Privacy Study Cards Flashcards
1
Q
Definition: in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating: (i) an employment relationship; or, (ii) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.
A
personal employee information
2
Q
Definition: information about an individual that is related to that individual’s position, functions and/or performance of their job.
A
Work-product information
3
Q
Which principle: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
A
Accountability
4
Q
Which principle: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
A
Identifying Purposes
5
Q
Which principle: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
A
Consent
6
Q
Which principle: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
A
Limiting Collection
7
Q
Which principle: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
A
Limiting Use, Disclosure, and Retention
8
Q
Which principle: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
A
Accuracy
9
Q
Which principle: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
A
Safeguards
10
Q
Which principle: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
A
Openness
11
Q
Which principle: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
A
Individual Access
12
Q
Which principle: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
A
Challenging Compliance
13
Q
Which principle: This principle also requires an organization to appoint individuals with primary responsibility for privacy protection and goes further by making organizations responsible for the personal information over which they have either custody or control.
A
Accountability
14
Q
Which principle: An organization must implement procedures that protect personal information, establish procedures to receive and respond to complaints or questions, train staff, and be transparent about all these procedures and practices. More often than not, these obligations culminate in the drafting and posting of a privacy policy.
A
Accountability
15
Q
Definition: Information that is more significantly related to the notion of a reasonable expectation of privacy. E.g. Medical or financial information and pieces of information that, if procured by the wrong individuals, could result in serious cases of identity theft.
A
Sensitive personal information
16
Q
Definition: Exercises performed internally or by independent third parties to ensure that an organization holds personal information in compliance with the various privacy obligations to which the organization may be subject and with internal privacy standards established by the organization, such as commitments specified in an online privacy notice for customers.
A
Privacy audits or assessments
17
Q
Definition: the appropriate level of security applicable to the sensitivity of the personal information
A
data classification
18
Q
Which principle: This principle is almost single-handedly responsible for the proliferation of privacy policies in the last several years.
A
Openness
19
Q
Which principle: This principle requires organizations to make readily available to individuals specific information about their policies and practices relating to the management of personal information.
A
Openness
20
Q
Which principle: Organizations must be able to respond to requests from individuals for access to their personal information. This principle incorporates such obligations as the requirement to inform individuals of the existence, collection, use and disclosure of personal information. Moreover, if an individual reviews their information and finds inaccuracies, the organization must be prepared to record this appropriately.
A
Individual Access
21
Q
Are insurance companies and credit unions subject to PIPEDA?
A
No - they are not federal works.
22
Q
Seven statutes that are “substantially similar” to PIPEDA
A
Alberta’s Personal Information Protection Act (“Alberta PIPA”)
British Columbia’s Personal Information Protection Act (“BC PIPA”)
Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“the Quebec Act”)18
Ontario’s Personal Health Information Protection Act of 2004 (PHIPA)
New Brunswick’s Personal Health Information Privacy and Access Act (PHIPAA), with respect to personal health information custodians
Newfoundland and Labrador’s Personal Health Information Act (PHIA), with respect to personal health information custodians
Nova Scotia’s Personal Health Information Act (PHIA), with respect to health information custodians
23
Q
If an insurance party has to step in to defend a lawsuit as part of its obligations to the insured, is the information collected by the insurance company in the defence of the litigation considered information subject to PIPEDA’s obligations?
A
No
24
Q
Is information-gathering in preparation for a civil tort action the type of commercial activity contemplated by PIPEDA, even when third parties, such as private investigators, are used to collect the personal information?
A
No
25
If a physician conducts an independent medical examination on an individual on behalf of an insurance company for the purpose of processing a claim for insurance benefits, is the information collected subject to PIPEDA's obligations?
Yes
26
Does PIPEDA apply to charities if those charities sell or rent donor lists across boundaries?
Yes
27
For the most part, does PIPEDA apply to nonprofit associations (including unions) and private schools?
No - but the emphasis is on the nature of the transaction rather than the nature of the enterprise.
28
What is the two-part test for determining whether PIPEDA applies to private schools? i.e. whether the school operates as a "commercial activity"
1. What is the core activity of the institution? If the core activity is educational services, then the activities are presumed to not have a “commercial character.”
2. The presumption against “commercial character” is rebutted if one of the objectives of the institution is to earn a profit for its owners.
29
In Schedule I to PIPEDA, where the Schedule suggests an organization adhere to some standard through the use of the word should, is the organization obliged to follow that standard?
No, except for when they are modified by Sections 6 to 9 of PIPEDA
30
How do Sections 6 to 9 of PIPEDA modify Schedule I to make a standard mandatory?
PIPEDA makes it mandatory that an organization collect, use and disclose personal information only with consent.
31
PIPEDA requires organizations to collect, use or disclose personal information only for purposes that ___.
a reasonable person would consider appropriate in the circumstances
32
Do organizations in litigation with individuals need to respond to requests for access to personal information.?
Yes - the obligation to provide access to personal information cannot be circumvented by the fact that an organization is involved in litigation with the same individual.
33
True or False: The OPC has extensive powers of investigation that include the power to subpoena and compel the giving of evidence. In pursuit of an investigation of a complaint, at any reasonable time it may enter any premises occupied by an organization.
True
34
Does the OPC have the power to insist on seeing a document subject to solicitor-client privilege?
No - the OPC should not even ask the organization to otherwise prove that a document was privileged.
35
True or False: The commissioner must provide notice to the parties indicating that the OPC has declined to investigate or has discontinued an investigation.
True
36
True or False: The OPC has the discretion to reconsider a decision to decline an investigation where there are compelling reasons.
True
37
Is the OPC's investigation report binding on the organization?
No
38
If an organization does not implement the recommendations contained in the OPC's investigation report, can the OPC enforce the implementation of the recommendations?
Yes - the OPC can apply to the federal court to request a court order enforcing the implementation of the recommendations.
39
If an organization does not implement the recommendations contained in the OPC's audit report, can the OPC enforce the implementation of the recommendations?
No - the OPC cannot apply to the federal court to request a court order enforcing the implementation of the recommendations.
40
True or False: Consent is considered valid only if it is reasonable to expect that individuals to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
True
41
Under PIPEDA, is consent required for the collection, use or disclosure of personal information where necessary to establish, manage or terminate an employment relationship in federally regulated workplaces?
No
42
Under PIPEDA, can personal information produced by an individual in the course of an individual’s employment, business or profession be collected, used or disclosed without the individual’s consent?
Yes
43
Does entering into a compliance agreement preclude the OPC from commencing or continuing a court application under PIPEDA with respect to any matter covered by the agreement?
Yes, but if an organization fails to live up to commitments in an agreement, the OPC could, after notifying the organization: (1) apply to the court for an order requiring the organization to comply with the terms of the agreement, or (2) commence or reinstate court proceedings under PIPEDA, as appropriate.
44
Can the OPC make public any information that comes to its knowledge in the performance or exercise of its duties or powers under the PIPEDA if it deems that doing so is in the public interest?
Yes
45
Under Alberta PIPA and BC PIPA, can employee personal information be collected without consent if the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual?
Yes
46
Is the term "work product" used or defined in PIPEDA?
No - but, the OPC has issued guidance on work product, deeming personal information that may be work product as subject to the act.
47
Does PIPEDA distinguish between regular personal information and employee-related information or work-product information?
No
48
Does the Privacy Act distinguish between regular personal information and employee-related information or work-product information?
Yes - the Privacy Act does carve out some employment- and work-product-related information from the definition of personal information.
49
Under PIPEDA, does the OPC deem personal information that may be work product as subject to the act?
Yes - the OPC suggests work-product issues be addressed on a case-by-case basis.
50
Is the term "work product" used or defined in Alberta PIPA?
No
51
Is the term "work product" used or defined in BC PIPA?
Yes - work product is specifically excluded from “personal information” treatment, thereby removing this information from protection under the act.
52
A body enacted pursuant to an act under which a professional or occupational group or discipline is organized, and that provides for the membership in and the regulation of the members of the professional or occupation group or discipline, including the registration, competence, conduct, practice and discipline of its members.
Professional Regulatory Body
53
Does Alberta PIPA allow organizations to establish personal information codes and thereafter abide by the code instead of all the obligations imposed by PIPA?
Yes - a code is defined as a set of rules governing the collection, use and disclosure of personal information in a manner that is consistent with the purposes and intent of the Alberta PIPA.
54
True or False: Organizations subject to the Alberta PIPA are required to notify the OIPC of Alberta when a privacy/security breach results in a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure of their personal information.
True
55
True or False: A difference between the federal and provincial commissioners (BC, AB, Quebec) is that the provincial commissioners have the power to order an organization to take an action.
True (of course, under PIPEDA, the federal commissioner only has the power to recommend that an organization take an action (and later try to take the organization to federal court if the organization refuses to implement the recommendation).
56
Advocates for the recommendation-only model to enforcement of OPC investigation reports believe the proper approach to privacy compliance is more easily achieved through a less adversarial, less formalistic model. Often, this is referred to as the ______ model.
Ombudsperson
57
Under the Quebec Act, organizations are called ______ and disclosures are referred to as ______.
1. enterprises
| 2. communications
58
What are the two exceptions to the application of the Quebec Act?
1. personal information held by public bodies
| 2. personal information held as journalistic material
59
Is the Quebec Act limited to the collection, use and disclosure as part of commercial activity?
No
60
Does the Quebec Act apply to labour unions, lawyers, physicians and certain associations?
Yes
61
True or False: CASL applies to nonprofit organizations and registered charities.
True, but there are exemptions under the Income Tax Act.
62
True or False: Under CASL, express consent must be obtained through an opt-in mechanism, as opposed to opt-out.
True
63
Every CEM must contain a functional unsubscribe mechanism that enables the recipient to unsubscribe at no cost. This must include an unsubscribe link that is functional for a minimum of ___ days. Unsubscribe requests must be processed without delay, and in no event, more than ___ days after the request has been made.
1. 60
| 2. 10
64
Which government institution enforces CASL?
CRTC
65
The CRTC can impose administrative monetary penalties (AMPs) for violations of CASL of up to $___ per violation for individuals and $___ per violation for other persons (or businesses).
The largest fine that can be issued under PIPEDA is $___ for the failure to meet breach notification requirements.
1. $1 Million
2. $10 Million
3. $100,000
66
Can implied consent of an owner or authorized user of a computer system be obtained before installing, or causing to be installed, a computer program on that individual’s device?
No - consent must be express
67
Under the Competition Act, which of the following include a materiality requirement:
- sender information
- subject matter information (e.g., an email subject line),
- locator information (e.g., a URL)
- content of an electronic message
content of an electronic message
68
Does the sharing of information with a third-party service provider constitute a “use” for the purposes of PIPEDA?
Yes
69
Under PIPEDA, organizations must keep and maintain a record of every breach of security safeguards involving personal information under their control and produce the record to the OPC upon request. To satisfy the record-keeping requirements, organizations must maintain a record of every breach of security safeguards for a period of ____ after the day on which the organization determines the breach has occurred.
24 months
70
Which case stands for the principle that PIPEDA allows an organization to abide by the legitimate laws of other countries in which it operates, and an organization may disclose personal information without knowledge or consent in response to a subpoena issued by a court, person or body with jurisdiction to compel the production of information.
SWIFT
71
Which case stands for the principle that organizations operating in and connected in a substantial way to Canada are subject to PIPEDA. If organizations cross into Canada to collect, use or disclose personal information, they must abide by PIPEDA. Simply because an organization might operate in two or more jurisdictions will not alleviate it of its obligations to comply with Canadian law.
SWIFT
72
In which case did the commissioners conclude that while names and credit card information were necessary for transacting business as a retailer, the collection of driver’s license numbers were seen as irrelevant to any legitimate purpose of the retailer.
TJX (Winners, Homesense)
73
Which year was this case: In practice, Facebook had been providing personal information to third-party application developers without users’ “meaningful consent,” relying instead on permissive preset privacy settings. In addition, the CIPPIC contended that Facebook was not meeting its obligations to inform users about the type of information being collected, how that information was being used, or how personal information was affected by the default privacy settings.
Facebook: 2008
74
Which year was this case: The complainant had visited sites to research medical devices to treat his sleep apnea, resulting in cookies being placed on his browser and subsequently triggering ads for sleep apnea devices when he visited sites that utilized Google Ads. Google’s privacy policy stated that cookies would not be associated with sensitive categories like health information. In a joint investigation with the U.S. Federal Trade Commission (FTC), the OPC identified several shortcomings in Google’s systems for monitoring compliance with its policies, and, as a result, Google committed to providing additional information to advertisers, increasing monitoring for possible violations of its policies, offering more training to its staff, and upgrading its automated review system.
2013
75
Which year was this case: The OPC launched an investigation into Google’s allegedly inadvertent collection of data from unsecured Wi-Fi networks as camera cars documented street images for Google’s mapping services over the course of several years. Similar to the data protection violation in the Facebook decision, Google had gathered personal information in excess of the purpose for which it was being collected and had failed to provide adequate disclosure or solicit consent from the data subjects.
2010
76
Which case and year was this: The OPC complaint alleged that ____ was collecting, using, disclosing and retaining the personal information of children without adequately explaining its purpose or obtaining appropriate consent, contrary to its obligations under PIPEDA. The information was shared with third-party advertisers to track and profile children for targeted online behavioral advertising.
The OPC issued 11 recommendations including:
1. Communicating to children the importance of involving their parents in the registration
2. Obtaining parental consent
3. Using language appropriate to the site’s user base
Ganz: 2012
77
In 2013, the OPC investigated allegations that Apple used and shared personal information in the form of unique device identifiers (UDID) for tracking purposes, without the knowledge and consent of the individual. (Prior to sale, Apple assigned a UDID to each of its devices.) Apple contended that the UDIDs were not personal information because they alone could not be used to identify a user. Did the OPC agree?
No - Apple ID account details for every device user were accessible by Apple. Therefore, the UDIDs were considered to be personal information. Furthermore, the UDIDs were disclosed to third-party app developers for targeted advertising purposes. The OPC concluded that, when used in this way, UDIDs are to be considered sensitive personal information due to their potential to be used to create detailed user profiles.
78
In 2013, the OPC received complaints that the operator of Globe24h.com (“Globe24h”) had collected, used and disclosed personal information for inappropriate purposes and without consent. Specifically, Globe24h republished court decisions containing personal information on its website, allowing the information to be indexed by search engines and charging a fee for its removal. What did the OPC conclude with respect to Globe24h's purposes for republishing the information?
The OPC concluded that Globe24h’s purposes for republishing the information were not ones that a reasonable person would consider to be appropriate in the circumstances.
79
In August 2014, Bell announced the launch of RAP, a targeted advertising initiative that involved the tracking of internet browsing habits, app usage, TV viewing, and calling patterns of its customers. The data would then be combined with demographic and account data to create highly detailed, and sensitive, profiles for third parties to use in delivering targeted advertisements to Bell’s customers for a fee. Did Bell’s opt-out process fully respect individual choice on whether or not to participate in the program?
No
80
What were the three issues in the Equifax case?
1. safeguards
2. accountability
3. consent for the transfer of personal information from Equifax Canada to Equifax Inc. in the United States.
81
In 2018, it was revealed by a Competition Bureau investigation that Loblaws had been colluding with other market actors to fix the price of bread. In response, Loblaws offered its customers a $25 Loblaw card that could be used in its stores. As part of its process to determine each card was going to an eligible individual, it asked for either a utility bill or a copy of the individual’s driver’s license. One affected individual made a complaint to the OPC, alleging what two issues? Were they well founded?
1) the information contained in these documents was broader than what Loblaws actually required for its purposes - well founded. Loblaws ought to have specifically informed its customers that they could submit the ID in redacted form with some of the information removed.
2) the information was being inappropriately shared with program administrators in the United States - not well founded. Loblaws’ contractual provisions were sufficiently detailed, and its use of the information was within the use explained to its applicants. Loblaws was also sufficiently transparent about the cross-border transfers through its written communications with applicants for the Loblaws card.
82
What were the four issues in the Facebook: 2019 case?
1. Facebook failed to obtain the valid and meaningful consent of its installing users
2. Facebook failed to obtain meaningful consent from friends of installing users
3. Facebook had inadequate safeguards to protect user information
4. Facebook failed to be accountable for the user information under its control
83
In the Eastmond case, the federal court outlined the test to be used when determining if an organization meets the overriding obligation in PIPEDA to be reasonable when an organization decides to install video cameras. This test, or slight variations of it, is now used in most cases dealing with whether an organization meets the overriding obligation to be reasonable when collecting personal information. The test asks four questions:
1. Is the collection of the personal information necessary to meet a specific need of the organization?
2. Is the collection likely to be effective in meeting this specific need?
3. Is the loss of privacy caused by the collection of personal information proportional to the benefit gained?
4. Is there a less privacy-invasive way of achieving the same end?”
84
In the Eastmond case, did the federal court come to the same conclusion as the OPC?
No - the federal court held that because a tape would only be viewed in the course of an investigation of wrongdoing, the exception in PIPEDA that allows for nonconsensual collection of personal information in instances where the organization is conducting such an investigation would apply.
85
Are court applications heard under PIPEDA de novo? Is deference given to the OPC's decision?
Yes - they are de novo which can result in a significantly different set of arguments and evidence being put before the court than those presented before the OPC. In addition, the OPC’s report is not to be given much deference, if any at all, because the proceeding is de novo. The court will accept the OPC’s report and admit it into evidence, but ultimately, how much attention the report receives will be left up to the judge hearing the case.
86
Which case stands for the principle that solicitor-client privilege limits the OPC’s attempts to conduct an investigation by prohibiting access to documents that are subject to solicitor-client privilege.
The Blood Tribe Case
87
In which case did the court rule that the OPC had jurisdiction under PIPEDA to investigate a complaint relating to the transborder flow of personal information and further find that the location of the website and the geographical jurisdiction in which the organization was incorporated was not all-controlling, given that the collection and communication of private information occurred in both Canada and the United States.
Accusearch (ABIKA) - this case was decided by the court about half a year before the OPC conducted the investigation in the SWIFT matter; this case was instrumental in helping the OPC decide there was jurisdiction over SWIFT.
88
In Globe24h, what test did the court apply to determine the extraterritorial application of Canadian laws? Did the court find that extraterritorial application of Canadian law applied?
The test for the extraterritorial application of Canadian laws is whether the conduct in question has a “real and substantial” connection to Canada.
The court concluded that it did, because Globe24h presented information copied from Canadian websites and targeted and advertised its product toward a Canadian audience and because the impact of the website’s activities was felt by Canadians.
89
Under the Privacy Act, Access to Information Act and the provincial counterparts, public entity must respond to requests for access to information within ___ days.
30 days.
90
The Privacy Act requires government institutions to collect personal information only if the information relates directly to ____.
an operating program or activity of the institution.
91
Under the Privacy Act, is there a need for data subject consent prior to the collection of personal information?
No
92
"_______," in relation to the use of personal information about an individual, means the use of that information in a decision-making process that directly affects that individual.”
Administrative purpose
93
Under the Privacy Act, if an institution discloses personal information to an investigative body without consent, the institution must keep a record of that disclosure for a period of ____.
2 years
94
Under the Privacy Act, government institution must publish yearly all the personal information banks maintained by the institution. This publication is called _____.
Info Source
95
Under the Privacy Act, which type of personal information is completely inaccessible? (i.e. in an exempt bank)
Information that was obtained or prepared by any government institution or part of any government institution that is an investigative body in the course of lawful investigations pertaining to the enforcement of any law of Canada or a province. Whenever an institution does employ exempt banks, the privacy commissioner will audit use of the bank.
96
Under the Privacy Act (not the Regulations), is there a requirement to properly safeguard and retain personal information?
No
97
Under the regulations to the Privacy Act, how long is the requirement to retain personal information?
At least 2 years following the last time the personal information was used for an administrative purpose unless the individual consents to its disposal.
98
Which Act creates the OPC?
Privacy Act
99
With one exception, at the end of a complaint’s investigation, the commissioner may only recommend solutions to government institutions that may have been found to be noncompliant with the Privacy Act. What is the exception?
If the commissioner finds that the government institution erroneously denied access to personal information being requested. In such instances, the commissioner (as well as the requestor) may proceed to the federal court for a determination of whether or not the information was properly withheld from release. In fact, the individual requestor is always free to begin such a court application—even in instances where the commissioner agrees with the institution’s withholding of the personal information. The only prerequisite to commence the court application is that the commissioner must complete the investigation and issue a report.
100
Of the two approaches, which is the federal (i.e. Privacy Act) and which is the provincial in respect of protecting public sector privacy interests?
1. This approach relies solely on a broad definition of personal information. The notion of an invasion of privacy is mentioned only once with respect to a single instance where the disclosure of personal information without consent is permitted.
2. This approach is to protect the vast array of data that is included in the definition of personal information in some instances, but in other cases to afford less protection to that personal information if it does not merit a reasonable expectation of privacy. This is particularly the case when dealing with the protections relating to the disclosure of personal information. This approach often allows the nonconsensual disclosure of personal information if the release of the information would not result in an unreasonable invasion of privacy.
1. Federal (Privacy Act)
| 2. Provincial
101
Partly in response to the USA PATRIOT Act and a foreign entity’s search and seizure laws, which two provinces place significant restrictions on a public body’s transfer of personal information outside of their respective jurisdictions?
BC and Nova Scotia
102
Which fair information principle is absent from the Privacy Act?
Limiting collection of personal information except when necessary.
103
Does the Privacy Act require openness of policies to the same degree as PIPEDA?
No - individuals seeking information regarding how their personal information is collected, used or disclosed by a government institution must navigate a legacy 1983 InfoSource system.
104
Does the Privacy Act make clear that when outsourcing government work, the government institution remains accountable for personal information which remains under its control?
No
105
The federal government requires all government institutions subject to the Privacy Act to conduct privacy impact assessments (PIAs). Under the Directive on Privacy Impact Assessment, an important addition to the PIA framework is that an assessment need only be “______” with the level of risk at hand.”
commensurate - where risk is low, an assessment does not need to be as extensive as where risk is high.
106
Before the Directive on Privacy Impact Assessment came into force in 2010 were PIAs required?
No. However, the 2010 Directive clearly stipulates that PIAs must be performed for all proposals and new programs that raise privacy issues. Moreover, any substantial redesign of an existing program or service must also go through a PIA.
107
Does the 2010 Directive on Privacy Impact Assessment apply to the development of new legislation?
No
108
What is the one and only real enforcement mechanism that forces government institutions to comply with conducting adequate PIAs?
Without a completed PIA, the program or service is at risk of not receiving the required approvals from the Treasury Board of Canada.
109
Definition: an activity that involves comparing personal data obtained from a variety of sources, including personal information banks, to make decisions about the individuals to whom the data pertains.
Data matching
110
Definition: the collection, analysis, measurement and reporting of data about web traffic and user visits for the purpose of understanding and optimizing web usage.
Web analytics
111
Under the Privacy Act, if personal information is to be subject to a contract by which the management of a government program or service is outsourced to a company, the government institution must evaluate what three risk factors?
1. The sensitivity of the personal information
2. The expectations of the individuals to whom the personal information relates
3. The potential injury if personal information is wrongfully disclosed or misused
112
Which two provinces have decided to address the issue of outsourcing through the enactment of specific legislation (as opposed to the federal approach to provide policy guidance on what to consider when the personal information may be subject to the reach of a foreign jurisdiction)?
British Columbia and Nova Scotia
113
Does the Privacy Act restrict the processing of personal information by a third party located outside of Canada?
No
114
True or False: Although there are several specific exceptions, the general rule for public bodies in Nova Scotia is that personal information must be stored in Canada and accessed only in Canada.
True
115
Which two provinces do not have their own laws dealing specifically with health information privacy?
Nunavut and Quebec
116
What are the three names of health sector participants that are caught by the provincial health laws?
1. Trustees
2. Custodian
3. Health information custodian
117
Which province's health law designates a patient database as a “health information bank” into which patient data is to be submitted?
BC
118
______ enable custodians to share personal health information through electronic means by providing them with IT services.
Health Information Network Providers (HINPs)
119
What is the general definition of personal health information in provincial health laws?
any information concerning an individual’s physical and mental health
120
True or False: Each provincial health law provides that if information is truly anonymized or deidentified, it is not protected by the law.
True
121
True or False: Where a provincial health privacy statute has not been declared to be substantially similar to PIPEDA, the healthcare provider is expected to comply with both statutes.
True
122
One common theme among provincial health laws is that consent must be ____.
meaningful
123
True or False: In provincial health laws, generally, the rule is that the individual will be deemed to have implicitly consented to the collection, use and disclosure of their information within their circle of care (e.g. an individual’s substitute decision-maker, another health information custodian, or a religious or other organization with which the individual is affiliated).
True
124
True or False: In provincial health laws, consent will be implied if the disclosures will be made to noncustodians or to other custodians outside the circle of care.
False
125
Under provincial health privacy statutes, when are custodians required to notify the privacy commissioner in case of a breach?
Where a custodian reasonably believes there has been a material breach involving the unauthorized collection, use or disclosure of personal health information.
The obligation to notify includes any instance where health information is handled in a way that does not conform to the custodian’s published policy statement on its information-handling practices.
126
True or False: Generally, the provincial health laws do not strictly adhere to the same standards as PIPEDA in terms of an organization’s obligation to develop comprehensive privacy policies and make them accessible (i.e. openness).
True
127
Which act bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services or entering into a contract?
Genetic Non Discrimination Act
128
True or False: Under PIPEDA, an insurance company must receive consent from an individual before it can collect or use their genetic test results for underwriting purposes.
True
129
In addition to the 27 EU member states, the GDPR also applies to which four other countries?
Iceland, Liechtenstein and Norway (part of the European Economic Area (EEA)) and UK until Brexit.
130
What is the name of the EU authority that oversees specific privacy issues and comprises data protection authorities (DPAs) from the various member states?
European Data Protection Board (EDPB)
131
What is the name of the EU counterparts to the roles played by the federal and provincial privacy commissioners in Canada?
Data Protection Authorities (DPAs)
132
What are the two things that the GDPR applies to?
Any controller or processor of EU citizen data
133
True or False: The GDPR applies to any controller or processor of EU citizen data, regardless of where the controller or processer is headquartered and where the actual processing takes place (even if that is outside the EU).
True
134
Under the GDPR, which term has the following meaning: “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”
controller
135
Under the GDPR, which term has the following meaning: “the natural or legal person, public authority, agency or any other body which alone or jointly with others which processes personal data on behalf of the controller.”
processor
136
True or False: While the Directive allowed controllers to rely on implicit and opt-out consent in some circumstances, the GDPR requires the data subject to convey agreement by either an express statement or a “clear affirmative act."
True
137
True or False: Under the GDPR, the standard of unambiguous affirmative consent (e.g. ticking a box on a website) is inadequate for the processing of any of the special categories of personal data; such sensitive personal data requires explicit consent from the data subject.
True
138
Under the GDPR, what is the minimum age at which a person must get parental consent?
Children under the age of 16 must get parental approval to give consent. This requirement, however, is at the discretion of each member state to some degree. The GDPR allows a member state to pass a law to lower this age limit from 16, though it cannot be lower than 13.
139
What case led the EU to codify the "right to erasure" (stemming from the "right to be forgotten")?
Google Spain
140
Under the GDPR, what are the two situations where the right to erasure automatically applies?
1. If the data was collected when the data subject was still a child in need of parental consent
2. The data collected falls into one of the special categories of sensitive personal information, even if the data has already been made public.
141
True or False, Under the GDPR, notification of a data breach is not required if the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
True
142
Under the GDPR, what is the time period by which data controllers must notify the appropriate supervisory authority of a data breach?
72 hours
143
Definition under the GDPR: any form of automated processing of personal data evaluating the personal aspects relating to a natural person.
profiling
For an activity to constitute profiling, it must involve more than mere tracking; not only does such personal data have to be gathered, but the automated processing of that data must be for the purpose of making decisions about the data subject(s).
144
Which principle is this: The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, this principle has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
Accountability
145
Which Act is this: This Act came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.
Act Respecting the Protection of Personal Information in the Private Sector (Quebec Act)
146
A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures ___________ by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.
An Adequate Level of Protection
147
Under the Fair Credit Reporting Act, the term “____” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion.
adverse action
No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.
148
A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.
Alberta PIPA
149
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust
American Institute of Certified Public Accountants
150
This organization focuses on the economic development of the Asia-Pacific region and consists of the following countries: Australia, Brunei Darussalam, Canada, Chile, the People’s Republic of China, Hong Kong, Indonesia, Japan, the Republic of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, Philippines, Russia, Singapore, Chinese Taipei, Thailand, the United States, and Vietnam.
Unlike the EU and its mandatory “Directive” approach, this organization works as a cooperative by coming to terms on nonbinding agreements. The purpose behind this organization is the enhancement of economic growth for the region.
The Asia-Pacific Economic Cooperation (APEC)
151
True or False: China’s Cybersecurity Law requires that organizations processing personal information of Chinese citizens and information related to national security or both to store data within China.
True
152
What is the major contrast between U.S. and international approaches (EU and Canada) to marketing communications?
Choice - in the EU and in Canada, laws generally require the consumer to opt in to marketing programs, while in the United States, the laws generally provide for opt-out choice.
153
What US program is responsible for the creation of the National Do Not Call Registry?
Telemarketing Sales Rules (TSR)
154
What is the difference between unfair trade practices and deceptive trade practices?
There is no intent requirement for deceptive trade practices.
155
True or False: If the company is subject to any part of the Canada Labour Code, it is probably a federal work, undertaking or business.
True
156
Which two of the following are not subject to PIPEDA:
- inter-provincial or international transportation by land or water
- insurance companies
- airports, aircraft or airlines
- telecommunications
- radio and television broadcasting
- banks
- credit unions
- grain elevators
- nuclear facilities
- offshore drilling operations
- insurance companies
| - credit unions
