Privacy Laws Flashcards

Question

CSA Model Code Purpose

Answer 1

Balance between legitimate business interests and the individual right to privacy

Answer 2

- Org responsible for PI under its control - Org shall designate individual accountable for org's compliance

Answer 3

- Purpose for collection of PI identified before or at the time of collection

Answer 4

Consent required for collection, use or disclosure of personal information (except where inappropriate)

Answer 5

Collection shall be limited to that which is necessary for the purposes identified by the org. Info shall be collected by fair and lawful means

Answer 6

PI shall not be used for purposes other than those for which it was collected (except with consent or required by law) PI should be retained only as long as necessary

Answer 7

PI shall be accurate, complete, up-to-date as necessary

Answer 8

Security safeguards should be appropriate to sensitivity of the information

Answer 9

Org shall make available specific info about its policies and practices

Answer 10

Upon request, individual shall be informed of existence, use and disclosure of his/her personal information and shall be given access to that information. Individual should be able to challenge accuracy and completeness of info and have it amended as appropriate.

Answer 11

Able to challenge org concerning compliance

Answer 12

Management Notice Choice and Consent Collection Use, Retention, Disposal Access Disclosure to Third Parties Security for Privacy Quality Monitoring and Enforcement

Answer 13

Information more significantly related to the notion of a reasonable expectation of privacy. Medical or financial! Information that could result in identity theft.

Answer 14

* Opaque nature of privacy policies that are the basis of consent * Complex information flows * Business processes that involve a multitude of third-party intermediaries OPC stated that consent model needs to be updated and altered rather than replaced

Answer 15

1. Personal information that has been used to make a decision about an individual should be retained long enough to allow the individual access. 2. An org may be subject to legislative requirements w/r/t retention periods for certain types of information

Answer 16

An org shall not routinely update personal info, unless necessary to fulfill the purposes for which the information was collected

Answer 17

* Name of accountable person * Means of gaining access to personal information * Description of PI held and its use * Brochure that explains policies/standards/codes * The PI that is made available to related orgs

Answer 18

PIPEDA, BC, QC - 30 Days Alberta PIPA - 45 days with liimited right to extend

Answer 19

Reconcile: * Individual right to privacy * Commercial need for access to personal information Express recognition that right to privacy is not absolute Last goal: ensure that Canadian org's could receive data from the EU (which had passed the Directive on Data Protection in 1995)

Answer 20

Applies to the entire private sector - every org that collects/uses personal info in the course of commercial activity OR - is about an employee of a federal work Does not apply to: * gov't institutions covered by Privacy Act * Individual that collects info for personal or domestic purposes * Org that collects info for journalistic, artistic or literary purposes and no other

Answer 21

"Any work that is under the legislative authority of Parliament" Specific examples: - interprovincial/international transport by air or water - airports, aircraft, airlines - telecomms - radio and TV broadcasting - banks - grain elevators - nuclear facilities - offshore drilling - any company subject to any part of the Canada Labour Code NOT Federal: - insurance companies - credit unions

Answer 22

1. Consistent with the Schedule for PIPEDA 2. Independent oversight body like the OPC 3. Contain a redress mechanism for the aggrieved

Answer 23

- Alberta PIPA - BC PIPA - the Quebec Act w/r/t Health Only - Ontario Personal Health Information Protection Act - NB Personal Health Information Privacy and Access Act (wrt health information custodians only) - NL Personal Health Information Act (wrt health information custodians only) - NS Personal Health Information Act (wrt health information custodians only)

Answer 24

Transaction, Act or Conduct that is of a commercial character, including selling/buying donor lists

Answer 25

- Taxable status is not relevant - Mere contractual relationship is not enough - information-gathering in preparation for civil tort action not commercial activity contemplated by PIPEDA - information-gathering by insurance company to defend a lawsuit in part of obligations to insured not covered by PIPEDA - Physician conducting independent medical exam on behalf of insurance company - this is commercial activity

Answer 26

Broad! 2 Part test: 1. What is the core activity of the institution (e.g. if educational, presumed not to have 'commercial character') 2. Presumption against commercial character rebutted if one of the objectives is to earn profit for its owners - emphasis is on transaction rather than enterprise - for the most part, nonprofit associations (incl unions) and private schools operate outside of any commercial activity In: - relaying financial information into and out of Canada for international transactions with Canadian Bakns - bankruptcy trustee collecting PI to be used in administering bankruptcy - day care (even though a nonprofit) - in certain cases, tort litigation, landlord-tenant relationships, online advertising and social networking

Answer 27

- Org can only collect/use info for purposes that a reasonable person would consider appropriate in the circumstances - Burden on org to be prepared to demonstrate it is acting reasonably (even if they obtained consent!) - In Sections 6 to 9 of PIPEDA, some CSA standards modified to be mandatory: - Only collect with consent - consent only valid if person would understand nature, purpose and consequence of PI collection and use - obliged to provide access to personal information

Answer 28

Where Schedule 1 says an org "should" do something, org is not obliged to follow that standard

Answer 29

a) Collection clearly in the interests of the individual and consent cannot be obtained quickly b) collection related to investigating a breach of agreement or law, and collection with consent of individual would compromise information c) contained in a witness statement and collection necessary for adjudicating insurance claim d) produced by the individual in the course of their employment and consistent with that purpose e) journalistic/artistic/literary purposes f) info publicly available and specified by regs g) collection made for purpose of making a disclosure required by law

Answer 30

- if access would reveal info about a third party - specified national security or law enforcement reasons - solicitor-client information - commercially sensitive information - threaten the life or security of another - info gathered as part of formal dispute resolution mechanism - info collected without consent during investigation of a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that information

Answer 31

Orgs may provide access on a cost recovery basis, but cost must be "at minimal or no cost to the individual" Any type of flat fee likely not acceptable; org ought to assess minimal fee and apply it only in exceptional cases

Answer 32

- Other available grievance or review procedures not exhausted - Could be dealt with more appropriately by a procedure under other federal or provincial laws - Not filed in reasonable period of time

Answer 33

- Insufficient evidence to pursue - Complaint is trivial, frivolous or vexatious, or bad faith - Org already provided fair response to complaint - Matter already object of investigation - matter is object of compliance agreement with OPC - matter is subject of a report by OPC - matter already addressed under a procedure in PIPEDA s 12(1)(a) or (b)

Answer 34

- Can apply to feds if recommendations from investigation report are not implemented - Can apply if org fails to live up to commitments in a compliance agreement - Cannot apply to fed court if recommendations in a audit report are not implemented

Answer 35

- Breach Notification and Record-Keeping Requirements (fines of up to $100k) - Update to personal information and business contact information - Update to consent, including new exceptions - Compliance agreements - Public Interest Disclosures broadened

Answer 36

- Investigations/fraud detection - may disclose PI to another org if reasonable to expect that knowledge would compromise investigation - Business transactions - Sale of business, merger, lease of assets - Witness statements in insurance claims - Identifying injured, ill, deceased; communicating with next of kin - Financial abuse - disclose to gov't or next of kin/representative - Employment relationships in federally regulated workplaces - PI produced in course of employment, business, or profession

Answer 37

1. Exclude Work Product from definition of "personal information", as is done in BC PIPA; 2. Consider work product to be personal information, but state that data protection provisions do not apply (similar to approach to PI collected for journalistic/artistic purposes); 3. Include work product in definition of personal information, but state that consent requirements in Sec 7 of PIPEDA don't apply. Currently: personal information that may be work product is subject to the Act and would be addressed on a case-by-case basis.

Answer 38

For these entities, an org can establish personal information codes and thereafter abide by the code instead of all obligations imposed by PIPA

Answer 39

A recommendation-only model for Privacy Commissioners (i.e. like the Federal OPC) rather than the ability to order compliance. Said to be less adversarial and formalistic.

Answer 40

1. Every person who establishes a file on another person must have a serious and legit reason for doing so 2. The person establishing the file may not deny the individual concerned access to the information contained in the file 3. The person must respect certain rules that are applicable to the collection, storage, use and communication of the information

Answer 41

Applies to every "enterprise" that collects/stores/uses/communicates (aka discloses) information about a natural person to third parties.

Answer 42

1. PI collected and used by public bodies; 2. Journalistic material

Answer 43

Carrying on by one or more persons of an organized economic activity, whether or not commercial in nature, consisting of producing, administering or alienating property, providing a service. Not limited to commercial activity, applies to unions, lawyers, doctors, other associations

Answer 44

Similar to EU, enterprise in QC can disclose info to 3rd party outside of QC if: - info will not be used for purposes not relevant to the object of the file or communicated without consent - in case of marketing lists, persons concerned have valid opportunity to refuse to allow their personal information to be used for commercial purposes Third parties include any separate legal entity, so related companies and orgs have to abide by third party rules

Answer 45

A person who, on a commercial basis, establishes files on other persons and prepares and communicates credit reports bearing on reputation or solvency of the persons to whom the info contained in such files relates

Answer 46

1. Rules for sending of commercial electronic messages (CEM) 2. Rules for the installation of computer programs 3. Prohibition on the unauthorized alteration of transmission data

Answer 47

Applies to all forms of electronic messaging, including: - Email - SMS text messages - Messages sent via social networking Applies to all messages sent from or received in Canada Applies to nonprofit orgs and registered charities

Answer 48

- Consent must be obtained before CEM is sent - Express consent cannot be provided by silence or inaction (e.g. a pre-checked box) - must be "opt-in" by positive action to indicate consent - can be orally or in writing

Answer 49

Key information - whether consent was obtained in writing or orally - when it was obtained - why it was obtained - manner in which is was obtained

Answer 50

1. Existing business relationship 2. Existing non-business relationship 3. Recipient conspiciously published electronic address (e.g. on a website) and doesn't say they don't wish to receive messages 4. Recipient has disclosed electronic address directly to the sender and hasn't said they don't want messages - must be related to professional capacity

Answer 51

- sent to a friend or family member - inquiry about a service offered by recipient - provides a requested quote - facilitates a commercial transaction - provides warranty or safety information - information about ongoing subscription or membership - information related to employment relationship or benefit plan - delivers a good or service

Answer 52

Senders must clearly identify themselves, including person (or multiple persons) message sent on behalf of. If not practical to include information in body of CEM, must include a hyperlink to a web page containing this information - must be clearly and prominently set out in the CEM

Answer 53

- link must be functional for minimum 60 days after sending - unsubscribe must be processed without delay, and in any event, no more than 10 days after request - unsubscribe must be "readily performed", and quick, simple and easy for the end user

Answer 54

Record-keeping extremely important when interacting with CRTC / Responding to Notice to Produce Should include: - All evidence of express and implied consent - documented methods through which consent was collected - policies and procedures regarding CASL compliance - all unsubscribe requests and resulting actions

Answer 55

Enforced by CRTC, with related amendments to Competition Act and PIPEDA enforced by Competition Bureau and OPC

Answer 56

- Purpose of penalty - compliance, not punishment - scope, nature, duration of violation - Blackstone ability to pay - Blackstone cooperation - Notice of self-correction - No history of non-compliance - Blackstone made inquiries of regulator

Answer 57

OPC Investigated Compu-Finder for collecting and using business emails to promote business - examined Compu-finder websites - reviewed online media and other public content about org - submissions to CRTC Spam Reporting Centre - Interviewed 8 individuals who complained - Got representations from Compu-Finder OPC concerned with integrity and comprehensiveness of CF representations Found CF was unaware of and did not respect privacy obligations; lacked appropriate consent for use of emails CF implemented OPC recommendations on "without admission" basis - OPC said complaint well-founded and resolved in part/conditionally resolved in part. Entered compliance agreement. CRTC assessed administrative monetary penalty (AMP) of $1.1 million

Answer 58

Protect consumers from programs such as malware that pose a real threat to individuals - enforcement is focused here

Answer 59

- Monitoring client activities - written contracts with clients/suppliers requiring CASL compliance - written CASL policy

Answer 60

- malware installed along with other software - concealed software automatically executed when consumer inserts (for example) a CD or USB

Answer 61

- Cookies - HMTL - JavaScript - An Operating System - Program executable through a program to which end user consented - Software installed to correct a failure (i.e. bug fixes) Telecoms do not need consent to install software to protect security of system Consent only assumed if user doesn't take steps to vitiate - i.e. disabling javascript in the browser

Answer 62

Vendors can: - implement user-installed updates (user must click) - can obtain consent for automatic downloads at point of initial install - can allow automatic downloads to be activated or de-activated via a user setting

Answer 63

No Materiality Requirement: false info in - Sender line - Subject Line - locator information (e.g. URL) Materiality requirement: - False or misleading statement in the content of the electronic message

Answer 64

Consumers can sue for $200 per message that contains false and misleading misrepresentations

Answer 65

- Enforcement agencies issue clear, accessible, regularly updated guidance materials - Parliament amend: 1. Definitions of CEM, "electronic address", "implied consent", "express consent" to clarify them; 2. Increase transparency in how CRTC investigates and penalizes violations; 3. Short title, Electronic Commerce Protection Act (ECPA) Gov't agreed but no changes to law yet. CRTC issued guidelines on implied/express consent and started issuing enforcement advisories in 2018, but most issues in report are unaddressed.

Answer 66

Schedule I - domestic banks Schedule II - Subsidiaries of foreign banks Schedule III - Foreign bank branches of foreign banks

Answer 67

- Transborder Data Flows - Online Behavioural Advertising - Data Breach Reporting - Surveillance

Answer 68

- law and OPC decisions show transfers outside of Canada are permitted - Orgs must still be transparent, receive consent for transfers, and be accountable (i.e. responsible for information held by third party transferees) - OPC had consultation process about proposed changes 1) mandatory consent for cross-border transfer; and 2) require communication of options for opt-out of international transfer; feedback was this was too onerous and the changes were shelved.

Answer 69

Typified by the use of a cookie May be "first party" (placed by website visited), or "third party" (if they are placed by some other party) May be "session" or "persistent" Cookie permits data regarding browser history to be recorded

Answer 70

Covered by PIPEDA or Quebec, Alberta, BC Privacy Laws

Answer 71

OPC says IP address and cookie-related information are personal information. SCC and OCA also comment on privacy interests in browsing history. Obtaining consent in timely and informed way remains a challenge.

Answer 72

Google's online service used sensitive health information to target users with health-related adds, contrary to its own policies and in violation of PIPEDA

Answer 73

Relevant Advertising Program - tracked customer habits and created detailed profiles to be shared with 3rd party advertisers in violation of PIPEDA.

Answer 74

- Description of the circumstances of the breach - Period of breach - Type of Personal Information - Estimated number of individuals - Steps org has taken to reduce risk of harm - Steps org has taken to notify - Name and contact of accountable person

Answer 75

- Circumstances of breach - period of breach - description of personal information - Steps the org has taken to reduce risk of harm - steps individual could take to reduce harm - toll-free number or e-mail address the affected individual can use - information about the org's internal complaint process

Answer 76

Must keep record of every breach of security safeguards for 24 months after the day breach discovered

Answer 77

Fines of up to $100,000 for knowingly violating notification or record-keeping requirements

Answer 78

PIPA Requires notifying commissioner of a breach if there is a real risk of significant harm to an individual. - Description of incident - time period - personal information involved - assessment of risk of harm to individuals - estimated number of individuals - steps taken to reduce harm - contact information

Answer 79

- Sensitivity of personal information - Probability that the personal information will be misused - Any other prescribed factor

Answer 80

- complaint that SWIFT/Canadian banks were turning over information to US government - SWIFT said it was responding to subpoenas from OFAC - SWIFT subject to PIPEDA (operates in Canada) - SWIFT hadn't contravened PIPEDA - must abide by legitimate laws of other countries in which it operates - Banks met their obligations because contractual documentation exists between SWIFT and the banks that ensured comparable level of protection

Answer 81

- TJX company breached - intruder got credit card numbers, names and addresses, and Canadian driver's licenses - Collected DL to prevent fraud - Commissioners considered: 1. Whether the org had a reasonable purpose for collecting info 2. Whether org retained info in compliance with legislation 3. Whether org had reasonable safeguards - determined DL was irrelevant to legitimate purpose; should not be an identifier for the purposes of analyzing shopping-return habits - TJX decided to use hashing to create a unique number that could be stored that wasn't a driver's license - info had been stored indefinitely, in violation of retention periods - used only WEP encryption in stores

Answer 82

- International flow of data will not impede applicability of laws in Canada - Canadian privacy law will not stand in the way of legitimate business uses of personal information - Responsibility will lie with the org to prove it is reasonably safeguarding - Orgs must collect only the personal information necessary to fulfill legitimate purposes

Answer 83

Complaint from University of Ottawa Cybersecurity Group OPC Report - Facebook had not met knowledge and consent obligations under PIPEDA OPC recommended Facebook and Developers - receive no more personal information than necessary - provide users with sufficient notice about which data will be collected - provide opportunity to give meaningful consent

Answer 84

Youth-oriented social networking site; complaints: - Disclosure of user personal information to public did not meet reasonable expectations of the users - Site had inappropriate and unreasonable default privacy settings - users not adequately informed about how info would be shared - Consent not obtained at time of registration for collection of PI - Non-Nexopia users' PI retained without their knowledge and consent - All PI retained indefinitely and w/o an option to request for deletion

Answer 85

In 2010, investigated "inadvertant" collection from unsecured WiFi networks from camera cars doing street images. - gathered PI in excess of the purposes of collection In 2013, complaint about health-related ads - Joint investigation with FTC, OPC identified several shortcomings in systems for monitoring compliance with policies In 2014, more complaints filed when Search App updated to collect PI beyond that required for functionality - OPC concluded that complains were not well-founded - Granting app permissions alone does not liken to consent for collection

Answer 86

Toy manufacturer with web-enabled toys for children age 6-13 to log in and play with virtual version Complaint: collecting and retaining PI of children without adequately explaining purpose or obtaining appropriate consent - shared with third-party advertisers to track and profile children Recommendations: - provide greater clarity during online account registration - importance of involving parents - parental consent - language appropriate to site's user base - updating privacy policy to better reflect actual practices - improve communication of policies

Answer 87

OPC investigated allegations that Apple used Unique Device Identifiers (UDID) for tracking purposes without knowledge and consent of individuals. OPC - UDID considered personal information, disclosed to third-party app developers for targeted advertising purposes - UDIDs considered to be sensitive personal information - Apple replaced UDIDs with Ad IDs and provided option for users to reset their tracking history

Answer 88

OPC found: - Inadequate vulnerability management - Inadequate network segregation - Inadequate implementation of basic information security practices - Inadequate oversight

Answer 89

April 2019 - Facebook and TYDL (This is Your Digital Life) - data in hands of individual who sold PI of American Facebook users to Cambridge Analytica - Users filled out personality quiz and disclosed info about friends - Four major conclusions: 1. Failed to obtain valid and meaningful consent 2. Failed to obtain consent from friends 3. Inadequate safeguards 4. Failed to be accountable

Answer 90

Telus Voiceprint case - 4 employees complained - FCA: characteristics of voice are personal information - weighed privacy rights against TELUS business interests - reasonable person would find use of e.Speak tech to be reasonable in the circumstances

Answer 91

Video Cameras installed in workplace. Test used by court: 1. Is the collection necessary to meet a specific need? 2. Is collection likely to be effective? 3. Loss of privacy proportional to benefit gained? 4. Less privacy-invasive way of achieving the same end? Court determined it was permitted non-consensual collection because tapes would only be viewed in context of an investigation Application was de novo, and OPC report not given much deference

Answer 92

- Individual made request to Blood Tribe for info, OPC sought info during investigation - COURT: OPC does not have the power to compel the production of documents covered by solicitor-client privilege, and cannot even ask an org to otherwise prove that a doc is privileged

Answer 93

Accusearch (ABIKA) brought to court - applicant felt OPC was wrong that they had no jurisdiction over an American org collecting info on Canadians. Court: OPC did have jurisdiction; concerns about ineffectiveness were irrelevant; OPC required to prepare a report, barring the application of certain exemptions

Answer 94

- Authenticate based only on the risks associated with not authenticating - Know the individual and choose the correct level of authentication - Regularly reassess risks and deploy risk mitigation measures - Keep vigilant in relation to "risk creep" - monitor any attempted attacks - give individuals choice

Answer 95

Promulgated by AICPA and CICA 1. Management 2. Notice 3. Choice and Consent 4. Collection 5. Use and Retention 6. Access 7. Disclosure to Third Parties 8. Security for Privacy 9. Quality 10. Monitoring and Enforcement

Answer 96

- Denial of access - Disagreement with fee - Deemed refusal - Advice that extension beyond 30 days is necessary - Denial of request for correction - Someone requesting applicant's personal information

Answer 97

- Collect if info relates to an operating program or activity - No need for dta subject consent - Obligation to collect directly from the individual except where this is impossible, individual has authorized indirect collection, or collection is pursuant to one of the exceptoins

Answer 98

Use of the information in a decision-making process that directly affects that individual

Answer 99

Use requires consent, unless the info is being used for the purpose for which the information was obtained or compiled

Answer 100

Must not disclose PI without consent, with 13 exceptions - for the purpose for which the info was obtained - for any purpose in accordance with an Act of Parliament - complying with subpoena - to the AG for legal proceedings - to an investigative body - under agreement between feds and provinces/foreign states - to a member of Parliament for assisting an individual - internal audit - Library and Archives - research or statistical purposes - any aboriginal government - for purpose of locating individual to collect a debt - any purpose where public interest outweighs invasion of privacy

Answer 101

CRA released info on travelers to Canada Employment and Immigrations Commission to catch people receiving EI while out of the country FCA - breadth of Section 8(2) demonstrated a clear intention on the part of Parliament to allow many non-consensual disclosures Later, tribunal could not release PI in forms/transcripts for use in separate hearings

Answer 102

- Description of class of individuals - Name of gov't institution - title and address of the person to whom requests should be made - statement of purpose of PI collection and uses consistent with those purposes - Details of the retention and disposal standards

Answer 103

- PI obtained in confidence from foreign state - Fed-Provincial Affairs would be injured - Injury to international affairs or national security - Less than 20 years old and relates to the enforcement of laws - injury to enforcement of laws - Injury to security of a penal institution - PI collected by RCMP performing police services - Release of PI would reveal snitch identity - disruption of parole program - threaten the safety of individuals - PI of someone other than the requestor - subject to S-C privilege - Contrary to requestor's interest considering the particular physical or mental health

Answer 104

Personal information holdings consisting of PI obtained by investigative bodies in the course of lawful investigations pertaining to the enforcement of law

Answer 105

No obligation to properly safeguard and retain personal information in the Act, but in the regulations states that info shall be retained for at least 2 years following the last time personal information was used for an administrative purpose

Answer 106

- Broad powers of investigation - can only recommend solutions to gov't institutions that have been found to be noncompliant - if an individual erroneously denied access to personal information, commissioner may proceed to federal court for determination of whether or not info was properly withheld - prereq - commissioner must complete the investigation and issue a report

Answer 107

Commissioners asked - Gov't refer program to Parliament so could be publicly debated - Enact clear legislation setting out criteria - Confer an appropriate oversight body

Answer 108

- Exceptional step, taken only in absence of less privacy-invasive alternative - public advised that surveillance is happening - right of individuals to have their personal info respected - subject to independent audit and evaluation - FIP respected

Answer 109

- inform public of program - notify individuals when recording takes place - safeguard recordings - training and accountability processes - respond to civilian requests - minimize recording of innocent civilians - protect for secondary uses (training and performance evaluation)

Answer 110

- Provinces have concept of "unreasonable invasion of privacy" to have greater protection for some types of info and less for others - BC and Nova Scotia place significant restrictions on public body transfer of information out of that jurisdiction - Most provinces give commissions power to issue orders

Answer 111

- New technologies - Written before development of Fair Information Practices - Does not require same degree of openness and transparency - fails to address transborder data flows - should have accountability when outsourcing - greater recourse to federal court or order-making power

Answer 112

Not a legal document, principles have no enforceable effect

Answer 113

1. Public Sector adopt principles of "necessity and proportionality" 2. Strengthen enforcement mechanisms 3. Demonstrable accountability

Answer 114

Must be commensurate with level of risk; whenever new program or change to program must audit Org that fails might not get required approvals from the Treasury Board

Privacy Laws Flashcards

(138 cards)