My CIPP/C flashcards

1
Q

What are the Fair Information Principles (FIPs)?

A

The Fair Information Principles (FIPs) are guidelines for collecting, handling, storing and managing personal information with privacy, security and fairness in mind. They were first articulated in 1973 by the U.S. Department of Health, Education and Welfare (HEW) and underlie most later privacy laws.

2
Q

To which organizations does the Privacy Act apply?

A

The Privacy Act (in force since 1983) applies to federal government institutions: all departments, many federal agencies and tribunals, and some Crown corporations, such as the Canada Revenue Agency, the Canadian Human Rights Tribunal and the Canadian Broadcasting Corporation.

3
Q

What is the purpose of the Privacy Act and Access to Information Act?

A

They were designed to ensure transparency in Canada's federal public sector and to give individuals access to the personal information that public entities hold about them.

5
Q

What do the BC PIPA, the Alberta PIPA, the Québec Act and the Ontario PHIPA have in common?

A

They are provincial privacy laws that have been declared substantially similar to PIPEDA (the Ontario PHIPA only with respect to health information custodians). Where such a law applies, PIPEDA does not apply to the organization's activities within the province, although PIPEDA continues to apply to federal works, undertakings and businesses and to personal information that crosses provincial or national borders.

6
Q

What are the 5 different data protection models?

A

● Comprehensive
● Sectoral
● Self-regulatory
● Seal programs
● Technology-based.

7
Q

What is the Comprehensive data protection model?

A

Comprehensive laws govern the collection, use and dissemination of personal information in both the public and private sectors, with oversight by an official or agency (e.g., Canada, the European Union).

8
Q

What is a Sectoral data protection model?

A

Laws specific to industry sectors, such as finance and health. No central agency oversees the potentially overlapping regulations, and technological advances can be slowed by the need for new legislation (e.g., the United States).

9
Q

What is a Self-regulatory data protection model?

A

A code of practice set by an industry group, by which participating companies agree to abide. Challenges of this model include limited data protection and weak enforcement mechanisms (e.g., the United States, Japan, Singapore).

10
Q

What is a Seal programs data protection model?

A

Certifications and attestations provided by third parties. Participants abide by codes of information practices and submit to monitoring for enforcement (e.g., TrustArc, BBBOnline, DAA).

11
Q

What is a Technology-based data protection model?

A

Companies and consumers rely on technology to protect personal information. The security and trustworthiness of that technology, and the growing dependency on it, remain concerns.

12
Q

What are the 3 Canadian perspectives on privacy?

A

Privacy of the individual vis-à-vis:
● the state
● other individuals
● organizations

13
Q

What is privacy vis-à-vis the state?

A

The extent to which an individual is free to live their life without the state interfering or knowing what the individual is doing

14
Q

What is privacy vis-à-vis other individuals?

A

The extent to which an individual can live life free from the intrusion of another individual, such as a neighbor, coworker, spouse, parent or child

15
Q

What is privacy vis-à-vis organizations?

A

The extent to which organizations can collect, use and disclose personal information about an individual and, once they have collected such information, what obligations they have

16
Q

True or false: Administrative tribunals are vehicles of the executive branch.

A

True. They belong to the executive branch, not to the judiciary.

18
Q

How are senators appointed?

A

Senators are appointed by the Governor General on the recommendation of the prime minister.

19
Q

What system of checks and balances keeps each branch of government accountable?

A

The division of powers among the executive, the legislature and the judiciary.

20
Q

What are the three main functions of the executive branch?

A

● Appoints officers of Parliament
● Oversees ministries
● Manages administrative tribunals for specific programs (e.g., the CRTC)

21
Q

What makes up the executive branch?

A

The government, composed of:
● the Monarch (represented by the Governor General)
● the Prime Minister (the Head of the Government)
● the Cabinet.

22
Q

What is the legislative branch?

A

The Parliament, composed of:
● House of Commons
● Senate

23
Q

What are the two primary missions of the legislative branch?

A

● Introduces, debates, and passes bills and policies
● Oversees the executive branch.

24
Q

How does the legislative branch oversee the executive branch?

A

Through officers of Parliament, such as the auditor general and the federal privacy commissioner, who report to Parliament rather than to the executive.

25
Q

What are the three components of the judiciary branch?

A

● The Supreme Court of Canada (the highest court and the final court of appeal)
● The federal courts (the Federal Court and the Federal Court of Appeal)
● The provincial and territorial courts

26
Q

What are 4 areas that fall under federal (rather than provincial) jurisdiction?

A

● Criminal law
● Banking
● National defense
● Trade and commerce.

27
Q

What do the administrative tribunals do?

A

As part of the executive branch, they
● interpret laws
● enforce Charter rights (Canadian Charter of Rights and Freedoms)
● administer specific programs (such as managing regulation of broadcasting and telecommunications).

28
Q

What are the roles of the courts?

A

● Interpret the law
● Review the law
● Review government actions (i.e., examine decisions for possible errors) to ensure they do not violate the rights and freedoms embodied within the Canadian Charter of Rights and Freedoms

29
Q

In a common-law system, where are the laws found?

A

Laws are found in statutes (bills that have been introduced, debated and passed by the legislative branch of government) and in case law (jurisprudence).

30
Q

What are the 4 sources of law?

A

● Legislation
● Common law (or civil law in Québec)
● Contracts
● Constitution and charter

31
Q

To whom does the privacy commissioner submit annual reports?

A

To Parliament, since the commissioner is an officer of Parliament and not a member of the executive branch.

32
Q

What is the Privacy Act?

A

The Privacy Act (in force since 1983) governs the federal government's collection, use and disclosure of personal information, gives individuals a right of access to the personal information that government institutions hold about them, and establishes the Office of the Privacy Commissioner.

33
Q

What are contracts?

A

Contracts are private laws created by parties that agree to be bound by specific terms.

34
Q

What does section 7 of the Canadian Charter of Rights and Freedoms say?

A

“[E]veryone has the right to life, liberty and security of the person (…)” This suggests a constitutional protection of the right to privacy.

35
Q

What is the Access to Information Act?

A

The Access to Information Act gives Canadian citizens, permanent residents, and businesses the right to access information in the possession of federal government institutions.

36
Q

Can the OPC order an organization to take action?

A

No. The federal commissioner works on an ombudsperson model and can only make findings and recommendations (and, for PIPEDA matters, apply to the Federal Court). Some provincial commissioners, such as those of Alberta, British Columbia and Québec, have order-making powers.

37
Q

In case of a privacy violation, is the OPC the first option for a citizen?

A

No. The OPC expects complainants to raise the issue with the organization first and will direct them back to it before investigating and recommending remedies.

38
Q

If a privacy complaint needs to be remedied, what are the three forums?

A

● Federal Court of Canada
● Provincial court
● Labour arbitrators.

39
Q

What government entity oversees compliance with the Privacy Act and PIPEDA?

A

The Office of the Privacy Commissioner (OPC).

40
Q

How was the Office of the Privacy Commissioner established?

A

By the Privacy Act (1983).

41
Q

As part of the executive branch, who manages the regulations of programs, such as the immigration system, and expertly deals with matters that come before them?

A

An administrative tribunal.

42
Q

True or false? Only the provincial commissioners have the power to order an organization to take an action.

A

True. The federal commissioner can only make recommendations; commissioners in provinces such as Alberta, British Columbia and Québec have order-making powers.

43
Q

Which are the 4 sources of Canadian law?

A

● Civil or common law
● Legislation
● Constitution and Charter
● Contract.

44
Q

How does PIPEDA define personal information?

A

Information about an identifiable individual.

45
Q

Does PIPEDA distinguish personal information, employee-related, and work product information?

A

No. Unlike the Alberta and BC PIPAs, PIPEDA has no separate categories for employee personal information or work product information.

46
Q

Does information need to be sensitive to fit within the definition of personal information?

A

No.

47
Q

What information does PIPEDA consider publicly available?

A

PI contained in
● telephone directories
● professional or business directories
● public registries
● court and tribunal records
● books, magazines and newspapers
… is considered publicly available information, provided it is collected, used and disclosed for the purpose for which the information appears.

48
Q

What must an individual be able to find out about personal information collected by a private-sector organization?

A

Each individual should always be able to find out:
● What information an organization is collecting
● Why they’re collecting it
● How they use it
● Who they disclose it to

49
Q

CSA principle 1: Accountability

A

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the CSA principles.

50
Q

CSA principle 2: Identifying purposes

A

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

51
Q

CSA principle 3: Consent

A

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

52
Q

CSA principle 4: Limiting collection

A

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

53
Q

CSA principle 5: Limiting use, disclosure and retention

A

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. It shall be retained only as long as necessary for the fulfilment of those purposes.

54
Q

CSA principle 6: Accuracy

A

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

55
Q

CSA principle 7: Safeguards

A

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

56
Q

CSA principle 8: Openness

A

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

57
Q

CSA principle 9: Individual access

A

Individuals shall be informed of the existence, use and disclosure of their personal information and given access to it. They shall be able to challenge the accuracy of the information and have it amended.

58
Q

CSA principle 10: Challenging compliance

A

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

59
Q

Which law defines personal information as information about an identifiable individual and applies to organizations that collect, use and disclose it in the course of commercial activity?

A

PIPEDA.

60
Q

True or false? Under the Alberta and BC PIPAs, employee personal information may be collected, used or disclosed without consent only for the purpose of terminating the employment relationship.

A

False. The exception covers what is reasonably required to establish, manage or terminate the employment relationship, not only termination.

61
Q

Is consent required when republishing personal white pages telephone directory information in an online format?

A

No.

62
Q

Is consent required when disclosing information available in court records that relates directly to the purpose?

A

No.

63
Q

Is consent required when a company collects customer information from its parent company’s white pages for its own purposes?

A

No.

64
Q

Is consent required when republishing telephone numbers in a staff directory?

A

Yes.

65
Q

Is consent required when disclosing information from court records of ongoing legal proceedings?

A

Yes.

66
Q

Is consent required when collecting, using or disclosing information in a public registry for a purpose that relates to why it is there?

A

No.

67
Q

Is consent required when collecting public registry information for the purpose of making it publicly available on another website?

A

Yes.

68
Q

Is consent required when collecting information about a business from publicly available sources like the Yellow Pages?

A

No.

69
Q

What are the 4 attributes of the CSA accountability principle?

A

● Protection (privacy policy)
● Procedures (questions or complaints)
● Training and transparency (handling of PI)
● Responsibility

70
Q

What are the 3 attributes of the CSA safeguards principle?

A

● Protection (data protected against loss, theft, unauthorized access)
● Sensitivity (level of protection)
● Technology (encryption)

71
Q

Is consent needed when the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way?

A

No.

72
Q

Is consent needed when seeking it would compromise the availability or accuracy of the information, as in an investigation?

A

No.

73
Q

Is consent needed when the information is contained in a witness statement and is used to assess, process or settle an insurance claim?

A

No.

74
Q

Is consent needed when the information was produced by the individual in the course of employment and its use is consistent with the purpose for which it was produced?

A

No.

75
Q

Can an organization block access to PI if it could reveal information about a third party for specified national security or law enforcement reasons?

A

Yes.

76
Q

Can an organization block access to PI if it could reveal solicitor-client privileged information?

A

Yes.

77
Q

Can an organization block access to PI if it could reveal commercially sensitive information?

A

Yes.

78
Q

Can an organization block access to PI if it could threaten the life or security of another individual?

A

Yes.

79
Q

Can an organization block access to PI if it could hinder a formal dispute resolution mechanism?

A

Yes.

80
Q

Can an organization block access to PI if it could compromise the integrity of information in the event of a breach of agreement investigation?

A

Yes.

81
Q

Is PI found through Google or on LinkedIn considered publicly available under PIPEDA?

A

No.

82
Q

According to PIPEDA, what is considered as information publicly available?

A

PI contained in:
● Telephone directories
● Professional or business directories
● Public registries
● Court and tribunal records
● Books, magazines and newspapers
… provided it is collected, used and disclosed for the purpose for which the information appears.

83
Q

What conditions must PI meet for an organization to use it without consent on the basis that it is publicly available?

A

The information must be both publicly available (in one of the categories listed in the regulations) and collected, used or disclosed in the manner and for the purpose that the regulations specify.

84
Q

What are an individual’s basic rights regarding personal information collected by an organization?

A

An individual must be able to find out:
● What information an organization is collecting
● Why it is collecting it
● How it uses it
● Who it discloses it to
An individual must also be able to access the information and have the option to opt in or out.

85
Q

What are the two main reasons why an individual might not be able to access their own personal information?

A

Access may be refused if providing the PI would reveal somebody else's personal information, or if the PI is subject to a privilege, such as national security or solicitor-client privilege.

86
Q

Where does PIPEDA apply?

A

To private-sector organizations collecting, using or disclosing personal information in the course of commercial activity, as well as the “employee of the organization and personal information that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

87
Q

Where does PIPEDA not apply?

A

To any government institution to which the Privacy Act applies, such as public-sector organizations. Nor does it apply in personal or domestic situations or for journalistic, artistic or literary purposes. PIPEDA also does not apply when a provincial substantially similar law exists.

88
Q

According to PIPEDA, what is a commercial activity?

A

Commercial activity is defined by PIPEDA as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists by a private-sector organization.”

89
Q

True or false: An organization that is in litigation does not have to respond to requests for access to personal information.

A

False. The OPC states that the obligation to provide access cannot be circumvented by the fact that an organization is in litigation with the same individual. It is a common misconception that organizations do not need to respond to access requests since the process eventually leads to the disclosure of information.

90
Q

What are the 5 roles of the OPC in regard to the enforcement of potential violations of PIPEDA?

A

● Handle complaints
● Investigate
● Submit report
● Apply to federal court for enforcement
● Perform audits.

91
Q

In which 3 circumstances can the OPC decline to investigate a complaint?

A

● If the complainant has not exhausted other reasonably available grievance or review procedures
● if the complaint could be dealt with more appropriately by a procedure provided via federal or provincial laws, or
● if the complaint was not filed in a timely manner.

92
Q

True or false? Prior consent is needed if it is in the interests of the individuals and consent cannot be obtained in a timely way.

A

False.

93
Q

True or false? Prior consent is needed if consent would compromise the availability or accuracy of the information as in an investigation.

A

False.

94
Q

True or false? Prior consent is needed if the information is contained in a witness statement and is used to assess, process or settle an insurance claim.

A

False.

95
Q

True or false? Prior consent is needed if a social media site wants to share the information with a third-party vendor.

A

True.

96
Q

True or false? Prior consent is needed if the information was obtained in the course of employment and is consistent with the purpose for which it was produced.

A

False.

97
Q

True or false? The key elements in determining if PIPEDA applies to an organization are: 1.) if the organization is involved in commercial activity or 2.) if the information is about an employee of the organization operating in connection with a federal work, undertaking or business.

A

True.

98
Q

In obtaining meaningful consent, what are the four key elements to emphasize?

A

● What PI is collected
● For what purposes PI is collected, used, or disclosed
● With which parties PI is shared
● Risk of harm and other consequences

99
Q

What is a meaningful risk?

A

A risk that falls below the balance of probabilities but is more than a minimal or mere possibility.

100
Q

What is included in the definition of "significant harm"?

A

Significant harm includes:
● bodily harm
● humiliation
● damage to reputation or relationships
● loss of employment, business or professional opportunities
● financial loss
● identity theft
● negative effects on the credit record
● damage to or loss of property.

101
Q

When must organizations obtain express consent?

A

● If the PI collected, used, or disclosed is sensitive;
● If the collection, use, or disclosure is outside of the reasonable expectations of the individual; and/or,
● If the collection, use, or disclosure creates a meaningful residual risk of significant harm.

102
Q

In the OPC’s authentication guidelines, what is mentioned about the risk involved?

A

Authenticate based only on the risks associated with not authenticating. If there is no need to authenticate an individual, do not collect identification information.

103
Q

In the OPC’s authentication guidelines, what is mentioned about the level of authentication needed?

A

Know the individual, then choose the correct level of authentication to be used.

104
Q

OPC’s authentication guidelines: Does the strength of authentication need to be adjusted?

A

Regularly reassess risks and deploy risk mitigation measures, including adjusting the strength of authentication processes, to address changing threats.

105
Q

In the OPC’s authentication guidelines, what is mentioned about a technology or service change?

A

Stay vigilant to "risk creep" from changing threats and technology, as well as from new services being added.

106
Q

In the OPC’s authentication guidelines, what is mentioned about the risk of loss if a breakdown occurs?

A

Monitor any attempted attacks on an organization’s authentication system and evaluate any losses that might result if a breakdown occurs.

107
Q

In the OPC's authentication guidelines, what is mentioned about the individual's choice of authentication methods?

A

Give the individual some choice when deciding what authentication mechanisms are used.

108
Q

In the OPC’s authentication guidelines, what is mentioned about the methods of authentication?

A

Be sure to choose authentication methods that are easy enough to remember but difficult for hackers or others to guess.

109
Q

In the OPC’s authentication guidelines, what is mentioned about the PI used for authentication?

A

Avoid using PI that does not change, such as social insurance numbers and driver's licence numbers, as an authenticator: it cannot be reset once it has been exposed.
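The guideline cards above describe a risk-based approach to authentication in prose: authenticate only where not authenticating carries risk, match the strength of authentication to the action, tighten it as attacks are observed, and never treat an identifier that cannot change as a secret. The Python below is an added example written for this page, not code from the OPC or from any vendor, showing what such a policy looks like when it runs: an action-to-assurance mapping, a Luhn check that detects a SIN-shaped "secret" and rejects it, and a sliding window of failed attempts that steps up or denies access while an account is under attack. The assurance levels, the action mapping, the window and thresholds, the account names and the sample number are all assumptions made for the example.

```python
"""Risk-based step-up authentication policy (added example for this page;
not the OPC's code).  All levels, mappings, thresholds and sample values
are assumptions made for the example."""
from collections import defaultdict, deque
from enum import IntEnum
from typing import Deque, Dict, Optional, Tuple
import re


class Assurance(IntEnum):
    """Assumed assurance levels, lowest to highest."""
    NONE = 0       # anonymous: no identification information is collected
    PASSWORD = 1   # one knowledge factor
    MFA = 2        # knowledge factor plus a possession or inherence factor


# Assumed mapping.  The level an action needs follows from the harm of the
# wrong person performing it, not from what is convenient to collect.
REQUIRED_LEVEL: Dict[str, Assurance] = {
    "view_opening_hours": Assurance.NONE,
    "view_balance": Assurance.PASSWORD,
    "change_mailing_address": Assurance.MFA,
    "download_tax_slip": Assurance.MFA,
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, which a valid Canadian SIN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_sin(secret: str) -> bool:
    """True when a candidate secret has the shape of a Social Insurance
    Number: nine digits, optional spaces or dashes, valid Luhn checksum."""
    digits = re.sub(r"[ -]", "", secret)
    return re.fullmatch(r"\d{9}", digits) is not None and luhn_ok(digits)


def acceptable_secret(secret: str) -> Tuple[bool, str]:
    """Refuse secrets that are really static identifiers: a SIN cannot be
    rotated after a breach, so it must never be what proves identity."""
    if looks_like_sin(secret):
        return False, "looks like a SIN; a static identifier is not a secret"
    if len(secret) < 12:
        return False, "too short"
    return True, "ok"


class AttemptMonitor:
    """Sliding-window count of failed authentications per account, so the
    policy can tighten while an account is under attack and relax again
    once the window has passed."""

    def __init__(self, window_seconds: float = 600.0,
                 step_up_after: int = 3, deny_after: int = 10) -> None:
        self.window = window_seconds
        self.step_up_after = step_up_after
        self.deny_after = deny_after
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account].append(now)

    def recent_failures(self, account: str, now: float) -> int:
        q = self._failures[account]
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        return len(q)


def decide(action: str, session_level: Assurance, account: Optional[str],
           monitor: AttemptMonitor, now: float) -> str:
    """Return 'allow', 'step_up' or 'deny' for one action.

    Actions that need no assurance are allowed without identifying the user
    at all.  Otherwise the action's baseline level is raised to MFA once the
    account shows repeated failures, and denied beyond the lockout threshold."""
    required = REQUIRED_LEVEL.get(action, Assurance.MFA)   # unknown action: be cautious
    if required == Assurance.NONE:
        return "allow"
    failures = monitor.recent_failures(account, now) if account else 0
    if failures >= monitor.deny_after:
        return "deny"
    if failures >= monitor.step_up_after:
        required = max(required, Assurance.MFA)
    return "allow" if session_level >= required else "step_up"


if __name__ == "__main__":
    monitor = AttemptMonitor()
    # "046 454 286" is a constructed, Luhn-valid sample, not a real SIN.
    print(acceptable_secret("046 454 286"))
    print(decide("download_tax_slip", Assurance.PASSWORD, "alice", monitor, 0.0))
    for t in range(3):
        monitor.record_failure("alice", float(t))
    print(decide("view_balance", Assurance.PASSWORD, "alice", monitor, 5.0))
```

The decision function never asks for identification on anonymous actions (card 102), chooses the level per action (103), raises it when the monitor reports attacks (104 to 106), and the secret check refuses identifiers that cannot be changed (109). A real deployment would persist the failure window in shared storage and rate-limit by source as well as by account, which this single-process sketch does not.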

110
Q

What are the Generally Accepted Privacy Principles (GAPP)?

A

A framework created by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA).

111
Q

What is CASL?

A

Canada's Anti-Spam Legislation.

112
Q

What does the acronym CEM stand for?

A

Commercial electronic message.

113
Q

Under CASL, in which 4 situations is consent implied?

A

● Sender and recipient have an existing business relationship
● Sender and recipient have an existing nonbusiness relationship
● Recipient has conspicuously published their email address and did not express they do not wish to receive messages
● Recipient has disclosed their email address directly to the sender and did not express they do not wish to receive messages

114
Q

Under CASL, what are the 5 situations exempt from the consent requirement?

A

● Personal or family relationships
● Inquiry about a product or service offered by the recipient
● Quote or estimate provided upon request
● Ongoing subscription or membership information
● Information related to an employment relationship or benefit plan

115
Q

Which organization enforces the CASL?

A

The Canadian Radio-television and Telecommunications Commission (CRTC)

116
Q

How is CASL enforced?

A

● Administrative monetary penalties imposed by the CRTC
● Personal liability of directors and officers
● A private right of action to sue for damages (enacted, but its coming into force has been suspended indefinitely)

117
Q

How does CASL regulate the installation of computer programs?

A

These regulations require the express consent of the owner or authorized user of a computer system before installation. This protects consumers from malicious software or malware.

118
Q

What are the exceptions regarding the CASL regulation about the installation of computer programs?

A

● Consent is deemed for cookies, HTML code, JavaScript, operating systems and programs that are executable only through another program the user has already consented to;
● Telecommunications service providers may install software to protect the security of the network or to upgrade all or part of the network.

119
Q

What does "de novo" mean?

A

It means the Federal Court hears the matter afresh: parties may file evidence and arguments anew, independent of what was before the OPC, and the judge is not obliged to defer to the OPC's findings.

120
Q

What are the 4 questions the Federal Court uses to determine whether an organization's collection of PI meets PIPEDA's reasonableness requirement?

A

● Is the collection of the PI necessary to meet a specific need of the organization?
● Is the collection likely to be effective in meeting this need?
● Is the loss of privacy caused by the collection of PI proportional to the benefit gained?
● Is there a less privacy-invasive way of achieving the same end?

121
Q

What does PIPEDA say about PI that is transferred to a third party for processing?

A

An organization is responsible for PI in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

122
Q

True or false: The health information custodian falls within a category of health information custodians that are entitled to rely on assumed implied consent.

A

True.

123
Q

Which 8 groups are considered health information custodians under Ontario's PHIPA?

A

● health care practitioners
● long-term care homes
● community care access centres
● hospitals, including psychiatric facilities
● specimen collection centres, laboratories, independent health facilities
● pharmacies
● ambulance services
● Ontario Agency for Health Protection and Promotion

124
Q

According to the Privacy Act, is this considered personal information: Information relating to the race, national or ethnic origin, color, religion, age or marital status of the individual?

A

Yes.

125
Q

According to the Privacy Act, is this considered personal information: Information relating to educational, medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved?

A

Yes.

126
Q

According to the Privacy Act, is this considered personal information: Any identifying numbers, symbols or other particulars assigned to the individual?

A

Yes.

127
Q

According to the Privacy Act, is this considered personal information: The address, fingerprints or blood type of the individual?

A

Yes.

128
Q

According to the Privacy Act, is this considered personal information: The personal opinions of the individual except when they are about another individual, about a proposal for a grant, award or a prize to be given to another individual by a government institution or a part of a government institution specified in the regulations?

A

Yes.

129
Q

According to the Privacy Act, is this considered personal information: Correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence?

A

Yes.

130
Q

According to the Privacy Act, is this considered personal information: The views or opinions of another individual about the individual?

A

Yes.

131
Q

According to the Privacy Act, is this considered personal information: The views or opinions of another individual about a proposal for a grant, an award or a prize to be given to the individual by an institution, or part of an institution, but excluding the name of the other individual when it appears with the views or opinions of the other individual?

A

Yes.

132
Q

According to the Privacy Act, is this considered personal information: The name of the individual when it appears with other personal information relating to the individual, or where the disclosure of the name itself would reveal information about the individual?

A

Yes.

133
Q

For a government employee, what employment and work-related information is considered PI and protected by the Privacy Act?

A

● That the individual is, or was, an officer or employee of the government institution
● The individual’s title, business address and telephone number
● The classification, salary range and responsibilities of the position held by the individual
● The name of the individual on a document prepared by the individual during employment
● The personal opinions or views expressed by the individual in the course of employment

134
Q

True or False? The Privacy Act requires government institutions to obtain consent prior to the collection, use or disclosure of personal information.

A

False.

135
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: For the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.

A

Yes.

136
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: For any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure.

A

Yes.

137
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: For the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information.

A

Yes.

138
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada.

A

Yes.

139
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed.

A

Yes.

140
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: Under an agreement or arrangement between the Government of Canada or an institution thereof and the government of a province, the government of a foreign state, (…) for the purpose of administering or enforcing any law or carrying out a lawful investigation

A

Yes.

141
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem.

A

Yes.

142
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General or any other person or body specified in the regulations for audit purposes

A

Yes.

143
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To the Library and Archives of Canada for archival purposes.

A

Yes.

144
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To any person or body for research or statistical purposes if the head of the government institution

A

Yes.

145
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To any aboriginal government, association of aboriginal people, (…), for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada.

A

Yes.

146
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: To any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or make a payment (…).

A

Yes.

147
Q

Is this a situation that allows for nonconsensual disclosure and transfer of PI under the control of a government institution: For any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or disclosure would clearly benefit the individual to whom the information relates.

A

Yes.

148
Q

In which situation can the government disclose PI without consent?

A

If the use is consistent with the purpose for which the government institution collected it.

149
Q

Does the Privacy Act require the same degree of openness and transparency as private-sector laws?

A

No, the Privacy Act requires government institutions to report their PI banks and classes of PI in the annual Treasury Board Secretariat publications called Info Source.

150
Q

What is the purpose of Info Source, the annual publication of the Treasury Board Secretariat in which government institutions are required to report their PI banks and classes of PI?

A

These publications provide information to the public about the PI collected, how it will be handled and retained as well as how individuals can access and correct their information if necessary.

151
Q

True or false? Under the Privacy Act, if a citizen or permanent resident requests access to his or her PI, the requested information must be provided within 30 days.

A

True.

152
Q

True or False? If a correction must be made to an individual’s PI that has been collected by a government entity, that entity is responsible for updating any agencies with which it has shared that information over the previous two years.

A

True.

153
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Information was obtained in confidence from a foreign state and they are insisting on nondisclosure.

A

Yes.

154
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Reasonable expectation of injury threatens federal-provincial affairs, international affairs, national defense or national security, investigation or security of a penal institution.

A

Yes.

155
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Information is less than 20 years old and relates to a crime or enforcement of any Canadian or provincial law or activity that may threaten the security of Canada.

A

Yes.

156
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Information was collected by the Royal Canadian Mounted Police during policing service.

A

Yes.

157
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Information reveals the identity of the informant.

A

Yes.

158
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Access disrupts an individual’s institutional, parole or statutory release program.

A

Yes.

159
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Information threatens the safety of others.

A

Yes.

160
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: Solicitor-client privilege is invoked.

A

Yes.

161
Q

Under the Privacy Act, is this a reason why access to one’s personal information may be denied: The information is regarding an individual’s physical or mental health.

A

Yes.

162
Q

Although the Privacy Act does not specify proper safeguarding or retention obligations, section 4 states that PI concerning an individual that has been used by a government institution for an administrative purpose shall be retained by the institution for how long?

A

a) For at least two years following the last time the PI was used for an administrative purpose unless the individual consents to its disposal; and,
b) Where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his rights under the Act.

163
Q

True or false? The OPC has broad powers to conduct privacy audits to ensure organizations are in compliance with current privacy laws and obligations.

A

True.

164
Q

What does FIPPA stand for?

A

Freedom of Information and Protection of Privacy Act.

165
Q

FIPPAs apply to which kind of organizations?

A

Provincial government entities, crown corporations, and educational institutions.

166
Q

Is there a FIPPA for the province of Québec?

A

No, it’s the Québec Act.

167
Q

What is the purpose of FIPPA?

A

FIPPA aims to bring access to provincial government-held information and the protection of privacy under the same roof.

168
Q

What is the objective of FIPPAs?

A

These laws are designed to enable the public to request and obtain copies of records held by provincial ministries or the Office of the Premier.

169
Q

What is the time limit under FIPPA for responding to a request for information?

A

30 days.

170
Q

If access to PI is denied, what must be provided to the person who requested the access?

A

Entities must provide:
● the written notice of their decision
● the information on the right to file an appeal with the information and privacy commissioner of their province.

171
Q

How long does a person have to appeal?

A

30 days after receiving the decision.

172
Q

To whom should a letter of appeal regarding a denied right of access be sent?

A

To the Provincial Information and Privacy Commissioner.

173
Q

What should a letter of appeal regarding a denied right of access contain (6 elements)?

A

● Why the appeal is being made
● Explanation of concerns
● Requester’s opinion on a resolution
● Requester’s contact information
● Denying entity’s name and file number of the decision along with a copy of the decision and original request
● Required fee

174
Q

When can a government institution disclose PI without consent?

A

If the public interest outweighs the resulting invasion of privacy.

175
Q

What is a PIA?

A

A Privacy Impact Assessment, or PIA, determines whether program and service delivery initiatives that involve the collection, use or disclosure of personal information comply with legislative obligations.

176
Q

When should a PIA be conducted?

A

For all new proposals and programs that raise privacy concerns, as well as any existing programs and services that are being redesigned.

177
Q

What does a PIA seek to assess?

A

A PIA seeks to assess whether privacy practices:
● Are commensurate with the level of risk
● Are consistent with legal and policy requirements
● Ensure that public reporting of personal information under the control of government institutions is complete, accurate and up-to-date.

178
Q

What does a privacy impact assessment cover?

A

● Collection authority
● Direct collection, notification and consent
● Retention
● Accuracy
● Use
● Disclosure
● Administrative, physical and technical safeguards
● Technology and privacy issues that:
o Indicate changes that impact privacy practices
o Determine if IT systems and services are compliant
o Identify awareness activities in new electronic environments

179
Q

To whom are PIAs submitted?

A

PIA reports are submitted to the Privacy Commissioner of Canada.

180
Q

What happens if a governmental institution fails to conduct an adequate privacy impact assessment?

A

It may need to explain its actions in its annual report to Parliament. Persistent PIA failure may also lead to action by the president of the Treasury Board. This may include not receiving required approvals for programs from the central agency.

181
Q

What is the Standard on Privacy and Web Analytics, known as “the Standard”?

A

The Standard addresses the use of web analytics by government institutions and the privacy issues associated with it.

182
Q

What are the 4 requirements imposed by the Standard?

A

● Mandated privacy notices on websites;
● Maximum retention periods;
● The use of strict privacy protective language in third-party contracts;
● Depersonalization or anonymization tools

183
Q

What happens to institutions that fail to comply with the Standard?

A

They may be subject to additional reporting by the Treasury Board of Canada Secretariat (TBS).

184
Q

When personal information is managed by an outside organization under a contractual agreement, what are the 3 risk factors to evaluate?

A

● The sensitivity of the personal information (is it detailed or highly personal?) and the context in which it was collected
● The expectations of the individuals to whom the personal information relates
● The potential injury if the personal information is wrongfully disclosed or misused, such as identity theft or access by foreign governments

185
Q

Where personal information is managed by an external organization under a contractual arrangement, what right does the government institution have over the service provider?

A

The right to audit and inspect the service provider.

186
Q

Where personal information is managed by an external organization under a contractual arrangement with a government institution, what requirements (6) are placed on the service providers?

A

● Right to audit and inspect the service provider
● Segregate data
● Provide data breach notification
● Restrict access to data
● Allow the originating institutions to retain control over the information
● Follow the contract and not disclose the information in any way that is not provided in the contract
● Give prior notice to, and obtain approval from, the government institution before using subcontractors

187
Q

Which provinces have health privacy legislation that is considered substantially similar to PIPEDA, and therefore exempt from PIPEDA’s applicability?

A

● Ontario’s PHIPA
● New Brunswick’s PHIPA
● Newfoundland and Labrador’s PHIPA
● Nova Scotia’s PHIPA

188
Q

What is personal health information?

A

Any information concerning an individual’s physical and mental health. This includes information collected about an individual when they register to receive or pay for health services, as well as an individual’s health card number, address and telephone number.

189
Q

When is personal health information (PHI) not protected by law?

A

When information is truly anonymous, it is not protected by law.

190
Q

What health sector participants are subject to provincial health privacy laws?

A

Regulated healthcare professionals; hospitals and nursing homes; independent health facilities; laboratories; pharmacies; provincial health departments and ministries; certain community, regional, district and provincial health services; boards, authorities, councils or corporations; even some colleges, universities and school boards

191
Q

True or false? The general rule is that an individual implicitly consents to the collection, use and disclosure of their personal health information within their “circle of care.”

A

True.

192
Q

What is the Genetic Non-Discrimination Act (GNDA)?

A

The Genetic Non-Discrimination Act (GNDA, 2017) aims to prohibit genetic discrimination across Canada and further bars any organization from requiring individuals to undergo a genetic test, or disclose the results of a genetic test, as a condition of providing goods or services or entering into a contract.

193
Q

Under Ontario’s health privacy legislation, what are the four conditions for consent to be considered valid?

A

● Come from the individual concerned
● Be knowledgeable, requiring the individual to fully understand the purpose for which the information will be collected, used and disclosed
● Relate to the information at issue
● Not be obtained through deception or coercion

194
Q

The privacy implications of collecting and using genetic information are currently an OPC priority, especially in the context of what?

A

Life and health insurance companies.

195
Q

True or false? Provincial and territorial health privacy laws may refer to health sector participants as custodians, health information custodians, trustees or agents.

A

False.

196
Q

What does section 8 of the Canadian Charter of Rights and Freedoms state?

A

“[E]veryone has the right to be secure against unreasonable search or seizure.” Here, it is used in a criminal and administrative context to prevent violation of privacy while collecting evidence, or during investigations.