Privacy Laws Flashcards

1
Q

Charter of Rights and Freedoms

A

Section 7 - Everyone has the right to life, liberty and security of the person

Doesn’t mention privacy, but case law supports view that s. 7 serves as a source of constitutional protection of the right to privacy

2
Q

Sources of Law

A
  1. Legislation (PIPEDA, PIPAs, etc.)
  2. Common law
  3. Contracts
  4. Charter
3
Q

3 Canadian Perspectives on Privacy

A
  1. Privacy of the individual vis-à-vis the state
  2. Privacy of the individual vis-à-vis other individuals
  3. Privacy of the individual vis-à-vis organizations
4
Q

3 Canadian Classes of Privacy (as defined by Jurists)

A
  1. Information Privacy - claim to determine for yourself when/how/to what extent info is communicated to others
  2. Personal Privacy (bodily integrity)
  3. Territorial Privacy - limitations on ability of individual to intrude on physical environment
5
Q

Models of Data Protection

A

Comprehensive (Canada, EU)
Sectoral (US)
Self-Regulatory (US, Japan, Singapore)
Seal Programs (TrustArc, BBBOnline, WebTrust, Digital Advertising Alliance)
Technology-Based Model

6
Q

Seal Programs

A

TrustArc - founded in 1997, license agreement
BBBOnline - subsidiary of Better Business Bureaus, from 1999
WebTrust - AICPA and Canadian Institute of Chartered Accountants
Digital Advertising Alliance (DAA) - 2010 self-regulatory org

7
Q

5 Key Concepts of Canadian Privacy

A

Personal Information
Employee and Work-Product Information
Public Records and Publicly Available Information
Private and Sensitive Information
General concepts of Fair Information Practices and General Privacy Principles

8
Q

Federal Privacy Act - Types of Personal Information

A

a) Info relating to race, ethnic origin, religion, age or marital status;
b) information relating to education or medical/criminal/employment history, or info relating to financial transactions
c) identifying number, symbol or particular;
d) address, fingerprints, blood type;
e) personal opinions or views of the individual, except where they are about another individual or about a proposal for a grant, award or prize to be made to another individual;
f) correspondence sent by gov’t to individual that is of private or confidential nature;
g) Views of another individual about the individual;
h) The views or opinions of another individual about a proposal for a grant/award/prize made to the individual by an institution, but excluding the name of the other individual where it appears with the views or opinions of the other individual
i) The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual

9
Q

Federal Privacy Act - Job-Related Information (not personal information)

A

i. The fact the individual is or was an officer or employee of the institution
ii. Title, business address and telephone number
iii. Classification, salary range and responsibilities of the position
iv. The name of the individual on a document prepared by the individual in the course of employment
v. The personal opinions or views of the individual given in the course of employment

10
Q

Employee Information

A

Personal information that is collected/used for the purposes of establishing, managing, or terminating an employment or volunteer relationship.

Does not include personal information about the individual that is unrelated to that relationship.

(from Alberta PIPA)

11
Q

Work-product Information

A

Information about an individual that is related to that individual’s position, functions, and/or performance of their job

12
Q

Privacy Act - Publicly Available Information

A

Restrictions on gov’t ability to use and disclose personal information do not apply if info is publicly available.

Obligations to collect info in accordance with the act still apply to publicly available info.

Total exception for any information found in library or museum material, or placed in the Library and Archives of Canada, National Gallery, etc.

13
Q

PIPEDA - Publicly Available Information - Regs

A

Org can collect/use/disclose PI without knowledge and consent if it is publicly available and specified by regs:

a) Name, address, number appearing in telephone directory (where the subscriber can opt out)
b) Name, address, number appearing in professional or business directory (where use relates directly to the purpose for which info appears in the directory)
c) PI that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law (where use relates to purpose for which info appears)
d) PI in record or document of judicial or quasi-judicial body (where use relates to purpose…)
e) PI that appears in a publication, including a magazine, book or newspaper, in printed or electronic form (where individual has provided the information)

14
Q

PIPEDA - General Principles re: Publicly Available

A
  • merely because an individual appears in public doesn’t automatically forfeit their interest in retaining control over the PI exposed
  • For an org to be exempted from consent requirement, PI must be both publicly available and specified by the regs
  • The exception to the consent requirement doesn’t apply to org that initially collects info for the purposes of making it publicly available
15
Q

OPC Findings - Telephone Directories

A
  • Individual phone number considered PI, even if published in a telephone directory, and subject to the “reasonable person” test.
  • Republishing personal white-pages telephone directory info in online format constitutes publicly available info
  • Telecom can collect info from parent company’s white-pages directory, for its own purposes, without obtaining consent
16
Q

OPC Findings - Professional and Business Directories

A

Information about a business collected from Yellow Pages (or other publicly available sources) does not constitute personal information

17
Q

OPC Findings - Public Registries

A
  • the purpose for which information is used is a key element in eval of whether exception to consent requirement applies
  • purpose of use in a public registry must relate directly to the information’s purpose for being in that registry
  • not enough that info is publicly available, must have been collected from source for specific purpose behind subsequent disclosure
18
Q

OPC Findings - Court and Tribunal Records

A
  • Court not required to disclose personal information that appears in publicly available court records where disclosure relates directly to advancing a claim in court
  • PI found in court records of ongoing legal proceeding cannot be collected and used without individual consent for purposes unrelated to the legal proceedings
19
Q

OPC Findings - Books, Magazines, and Newspapers

A

Publicly available PI can be collected from published books, magazines, and newspapers regardless of the purpose for which the info appears
- consent not required to use a business email for marketing purposes where the email was posted on a publicly available website by the individual (decided before CASL, which now supersedes this finding)

20
Q

Private/Sensitive Info

A

PIPEDA doesn’t distinguish in definitions (although might in RROSH)

Some provincial statutes address the difference between all PI and info that deserves more protection because of its sensitive nature - typically applies when gov’t institutions are working through questions about whether info held by gov’t should be released.

Law (such as that in Nova Scotia) may enumerate types of information which would merit more or less protection

21
Q

Nova Scotia Privacy Law - Unreasonable Invasion of Privacy Examples

A

a) medical information
b) PI related to possible violation of law
c) eligibility for income assistance or social service benefits
d) employment or educational history
e) tax returns or tax info
f) financial information
g) personal recommendations or evaluations
h) race/ethnicity, sexual orientation, religious or political beliefs
i) PI consists of name along with address and phone number and is to be used for mailing lists or solicitations by phone or other means

22
Q

OECD Principles (1981) compared to CSA

A

Accountability
Purpose Specification -> Identifying Purposes
Collection Limitation -> Consent & Limiting Collection
Use Limitation -> Limiting Use, Disclosure and Retention
Data Quality -> Accuracy
Security Safeguards
Openness
Individual Participation -> Individual Access & Challenging Compliance

23
Q

Canadian Standards Association (CSA) Principles - 1996

A

Model Code for the Protection of Personal Information

Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure and Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance

24
Q

CSA Model Code Participants

A

Federal and Provincial Gov’ts
Consumer Advocates
Organized Labour
Security and IT Experts
Industries including:
Financial services
Telecommunications
Cable television
Direct Marketing

25
Q

CSA Model Code Purpose

A

Balance between legitimate business interests and the individual right to privacy

26
Q

CSA Principle - Accountability

A
  • Org responsible for PI under its control
  • Org shall designate individual accountable for org’s compliance
27
Q

CSA Principle - Identifying Purposes

A
  • Purpose for collection of PI identified before or at the time of collection
28
Q

CSA Principle - Consent

A

Consent required for collection, use or disclosure of personal information (except where inappropriate)

29
Q

CSA Principle - Limiting Collection

A

Collection shall be limited to that which is necessary for the purposes identified by the org.
Info shall be collected by fair and lawful means

30
Q

CSA Principle - Limiting Use, Disclosure and Retention

A

PI shall not be used for purposes other than those for which it was collected (except with consent or required by law)
PI should be retained only as long as necessary

31
Q

CSA Principle - Accuracy

A

PI shall be accurate, complete, up-to-date as necessary

32
Q

CSA Principle - Safeguards

A

Security safeguards should be appropriate to sensitivity of the information

33
Q

CSA Principle - Openness

A

Org shall make available specific info about its policies and practices

34
Q

CSA Principle - Individual Access

A

Upon request, individual shall be informed of existence, use and disclosure of his/her personal information and shall be given access to that information.

Individual should be able to challenge accuracy and completeness of info and have it amended as appropriate.

35
Q

CSA Principle - Challenging Compliance

A

Able to challenge org concerning compliance

36
Q

Generally Accepted Privacy Principles (CICA)

A

Management
Notice
Choice and Consent
Collection
Use, Retention, Disposal
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring and Enforcement

37
Q

Sensitive Personal Information

A

Information more significantly related to the notion of a reasonable expectation of privacy.

Medical or financial!

Information that could result in identity theft.

38
Q

2016-2017 Parliamentary Report of OPC - Challenges to Consent

A
  • Opaque nature of privacy policies that are the basis of consent
  • Complex information flows
  • Business processes that involve a multitude of third-party intermediaries

OPC stated that consent model needs to be updated and altered rather than replaced

39
Q

Retention Period - 2 Points to Remember

A
  1. Personal information that has been used to make a decision about an individual should be retained long enough to allow the individual access.
  2. An org may be subject to legislative requirements w/r/t retention periods for certain types of information
40
Q

PIPEDA - Accuracy Principle - Updating Personal Information

A

An org shall not routinely update personal info, unless necessary to fulfill the purposes for which the information was collected

41
Q

PIPEDA - Openness Principle - Information Made Available

A
  • Name of accountable person
  • Means of gaining access to personal information
  • Description of PI held and its use
  • Brochure that explains policies/standards/codes
  • The PI that is made available to related orgs
42
Q

Time Limits for Access to Own Information Requests

A

PIPEDA, BC, QC - 30 Days
Alberta PIPA - 45 days with limited right to extend

43
Q

PIPEDA - Purpose of Legislation

A

Reconcile:
* Individual right to privacy
* Commercial need for access to personal information

Express recognition that right to privacy is not absolute

Last goal: ensure that Canadian orgs could receive data from the EU (which had passed the Directive on Data Protection in 1995)

44
Q

PIPEDA - Application

A

Applies to the entire private sector: every org that collects/uses personal info in the course of commercial activity, OR where the info is about an employee of a federal work

Does not apply to:
* gov’t institutions covered by Privacy Act
* Individual that collects info for personal or domestic purposes
* Org that collects info for journalistic, artistic or literary purposes and no other

45
Q

OPC - Federal Work, Business or Undertaking

A

“Any work that is under the legislative authority of Parliament”

Specific examples:
- interprovincial/international transport by air or water
- airports, aircraft, airlines
- telecomms
- radio and TV broadcasting
- banks
- grain elevators
- nuclear facilities
- offshore drilling
- any company subject to any part of the Canada Labour Code

NOT Federal:
- insurance companies
- credit unions

46
Q

Substantially Similar to PIPEDA - 3 Requirements

A
  1. Consistent with the Schedule for PIPEDA
  2. Independent oversight body like the OPC
  3. Contain a redress mechanism for the aggrieved
47
Q

PIPEDA - Substantially Similar Laws

A
  • Alberta PIPA
  • BC PIPA
  • the Quebec Act

w/r/t Health Only
- Ontario Personal Health Information Protection Act
- NB Personal Health Information Privacy and Access Act (wrt health information custodians only)
- NL Personal Health Information Act (wrt health information custodians only)
- NS Personal Health Information Act (wrt health information custodians only)

48
Q

PIPEDA - Commercial Activity

A

Transaction, Act or Conduct that is of a commercial character, including selling/buying donor lists

49
Q

PIPEDA - Commercial Activity - Court Interpretation

A
  • Taxable status is not relevant
  • Mere contractual relationship is not enough
  • information-gathering in preparation for civil tort action not commercial activity contemplated by PIPEDA
  • information-gathering by insurance company to defend a lawsuit in part of obligations to insured not covered by PIPEDA
  • Physician conducting independent medical exam on behalf of insurance company - this is commercial activity
50
Q

Commercial Activity - OPC Interpretation

A

Broad! 2 Part test:

  1. What is the core activity of the institution (e.g. if educational, presumed not to have ‘commercial character’)
  2. Presumption against commercial character rebutted if one of the objectives is to earn profit for its owners
  • emphasis is on transaction rather than enterprise
  • for the most part, nonprofit associations (incl unions) and private schools operate outside of any commercial activity

In:
- relaying financial information into and out of Canada for international transactions with Canadian banks
- bankruptcy trustee collecting PI to be used in administering bankruptcy
- day care (even though a nonprofit)
- in certain cases, tort litigation, landlord-tenant relationships, online advertising and social networking

51
Q

PIPEDA - Obligations

A
  • Org can only collect/use info for purposes that a reasonable person would consider appropriate in the circumstances
  • Burden on org to be prepared to demonstrate it is acting reasonably (even if they obtained consent!)
  • In Sections 6 to 9 of PIPEDA, some CSA standards modified to be mandatory:
  • Only collect with consent
  • consent only valid if person would understand nature, purpose and consequence of PI collection and use
  • obliged to provide access to personal information
52
Q

PIPEDA - NOT Obligations

A

Where Schedule 1 says an org “should” do something, org is not obliged to follow that standard

53
Q

PIPEDA - Consent Not Required

A

a) Collection clearly in the interests of the individual and consent cannot be obtained quickly
b) collection related to investigating a breach of agreement or law, and collection with consent of individual would compromise information
c) contained in a witness statement and collection necessary for adjudicating insurance claim
d) produced by the individual in the course of their employment and consistent with that purpose
e) journalistic/artistic/literary purposes
f) info publicly available and specified by regs
g) collection made for purpose of making a disclosure required by law

54
Q

PIPEDA - Exceptions to Right to Access to PI

A
  • if access would reveal info about a third party
  • specified national security or law enforcement reasons
  • solicitor-client information
  • commercially sensitive information
  • threaten the life or security of another
  • info gathered as part of formal dispute resolution mechanism
  • info collected without consent during investigation of a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that information
55
Q

PIPEDA - Right of Access - Cost Recovery

A

Orgs may provide access on a cost recovery basis, but cost must be “at minimal or no cost to the individual”

Any type of flat fee likely not acceptable; org ought to assess minimal fee and apply it only in exceptional cases

56
Q

OPC Powers - Decline to Investigate a Complaint

A
  • Other available grievance or review procedures not exhausted
  • Could be dealt with more appropriately by a procedure under other federal or provincial laws
  • Not filed in reasonable period of time
57
Q

OPC Powers - Discontinue an Investigation

A
  • Insufficient evidence to pursue
  • Complaint is trivial, frivolous or vexatious, or bad faith
  • Org already provided fair response to complaint
  • Matter already object of investigation
  • matter is object of compliance agreement with OPC
  • matter is subject of a report by OPC
  • matter already addressed under a procedure in PIPEDA s 12(1)(a) or (b)
58
Q

OPC - When to Federal Court

A
  • Can apply to feds if recommendations from investigation report are not implemented
  • Can apply if org fails to live up to commitments in a compliance agreement
  • Cannot apply to fed court if recommendations in an audit report are not implemented
59
Q

Digital Privacy Act (2015) Updates to PIPEDA

A
  • Breach Notification and Record-Keeping Requirements (fines of up to $100k)
  • Update to personal information and business contact information
  • Update to consent, including new exceptions
  • Compliance agreements
  • Public Interest Disclosures broadened
60
Q

DPA Consent Exceptions

A
  • Investigations/fraud detection - may disclose PI to another org if reasonable to expect that knowledge would compromise investigation
  • Business transactions - Sale of business, merger, lease of assets
  • Witness statements in insurance claims
  • Identifying injured, ill, deceased; communicating with next of kin
  • Financial abuse - disclose to gov’t or next of kin/representative
  • Employment relationships in federally regulated workplaces
  • PI produced in course of employment, business, or profession
61
Q

Possibilities for Work Product under PIPEDA

A
  1. Exclude Work Product from definition of “personal information”, as is done in BC PIPA;
  2. Consider work product to be personal information, but state that data protection provisions do not apply (similar to approach to PI collected for journalistic/artistic purposes);
  3. Include work product in definition of personal information, but state that consent requirements in Sec 7 of PIPEDA don’t apply.

Currently: personal information that may be work product is subject to the Act and would be addressed on a case-by-case basis.

62
Q

Alberta PIPA - Professional Regulatory Bodies

A

For these entities, an org can establish personal information codes and thereafter abide by the code instead of all obligations imposed by PIPA

63
Q

The Ombudsperson Model

A

A recommendation-only model for Privacy Commissioners (i.e. like the Federal OPC) rather than the ability to order compliance.

Said to be less adversarial and formalistic.

64
Q

The Quebec Act - Three Principles

A
  1. Every person who establishes a file on another person must have a serious and legit reason for doing so
  2. The person establishing the file may not deny the individual concerned access to the information contained in the file
  3. The person must respect certain rules that are applicable to the collection, storage, use and communication of the information
65
Q

The Quebec Act - Application

A

Applies to every “enterprise” that collects/stores/uses/communicates (aka discloses) information about a natural person to third parties.

66
Q

The Quebec Act - Exceptions to Application

A
  1. PI collected and used by public bodies;
  2. Journalistic material
67
Q

The Quebec Act - Enterprise

A

Carrying on by one or more persons of an organized economic activity, whether or not commercial in nature, consisting of producing, administering or alienating property, providing a service.

Not limited to commercial activity, applies to unions, lawyers, doctors, other associations

68
Q

The Quebec Act - Communication Outside of Quebec

A

Similar to EU, enterprise in QC can disclose info to 3rd party outside of QC if:
- info will not be used for purposes not relevant to the object of the file or communicated without consent
- in case of marketing lists, persons concerned have valid opportunity to refuse to allow their personal information to be used for commercial purposes

Third parties include any separate legal entity, so related companies and orgs have to abide by third party rules

69
Q

The Quebec Act - Personal Information Agent

A

A person who, on a commercial basis, establishes files on other persons and prepares and communicates credit reports bearing on reputation or solvency of the persons to whom the info contained in such files relates

70
Q

CASL

A
  1. Rules for sending of commercial electronic messages (CEM)
  2. Rules for the installation of computer programs
  3. Prohibition on the unauthorized alteration of transmission data
71
Q

CASL - Application

A

Applies to all forms of electronic messaging, including:
- Email
- SMS text messages
- Messages sent via social networking

Applies to all messages sent from or received in Canada

Applies to nonprofit orgs and registered charities

72
Q

CASL - Obligations - Consent

A
  • Consent must be obtained before CEM is sent
  • Express consent cannot be provided by silence or inaction (e.g. a pre-checked box) - must be “opt-in” by positive action to indicate consent
  • can be orally or in writing
73
Q

CASL - Consent - Proof of Consent

A

Key information
- whether consent was obtained in writing or orally
- when it was obtained
- why it was obtained
- manner in which it was obtained

74
Q

CASL - Implied Consent

A
  1. Existing business relationship
  2. Existing non-business relationship
  3. Recipient conspicuously published electronic address (e.g. on a website) and doesn’t say they don’t wish to receive messages
  4. Recipient has disclosed electronic address directly to the sender and hasn’t said they don’t want messages - must be related to professional capacity
75
Q

CASL - Additional Exceptions to Consent

A
  • sent to a friend or family member
  • inquiry about a service offered by recipient
  • provides a requested quote
  • facilitates a commercial transaction
  • provides warranty or safety information
  • information about ongoing subscription or membership
  • information related to employment relationship or benefit plan
  • delivers a good or service
76
Q

CASL - Identification

A

Senders must clearly identify themselves, including person (or multiple persons) message sent on behalf of.

If not practical to include information in body of CEM, must include a hyperlink to a web page containing this information - must be clearly and prominently set out in the CEM

77
Q

CASL - Unsubscribe Mechanism

A
  • link must be functional for minimum 60 days after sending
  • unsubscribe must be processed without delay, and in any event, no more than 10 days after request
  • unsubscribe must be “readily performed”, and quick, simple and easy for the end user
78
Q

CASL - Record-keeping

A

Record-keeping extremely important when interacting with CRTC / Responding to Notice to Produce

Should include:
- All evidence of express and implied consent
- documented methods through which consent was collected
- policies and procedures regarding CASL compliance
- all unsubscribe requests and resulting actions

79
Q

CASL - Enforcement

A

Enforced by CRTC, with related amendments to Competition Act and PIPEDA enforced by Competition Bureau and OPC

80
Q

CASL - Blackstone Case Study - Why Reduce Fine

A
  • Purpose of penalty - compliance, not punishment
  • scope, nature, duration of violation
  • Blackstone ability to pay
  • Blackstone cooperation
  • Notice of self-correction
  • No history of non-compliance
  • Blackstone made inquiries of regulator
81
Q

CASL - Compu-Finder Case Study

A

OPC Investigated Compu-Finder for collecting and using business emails to promote business
- examined Compu-finder websites
- reviewed online media and other public content about org
- submissions to CRTC Spam Reporting Centre
- Interviewed 8 individuals who complained
- Got representations from Compu-Finder

OPC concerned with integrity and comprehensiveness of CF representations

Found CF was unaware of and did not respect privacy obligations; lacked appropriate consent for use of emails

CF implemented OPC recommendations on “without admission” basis - OPC said complaint well-founded and resolved in part/conditionally resolved in part. Entered compliance agreement.

CRTC assessed administrative monetary penalty (AMP) of $1.1 million

82
Q

CASL - Installation of Computer Programs - Purpose

A

Protect consumers from programs such as malware that pose a real threat to individuals - enforcement is focused here

83
Q

CASL - Computer Programs - Safeguards

A
  • Monitoring client activities
  • written contracts with clients/suppliers requiring CASL compliance
  • written CASL policy
84
Q

CASL - “caused to be installed”

A
  • malware installed along with other software
  • concealed software automatically executed when consumer inserts (for example) a CD or USB
85
Q

CASL - Express Consent without Requesting Installation

A
  • Cookies
  • HTML
  • JavaScript
  • An Operating System
  • Program executable through a program to which end user consented
  • Software installed to correct a failure (i.e. bug fixes)

Telecoms do not need consent to install software to protect security of system

Consent only assumed if user doesn’t take steps to vitiate it (e.g. disabling JavaScript in the browser)

86
Q

CASL - Automatic Downloads with Consent

A

Vendors can:
- implement user-installed updates (user must click)
- can obtain consent for automatic downloads at point of initial install
- can allow automatic downloads to be activated or de-activated via a user setting

87
Q

CASL - Competition Act Materiality

A

No Materiality Requirement: false info in
- Sender line
- Subject Line
- locator information (e.g. URL)

Materiality requirement:
- False or misleading statement in the content of the electronic message

88
Q

CASL - Competition Act - Private Right of Action created by CASL

A

Consumers can sue for $200 per message that contains false and misleading misrepresentations

89
Q

CASL - INDU Recommendations

A
  • Enforcement agencies issue clear, accessible, regularly updated guidance materials
  • Parliament amend:
    1. Definitions of CEM, “electronic address”, “implied consent”, “express consent” to clarify them;
    2. Increase transparency in how CRTC investigates and penalizes violations;
    3. Short title, Electronic Commerce Protection Act (ECPA)

Gov’t agreed but no changes to law yet.

CRTC issued guidelines on implied/express consent and started issuing enforcement advisories in 2018, but most issues in report are unaddressed.

90
Q

Bank Act - Scheduled Banks

A

Schedule I - domestic banks
Schedule II - Subsidiaries of foreign banks
Schedule III - Foreign bank branches of foreign banks

91
Q

Privacy Issues to Consider

A
  • Transborder Data Flows
  • Online Behavioural Advertising
  • Data Breach Reporting
  • Surveillance
92
Q

Transborder Information Transfer

A
  • law and OPC decisions show transfers outside of Canada are permitted
  • Orgs must still be transparent, receive consent for transfers, and be accountable (i.e. responsible for information held by third party transferees)
  • OPC held a consultation process on two proposed changes: 1) mandatory consent for cross-border transfers; and 2) a requirement to communicate options for opting out of international transfers; feedback was that this was too onerous and the changes were shelved.
93
Q

Online Behavioural Advertising

A

Typified by the use of a cookie

May be “first party” (placed by the website visited) or “third party” (placed by some other party)

May be “session” or “persistent”

Cookie permits data regarding browser history to be recorded

94
Q

Online Behavioural Advertising - Regulation

A

Covered by PIPEDA or Quebec, Alberta, BC Privacy Laws

95
Q

Online Behavioural Advertising - Application

A

OPC says IP address and cookie-related information are personal information.

SCC and OCA also comment on privacy interests in browsing history.

Obtaining consent in timely and informed way remains a challenge.

96
Q

Online Behavioural Advertising - Google Complaint 2013

A

Google’s online service used sensitive health information to target users with health-related ads, contrary to its own policies and in violation of PIPEDA

97
Q

Online Behavioural Advertising - Bell RAP

A

Relevant Advertising Program - tracked customer habits and created detailed profiles to be shared with 3rd party advertisers in violation of PIPEDA.

98
Q

Data Breach Reporting - Notification to OPC in the Digital Privacy Act (2018)

A
  • Description of the circumstances of the breach
  • Period of breach
  • Type of Personal Information
  • Estimated number of individuals
  • Steps org has taken to reduce risk of harm
  • Steps org has taken to notify
  • Name and contact of accountable person
99
Q

Data Breach Reporting - Notification to Individuals

A
  • Circumstances of breach
  • period of breach
  • description of personal information
  • Steps the org has taken to reduce risk of harm
  • steps individual could take to reduce harm
  • toll-free number or e-mail address the affected individual can use
  • information about the org’s internal complaint process
100
Q

Data Breach Reporting - Record Retention

A

Must keep a record of every breach of security safeguards for 24 months after the day the breach was discovered

101
Q

Data Breach Reporting - PIPEDA Penalties

A

Fines of up to $100,000 for knowingly violating notification or record-keeping requirements

102
Q

Data Breach Reporting - Alberta

A

PIPA requires notifying the commissioner of a breach if there is a real risk of significant harm to an individual.

  • Description of incident
  • time period
  • personal information involved
  • assessment of risk of harm to individuals
  • estimated number of individuals
  • steps taken to reduce harm
  • contact information
103
Q

Data Breach Reporting - Risk of Harm Factors

A
  • Sensitivity of personal information
  • Probability that the personal information will be misused
  • Any other prescribed factor
104
Q

Privacy Incidents - SWIFT

A
  • complaint that SWIFT/Canadian banks were turning over information to US government
  • SWIFT said it was responding to subpoenas from OFAC
  • SWIFT subject to PIPEDA (operates in Canada)
  • SWIFT hadn’t contravened PIPEDA - must abide by legitimate laws of other countries in which it operates
  • Banks met their obligations because contractual documentation exists between SWIFT and the banks that ensured comparable level of protection
105
Q

Privacy Incidents - TJX (Winners/Homesense)

A
  • TJX company breached - intruder got credit card numbers, names and addresses, and Canadian driver’s licenses
  • Collected DL to prevent fraud
  • Commissioners considered:
    1. Whether the org had a reasonable purpose for collecting info
    2. Whether org retained info in compliance with legislation
    3. Whether org had reasonable safeguards
  • determined DL was irrelevant to legitimate purpose; should not be an identifier for the purposes of analyzing shopping-return habits
  • TJX decided to use hashing to create a unique number that could be stored that wasn’t a driver’s license
  • info had been stored indefinitely, in violation of retention periods
  • used only WEP encryption in stores
106
Q

TJX/SWIFT - Key Conclusions

A
  • International flow of data will not impede applicability of laws in Canada
  • Canadian privacy law will not stand in the way of legitimate business uses of personal information
  • Responsibility will lie with the org to prove it is reasonably safeguarding
  • Orgs must collect only the personal information necessary to fulfill legitimate purposes
107
Q

Incidents - Facebook 2008

A

Complaint from University of Ottawa Cybersecurity Group
OPC Report - Facebook had not met knowledge and consent obligations under PIPEDA
OPC recommended Facebook and Developers
- receive no more personal information than necessary
- provide users with sufficient notice about which data will be collected
- provide opportunity to give meaningful consent

108
Q

Incidents - Nexopia

A

Youth-oriented social networking site; complaints:
- Disclosure of user personal information to public did not meet reasonable expectations of the users
- Site had inappropriate and unreasonable default privacy settings
- users not adequately informed about how info would be shared
- Consent not obtained at time of registration for collection of PI
- Non-Nexopia users’ PI retained without their knowledge and consent
- All PI retained indefinitely and w/o an option to request for deletion

109
Q

Incidents - Google

A

In 2010, OPC investigated “inadvertent” collection of data from unsecured WiFi networks by camera cars capturing street images.
- gathered PI in excess of the purposes of collection
In 2013, complaint about health-related ads
- Joint investigation with FTC, OPC identified several shortcomings in systems for monitoring compliance with policies
In 2014, more complaints filed when Search App updated to collect PI beyond that required for functionality
- OPC concluded that the complaints were not well-founded
- Granting app permissions alone does not equate to consent for collection

110
Q

Incidents - Ganz

A

Toy manufacturer with web-enabled toys for children aged 6-13 to log in and play with a virtual version
Complaint: collecting and retaining PI of children without adequately explaining purpose or obtaining appropriate consent
- shared with third-party advertisers to track and profile children
Recommendations:
- provide greater clarity during online account registration
- importance of involving parents
- parental consent
- language appropriate to site’s user base
- updating privacy policy to better reflect actual practices
- improve communication of policies

111
Q

Incidents - Apple

A

OPC investigated allegations that Apple used Unique Device Identifiers (UDID) for tracking purposes without knowledge and consent of individuals.
OPC - UDID considered personal information, disclosed to third-party app developers for targeted advertising purposes
- UDIDs considered to be sensitive personal information
- Apple replaced UDIDs with Ad IDs and provided option for users to reset their tracking history

112
Q

Incidents - Equifax

A

OPC found:
- Inadequate vulnerability management
- Inadequate network segregation
- Inadequate implementation of basic information security practices
- Inadequate oversight

113
Q

Incidents - Facebook 2019

A

April 2019 - Facebook and TYDL (This is Your Digital Life)
- data in hands of individual who sold PI of American Facebook users to Cambridge Analytica
- Users filled out personality quiz and disclosed info about friends
- Four major conclusions:
1. Failed to obtain valid and meaningful consent
2. Failed to obtain consent from friends
3. Inadequate safeguards
4. Failed to be accountable

114
Q

Legal Developments - Biometric Info

A

Telus Voiceprint case - 4 employees complained
- FCA: characteristics of voice are personal information
- weighed privacy rights against TELUS business interests
- reasonable person would find use of e.Speak tech to be reasonable in the circumstances

115
Q

Legal Developments - Eastmond

A

Video Cameras installed in workplace.
Test used by court:
1. Is the collection necessary to meet a specific need?
2. Is collection likely to be effective?
3. Loss of privacy proportional to benefit gained?
4. Less privacy-invasive way of achieving the same end?

Court determined it was permitted non-consensual collection because tapes would only be viewed in context of an investigation

Application was de novo, and OPC report not given much deference

116
Q

Blood Tribe Case

A
  • Individual made request to Blood Tribe for info, OPC sought info during investigation
  • COURT: OPC does not have the power to compel the production of documents covered by solicitor-client privilege, and cannot even ask an org to otherwise prove that a doc is privileged
117
Q

Contesting OPC Finding - Accusearch

A

Accusearch (ABIKA) brought to court - applicant felt OPC was wrong that they had no jurisdiction over an American org collecting info on Canadians.

Court: OPC did have jurisdiction; concerns about ineffectiveness were irrelevant; OPC required to prepare a report, barring the application of certain exemptions

118
Q

Authentication Guidelines

A
  • Authenticate based only on the risks associated with not authenticating
  • Know the individual and choose the correct level of authentication
  • Regularly reassess risks and deploy risk mitigation measures
  • Keep vigilant in relation to “risk creep”
  • monitor any attempted attacks
  • give individuals choice
119
Q

Model Codes - Generally Accepted Privacy Principles

A

Promulgated by AICPA and CICA
1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use and Retention
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement

120
Q

Decisions to Appeal Public-Sector Entity Decision

A
  • Denial of access
  • Disagreement with fee
  • Deemed refusal
  • Advice that extension beyond 30 days is necessary
  • Denial of request for correction
  • Someone requesting applicant’s personal information
121
Q

The Privacy Act - Collection

A
  • Collect if info relates to an operating program or activity
  • No need for data subject consent
  • Obligation to collect directly from the individual except where this is impossible, the individual has authorized indirect collection, or collection is pursuant to one of the exceptions
122
Q

Administrative Purpose

A

Use of the information in a decision-making process that directly affects that individual

123
Q

The Privacy Act - Use

A

Use requires consent, unless the info is being used for the purpose for which the information was obtained or compiled

124
Q

The Privacy Act - Disclosure

A

Must not disclose PI without consent, with 13 exceptions
- for the purpose for which the info was obtained
- for any purpose in accordance with an Act of Parliament
- complying with subpoena
- to the AG for legal proceedings
- to an investigative body
- under agreement between feds and provinces/foreign states
- to a member of Parliament for assisting an individual
- internal audit
- Library and Archives
- research or statistical purposes
- any aboriginal government
- for purpose of locating individual to collect a debt
- any purpose where public interest outweighs invasion of privacy

125
Q

The Privacy Act - Consistent Use - Revenue Canada

A

CRA released info on travelers to the Canada Employment and Immigration Commission to catch people receiving EI while out of the country
FCA - breadth of Section 8(2) demonstrated a clear intention on the part of Parliament to allow many non-consensual disclosures

Later, tribunal could not release PI in forms/transcripts for use in separate hearings

126
Q

The Privacy Act - Info in Info Source

A
  • Description of class of individuals
  • Name of gov’t institution
  • title and address of the person to whom requests should be made
  • statement of purpose of PI collection and uses consistent with those purposes
  • Details of the retention and disposal standards
127
Q

Right of Access - Denials

A
  • PI obtained in confidence from foreign state
  • Fed-Provincial Affairs would be injured
  • Injury to international affairs or national security
  • Less than 20 years old and relates to the enforcement of laws
  • injury to enforcement of laws
  • Injury to security of a penal institution
  • PI collected by RCMP performing police services
  • Release of PI would reveal snitch identity
  • disruption of parole program
  • threaten the safety of individuals
  • PI of someone other than the requestor
  • subject to S-C privilege
  • Contrary to requestor’s interest considering the particular physical or mental health
128
Q

The Privacy Act - Exempt Banks

A

Personal information holdings consisting of PI obtained by investigative bodies in the course of lawful investigations pertaining to the enforcement of law

129
Q

The Privacy Act - Retention

A

The Act itself contains no obligation to properly safeguard and retain personal information, but the regulations state that info shall be retained for at least 2 years following the last time the personal information was used for an administrative purpose

130
Q

Privacy Commissioner

A
  • Broad powers of investigation
  • can only recommend solutions to gov’t institutions that have been found to be noncompliant
  • if an individual erroneously denied access to personal information, commissioner may proceed to federal court for determination of whether or not info was properly withheld
  • prereq - commissioner must complete the investigation and issue a report
131
Q

Privacy Commissioner - No Fly List

A

Commissioners asked
- Gov’t refer the program to Parliament so it could be publicly debated
- Enact clear legislation setting out criteria
- Confer an appropriate oversight body

132
Q

Video Surveillance Guidelines

A
  • Exceptional step, taken only in absence of less privacy-invasive alternative
  • public advised that surveillance is happening
  • right of individuals to have their personal info respected
  • subject to independent audit and evaluation
  • FIP respected
133
Q

Body-Worn Cameras

A
  • inform public of program
  • notify individuals when recording takes place
  • safeguard recordings
  • training and accountability processes
  • respond to civilian requests
  • minimize recording of innocent civilians
  • protect for secondary uses (training and performance evaluation)
134
Q

Federal versus Provincial Approaches

A
  • Provinces have concept of “unreasonable invasion of privacy” to have greater protection for some types of info and less for others
  • BC and Nova Scotia place significant restrictions on public body transfer of information out of that jurisdiction
  • Most provinces give commissioners the power to issue orders
135
Q

Privacy Act - Needed Updates

A
  • New technologies
  • Written before development of Fair Information Practices
  • Does not require same degree of openness and transparency
  • fails to address transborder data flows
  • should have accountability when outsourcing
  • greater recourse to federal court or order-making power
136
Q

Digital Charter - 10 Principles

A

Not a legal document, principles have no enforceable effect

137
Q

OPC 2018-2019 Report

A
  1. Public Sector adopt principles of “necessity and proportionality”
  2. Strengthen enforcement mechanisms
  3. Demonstrable accountability
138
Q

PIA - Privacy Impact Assessments

A

Must be commensurate with the level of risk;
must be conducted whenever a new program is created or an existing program is changed

Org that fails might not get required approvals from the Treasury Board