CIPP/C
Introduction to Schedule 1 of PIPEDA and the Reasonableness Standard

In the previous Section of this study guide, we answered the question of when the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use, and disclosure of personal information by organizations. We turn now to PIPEDA’s substantive provisions.

Section 5(1) of PIPEDA states: “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”[1] This provision, and Schedule 1, which it cross-references, are the heart of PIPEDA’s substantive rules. As we noted previously in Module I.E.3, the principles set forth in Schedule 1 are those adopted by the Canadian Standards Association (CSA) as its Model Code for the Protection of Personal Information (“the CSA Code”).[2] These principles are further refined and modified by PIPEDA in Sections 6 through 9.[3]

Principles of PIPEDA

a. The Reasonableness Standard

One of the overarching obligations of PIPEDA is that personal information must be handled in a reasonable manner. Subsection 5(3) is the core of this obligation. It states that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”[4] Likewise, in its statement of purpose, PIPEDA attempts to strike a balance between protecting privacy and facilitating the use of personal information by the private sector based upon what “a reasonable person would consider appropriate in the circumstances.”[5] Thus, reasonableness is “the overriding standard set out in PIPEDA . . .”[6]

The Office of the Privacy Commissioner of Canada (OPC) has described Subsection 5(3) and its mandate that organizations process data in a reasonable manner as follows:

Subsection 5(3) of PIPEDA is a critical gateway that either allows or prohibits organizations to collect, use and disclose personal information, depending on their purposes for doing so. It is the legal boundary that protects individuals from the inappropriate data practices of companies. It separates those legitimate information management practices that organizations may undertake in compliance with the law, from those areas in which organizations cannot venture, otherwise known as “No-go zones”.[7]

This reasonableness standard is applied to the principles set out in Schedule 1. Or, put a different way, Subsection 5(3) “is a guiding principle that underpins the interpretation of the various provisions of PIPEDA.”[8] The Federal Court of Appeal, for example, found in the case Englander v. Telus Communications, Inc., that “even though Part 1 and Schedule 1 of [PIPEDA] purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the Court must strike a balance between two competing interests. Furthermore, because of its non-legal drafting, Schedule 1 does not lend itself to typical rigorous construction. In these circumstances, flexibility, common sense and pragmatism will best guide the Court.”[9] In other words, it is Subsection 5(3) that helps fill the void between the competing interests at play when processing personal information.

In determining whether data practices are proper, “Subsection 5(3) requires a balancing of interests ‘viewed through the eyes of a reasonable person.’”[10] It is also an “overarching requirement” that is part of, or superimposed upon, all of an organization’s other obligations under PIPEDA.[11] Compliance with this reasonable person standard is, in effect, a necessary baseline for all other practices; it is a necessary but not sufficient condition for complying with PIPEDA and its Schedule 1 provisions.[12] For this reason, we will reference the reasonableness standard frequently when discussing PIPEDA’s other substantive provisions in Schedule 1 throughout this study guide.

b. Application of the Reasonableness Standard

In applying the reasonableness analysis to the conduct of organizations processing personal data, an objective view is required. This is a flexible concept. The standard does not strictly look at reasonableness from the perspective of the data controller, nor does it look at it strictly from the subjective perspective of the individual. An analysis must be conducted “in a contextual manner” that looks at all of the surrounding facts related to the collection, use and disclosure of personal information.[13] This “suggests flexibility and variability in accordance with the circumstances.”[14]

Factors to be considered might include, for example, the sensitivity of the information, whether there is a legitimate business need, whether processing is effective in meeting that business need, whether less invasive means of achieving the same end are available, and the potential loss of privacy at issue.[15] One court has formulated the analysis as follows: “In considering whether an organization complies with subsection 5(3) of PIPEDA, . . . [it should] consider whether (1) the collection, use or disclosure of personal information is directed to a bona fide business interest, and (2) whether the loss of privacy is proportional to any benefit gained.”[16]

It might be helpful to consider some examples of processing activities that have been found to be unreasonable by either OPC or the courts—what the OPC refers to as “no-go zones” of processing. Examples of activities that would be considered unreasonable include: (1) processing that is otherwise unlawful; (2) profiling that leads to unfair, unethical or discriminatory treatment; (3) processing for purposes that are known or likely to cause significant harm to the individual; (4) publishing personal information with the intended purpose of charging individuals for its removal; (5) requiring passwords to social media accounts for the purpose of employee screening; and (6) surveillance by an organization through audio or video functionality of the individual’s own device.[17]

Key Points
  • Section 5(1) requires organizations to comply with obligations of Schedule 1, which are adopted from the CSA Model Code
  • Refinements and modifications are contained in Sections 6 through 9 of PIPEDA
  • Reasonableness Standard – An overarching obligation of PIPEDA is that personal information must be processed in a manner that a reasonable person would consider appropriate in the circumstances (Section 5(3))
  • This standard flows through all other obligations of PIPEDA, including the principles in Schedule 1
  • It is a necessary but not sufficient condition for compliance with PIPEDA
  • Application of the reasonableness standard requires an objective view of the facts and circumstances and context; intended as a flexible concept
  • Asks the questions: (1) does the collection, use or disclosure further a bona fide business interest and (2) is the loss of privacy in proportion to the benefit gained?
  • Those areas of processing that are off limits are referred to as “no-go zones” by the OPC
  • Some types of processing are presumptively unreasonable (e.g., processing that leads to discriminatory treatment)

Sources

1. Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5 (Can.) § 5(1).

2. Canada Standards Assoc., Model Code for the Protection of Personal Information, CSA Standard CAN/CSA-Q830-96 (Mar. 1996).

3. Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5 (Can.) §§ 6-9.

4. Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5 (Can.) § 5(3).

5. Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5 (Can.) § 3.

6. State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736 ¶ 102 (CanLII).

7. Office of the Privacy Comm’r of Canada, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3), available at https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805.

8. R. v. Spencer, 2 S.C.R. 212 ¶ 63.

9. Englander v. TELUS Communications Inc., 2004 FCA 387 ¶ 46 (CanLII).

10. Office of the Privacy Comm’r of Canada, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3), available at https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805.

11. Office of the Privacy Comm’r of Canada, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3), available at https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805.

12. Office of the Privacy Comm’r of Canada, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3), available at https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805.

13. Eastmond v. Canadian Pac. Railway, 2004 F.C. 852 ¶ 131.

14. Eastmond v. Canadian Pac. Railway, 2004 F.C. 852 ¶ 131.

15. Turner v. TELUS Communications Inc., 2005 FC 1601 ¶ 48.

16. A.T. v. Globe24h.com, 2017 FC 114 ¶ 74.

17. Office of the Privacy Comm’r of Canada, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3), available at https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805.
