CIPP/C Flashcards

Question

What is the common theme for consent across provincial healthcare laws?

Answer 1

Consent must be meaningful

Answer 2

Private sector organizations collecting, using or disclosing information that is: (1) in the course of a commercial activity, OR (2) about an employee of the organization in connection with the operation of a federal work, undertaking or business

Answer 3

Public sector institutions (Privacy Act or similar applies) Personal or domestic purposes Journalistic, artistic, or literary purposes When there is a provincial law that is "substantially similar" to PIPEDA

Answer 4

Knowledge and consent

Answer 5

Applies to all Commercial Electronic Messages that are (1) sent by or accessed from a computer system in Canada, or (2) sent into Canada Applies to non-profits and charities

Answer 6

Record-keeping Identification Unsubscribe mechanism

Answer 7

Canadian Radio-Television and Telecommunications Commission (CRTC)

Answer 8

Sender and recipient have an existing business relationship. Sender and recipient have an existing non-business relationship Recipient has conspicuously published their email address on a website and did not express they do not wish to receive messages Recipient has disclosed their email address directly to the sender and did not express they did not wish to receive messages

Answer 9

Personal or family relationships Inquiry about a product or service offered by the recipient Quote or estimate provided upon request Ongoing subscription or membership information Information related to an employment relationship or benefit plan

Answer 10

Demonstrate consent CASL compliance Unsubscribe requests

Answer 11

Must be functional, simple, free and quick | Must be processed within 10 days

Answer 12

Privacy Act and PIPEDA

Answer 13

Privacy act | Access to Information Act

Answer 14

Broad. Includes 9 examples under the act: Info relating to the race, ethnic origin, color, religion, age, or marital status; Info relating to educational, medical, criminal, employment history, or financial transactions the individual has been involved in; Number, symbols or other particulars Address, fingerprints or blood type Opinions or views except when they are about another individual Private correspondence between an individual and government institution Views or opinions of another about the individual Views or opinions of another in regard to a grant or award (except when naming someone else)

Answer 15

Information must be related to the operating program of the institution Consent is NOT required Institution must be able to demonstrate information is a necessity

Answer 16

Either (1) with consent, or (2) without consent in these situations: For the purposes for which the information was obtained or compiled by the institution or for a use consistent with that purpose; For any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes the disclosure For the purpose of complying with a subpoena or court order; To the AG of Canada for use in legal proceedings involving the Canadian Government; To an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province caring out lawful investigation Under agreement between the government of Canada and the government of a province, foreign government, international organization, etc. for the purpose of administering or enforcing any law or carrying out a lawful investigation; To a member of parliament for purpose of assisting the individual to whom the information relates in resolving a problem; To officers or employees of the institution for internal audit purposes To the library of archives of canada for archival purposes To any person or body for research or statistical purposes with permission from the head of the government institution NOTE: If consent is not obtained, records must be kept

Answer 17

If future use is consistent with the purpose for which the government collected it, then it can be disclosed without consent

Answer 18

Not much. Government institutions must publish information about their Personal Information Banks in the INFO SOURCE

Answer 19

Reasons for denial include: Obtained in confidence from foreign state who is insisting on nondisclosure Reasonable expectation of injury, national defense, etc. Info is less than 20 years old and may pose security threat Info collected by Police Reveals identity of an informant Disrupts parole release program Information threatens safety of others Attorney-client privilege Health info

Answer 20

Provincial FIPPAs BOTH provide access to the information and protect privacy

Answer 21

Federal government requires via policies that institutions under the Privacy Act conduct PIAs. "Directive on Privacy Impact Assessments" (by Treasury Board)

Answer 22

All new proposals and programs; | any re-designs of existing programs and services

Answer 23

``` Collection authority Direct collection, notification and consent Retention Accuracy Use Disclosure Administrative, physical and technical safeguards Technology and privacy issues ```

Answer 24

The Standard on Privacy and Web Analytics Applies to the government’s use of web analytics (institutions subject to the privacy act) Requires privacy notices on websites, maximum retention periods, and strict privacy protective language in 3rd party contracts; depersonalization or anonymization tools Failure to comply may result in additional reporting by Treasury board of Canada

Answer 25

Any information concerning an individual’s physical and/or mental health

Answer 26

HINPs must: - Conduct PIAs and TRAs (threat risk assessments) - Enter into written agreements with custoidans

Answer 27

When information is shared within the individual's health circle

Answer 28

The result of a merger between ministry of health and long term care with smart systems. Organization planned to complete an integrated health information system for individuals and their healthcare providers, but had large setbacks. Still working towards its goal that was supposed to be accomplished in 2015

Answer 29

Mission is to take health informatics mainstream, through promotion of health technology systems and effective use of health information. Provides practical guidance and measures to ensure appropriate privacy and security in a healthcare context

Answer 30

publicly-funded health data aggregator. Meant to help improve canada’s health system and well-being of canadians by being a leading source of unbiased, credible and comparable information that will enable health leaders to make better decisions

Answer 31

Government institutions listed in a schedule to the act. All ministries; Many federal government institutions (Canada Revenue Agency, etc.) and tribunals (Canadian Human Rights Tribunal);; Some Crown corporations (Canadian Broadcasting Corporation)

Answer 32

Information must be related to the operating program or activity of the institution Does NOT need consent Must collect directly from the individual when the information will be USED for an administrative purpose (unless this is impossible, individual consents, or collection is pursuant to specific exceptions

Answer 33

(1) with consent, or (2) without consent if: - consistent use - in accordance with an act of parliament - to comply with court order - to the AG of Canada for use in legal proceedings involving Canadian Government; - to investigative body in accordance with regulations - Under agreement between governments to enforce or investigate law - To member of parliament to assist the individual in resolving a problem - To internal employees for audit purposes - To library of archives - For research or statistical purposes WITH PERMISSION from head of government institution

Answer 34

Government entities, including crown corporations; and Education

Answer 35

Mandatory notification to OPC for any breach of security safeguards involving PI; Notification to individuals where there is a risk of significant harm; Must keep record of all breaches

Answer 36

``` Accountability; Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure, and Retention; Accuracy; Safeguards; Openness; Individual Access; Challenging Compliance ```

Answer 37

Act Reasonably | 10 PIPEDA principles encapsulated into these laws

Answer 38

OIPC of Alberta | OIPC of BC

Answer 39

OPIC can ORDER organizations to take action (not just make recommendations like OPC for PIPEDA)

Answer 40

Disclosures outside of Quebec to a 3rd party is only allowed if the organization is satisfied that: - Information will not be used for any purposes not relevant to the object of the file, or communicated to 3rd persons without consent; - For marketing lists, the person must have valid opportunity to refuse to allow PI to be used for commercial purposes

Answer 41

Express consent to install computer programs Implied consent is okay for: - Cookies - HTML - Javascript - operating system - Any executable through another program where the user already consented - Software installed to correct a bug

Answer 42

Access and right to correct information Accountability Consent (must be meaningful but can be implied unless to a non-custodian or other custodians outside circle of care) Safeguarding and breach notification Openness (not always required, but sometimes recommended that privacy information is provided in print or website

Answer 43

CASL violation for sending CEMs without consent (erroneously relied on implied consent)

Answer 44

PIPEDA violation for collecting and using email addresses without consent OPC found that Compu-finder was either not aware or did not respect its privacy obligations under PIPEDA Entered into a compliance agreement with the OPC

Answer 45

2006 Complaint against 6 Canadian financial institutions for disclosures of personal information to US government authorities OPC determined that SWIFT had not contravened the act when it disclosed the personal information to the US Government OPC did determine that PIPEDA applied -- just because a company operates in multiple jurisdictions doesn't change that Banks involved had adequate contractual provisions to ensure a comparable level of protection once the data was transferred to SWIFT, so the complaint against them was not well-founded

Answer 46

Data was compromised from TJX, including credit card numbers, names, addresses, telephone numbers, and Canadian driver's licenses and other provincial ID numbers and names. TJX notified Federal and provincial privacy commissioners of the breach. Privacy commissioner did not like the collection of DL information, because it was mostly irrelevant to any legitimate purpose of the retailer Thereafter, TJX started to hash DL number

Answer 47

Students at the University of Ontario's cyberlaw clinic filed a complaint with the OPC regarding Facebook's privacy policies and procedures Facebook was providing personal info to app developers without 'meaningful consent' OPC was critical of FB practices. Found FB had not misrepresented or acted deceptively but had not met knowledge and consent obligations under PIPEDA FB adopted OPC recommended that app developers receive no more info than needed, provide better notice, and give users an opportunity to meaningfully consent to transfers of data

Answer 48

Youth-oriented social networking site OPC found Nexopia in breach of PIPEDA obligation and issued 24 recommendations, including adoption of an ability for Nexopia users to permanently delete their personal information

Answer 49

2010: Investigation around inadvertent collection of data from unsecured wi-fi networks as camera cars documented street images for google's mapping service. Issue was tabled because Google agreed to implement OPC recommendations 2013: Google ads used health information to display health-related ads (search history for sleep apnea, etc.). Google committed to providing more information to advertisers and increasing monitoring for possible violations of its policies 2014: Complaint filed when its Search App update required consent to collect information beyond what was required for app's functionality. OPC found in google's favor because granting app permissions does not liken to consent for collection, use or disclosure. OPC nonetheless recommended google to take steps to clarify for its users the meaning and function of permissions

Answer 50

Toy developer with wifi pet used personal information of children without adequately explaining its purpose or obtaining appropriate consent. Issued 11 recommendations, Ganz agreed to implement the recommended measures

Answer 51

2013: OPC initated investigation into Apple's use of unique device identifiers. Apple ID account details for every device user were accessible by apple, so OPC said it was personal information. UDIDs were disclosed to developers for targeted advertising, and OPC said that when used this way it's sensitive personal information due to potential to be used to create detailed user profiles Apple replaced UDIDs with Ad IDs and provided an option for users to reset tracking history or opt out of receiving targeted ads

Answer 52

2013: Globe24h republished court decisions containing personal info on its website, allowing information to be indexed and searched and charging a fee for removal. OPC said Globe24h needed consent to republish court decisions because reasonable person would not thing it was appropriate in the circumstances Globe24h refused to adopt recommendations, but has removed personal information for some complainants. OPC may pursue further.

Answer 53

Tracked internet browsing habits, app usage, TV viewing, and calling patterns of its customers, which could be combined with demographic and account data to create highly detailed, sensitive profiles for third parties to use for a fee. OPC received lots of complaints after the announcements. Bell agreed to make changes to planned program but refused to implement process to obtain consent. Bell decided to withdraw the program and delete user profiles. OPC said it would be paying special attention to targeted advertising moving forward

Answer 54

Breach resulted in access to 140+ million individuals including 19k Canadians. OPC investigated and concluded Equifax failed to compy with PIPEDA because, among other things, breach response measures were inadequate (Equifax Canada wasn't notified even though Equifax Inc knew Canadian data was in scope), there was a lack of clarity of responsibilities and roles, and failure of Equifax Canada to supervise Equifax US

Answer 55

Loblaws had been colluding with other market actors to fix the price of bread. In response, they offered a $25 gift card to use in their stores. To verify eligibility they asked for a utility bill or driver's license. OPC complaint was that this was more than necessary for the purpose

Answer 56

Privacy commissioner of Canada and Alberta published jointly a report summarizing investigation into FB and third party app thisisyourdigitallife. Info was used to generate user profiles and target individuals with political advertising. May have been disclosed to cambridge analytica Conclusions: - FB failed to obtain valid and meaningful consent from installing user and friends of installing users - FB had inadequate safeguards to protect user info - FB failed to be accountable for user information under its control

Answer 57

Privacy commissioner guidance suggests that organizations should: - Guard against authentication for the sake of authentication. If no need, don't do it - Know the individuals they are interacting with, then choose the correct level of authentication - Regularly assess risk and deploy risk mitigation measures, including adjusting the strength of the authentication process - Keep vigilant of 'risk creep' - esp as related to adding new services onto existing services - Monitor attempted attacks - Give individuals some choice when it comes to authentication

Answer 58

PIPEDA applies to organizations operating outside of Canadian borders

Answer 59

Applicant contested OPC's finding that PIPEDA had no authority to take jurisdiction over organization that seemed to be able to collect information of individuals within Canada OPC had initially refused to investigate because PIPEDA did not give them jurisdiction to investigate complaint. In questions of jurisdiction, court reviews DE NOVO. Court said OPC erred by not taking jurisdiction

Answer 60

Employees of railway company objected to video surveillance. Adopted 4 part test now frequently used for reasonableness: 1. Is collection NECESSARY to meet specific need? 2. Is collection likely to be EFFECTIVE in meeting specific need? 3. Is loss of privacy PROPORTIONAL to benefit gained? 4. Is there a LESS-PRIVACY-INVASIVE way of achieving the same end? Court disagreed with OPC. Court reviewed DE NOVO

Answer 61

Deals with power of the OPC under PIPEDA to review documents requested that are subject to solicitor-client privilege Federal court determined that OPC cannot even ask organizations to prove a document is privileged.

Answer 62

Employees of TELUS Communications filed complaint for practice of collecting their voiceprint Court agreed that consent was required to collect voiceprint info, but refused to give an opinion as to whether employees could be disciplined for failing to consent