friendly format.

Answer 165

A

Organizations provide information from inside a database via a printout that
includes explanations for any codes contained in the database.

Answer 166

A

That access to PI will not be required or desirable in every instance.

Answer 167

A

Information protected by solicitor-client privilege.

Answer 168

A

Individuals should have an ability to challenge the organization’s PI-handling practices.

Answer 169

A

Jan. 1, 2001

Answer 170

A

The Act was passed as part of the government’s electronic commerce strategy - a policy initiative reportedly motivated by the desire to make Canada a world leader in electronic commerce.

Answer 171

A

Industry self-regulation

Answer 172

A

If the organization is otherwise subject to a provincial law that has been declared “substantially similar” to PIPEDA.

Answer 173

A

(1) The first is a matter of determining whether an organization is involved in a commercial activity.

PIPEDA applies to every organization that “collects, uses or discloses personal
information in the course of commercial activities”

or

(2) Whether the organization operates as or in connection with a federal work or undertaking.

“is about an employee of
the organization and that the organization collects, uses or discloses in connection
with the operation of a federal work, undertaking or business.”

Answer 174

A

PIPEDA was drafted to apply across the country; however, the federal government explicitly invited the provincial governments to occupy their own fields of responsibility and pass their own privacy laws.

Answer 175

A

(1) Only for purposes that a reasonable person would consider appropriate in the circumstances.

It places a heavy burden on an organization to be prepared to demonstrate that it is always acting reasonably in its treatment of PI.

(2) Only with consent.

Answer 176

A

The constitutional limit to the powers of the federal government in Canada.

In support of this argument is the fact that PIPEDA applies only to organizations involved in commercial activities. The basis for this limitation is that the federal government’s jurisdiction rests on its power to regulate trade and commerce across the entire country. PIPEDA’s application to employees of organizations connected to or operating as federal works and undertakings rests on its constitutional ability to regulate industries that operate at a federal level (such as telecommunication companies, railways and airlines).

Answer 177

A

PIPEDA states that consent of an individual is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure of their PI (unless PIPEDA permits otherwise)

Answer 178

A

A greater alignment of federal and provincial private-sector privacy laws.

Answer 179

A

(1) Must be consistent with the schedule for PIPEDA

(2) Has an independent oversight body like the OPC

(3) Contain a redress mechanism for those who are aggrieved

Answer 180

A

Alberta’s Personal Information Protection Act (“Alberta PIPA”)

British Columbia’s Personal Information Protection Act (“BC PIPA”)

Quebec’s Act Respecting the Protection of Personal Information in the
Private Sector (“the Quebec Act”

Ontario’s Personal Health Information Protection Act of 2004
(PHIPA)

New Brunswick’s Personal Health Information Privacy and Access Act
(PHIPAA), with respect to personal health information custodians

Newfoundland and Labrador’s Personal Health Information Act (PHIA), with respect to personal health information custodians

Nova Scotia’s Personal Health Information Act (PHIA), with respect to health information custodians

Answer 181

A

“any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling,
bartering or leasing of donor, membership or other fundraising lists.

Answer 182

A

A fact-specific inquiry.

Answer 183

A

Quite broadly.

Answer 184

A

Nonprofit associations (presumably including unions) and private schools

However, the OPC has determined that even though an organization may be nonprofit and membership-based, it can still engage in commercial transactions that trigger PIPEDA.

Answer 185

A

The requirement of obtaining consent and the obligation to act reasonably when doing so.

Right to provide access to PI.

Answer 186

A

When doing so would reveal:

-info about a 3P, for specified national security or law enforcement reasons;

-solicitor-client privileged info;

-commercially sensitive info;

-info gathered as part of a formal dispute resolution mechanism; or

-info collected w/o consent b/c the organization was investigating a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that info.

Answer 187

A

That these organizations do not need to respond to requests for access to PI. The OPC has made it clear that the obligation to provide access to PI cannot be circumvented by the fact that the organization is involved in litigation with the same individual.

Answer 188

A

Cost recovery. This is limited b/c organizations must respond to requests for PI at minimal or no cost to the individual. Thus, OPC has found that any type of flat fee would likely not be acceptable.

Answer 189

A

The OPC is responsible for the enforcement of the act and is comparable to that of an ombudsperson.

Answer 190

A

Complain to the OPC.

Answer 191

A

Investigate complaints under PIPEDA (are conducted in private)

Can initiate a complaint if there are reasonable grounds for doing so.

Power to subpoena and compel the giving of evidence

Answer 192

A

Enhanced powers regarding the conduct of investigations. Under 12(1), OPC may decline to investigate a complaint in certain circumstances. Under 12.2(1), the OPC may discontinue an investigation in certain circumstances.

Answer 193

A

A report is issued that details the findings and recommendations. The OPC report is nonbinding on the organization and rarely does the OPC name the organization.

Answer 194

A

The OPC can apply to the federal court to request a court order enforcing the implementation of recommendations.

Answer 195

A

Conduct an audit. At the end of the audit, the organization is given a nonbinding report (and OPC is not granted the power to initiate a application in federal court if an organization refuses to implement the recommendations contained in an audit report).

Answer 196

A

Education and awareness.

Answer 197

A

By passage of the Digital Privacy Act (DPA).

Answer 198

A

Breach Notification and Record-keeping Requirements
Updated definitions
Update to Consent
Compliance Agreements
Public Interest Disclosures

Answer 199

A

Organizations will be subject to mandatory notifications to the OPC of any breach of security safeguards involving PI.

For breaches where there is a “real risk of significant harm to individuals” the requirement mandates notification to individuals.

Organizations must keep a record of all breaches involving PI and provide a copy to the OPC upon request.

Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines up to $100K.

Answer 200

A

PI - updated to mean info about an identifiable individual.

Business contact info - updated to include any info that is used to communicate or facilitate communication with an individual in relation to their employment, business or profession.

Answer 201

A

Consent is considered valid only if it is reasonable to expect that individuals to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. `

Answer 202

A

Investigations/fraud detection and prevention

Business transactions

Witness statements in insurance claims

Identifying injured, ill, deceased,; communicating with next of kin

Financial abuse

Employment relationships in federally regulated workplaces

PI produced in the course of employment, business or profession

Answer 203

A

Compliance agreements aimed at ensuring organizations comply w/ PIPEDA.

Answer 204

A

Where the OPC believes, on reasonable grounds, than an organization has committed, is about to commit, or is likely to commit an act or omission that could constitute a contravention of PIPEDA, or a failure to follow a recommendation in Schedule I to the act.

Answer 205

A

Take certain actions to bring itself into compliance w/ PIPEDA.

Answer 206

A

Commencing or continuing a court application under PIPEDA with respect to any matter covered by the agreement.

Answer 207

A

After notifying the organization, the OPC could:

(1) apply to the court for an order requiring the organization to comply with the terms of the agreement, or

(2) commence or reinstate court proceedings under PIPEDA, as appropriate.

Answer 208

A

PIPEDA’s confidentiality provisions continue to apply, but the scope of what can be disclosed in the public interest has been broadened.

OPC may now make public any information that comes to its knowledge in the performance or exercise of its duties or powers under PIPEDA if it deems that doing so is in the public interest.

Previously, this discretion applied only to information “relating to the PI management practices of an organization.”

Answer 209

A

Both are considered to be substantially similar legislation to PIPEDA and therefore organizations that are subject to these acts are exempt from PIPEDA.

Apply to the CUD of PI by the private sector

Provide a right of access to one’s own PI

Set up an oversight body to which individuals can complain

Answer 210

A

These acts apply to the CUD of PI of individuals in employment and noncommercial contexts.

Answer 211

A

Alberta PIPA and BC PIPA apply to employee PI.

This is important b/c w/o provincial legislation filling the gap, the only employees afforded any privacy protection in Canada would be those of organizations that operated as, or in conjunction with, federal works or undertakings.

Answer 212

A

Data such as work contact information is clearly not afforded the same degree of protection.

Answer 213

A

Consent, if the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

Answer 214

A

Work product.

Allows for some ambiguity at the federal level, with a blurry distinction between i) work product, ii) business information and iii) contact information.

As a result, the extent to which work product and PI overlap remains unclear.

Answer 215

A

While the OPC recognizes hat an employee can produce unprotected work-generated information, it currently deems PI that may be work product as subject to the act and suggests work-product issues be addressed on a case-by-case basis.

Answer 216

A

Excludes “work product” from PI treatment, thereby removing this information from protection under the act.

Answer 217

A

Similar to PIPEDA, it does not address work product or employee-generated information.

Answer 218

A

Obligation to act reasonably.

Also, the 10 overriding principles found in the schedule to PIPEDA are all encapsulated in these laws.

Answer 219

A

Consent - before an organization can CUD PI , it must ensure that it has the requisite consent or that the situation is one that allows for nonconsensual CUD

Individuals have a right of access their PI and a right to correct inaccurate information.

Answer 220

A

Deals w/ professional regulatory bodies - for these entities, the AB PIPA allows organizations to establish PI codes ad thereafter abide by the code instead of all the obligations imposed by PIPA.

Answer 221

A

A set of rules governing the CUD of PI in a manner that is consistent with the purposes and intent of the AB PIPA.

Answer 222

A

AB PIPA - organizations are required to notify the OIPC of AB when a privacy/security breach results in a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure of their PI.

Answer 223

A

The OIPC - these commissioners are given very broad and powerful powers of investigation. They investigate complaints.

Answer 224

A

Provincial commissioners have the power to order an organization to take an action (under PIPEDA, the federal commissioner only has the power to recommend that an organization take an action.

Answer 225

A

Act Respecting the Protection of Personal Information in the Private Sector (the Quebec Act)

Answer 226

A

The unique nomenclature used. Eg. organizations are called “enterprises” and disclosures are referred to as “communications”.

Answer 227

A

Applies to every enterprise that collects, stores, uses or communicates PI about a natural person to third parties.

Answer 228

A

Those under PIPEDA, as the laws are substantially alike.

Answer 229

A

The Quebec Act’s provision dealing with the communication of PI outside of Quebec.

This provision, which is very similar to the way European data protection laws operate, provides that an enterprise in Quebec can disclose PI to a 3P outside of Quebec only if it is first satisfied that

-info will not be used for purposes not relevant to the object of the file or communicated to 3Ps w/o the consent of the personal concerned

-in the case of marketing lists, that the persons concerned have a valid opportunity to refuse to allow their PI to be used for commercial purposes

Answer 230

A

Is its specific code, which reflects close consultation between the lawmakers and the direct marketing industry.

Answer 231

A

“the commission” - has the obligation of hearing and deciding cases related to the application of the provisions concerning access to or rectification of PI or cases dealing w/ marketing lists.

Has broad powers of inquiry and can order an organization to comply with its orders

Decision can be appealed but its findings of fact are final.

Answer 232

A

Introduced on Jul. 1, 2014, is considered the toughest anti-spam law in the world.

Answer 233

A

The growth of electronic commerce by deterring certain practices that undermine the value of the internet as a medium for commerce.

Answer 234

A

Sending of commercial electronic messages (CEM)

Installation of computer programs

Prohibits the unauthorized alteration of transmission data.

Answer 235

A

Applies to:

-all forms of electronic messaging, including email, SMS test messages, and messages sent via social networking.

-any CEM that is sent from or accessed by a computer system located in Canada.

-senders of CEMs from Canada, as well as to those who send messages into Canada from other countries.

-nonprofit organizations and registered charities (however there are exceptions under the Income Tax Act)

Answer 236

A

Obligations relating to consent, identification and unsubscribing:

Answer 237

A

Express Consent - when requesting express consent, senders cannot consent on behalf of the end user.

Moreover, silence or inaction on the part of the end user cannot be construed as providing express consent. (e.g. a prechecked box cannot be used, as it assumes consent).

Express consent must be obtained through an opt-in mechanism, as opposed to opt-out. This mechanism must prompt the end user to take a positive action in order to indicate their consent.

Answer 238

A

Consent can be obtained either in writing or orally. In both cases, the onus is on the sender of the CEM to prove it has in fact obtained consent in order to send the CEM.

Answer 239

A

Consent may be implied in 4 circumstances:

1) Sender and recipient have an existing business relationship.

2) Sender and recipient have an existing nonbusiness relationship.

3) Recipient has conspicuously published their electronic address (e.g. on a website) and has not expressly stated that they do not wish to receive unsolicited messages. The message must be related to the recipient’s professional capacity.

4) Recipient has disclosed their electronic address directly to the sender and has not expressly stated that they do not wish to receive unsolicited messages. The message must be related to the recipient’s professional capacity.

Answer 240

A

Clearly identify themselves.

if the message is sent on behalf of another person, that person must be identified as well. When a CEM is sent on behalf of multiple persons, all these persons must be identified in teh CEM; this specifically includes persons that play a material role in the sending of the CEM.

Answer 241

A

Senders can include a hyperlink to a web page containing this information. Link must be clearly and prominently set out in the CEM and the web page must be readily accessible at not cost to the recipient of the CEM.

Answer 242

A

Sender must demonstrate that it had the proper consent (implicit or explicit) to send CEMS to recipients. This also includes demonstrating adequate consent where the sender is relying on the existing business or nonbusiness relationship.

Answer 243

A

A functional unsubscribe mechanism that enables the recipient to unsubscribe at no cost.

This must include an unsubscribe link that is functional for a minimum of 60 days.

Unsubscribe requests must be processed without delay and in no event more than 10 days after the request has been made.

An unsubscribe mechanism must be ‘readily performed” - it should be simple, quick and easy for the end user.

Answer 244

A

Administrative monetary penalties (AMPs) for violations of CASL of up to $1M per violation for individuals and $10M per violation for other persons (or businesses).

Answer 245

A

CRTC found that Blackstone committed multiple violations including sending CEMs w/o consent through nine campaigns and targeting Canadian provincial and federal employees.

CRTC found that Blackstone did not demonstrate that it had received consent to send the messages at issue.

CRTC issued a $50K AMP

Answer 246

A

OPC investigation found that Compu-Finder did not have the appropriate consent for the collection and use of email addresses for the purpose of sending out emails promoting its business activities.

CRTC issued a $1.1M AMP.

Answer 247

A

Express consent

That the express consent of an owner or unauthorized user of a computer system be obtained before installing, or causing to be installed, a computer program on that individual’s device.

Answer 248

A

That the purpose of the CASL is to protect consumers from computer program, such as malicious software (malware), that pose a real threat to individuals, and that it would be focusing its enforcement in that direction.

Answer 249

A

Malware - sometimes malware is installed along with other software.

Concealed software

Concealed software may be automatically executed when a consumer purchases a music CD and inserts it in their computer to listen to music or copy songs.

Answer 250

A

When the telecommunications service provider is installing software to protect the security of all or part of an end-user’s network from a current an identifiable threat or updating or upgrading all or part of the network.

Answer 251

A

Cookies
HTML
JavaScript
An operating system
Bug fixes
An executable program to which the end user already consented

However, organizations are only considered to have consent for these types of computer programs as long as the person’s conduct indicates that they consent to it.

Answer 252

A

Applies to the use and disclosure of personal financial information by Schedule I, Schedule II and Schedule II banks. The act oversees the institution’s compliance w/ the protection of customer’s personal and financial information.

Answer 253

A

Canadian privacy laws generally do not prohibit the international transborder flow of PI from Canada to locations outside of Canada, including the US.

There is no language in PIPEDA to suggest there is a prohibition on the transfer of PI outside of Canada. In fact, the law explicitly contemplates transfers of PI.

Answer 254

A

The use of the cookie.

Answer 255

A

Cookies allow web servers to keep track of the end user’s browser activities and connect individual web requests into a session.

Cookies can also be used to prevent users from needing authorization for every password-protected page they access during a session by recording that they have successfully supplied their usernames and passwords already.

Answer 256

A

A cookie placed by the website that is visited.

Answer 257

A

A cookie placed by a party other than the visited website.

Answer 258

A

Cookie that is deleted when a session ends.

Answer 259

A

A cookie that remains for a period of time after a session ends.

Answer 260

A

Cookie permits data regarding browsing history to be recorded and saved to better predict a user’s interests and develop a more accurate marketing profile of the user.

Answer 261

A

(1) An ID that is 18 characters long and unique to the individual’s browser

(2) the date, time and duration of the individual’s visit to the “cookied” website.

Answer 262

A

The cookies will remain on their computers in perpetuity unless the individual removes them.

Answer 263

A

What is PI?

Is the data processor collecting, using or disclosing PI as part of its activities?

Answer 264

A

That they are PI.

Answer 265

A

Is when an unauthorized access, CUD of PI occurs.

Answer 266

A

When PI is hacked, stolen, lost or inadvertently disclosed to the wrong people.

Answer 267

A

That an organization takes steps to address the situation, mitigate harm, and avoid similar future incidents.

Answer 268

A

Introduced new data breach reporting and notification provisions, which include a requirement for organizations to notify the OPC and affected individuals

Answer 269

A

Yes, however this must be equally supported by transparency and an individual’s right to privacy.

Answer 270

A

The Generally Accepted Privacy Principles.

Answer 271

A

The Generally Accepted Privacy Principles framework promulgated by the American Institute of Certified Public Accountants in conjunction with the Canadian Institute of Chartered Accountants.

Answer 272

A

The Privacy Act in 1983

The Access to Information Act in 1985

Answer 273

A

“Freedom of Information and Protection of Privacy” acts.

Answer 274

A

Government entities including crown corporations and education.

Answer 275

A

Enforce transparency around Canada’s public sector.

They enable the public to request and obtain copies of records held by government ministries or the Office of the Premier when those records are not routinely available.

Also, individuals are able to request access to their own information held by public institutions.

Answer 276

A

Applies to government institutions (i.e. ministries, tribunals, Crown corporations etc).

Answer 277

A

Collect PI only if the information relates directly to an operating program or activity of the institution.

Significantly, there is no need for data subject consent prior to the collection of PI.

Answer 278

A

There is a general obligation to collect the PI directly from the individual when the information is going to be used for an administrative purpose unless:

1) this is impossible;
2) the individual authorizes the indirect collection; or
3) the collection is pursuant to one of 13 exceptions specified in the act. (these 13 exceptions mirror those for the nonconsensual disclosure of info.)

Answer 279

A

To use PI, consent is required; however, and importantly, an institution does not need consent to use the information if it is being used for the purpose for which the information was obtained or compiled by the institution, for a use consistent with that purpose, or for a purpose for which the information may be nonconsensually disclosed to the institution.

Answer 280

A

General obligation is that government institutions must not disclose PI w/o consent from the individual to whom the information pertains. (There are 13 situations where nonconsensual disclosure is permitted).

Answer 281

A

There are often requirements that the disclosure be recorded.

Answer 282

A

Contains the requests under the Access to Information Act submitted by individuals to access records under the control of Treasury Board of Canada Secretariat, the replies to such requests, and any other information relevant to the processing of the requests.

Answer 283

A

The Privacy Act provides a right of access to every Canadian citizen or permanent resident. It is a mandatory right that requires government institutions to release the PI under its control to the individual requestor to whom the information pertains.

Access must be granted within 30 days of the request’s receipt by the institution, though extensions of time are permitted in certain circumstances.

Access to PI may be denied only in certain prescribed situations.

Any individual who is granted access to information is also granted the right to request that corrections or notations be made to the PI.

Answer 284

A

Maintains an inventory of applications from individuals requesting employment w/ the Treasury Board Secretariat.

Answer 285

A

The Privacy Act allows for the creation of exempt banks by institutions that have PI holdings consisting predominantly of PI that would be inaccessible b/c it is info that was obtained or prepared by any government institution or part of any gov’t institution that is an investigative body in the course of lawful investigations pertaining to the enforcement of any law of Canada or a province.

Answer 286

A

The Privacy Act does not specify an obligation to properly safeguard and retain PI.

Answer 287

A

The Privacy Act creates the OPC. The role of the OPC is to investigate complaints received by individuals who believe their Privacy Act rights have been violated.

Answer 288

A

To conduct effective investigations. However, the trade off is that at the end of the complaint’s investigation, the commissioner may only recommend solutions to gov’t institutions that may have been found to be noncompliant w/ the Privacy Act.

Answer 289

A

Where an the commissioner finds that the government institution erroneously denied access to PI being requested. In such instances, the OPC may proceed to the federal court for a determination of whether or not the information was properly withheld from release.

Answer 290

A

The no-fly list.

This was a Transport Canada program whereby individual names would be added to a list and then subsequently distributed to airlines operating in Canada.

Answer 291

A

Led to increasing interest in video surveillance for both the private and public sectors. As result, the OPC issued guidelines for video surveillance in both sectors.

Answer 292

A

Discourage the use of video as an initial security option.

Video surveillance should be viewed as an exceptional step, to be taken only in the absence of a less privacy-invasive alternative.

Public should be advised that they will be under surveillance

Video surveillance system should be subject to independent audit and evaluation

Fair information practices should be respected in CUD, retention and destruction of PI

Answer 293

A

Reasonable expectation of privacy limitation.

Answer 294

A

While the federal scheme relies solely on a broad definition of PI, the approach in many provinces is to protect the vast array of data that is included in the definition of PI in some instances, but in other cases to afford less protection to that PI if it does not merit a reasonable expectation of privacy. Especially, when dealing w/ the protections relating to the disclosure of PI.

Answer 295

A

When it does not result in an unreasonable invasion of privacy.

Answer 296

A

BC and NS place significant restrictions on a public body’s transfer of PI outside of their respective jurisdiction.

Answer 297

A

Provincial commissioners have order making powers

Most of the provinces chose to give the commissioners the power to issue orders after they conduct their investigations or inquiries. This power is significant because they have substantially more legal power to force proper privacy protections.

Answer 298

A

Because:

it was written before the full development in Canada of the broad range of fair information practices.

-it does not require the same degree of openness and transparency as private-sector laws.

–it fails to address the issue of transborder data flows in a world where the pressure to disclose to entities and organizations outside of Canada is increasing almost daily.

Answer 299

A

A document meant to signal the direction of future government policy in spheres of the digital economy, data and privacy protection.

It outlines 10 principles.

It is not a legal document and thus its principles have no enforceable effect.

Answer 300

A

In its 2018-2019 Report to Parliament on PIPEDA and the Privacy Act, Commissioner Daniel Therrien announced that the government has finally committed to reforming Canada’s aging privacy legislation.

Answer 301

A

Commissioner called for a rights-based approach that has 3 key impacts on Canada’s public sector privacy framework:

1) For the public sector to adapt the principles of “necessity and proportionality” in its data management practices.

2) Enforcement mechanisms should be strengthened so that federal institutions have the incentive for broad compliance.

3) The requirement of “demonstratable accountability’. Rather than having to engage in lengthy investigations into government institutions to uncover breaches of accountability, the institution would be expected to demonstrate its compliance with the regulator upon request and be required to design for privacy at the planning stages.

Answer 302

A

Required by federal gov

All gov institutions subject to Privacy Act must conduct a PIA

Meant to be sent to the OPC for the commissioner’s involvement

Purpose of the PIA is to evaluate whether program and service delivery initiatives that involve the CUD of PI comply w/ the obligations set out in:

-the Privacy Act
-the government’s Privacy and Data Protection Policy
-The Library and Archives of Canada Act
-Any other program-specific legislation or regulation dealing w/ information management

Answer 303

A

An assessment need only be “commensurate” with the level of risk at hand. Where risk is low, an assessment does not need to be as extensive as where risk is high.

Answer 304

A

Defined by the federal gov as an activity that involves comparing personal data obtained from a variety of sources, including personal information banks, to make decisions about the individuals to whom the data pertains.

It is a specialized activity involving the collection, use and disclosure of PI, wh/ is subject to the various requirements of the Privacy Act.

Answer 305

A

It involves an indirect collection of PI that leads to discovery and new knowledge about individuals. The new info can then be used by the entity that controls the data for new purposes.

Answer 306

A

The collection, analysis, measurement and reporting of data about web traffic and user visits for the purpose of understanding and optimizing web usuage.

Answer 307

A

Market research to improve advertising campaigns and website effectiveness.

Many gov institutions also use web analytics to learn about visitors to their sites in order to better meet the visitor’s needs and deliver more effective services.

Answer 308

A

Various, including:

Mandated privacy notices on institutional websites

Maximum retention periods

Use of strict privacy-protection language in any contracts w/ 3P service providers.

Answer 309

A

Use of web analytics by gov institutions and its associated privacy issues.

Answer 310

A

PI (as defined by the Privacy Act) that is collected, used, retained and disposed of for web analytics.

All institutions that are subject to the Privacy Act are subject to it, including parent Crown corporations and their wholly owned subsidiaries.

Answer 311

A

When IP addresses and other info about browsing behaviour are disclosed to 3Ps located outside of Canada.

Answer 312

A

The sensitivity of the PI

The expectations of the individuals to whom the PI relates

The potential injury if PI is wrongfully disclosed or misused.

Whether a 3P operates only in Canada, subcontracts to parties outside of Canada or operates exclusively outside of Canada.

Answer 313

A

Privacy Act does not restrict the processing of PI by a 3P located outside of Canada.

Canadian business and gov institutions are free to engage in commercial relationships that involve the processing of info in the US as long as doing so is consistent w/ Canadian privacy practices including transparency, notice and application of adequate safeguards.

Answer 314

A

Introduced in 2016.

Amended ON’s PHIPA to assist in improving privacy and accountability by introducing new measures to protect PHI of patients.

Made breach reporting mandatory, increasing transparency, and doubling fines for offences to $100K for individuals and $500K for organizations.

Strengthened the process for prosecuting offences by removing the requirement to prosecute within six months of the alleged offence.

Answer 315

A

Aim to control the CUD of PHI by specified health sector participants.

End goal is to enhance privacy and confidentiality while simultaneously ensuring efficient health service delivery.

Answer 316

A

Trustees - Sask and MB

Custodian or HIC - AB, ON , NB, NFLD & NS

Answer 317

A

Nunavut and Quebec

Answer 318

A

Share PHI through electronic means by providing them w/ IT services.

They are subject to provincial health privacy laws.

Answer 319

A

PHI and define it in similar terms: any info concerning an individual’s physical and mental health.

Answer 320

A

Each law provides that if info is truly anonymized or deidentified, it is not protected by law.

Before an organization can treat the information as not being subject to the law, it must validate that no form of data mining or data manipulation can render the information identifiable.

Answer 321

A

The privacy principles contained in other information protection laws in Canada, w/ the same general obligations fond throughout each law.

Answer 322

A

ON PHIPA
NB PHIPAA
NFLD PHIA
NS PHIA

Answer 323

A

AB and MB

As such the healthcare provider is expected to comply w/ both statutes.

Answer 324

A

Each law provides individuals with the right to access their own health information held by the entities covered by the law. Also, have the right to correct or amend inaccurate info.

Answer 325

A

Each law provides that an independent agency, such as the privacy commissioner, has independent oversight of the entities covered by the law.

Role of the oversight body is, among other things, to review and resolve complaints from individuals who believe their rights were violated.

Answer 326

A

Each law places the onus on the entity covered to remain accountable for the use proper use, retention, safeguarding and disposal of health info under its custody or control. This obligation remains even when the covered entity uses a 3P to outsource some of its functions.

Answer 327

A

Given the vast and varied flows of PHI, the central role of govt in the delivery of heatlhcare services, and the vital and time-sensitive nature of much of the information at issue.

Answer 328

A

Must be meaningful.

Many situations will allow custodian/trustees to infer consent

Generally, the rule is that the individual will be deemed to have implicitly consented to CUD of their information within their circle of care.

Consent will not be implied if the disclosures will be made to non-custodians or to other custodians outside the circle of care.

Answer 329

A

All provincial laws provide obligations on custodians/trustees to properly safeguard the health information under their control and custody.

Answer 330

A

Adopt reasonable administrative, technical and physical safeguards that ensure confidentiality, security, accuracy and integrity of the information.

Answer 331

A

Mandate the custodian to notify the privacy commissioner in situations where a custodian reasonably believes there has been a material breach involving the unauthorized CUD of PHI.

The obligation to notify includes any instance where PHI is handled in a way that does not conform to the custodian’s published policy statement on its information-handling practices.

Answer 332

A

Notify the commissioner of the breach.

Answer 333

A

Generally, the provincial laws do not strictly adhere to the same standards as, for example, PIPEDA in terms of an organization’s obligation to develop comprehensive privacy policies and make them accessible.

Answer 334

A

ON, NFLD and BC.

In these provinces, health data authorities are required to make available information that describes

Answer 335

A

The data authorities’ information practices.
How to contact the appropriate data authority
How to obtain access to or request correction of PHI (except for BC)
How to file a complaint.

Answer 336

A

Created several different Canadian organizations that are tasked specifically w/ providing the proper infrastructure in the health sector that can be used securely.

Answer 337

A

Digital Health Canada

Answer 338

A

Canadian Organization for the Advancement of Computers in Health (COACH), Canada’s health informatics association.

Answer 339

A

To “take health informatics mainstream” through the promotion of health technology systems and the effective use of health information.

They provide practical guidance and measures to ensure appropriate privacy and security in a healthcare context.

Answer 340

A

A publicly funded health data aggregator that focuses on information about Canada’s health system and the heath records of Canadians.

Answer 341

A

To “help improve Canada’s health system and the well-being of Canadians by being a leading source of unbiased, credible and comparable information that will enable health leaders to made better-informed decisions”

Answer 342

A

A HIC. This allows HICs in ON to disclose PHI to the CIHI w/o patient consent, for analysis and management.

Answer 343

A

Occurred in Toronto during the filming of a feature motion picture. Scrap paper was actually medical records. IPC found that clinic was ultimately responsible not the offsite shredding company.
A man’s ex-wife who worked as an X-ray technician in an Ottawa hospital unlawfully accessed the medical files of her ex-husband’s girlfriend to find out whether he was trying to start a family w/ his new partner.
Sale of thousand’s of patients PI by two former hospital employees.
Health Canada disclosed the PHI of over 40K licensees of its Marihuana Medical Access Program when it sent written notices to these individuals outlining changes to its program. The envelopes had MMAP on them visible to anyone.

Answer 344

A

Evaluating the privacy implications associated w/ the collection and use of genetic info.

Answer 345

A

An important step for privacy and human rights as it helps to prohibit genetic discrimination across Canada.

It bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as condition of providing goods or services or entering into a contract.

Answer 346

A

Is the collect and use of the tests results necessary to achieve a legitimate business purpose?
Are the test results likely to be effective in achieving that purpose?
Are the collection and use proportionate to the benefits gained?
Are there less privacy-intrusive alternatives to the collection and use of genetic test results?

Answer 347

A

The European and American approaches.

Answer 348

A

Data protection

Answer 349

A

The protection of privacy as a fundamental human right.

The general rule is to not allow any collection or use of personal data unless permitted to do so by law.

Answer 350

A

Based on the EU providing member states w/ directives that instruct each member state to pass minimum laws that address the instructions found in each directive.

Answer 351

A

the General Data Protection Regulation

Answer 352

A

the EU Data Protection Directive (the Directive) (this one is the most important)

the Privacy and Electronic Communications Directive (ePrivacy Directive)

Answer 353

A

To create a clearer, more certain and trustworthy legal environment for both businesses and citizens, which will in turn increase both competition and innovation in the digital market.

In theory this legal uniformity with also yield less bureaucracy and thus level the playing field for all businesses on the Euromarket.

That said, although a uniform law will provide a certain degree of consistency across the EU, each member state will nonetheless be able to interpret the GDPR through the lens of its own national approaches and idiosyncrasies.

Answer 354

A

Any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered and where the actual processing takes place (even if that is outside of the EU):

Examples

-A telecommunications organization that offers its goods and services through its EU-based regional offices to EU data subjects

-A retailer that offers its goods or services to EU data subjects via its online website

-A marketing agency that monitors the purchasing habits and behaviours of EU data subjects using data-processing techniques to create individual profiles and predict personal preferences, behaviours and attitudes

Answer 355

A

“the purpose limitation” wh/ provides that personal data should only be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible w/ those purposes.”

Answer 356

A

Principles of:
-purpose limitation
-data minimization
-accuracy
-storage limitation
-integrity
-confidentiality

Answer 357

A

-biometric data
-genetic data
-data concerning sexual orientation

As a result, these types of data are now subject to the stricter rules governing processing and consent w/ regard to sensitive personal data

Answer 358

A

By introducing a formal idea of accountability meaning that controllers and processors of data “shall be responsible for and be able to demonstrate compliance with” the law.

Answer 359

A

Controllers and Processors

Answer 360

A

As “the natural or legal person, public authority, agency or any other body wh/ alone or jointly w/ others determines the purposes and means of processing personal data”.

Answer 361

A

As any same such body (as a controller) wh/ processes personal data on behalf of the controller.

Answer 362

A

to implement:
-compliance policies
-data protection by design
-data protection by default
-record-keeping obligations
-data protection impact assessments

engage in prior consultation w/ DPAs in high-risk cases

Answer 363

A

data protection authorities (DPA)

Answer 364

A

a forum for individuals to enforce the rights

Answer 365

A

Receiving complaints, mediating solutions and making orders.

Answer 366

A

civil and criminal enforcement of the data controller’s obligations

Answer 367

A

data processors

Answer 368

A

That a processor may not subcontract its services w/o the prior written or specific consent of the controller.

Data controllers now have extremely detailed requirements to impose contractually on their vendors who act as data processers.

Answer 369

A

The Directive’s notice requirements.

Answer 370

A

The GDPR features more detailed transparency obligations, which require controllers and processors to draft detailed privacy notices

Answer 371

A

Relying on consent to justify the use of PI

Answer 372

A

The Directive allowed controllers to rely on implicit and opt-out consent in some circumstances.

The GDPR requires the data subject to convey agreement by either an express statement or a “clear affirmative act.”

Affirmative consent must be freely given, specific, informed and unambiguous. Can include ticking a box on a website. Accordingly, silence, pre-ticked boxes or inactivity” does not constitute such consent.

If consent is presented as take it or leave it, it is not regarded as being freely given. In addition, consent can no longer be bundled w/ terms and conditions.

Answer 373

A

Removal of the opt-out possibility.

Answer 374

A

The right to withdraw
The specificity requirement
Age of consent deharmonization
Services conditional upon consent

Answer 375

A

Can retract consent at any time

Controllers must give notice of right to w//d before consent is given

Once consent is w/d, data subjects have the right to their personal data being erased

Answer 376

A

Consent must be specific to each data-processing operation and demonstrable upon demand.

Answer 377

A

Children under the age of 16 must get parental approval to give consent.

Answer 378

A

A controller may not make a service conditional upon consent unless the processing is necessary for the actual performance of the service or contract.

Answer 379

A

The right to erasure
The right to data portability

Results in a greater need for data controllers and processors to be ready to honour people’s increased level of control.

Answer 380

A

the right to be forgotten and bestows upon it the new name “right to erasure”

Answer 381

A

Controllers must erase personal data w/o undue delay if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful.

The right is not unlimited - it must be balanced against freedom of expression; the public interest in health, scientific and historical research; and the exercise or defence of legal claims.

Answer 382

A

The controller must take reasonable steps to inform other controllers that are processing the data about the person’s objection, unless it would require “disproportionate efforts”.

Any controller processing the data must then erase copies of it or links to it.

Answer 383

A

If the data was collected when the data subject was still a child in need of parental consent, OR

if the data collected falls into one of the special categories of sensitive PI, even if the data has already been made public.

Answer 384

A

Requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.

Controllers have to provide any information they hold about a data subject free of charge and within one month of request.

Answer 385

A

Only when processing was originally based on the user’s consent or on a contract; it does not apply to processing based on a public interest or the controller’s legitimate interests.

Answer 386

A

Nonmember state countries (“third countries”) that the European Commission has deemed as having an adequate level of personal data protection.

Answer 387

A

GDPR allows transfers also to a territory or specified sector within a third country (ie, a cross border transfer), or to an international organization provided that it has been awarded the Commission’s adequacy designation.

Answer 388

A

That the third country or specified entity ensures “an adequate level of protection essentially equivalent to that ensured within the European Union”

Answer 389

A

Canada’s PIPEDA

However, this adequacy ruling was made before the GDPR so amendments may be required to maintain adequacy status.

Answer 390

A

Yes; allowable if the controller or processor utilizes certain Article 46 safeguards

Answer 391

A

Provide certain information to data subjects when their information is obtained.

The controller must provide disclosure of its intention to transfer personal data to a third country or international organization.

Must also provide either (a) disclosure that the transfer is pursuant to an adequacy decision by the Commission or (b) reference to the appropriate or suitable safeguards and the means for the data subject to obtain them.

Answer 392

A

Directive was silent

GDPR adopts specific breach notification guidelines

Answer 393

A

As a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”

Answer 394

A

Notify the appropriate supervisory authority w/o undue delay and where feasible, not later than 72 hours after having become aware of it.

If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

Notification is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”

Answer 395

A

Must “at least” describe:

-the nature of the personal data breach,

-provide the data protection officer’s contact info

-the likely consequences of the personal data breach

-how the controller proposes to address the breach

Info can be provided in phases

Answer 396

A

It must also communicate info regarding the breach to the affected data subjects “without undue delay”

Answer 397

A

the controller; otherwise no notification or reporting obligation

Answer 398

A

Enhanced into first-instance body where citizens of member states can submit complaints about data breaches.

GDPR also strengthens cooperation btw the respective national DPAs, wh/ helps ensure consistency and oversight.

Answer 399

A

The right to compensation for breaches for material or immaterial damage, as well as huge administrative fines.

If either a data processor or a controller is found to be noncompliant, the burden shifts to said defendant to prove it is not responsible for the damage.

Answer 400

A

A noncompliant organization can be fined
-up to $20M or

in case of an undertaking, up to 4% of the company’s total worldwide annual turnover from the preceding financial year, whichever is higher.

Also, citizens an pressure groups have the right to engage in group litigation to recover compensation for mere distress caused by contraventions of the GDPR.

Answer 401

A

Google - fine $50M Euros

Found to have (1) failed to meet the accessibility and transparency requirements and (2) failed to obtain valid consent form users to process their data for ad personalization purposes.

Answer 402

A

A data protection officer (DPO)

Answer 403

A

-For all public authorities

-where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale”

-where the entity conducts large-scale processing of the aforementioned “special categories of personal data that are provided in Article 9

Answer 404

A

GDPR does not establish the precise credentials DPOs must possess, but it does require that they have “expert knowledge of data protection law and practices”.

Level of expert knowledge “should be determined in particular according to the data-processing operations carried out and the protection required for the personal data processed by the controller or the processor”

Answer 405

A

May appoint a single DPO as long they are easily accessible from each establishment.

Answer 406

A

For the performance of their tasks and places no limitation on the length of this tenure.

Answer 407

A

the Privacy and Electronic Communications Directive (ePrivacy Directive)

Answer 408

A

Prior (opt-in) consent

Answer 409

A

Directive allows communications within an established customer relationship.

This exception permits companies to email or send text messages to a mobile phone to market products and services to customers who have purchased similar products or services from the company under the same brand name.

In this case, the company must offer an opt-out so that individuals can discontinue receiving the communications if they choose.

Answer 410

A

The use of cookie files on websites.

Requires transparency about the use of cookies by requiring a display of the terms under wh/ the company uses cookies on its websites.

Answer 411

A

Provides rights for individual subscribers to decide whether or not they want to be listed in subscriber directories and specifically permits value-added services such as location-based advertising to mobile phones provided subscribers have given their informed consent and are informed of the data-processing implications.

Answer 412

A

Is one marketing approach in wh/ a marketer develops an understanding of a consumer through the use of cookies, which can be used to track a user’s preferences and online activities.

Answer 413

A

The EU Cookie Directive

Answer 414

A

Visitor’s consent “having been provided w/ clear and comprehensive info about the purpose of the cookie, before a cookie may be placed on the visitor’s device.

Also provides Europe’s DPAs w/ complementary enforcement powers.

Answer 415

A

When it involves “any form of automated processing of personal data evaluating the personal aspects relating to a natural person”

Answer 416

A

It must involve more than mere tracking; not only does such personal data have to be gathered, but the automated processing of that data must be for the purpose of making decisions about the data subjects.

Answer 417

A

Must inform the data subject at the time the data is collected that profiling will occur, and it must also provide “meaningful info about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

Answer 418

A

Aims to ensure respect for private life, confidentiality of communications, and the protection of personal data in the electronic communications sector.

Aims to ensure free movement of electronic communications data and electronic communications services within the EU.

Will allow for reinforcement of trust and security in digital services and the objectives of the Digital Single Market Strategy.

Answer 419

A

The processing of electronic communications data carried out in connection w/ the provision and the use of electronic communications services and to information related to the terminal equipment of end users.

Answer 420

A

Protection of of Electronic Communications of Natural and Legal Persons and Information Stored in their Terminal Equipment
Natural and Legal Persons Rights to Control Electronic Communications
Independent Supervisory Authorities and Enforcement, and Remedies, Liabilities and Penalties

Answer 421

A

An organization focused on the economic development of the Asia-Pacific region.

Answer 422

A

APEC works as a cooperative by coming to terms on nonbinding agreements. The purpose behind APEC is the enhancement of economic growth for the region.

Answer 423

A

Framework promotes a consistent approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows.

Its distinctive approach is to focus attention on practical and consistent information privacy protection.

It tries to balance info privacy w/ business needs and commercial interests, and at the same time, accords due recognition to cultural and other diversities that exist within member economies.

Sets out nine privacy principles that provide guidance to businesses operating in APEC economies.

Answer 424

A

That many member economies have well-established privacy laws and/or practices, while others may only be considering the issues.

Answer 425

A

the Cross Border Privacy Rules found in the APEC privacy framework

Answer 426

A

Their own internal rules on cross-border data privacy procedures.

In addition, the internal rules must (1) comply w/ minimum requirements based on a set of commonly agreed-upon rules known as the APEC Privacy Framework and (2) be verified by assessment and certification from an independent public or private sector body - an accountability agent.

Answer 427

A

Came into force w/ the aim of protecting PI and individual privacy.

Answer 428

A

The law has a focus on the standardization of collection and usage of PI of Chinese citizens.

Specifically, organizations processing PI of Chinese citizens and information related to national security or both will be required to store data within China. This will make organizations responsible for setting up Chinese-local servers for data and undergoing a security review before any data can be moved outside of China.

Answer 429

A

Chinese crime or security investigators by providing them w/ full access to data and additional support upon request.

Answer 430

A

Very different from approach taken in Europe and Canada

Sectorial approach - results in a number of different laws, each of which address specific issues in specific industries

Answer 431

A

Accurate and relevant data collection by entities that compile consumer reports as well as persons who use consumer reports.

It gives consumers the ability to access and correct their information and limits the use of consumer reports to permissible purposes.

Answer 432

A

Any entity that routinely furnishes consumer reports to third parties for a fee.

Answer 433

A

The Fair Trade Commission, state attorneys general and individual have a private right of action.

Answer 434

A

Is a US law that specifically addresses health information privacy.

Requires the US Department of Health and Human Services to adopt national standards for electronic healthcare information transactions. These are referred to as HIPAA rules (one subset deals w/ privacy, another w/ security and a third set for transactions).

Answer 435

A

The HIPAA privacy and security rules are designed to establish minimum standards (i.e. to set the legal floor).

States are free to develop more rigorous requirements as long as these requirements do not conflict w/ HIPAA.

Answer 436

A

HIPAA governs a covered entity’s management of PHI.

Answer 437

A

Healthcare providers

Health plans

Healthcare clearinghouses

Answer 438

A

the Gramm-Leach-Bliley Act (GLBA), which among other things provided significant privacy and security protections for consumers.

Answer 439

A

Applies to domestic financial institutions, defined to include any US company that is “significantly engaged” in financial activities.

Answer 440

A

Nonpublic financial information

Answer 441

A

An example of a specific legal response to what can be considered a very specific concern: the protection of children in the online environment

Answer 442

A

COPPA applies to the operators of commercial websites and online services (especially those directed to children under the age of 13), though it also applies to general-audience websites and online services if they have actual knowledge that they are collecting PI from children under the age of 13.

Answer 443

A

Choice

In the EU and Canada, laws generally require the consumer to opt-in to marketing programs, while in the US, the laws generally provide for opt-out choice.

Answer 444

A

For-profit organizations and cover charitable solicitations placed by for-profit telefunders.

Answer 445

A

The National Do Not Call Registry - this program provides a means for US citizens to register residential and wireless phone numbers that they do not wish to called for telemarketing purposes.

Answer 446

A

Commercial conduct that intentionally causes substantial injury w/o offsetting benefits and that consumers cannot reasonably avoid.

Answer 447

A

Organizations must be very careful in constructing privacy notices. Organizations must be honest and upfront about their PI handling practices.

Answer 448

A

The California Consumer Privacy Act (CCPA)

Applies to for-profit businesses doing business in California that meet one of three thresholds.