Index All entries in the index reference page numbers.

Transcription

1 Index All entries in the index reference page numbers. A Audit of organizations, 37-38, Access to personal information by individual, 22, 31, B assistance by organization, Biometrics, palm-vein scanning of test- exceptions, 31 takers, Model Code, principles, 180- privacy implications, refusal to provide with reasonable purpose, 124 reasons, 153 voiceprint is personal third party personal information, 123 information, 154 Federal Court appeal held time limit to respond, 153 employee consent required, 124 written request, 152 reasonable purpose, 124 Accountability, 22, Business continuity, see Accuracy, 22, 30, Disaster recovery Anti-spam legislation, see FISA (Fighting Internet and C Wireless Spam Act) CASL, see FISA Applications service provider Canada Evidence Act (ASP) arrangements, 121- certificate, Canada s Anti-Spam Law Asset purchases, see Mergers, (CASL), see FISA (Fighting acquisitions and asset Internet and Wireless Spam purchases Act) 217

2 PIPEDA Quick Reference 2015 Edition Checklists outsourcing, see Outsourcing health care institution privacy purpose of collection program implementation, 86- identified and reasonable, 21, 90 24, 27, 146, outsourcing or transferring ten privacy principles under personal information across Sch. 1 of PIPEDA for, 22-23, borders, PIPEDA compliance for third-party, 26-27, 29, educational institutions, 102- consents needed, due diligence re consents CIBC decision, and contracts, 65 Collection, use, and disclosure without knowledge or consent, of personal information consent, see Consent Commercial activities definition of personal defined, 16-17, 144 information, 145 outsourcing and, disclosure by Privacy Complaints process, 34-43, Commissioner, , 187 to investigative bodies, challenge to compliance, 23, regulation , grandfathering of, court hearing, limitation of, 22, 29 dispute resolution excessive collection, mechanisms, 35-36, 156, 159 Model Code, principles, hearing in Federal Court, see Federal Court reasonable purpose, 24, 27- information to include in, investigation of complaints sensitive information, discontinuance of, 160 use, disclosure and investigator assigned, 35, retention, 22, mergers, acquisitions and notification of complainant, asset purchases, see Mergers, 157 acquisitions and asset powers of Commissioner, purchases

3 Index Complaints process (cont d) publicly available lodge complaint with Federal information, regulation Privacy Commissioner, , letter of findings, 35 response to subpoena, no direct power of warrant, order of court, 149 enforcement, 35 statistical, or scholarly study report with or research, 151 recommendations, 35, 161 exceptions to, 27, within one year, 37 express, Compliance team, implied, privacy officer, 31 methods of giving, Consent opt-out consent, 25, 27 collection without knowledge principle, Model Code, 182- or consent, collection reasonable to third-party use, 26 investigate breach, 148 use without knowledge or disclosure of purposes consent, required by law, 149, 181- emergency threatening life, 182 health, security, 149 interests of individual, 148 investigation of publicly available contravention of laws of information, 148 Canada, 149 solely for journalistic, publicly available artistic or literary purposes, information, statistical, or scholarly study disclosure without knowledge or research, 149 or consent, Cookies case, see under debt collection by Information technology organization, 149 emergency threatening life, D health, security, 150 Damages government request, 150 humiliation, indictable offences, 43, 71 Data breach,

4 PIPEDA Quick Reference 2015 Edition Data mining, signed consent, 98 point-of-sale data includes without consent, 97 personal information, 117 commercial activities, 94-96, Deep packet inspection (DPI), employee information, 100- access personal information 101 sent over Internet, 118 fundraising, Bell advised to disclose to affinity marketing programs, customers the use of DPI, Disaster recovery, commercial activity or not, Disclosure of information, see Collection, use, and disclosure student records, of personal information access to, private schools, E commercial activities, 101, ebay s detailed privacy policy, correction of records, Education sector, private schools, applicability of PIPEDA, 91- tri-council policy statement 94 protocols, universities and private for- Electronic documents profit educational copies, 177 institutions, 94 defined, 172 archives held by educational institutions, 99 evidence or proof, as, 174 checklist, PIPEDA compliance payments, 173 for educational institutions, regulations Canada Labour Code, collection of personal , information for statistical, Federal Real Property and scholarly or research Federal Immovables Act, purposes, , anonymity on collection, 98 Investigative Bodies, implied consent, 97 6,

5 Index Electronic documents (cont d) PIPEDA application, federal Publicly Available works, undertakings or Information, , 210- businesses, 131, retention, F seals, 175 Facebook privacy signatures, secure, 176, 177, investigation, Federal Court statements under oath, 176- hearing on complaint, order compliance, statutory forms and filing, remedies, 162 addresses, personal order damages, 40-42, see information also Damages monitoring by request for hearing to, 40, 42 employer, 134 FISA (Fighting Internet and Employment relationship, 32- Wireless Spam Act), , G labour arbitrator s jurisdiction, 140 Genetic testing, see Healthcare medical information sector collection, Global positioning systems disclosure permitted for (GPS) installation by appeal process, 139 employer, privacy policy needed, 139 Google Buzz privacy violation, reasonable purpose required, Google s Street View security checks, application, employee consent required, 138 Google Wi-Fi privacy concerns, 119 surveillance, , 136, see also Surveillance of Grandfathering of employees information,

6 PIPEDA Quick Reference 2015 Edition H tri-council policy, Health records, see topics personal health information under Healthcare sector defined, 71-72, 145 Health research, see Healthcare employer collected, sector physicians prescribing Healthcare sector, patterns, sale of information, checklist, privacy program implementation, provincial health information privacy statutes, collection, use, and disclosure of personal health statutory reporting obligations, information, consent, 77 when does PIPEDA apply, exceptions, emergency threatening I patient s life, safety, or security, 78 Imaging technology, patient s interest, 78 Google s Street View required by law, 78 application, fax machines and Internet Individual access, concerns, Information technology commercial activities, biometrics, see Biometrics preponderant purpose test, compliance tips, consent obtained custodians in Ontario, electronically, regulation, , 198 disclosure for subpoena, opt-out form, 109 warrant or court order in civil privacy statement, litigation, 82 cookies, information stored is fundraising activities, 75 personal, 111 genetic testing, cookies, advertising, 107 health research, Cookies case, consent exception, 80 Commissioner s finding of research ethics board breach, 106 (REB), cookies, defined,

7 Index Information technology (cont d) examples of breach of privacy concern, 106 PIPEDA, data mining, see Data mining radio frequency identification deep packet inspection, see device, see Radio frequency Deep packet inspection (DPI) identification device (RFID) disclosure of on-line social networking, see Social information to police during networking sites an investigation, International transfer of imaging technology, see personal information, see Imaging technology under Outsourcing Internet-based marketing, see Internet-based marketing, Internet-based marketing live video streaming, see Live cookies, information stored is video streaming personal, 111 need for compliance, addresses, personal damage to reputation when information, information use practices spyware, likely breach of disclosed, 110 PIPEDA, Federal Court damage order, Investigation of complaint, see 109 Complaints process Google privacy deficiencies and third-party audit, 109- L 110 Live video streaming, PIPEDA non-compliance privacy policy and passwords may affect ability to protection, contract, 110 webcam service at daycare, outsourcing, see Outsourcing 125 payload data collection, see Payload data collection M PIPEDA compliance tips, Mergers, acquisitions and asset purchases, 65-68, see audit, designate privacy also Outsourcing officer, privacy policy, customers and patients consents, 127 consent,

8 PIPEDA Quick Reference 2015 Edition Mergers, acquisitions and asset comparable level of purchases (cont d) protection, 52 employee information to joint no disclosure, therefore no venture partner, consent needed, employee information to guarantees required by potential purchaser, 67 transferring organization from issues to explore by potential agent, 55 purchase re personal information technology information, services, privacy policy inclusion, 66- applications service provider 67 (ASP) arrangements, 121- sale of customer list, share purchase transaction, 68 disaster recovery, business continuity, 122 O transfer of personal Openness principle, information to third party, Outsourcing, transfer vs disclosure, checklist, CIBC decision by Privacy transfer privacy Commissioner, requirements from affirmed in SWIFT outsourcer, decision, 58 transmission of personal CIBC customer concerns re information to third party, U.S. service provider, CIBC transparent about international transfer of policies on outsourcing, 58 personal information, comparable level of Accusearch case, protection found, 57 disclosure of personal customer consent not information without required, consent, 60 Office of the Superintendent PIPEDA breached, of Financial Institutions Privacy Commissioner (OFSI) approval, and U.S. Federal Trade commercial activities, Commission,

9 Index Outsourcing (cont d) data breach, see Data breach affiliated corporations, 62- defined, 19-21, exclusions, advance notice to customers, identifiable individual, 19, 72 comparable level of data outsourcing, see Outsourcing protection, 63 publicly available, regulation, checklist, , comparable level of reasonable expectation of protection, 59 privacy, see Reasonable expectation of privacy KLM case, safeguards (security), 23, 30- failure to provide 31, applicant access to information, 61 Personal Information transparency re outsourcing, Protection and Electronic 59 Documents Act (PIPEDA) notification of outsourcing activities covered by Act, 16- required, 62 17, 32, privacy policy transparent, 58, collected in course of 59 commercial activities, 16-17, 146 P digital signatures, 17 Payload data collection, 119 federal works, undertakings Google Wi-Fi privacy or businesses, 132, 146 concerns, 119 activities not covered by Act, 18-19, 144 Penalties, see Damages employment related Personal information information collected by access by individual to, 22, 31 private sector employers, 16 accuracy, 22 personal information held collection, use, and disclosure, by government covered by see Collection, use, and Privacy Act, 19 disclosure of personal application, 15-16, 129, 146 information education sector, see compliance team, Education sector 225

10 PIPEDA Quick Reference 2015 Edition Personal Information electronic documents, see Protection and Electronic Electronic documents Documents Act grandfathering clause, none, (PIPEDA) (cont d) employment relationship, Model Code for Protection of see Employment Personal Information relationship (Schedule 1), healthcare sector, see origins of the Act, 9-15 Healthcare sector Bill C-12 proposed changes, information and technology intensive businesses, see digitization of information, Information technology 8-9 definitions, European Union privacy alternative format, 144 directives, 9-10 commercial activity, 144 in force January 2001, 2 commissioner, 144 Internet implications, 8-9 Court, 144 OECD principles re privacy data, 172 protection, 9 electronic document, 172 recommended changes to the Act, electronic signature, 172 personal information, defined, federal law, , 145 federal work, undertaking privacy or business, defined, 7 filing, 174 principles, ten, 22-23, 180- organization, personal health provincial privacy legislation information, 145 and, personal information, 145 purpose of Act, record, 145 regulations, see Electronic responsible authority, documents review of Act every five secure electronic years, 10-12, 171 signature, 172 should,

11 Index Privacy Privacy Commissioner s defined, 7 agreement with provinces, policy sample, Quebec, 14 principles, ten, 22-23, relationship to PIPEDA, challenging compliance to, 23 substantially similar to federal, 14-15, Privacy Commissioner, see also Complaints process R agreements with provinces, Radio frequency identification device (RFID), 117 annual report, 169 Ontario Privacy audit of organizations, Commissioner s guidelines, Commissioner, defined, disclosure of information to personal information may be foreign state, associated with, 117 investigative powers, Privacy Commissioner is studying use in Canada, 117 mediation, 35, 159 no power of enforcement, 35 Reasonable expectation of privacy, 21, protection of, role of, Regulations Governor in Council, made solicitor-client privilege, 35- by, , Privacy policy, S officer, 23, 31 Safeguards (security) of openness of, 23, 30-31, 118, personal information, 23, , sample of, Sample privacy policy, Provincial private sector Security checks, privacy legislation, Social networking sites, 112- Alberta, British Columbia, 14 Facebook privacy Ontario, 14 investigations,

12 PIPEDA Quick Reference 2015 Edition Social networking sites (cont d) Google Buzz privacy violation, 116 Solicitor-client privilege, Spam, see FISA (Fighting Internet and Wireless Spam Act) Spyware, likely breach of PIPEDA, Substantially similar federal for violation of employment contract, 137 video recording of picket line crossing, Third party data collection, United States privacy requirement, legislation, 13 Surveillance of employees, USA Patriot Act, 55, Use of personal information, monitoring, 134 see Collection, use, and global positioning systems disclosure of personal (GPS) installation, information appropriate purpose, 135 V implied consent, 133, 135 justification for surveillance Video surveillance, 54, 128, must be reasonable, Canadian Pacific Railway W video camera case, signs must be posted to Whistle-blowing, 170 alert employees of video protection of, 170 cameras, 133 surreptitious, 136 guidelines issued for covert and non-covert video surveillance, 137 T U 228