CIPP Guide » PIPEDA

Secure Flight & Privacy Rights

hannah — Tue, 07 Sep 2010 12:00:16 +0000

The US Secure Flight Program has garnered much public concern and disapproval in Canada, where many Canadians are finding themselves subject to the controversial regulations when flying over US airspace. Aviation security is a high priority issue for the Canadian federal Privacy Commissioner, who earlier this year carried out an investigation of airport security scanners being installed in Canadian airports. While security is an issue in the aviation industry, the Privacy Commissioner, along with other privacy watchdogs, insist that security measures must also respect the privacy and personal dignity of travelers in Canadian airports.

US Secure Flight Program

The US Transport Security Administration’s Secure Flight Program was launched in August 2009 and has been phasing in new regulations since. The TSA explains Secure Flight as a “behind the scenes” program, aimed at enhancing security of domestic and international air travel. The program was initially developed by the Department of Homeland Security in response to 9/11 Commission Recommendations.

The Secure Flight program began with the Secure Flight Passenger Data check, which required passengers to provide personal information to their airline when making a reservation. This information included their name as it appears on government-issued identification; date of birth; gender; and redress number, if necessary. The information would then be transmitted to TSA’s Secure Flight and crosschecked with federal government watch lists. The results of this check would then be transmitted to the airline. The TSA has access to all US government databases.

According to the TSA, the goals of watch list matching include:

Decreasing the chances of compromised watch lists; limiting distribution of watch lists.
Early identification of potential matches, meaning expedited notification of law enforcement authorities and threat management.
Developing a fair, equitable and consistent matching process for all airlines.
Reducing instances of misidentified individuals.
Consistent application of redress process for misidentified individuals.

Individual privacy has been a prominent concern during the implementation of the Secure Flight program. The TSA has developed a Secure Flight Privacy Program, which includes the following elements:

Foundation privacy principles
Privacy organization, including a privacy officer and supporting staff
Secure Flight privacy policies
Systems development and security to manage privacy risks throughout the Secure Flight system
Awareness and training programs
Monitoring and compliance procedures
Redress and response processes
Privacy risk management technique

The TSA set out objectives of checking 100 percent of domestic flight passengers by early 2010. It also states intentions of vetting 100 percent of passengers on all international commercial flights into, out of, or over the US by the end of 2010.

Objections

The TSA’s Secure Flight objectives raised public outcry in Canada and Europe. The application of Secure Flight on airlines flying over US airspace was seen as an unprecedented assertion by the TSA. Once the program launches globally in December 2010, the TSA can prevent passengers from boarding flights, even if they are only flying in US airspace. For instance a passenger may be denied boarding an aircraft in Canada, headed to Mexico, if they have not passed the Department of Homeland Security screening. The Secure Flight program applies to flights to, from, or over the US. About eighty percent of Canadian flights to the Caribbean, to other southern points and to Europe fly over the US.

Secure Flight requires that Canadian airlines transfer travelers’ personal information to the Department of Homeland Security at least seventy-two hours before departure. Using Infoglide, a package of fifty identity resolution algorithms, it checks passenger identities. The Department also has access to data collected in Canada, such as police records.

In the case that the search results in “no match,” the airline will be informed and the passenger can be issued a boarding pass. In these situations, the personal information will be purged from the Department of Homeland Security system after seven days. However, a potential match (according to the Department, this is someone who has not been determined as an exact match, but has the potential to match some data elements) can be kept in the system for seven years. Positive, or exact, matches are kept in the Secure Flight system for ninety-nine years. It will take around fifty to sixty days to resolve false positives.

Many privacy watchdogs and advocates are wary of this new program as it requires non-US airlines to release passengers’ personal information to US government departments. It is unacceptable to many, as Canadian Parliament never adopted or even discussed the Secure Flight program. The European Parliament has raised a number of objections to the program.

Most airlines do not host their own passenger name records (PNR). This is often outsourced to a third-party computerized reservation system (CRS). PNR data is entered through travel agencies, tour operators and travel websites and is stored as a master copy in the CRS. It is the CRS that sends the PNR data to the Department of Homeland Security.

However, there is no data protection law for CRSs in the US. Once a CRS has PNR data, they are legally able to use, disclose, transfer or sell that data, without notice or consent. Currently, CRSs in the US share data with data mining and marketing companies, as well as with PNR processing companies. Since the CRS does not keep as access log on who retrieves the PNRs, it is impossible to determine who has seen passenger information.

Security vs. Privacy?

Canadian airlines currently check all flight manifests against the US no-fly list, a watch list compiled by the FBI and distributed amongst airlines worldwide. This no-fly list contains the names of 16,000 people suspected of terrorist involvement by the US government. According to the Canadian Charter of Rights and Freedoms, the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), it would be difficult to introduce measures such as Secure Flight without considering the following:

The right to privacy is a fundamental right. It cannot be infringed unless it is necessary for the public good.
Collection of personal information can only occur when proven necessary.
Necessity of collection must be assessed continually.
Less privacy-invasive alternatives that fulfill the same purpose should always be considered.

From the Canadian Privacy Commissioner’s perspective, shifting responsibility for checking the passenger manifest from the airlines to the Department of Homeland Security brings privacy safeguards as well as privacy risks. After investigating the Secure Flight program, the Commissioner made the following recommendations to the Canadian government:

Negotiate with US authorities on the collection of minimal personal information.
Determine if the retention periods (seven days, seven years, ninety-nine years for negative, potential and positive matches, respectively) are necessary.
Negotiate robust and accessible redress mechanisms in the case of false positive matches.
Implement measures to support Canadians who must use those redress mechanisms.
Inform Canadian passengers on the scope of information collected and disclosed under the Secure Flight program.
Clarify Canadian law regarding the conditions for disclosure of personal information, in order to ensure public debate and legal certainty.

According to the Privacy Commissioner, the issues of privacy and security are not at odds. They can both be supported at the same time, since privacy protection deems the collection of personal information be kept to a minimum, while the efficacy of security depends on the collection of only relevant information.

Summary

This article explores the issue of aviation security and privacy protection issues in trans-border data sharing. The US Transport Security Administration (TSA), a branch of the Department of Homeland Security, proposed the Secure Flight program, which collects and crosschecks passenger data for all flights to, from or over the US. While it is currently implemented domestically, the TSA intends to launch the program internationally in December 2010. This stands to significantly impact Canadian travelers. The article examines privacy concerns and objections to the Secure Flight program. The Canadian Privacy Commissioner’s responses and recommendations are also highlighted.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Co-regulatory model of privacy protection (II.B.a.)
Regulating activities: processing, transfers, data sharing (II.B.d.)
Enforcement agencies & powers (II.B.e.i.)

RFID Technology

hannah — Tue, 27 Jul 2010 12:00:26 +0000

In recent years, RFID (radio frequency identification) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this article.

What is RFID?

RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor necessary to manually input data and to improve data accuracy.

There are three components in an RFID system:

Tag: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.

Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have the information modified or erased multiple times. Since they offer greater functionality, their price is much higher than read-only tags.

Reader: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.
Infrastructure: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.

How can RFID be used?

RFID technology has and will be applied in a variety of public and private sector organizations. Uses include:

Product Integrity – to ensure that products are authentic and untampered with
Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)
Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services
ID, Travel & Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine
Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)
Patient Care & Management – to rapidly, accurately verify patient information (e.g. allergies, prescription, health history, etc.)

Privacy Issues

According to the Canadian PIAC (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the PIPEDA significantly limits the use of RFID for consumer surveillance purposes.

However, later Office of the Privacy Commissioner of Canada (OPC) research indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:

Repeated collection of information

Since RFID tags are very small, they can easily be embedded on/in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors render it impossible for individuals to know if/when he/she is being scanned.

Tracking Movements

If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning Systems) and RIFD technologies.

Profiling Individuals

RFID technology means that each object has its own unique identification. This contrasts bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.

Secondary Use

Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.

Massive Data Aggregation

RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.

OPC Responses

The OPC recommends that the ten principles of the CSA Model Code, as well as the PIPEDA form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:

Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?
Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.
Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.
Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.
Limiting Use, Disclosure & Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.

Employers should limit the collection of personally identifiable information, including RFID-related data. Data from RFID systems should not be linked to other databases, unless there is a proven need.

Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.
Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to its sensitivity. Employers should be made accountable for any breach of RIFD technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.
Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.
Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.
Challenging Compliance – Individuals ought to be able to challenge compliance with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.

After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects Fair Information Practices:

If the RIFD chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.
If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.
Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.

Summary

This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

CSA Model Code for the Protection of Personal Information (II.A.a.i.)
Radio Frequency Identification (RFID) (V.A.a.5.)
Security threats and vulnerabilities (V.A.b.)
Information management (V.c.i.)

Consumer Authentication in Canada

hannah — Thu, 15 Jul 2010 12:00:44 +0000

Electronic authentication is common in this information-driven society, as daily transactions through electronic services and the Internet require remote electronic authentication. Online transactions are increasingly seamless through the connection of multiple devices which offer services to consumers that were previously unattainable. Many authentication systems collect and use the personal information of users in a way that compromises their privacy and security. Authentication systems must be designed to give consumers more control over their personal information, promoting user security and effective privacy protections.

What is authentication?

Authentication in this context refers to the verification of user identities in an electronic information system. Authentication can be discussed in terms of three factors, or authenticators:

Something that is known by the individual (e.g. a password, personal identification number, account number, etc.)
Something that the individual has (e.g. a bankcard, token, identity card, digital certification, etc.)
Something that the individual is or does (e.g. a biometric, such as a facial image, retinal scan, voice print; or a person’s signature)

Single-factor authentication is the traditional security process. In this type of authentication, the user must provide an authenticator in one of the above categories. For instance, before a user has access to an account, he/she must provide a username and a password. Single-factor authentication is more likely to result in compromised privacy or security.

Two-factor, or multi-factor authentication requires authenticators from two or more of the above categories. For instance, before accessing a system, a user must provide a physical token, such as an identity card and a security code. Authentication that is based on more than one authenticator from the same category is known as multi-layer authentication.

Electronic Authentication in Canada

A 2008 study conducted by the Public Interest Advocacy Center (PIAC) focused on electronic authentication of consumer financial transactions. It established that Canadian consumers were particularly attentive to electronic authentication methods in their daily transactions, which included banking and financial services, airport check-in and online shopping. While many online banking services required two-factor authentication, the most common online authentication is single-factor authentication with a username and password.

A 2004 study revealed consumer frustration with the lack of security provided by online banking services and online retailers. A later 2005 study showed that Canadian consumers were more concerned about security and privacy than their American counterparts; 40% of Canadians avoided online shopping due to security issues, compared to 24% of Americans. The Privacy Commissioner of Canada continues to note concerns with the increasing trend of collection, use and retention of personal data.

Authentication Principles

In May 2004, Industry Canada released the Principles for Electronic Authentication to provide guidance for the development, implementation and use of authentication services and produces in Canada. The Principles complement existing authentication governance through establishing benchmarks for products and services. They also ensure compatibility with international developments in authentication.

The Principles for Electronic Authentication are outlined below:

1. Responsibilities of Participants

Participants in authentication processes should be aware of their functions and responsibilities. Responsibilities should be proportional to the degree of knowledge and control they can reasonably be expected to have. Functions may include: administration, specification, end use, standards development, compliance assessment and infrastructure provision.

2. Risk Management

Any risks associated with authentication processes should be identified, assessed and managed in a reasonable, fair and efficient manner. Risks may include financial risks, loss of confidentiality or privacy, damages to reputation or identity theft. Assessment should be done in the context of the six functions listed in the previous principle.

3. Security

Participants in authentication processes should be responsible and accountable for security. A security incident that only affects a single participant may have implications for all participants. Participants have a responsibility to mitigate risks through sound security practices, but most of this responsibility lies with infrastructure providers and authentication administrators. Review and assessment is essential in ensuring the ongoing efficacy of security programs.

4. Privacy

Organizations involved in the design or operation of authentication processes should comply with data protection regulations set out in privacy legislation. The collection, use and disclosure of personal information in the context of authentication should be minimized. For instance, the authentication of a business should be focused on business attributes, rather than personal attributes of individual employees.

5. Disclosure Requirements

Organizations offering authentication services should disclose information, such as policies, practices and procedures, to other participants. This will ensure that all participants are aware of the risks and responsibilities associated with participation. Disclosure should not include any information that would introduce vulnerabilities or increase risk. The extent and nature of the information disclosed may vary, depending on whether the end user happens to be an individual or an organization.

6. Complaints Handling

Organizations that implement authentication processes should establish a complaints-handling process in order to enable participants to effectively resolve complaints and respond appropriately to non-compliance issues. Adequate complaints-handling processes should reflect the following characteristics: visibility; accessibility; responsiveness; fairness and objectivity; free of charge; confidentiality and privacy; accountability; continual improvement; and third-party dispute resolution processes for unresolved complaints.

Authentication Initiatives Since 2004

Since the publishing of the Authentication Principles, governments and consumer groups have been involved in several electronic authentication initiatives:

The Data Protection Working Party adopted a working document on online authentication services. It studies the efficacy of the Microsoft .NET passport, which reduces the number of accounts a user needs to create and makes more services accessible through a single authentication process.
In June 2007, the OECD released their Recommendation on Electronic Authentication as well as the OECD Guidance for Electronic Authentication, which lists a number of foundational principles for authentication.
In September 2007, the Department of Finance began discussions regarding the expansion of the Debit Card Code to cover a broader array of electronic payments.

Authentication Principles, Revisited

In October, 2008, the PIAC released a report calling for a substantial overhaul to Industry Canada’s Authentication Principles. The report cited the Principles’ widespread failure to provide adequate protection when conducting online business transactions. While consumers are becoming increasingly careful around security and privacy risks online, the report urges federal and provincial governments to play a greater role in the regulatory process.

The following is an outline of some of the criticisms and recommendations made by the PIAC regarding the Authentication Principles:

Criticism: The Authentication Principles provide insufficient assurance of consumer security. Principle #3 is based on security, but it is too vague to be meaningful as it does not indicate how an organization might achieve appropriate security.

Recommendation: Authentication should move beyond multi-layer single-factor techniques. Two-factor authentication provides only minimal security for highly sensitive transactions. One-time-passwords can be provided to the consumer through the financial institution or retailer. This strategy has been implemented internationally, but has yet to be introduced in Canada.

Criticism: The Principles do not clarify who is liable for losses. Consumers should not be held liable.

Recommendation: Standard form contracts must make clear who bears the liability for losses. Banks and retailers should bear the burden of responsibility for unpreventable losses.

Criticism: The Principles fail to adequately protect consumer privacy, especially in light of continually evolving security breaches.

Recommendation: Prioritizing consumer privacy would help to minimize the harm that results from security breaches related to authentication. The Principles should tie in corresponding sections of the Personal Information Protection and Electronic Documents Act (PIPEDA) fair information practices. Sensitive personal information should be used as authenticators only in very limited situations. Consumers should be able to choose the pieces of personal information they use as authenticators.

Criticism: The Principles must mandate full public disclosure and consumer education.

Recommendation: Implementation of authentication processes should be transparent. This includes notifying consumers if the authentication system has changed; making information available before the user creates an account; providing full public disclosure of audits and compliance reviews; providing security breach notification; and providing consumer education.

Criticism: Consumers are not guaranteed protection in a voluntary framework. Consumers need a better regulatory framework to address electronic authentication.

Recommendation: Regulate authentication through sectoral regulation. Strengthen online authentication through implementing two-factor authentication. Regulate authentication in the retail sector. The Privacy Commissioner of Canada should oversee authentication practices.

Summary

This article examines the concept of electronic authentication in a consumer context. Single-factor, two-factor and multi-factor authentication are explored. Industry Canada’s Principles for Electronic Authentication are defined and later criticisms and recommendations are raised. The article also looks at other authentication initiatives that have developed in Canada since 2004.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Security Controls: Authentication (V.A.a.i.)

Youth Privacy in Canada

hannah — Thu, 08 Jul 2010 12:00:36 +0000

Youth privacy is increasingly important, especially in light of how young people adeptly integrate the Internet and online serves into their daily lives. Under the United Nations 1989 Convention on the Rights of the Child, privacy is a basic human right for everyone under the age of 18. In the United States, the FTC passed the Children’s Online Privacy Protection Act in 1998, specifically protecting children under age 13. Canadian privacy legislation – the PIPEDA and the Privacy Act – also ensure that children’s privacy is protected in the private and public spheres. The Canadian Privacy Commissioner has made youth privacy one of the issues to focus on for 2010.

Beliefs & Behaviors

Online environments often raise issues of youth privacy and awareness. Studies have documented that many young Canadians frequently reveal personal information online without thinking of the potential consequences. According to the Media Awareness Network, 80% of youth use the Internet alone. A 2008 Kids Help Line study revealed that 40% of youth were willing to give personal information to someone they only knew online.

A federal Privacy Commissioner’s survey found that almost half of Canadian youth admit that they do not read privacy policies on websites. The majority of youth believe that if a website has a privacy policy, users are assured that the information they provide will not be shared with third parties. Many are unaware that online services may be used to monitor their behavior, or that personal information can be stored and sold to third parties. Although the Commissioner’s study found that many young Canadians do not agree with increased censorship or surveillance, they do want the ability to make more informed decisions about the sites they visit and their online activities.

Privacy Issues: Facebook

In July 2009, the federal Privacy Commissioner completed an investigation of the popular social networking site, Facebook. The investigation was prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC), which identified serious privacy gaps and violations of Canadian privacy legislation. This was an overarching concern for the Commissioner, especially since 12 million Canadians are registered on Facebook, many of them youth.

The Commissioner issued a report identifying a number of key privacy issues with Facebook:

Third-party application developers (of which there are almost 1 million worldwide) have access to personal information beyond what was necessary to run an application. Developers are also allowed to retain users’ personal information even after the user deletes the application.

The option of account deletion was inaccessible to users, which means that Facebook could still retain information in user profiles. Many users confuse account deactivation with account deletion. In situations of account deactivation, Facebook does not inform users that their information is being retained for future use.

Facebook does not obtain the consent of non-users before uploading their personal information to the site (e.g. through photos, videos and wall posts). Non-users are not notified if their personal information is provided to Facebook. When users send invitations to non-users, Facebook collects and retains the email addresses of the non-user indefinitely, without knowledge and consent from the individual.

Users do not have the ability to opt-out of posthumous displays of their profile. Relatives of a deceased user are unable to remove their family member’s profile. Facebook does not clearly explain that user profiles are kept active after death, in order to allow friends to post comments and memorialize the individual.

As a result of the Commissioner’s report, Facebook agreed to make significant technological and policy changes to help its users better understand how their personal information is used and to make more informed decisions about sharing the information. The Commissioner felt that Facebook’s response was a positive step and agreed with its one-year timetable for implementing changes. The Facebook investigation sets expectations for the privacy practices of other social networking sites.

Privacy Issues: Nexopia

A privacy complaint was filed against the Canadian social networking site Nexopia in January 2010. The Public Interest Advocacy Centre (PIAC), an Ottawa-based consumer advocacy group brought the attention to the federal Privacy Commissioner in a 35-page complaint, which identified six violations of the PIPEDA by Nexopia privacy practices. Under the PIPEDA, the Privacy Commissioner has one year to investigate the complaint and deliver findings. The six violations are outlined below:

User profiles and personal information are disclosed to the general public. Non-member visitors can easily access sensitive information, including personal information, comments, blogs, messages and photos. Even with the highest privacy-protective setting on Nexopia, some person information (i.e. username, age, sex and location) will always be available to the public.

Members cannot opt-out of being searchable; the “visible to all” default setting is beyond reasonable expectations and violates the PIPEDA.

Without providing Nexopia with personal information (i.e. username, email address, birth date, sex and location), a user cannot join the Nexopia community. Users are not directed to the Privacy Policy and are not made aware of the ways in which their personal information can be used or disclosed.

While Nexopia uses targeted advertising to generate income, it does not adequately explain its advertising practices. Users do not have meaningful consent as to how their personal information will be used or disclosed. Users do not have the ability to opt-out of the targeted advertising program. According to the Canadian Marketing Association’s (CMA) Code of Ethics, collecting contact information from teens aged 13 to 16 requires opt-in consent. Nexopia fails to incorporate this practice into its information collecting procedures.

Current Nexopia practices regarding the transferring and sharing of personal information with third parties is not transparent.

Nexopia’s information retention policies violate the PIPEDA. For instance, if Nexopia members send email invitations to their non-member friends, Nexopia stores the email addresses the members provide for future use, although the non-members have not given consent to the collection and use of their email addresses. They also do not have the option to unsubscribe from Nexopia invitations or emails. Further, Nexopia reserves the right to retain members’ personal information indefinitely.

Nexopia’s extremely advanced search function presents additional privacy concerns. The PIAC noted that the member search engine is a worrisome tool, as it permits a fine-grained search of its members. For example, the advanced search can allow an individual to search for females between the ages of 13 and 16 who live in a particular city, or attend a specific school and have certain interests. It is clear that the search tool does not respect youth privacy.

Joint Resolution

In response to child and youth privacy concerns, the federal Privacy Commissioner and provincial privacy oversight officials issued a joint resolution, expressing commitment to improving online privacy standards for children and youth. The resolution, released on June 4, 2008, reinforced children’s rights to privacy and described the actions that the Privacy Commissioner and provincial ombudsmen would take. The Offices advocated an education-based approach that would be upheld by partnerships between commissioners, governments, industry and organizations. Some of the steps to be taken included:

Collaboration between Commissioners and ombudsmen on public education activities.
Recommendations on privacy education tools to governments, industry, child/youth advocates, parents and teachers.
Increase stringency of private sector privacy laws regarding online environments for youth/children.
Websites for children/youth to offer privacy policies and user agreements that are clear, simple and easy to understand.
Industry guidance for better privacy practices.
Commissioners and ombudsmen should be accessible to children/youth to lodge a complaint and seek the appropriate resolution.
Collaboration with privacy protection regulators worldwide.

On the same day the resolution was released, the Office of the Privacy Commissioner launched Youth Privacy, an interactive website that offers resources to youth to protect their personal information and their online activities.

Summary

This article introduces the issue of child and youth privacy in Canada. It presents a background of youth beliefs regarding online privacy and their privacy protecting behaviors. The article explores two online social networking sites that compromise youth privacy – Facebook and Nexopia. Finally, the article discusses the federal Privacy Commissioner’s and provincial ombudsmen’s responses to issues of youth privacy protection.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Personal Information Protection and Electronic Documents Act of Canada: PIPEDA (III.A.a.)
Canadian Private Sector Laws & Practices: privacy incidents (III.B.g.)
Online Privacy: online data collection (V.B.C.)
Children’s online privacy: parental consent, age restrictions (V.B.f.)

CSA Model Code

hannah — Tue, 29 Jun 2010 12:00:41 +0000

In March 1996, the Canadian Standards Association (CSA) published the Model Code for the Protection of Personal Information. Canada was the first country in the world to establish a voluntary, national standard for personal information protection.

The Model Code was largely based on the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the Organization for Economic Cooperation and Development (OECD). While the Code remains a voluntary standard, it enjoys strong support and endorsement by a variety of Canadian companies as the national standard on privacy protection.

In April 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) became law. The CSA Model Code forms an important component of the PIPEDA.

What is the CSA?

The CSA is an independent, not-for-profit association that aims to serve national and international businesses, industries, governments and consumers. As a leader in standards development, the CSA involved with product certification; quality and environmental management systems registration; and information products. The CSA is a membership organization governed by a Board of Directors who are both elected and appointed.

Standards are written and developed by volunteer committees made up of representatives from government, industry, consumer groups and users. Committees are facilitated by CSA employees and use a consensus-based approach to decide on the contents of a standard and to determine if the standard will be published.

Developing the Code

The Code intends to balance the privacy rights of individuals with legitimate data requirements of industries, businesses and institutions. It was developed by a 45-member committee with representatives from the main groups concerned with personal privacy issues in Canada. Committee representatives included:

Federal and provincial governments
Consumer advocates
Organized labor
Security and IT experts
Industries including:
- Financial services
- Telecommunications
- Cable television
- Direct marketing

What does the Code say?

The Code outlines basic guidelines for the protection of personal data. It addresses two main issues:

I) How organizations collect, use, disclose and protect personal information.

II) How individuals access and correct personal information collected by the organizations.

Organizations who choose to follow the Code demonstrate that they are handling the information they collect fairly. The Code offers consumers, employees and other data subjects a means for challenging an organization’s practices.

The Code is based on ten interrelated principles:

1. Accountability

This principle states that an organization is responsible for personal information under its control. The organization should designate an individual or individuals to be accountable for the organization’s compliance with the principles stated in the Code. An organization needs to implement policies and practices that will help them respect the principles.

2. Identifying Purposes

An organization should identify the purposes for collecting information at or before the time of collection. This will enable the organization to determine which information needs to be collected in order to meet their needs. This goes hand in hand with the Limiting Collection principle (#4). Depending on the manner in which information is collected, this principle can be fulfilled orally or in writing. For example, an application form may explain the purposes of information collection to an individual.

3. Consent

Where it is appropriate, an individual must have knowledge of and give consent to the collection, use or disclosure of personal information. An organization should make a reasonable effort to inform individuals of the purposes for collecting information. Consent should be meaningful; the purposes should be explained in such a way that the individual can reasonably understand the use and disclosure of their personal information. Individuals are entitled to withdraw consent at any time.

4. Limiting Collection

Personal information should only be collected as necessary for the purposes that the organization has identified. This includes limiting the amount and type of information. The information should be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention

An organization should not use personal information for new purposes, unless it has the consent of the individual, or as required by law. Personal data should only be retained as long as is necessary to fulfill the organization’s stated purposes. An organization should develop specific guidelines and procedures governing the destruction of personal information.

6. Accuracy

In order to meet the intended purposes, personal information should be accurate, complete and up-to-date. This principle aims to minimize the possibility that incorrect information is used to make a decision about an individual. This also applies to information disclosed to third parties.

7. Safeguards

An organization should implement appropriate security safeguards to protect the personal information collected. The appropriate safeguard should be determined by the sensitivity, amount, distribution, format and method of storage of the information. Employees in the organization should be aware that confidentiality of personal information should be maintained.

8. Openness

An organization should be open about its personal information policies and practices. Individuals should be able to access an organization’s policies and practices relatively easily. The method of disseminating such information depends on the nature of the organization. This may include brochures, mail to customers, online access or toll-free information lines.
9. Individual Access

Individuals should be informed of the existence, use and disclosure of their personal information. Individuals should have access to their personal information and be able to question and correct the accuracy and completeness of this information.

10. Challenging Compliance

Individuals should be able to challenge an organization’s compliance with the above principles. The person accountable for an organization’s compliance will be responsible for dealing with inquiries, challenges or complaints. An organization should investigate all complaints and if it is necessary, adjust its policies and practices appropriately.

Implementation

The Code is meant to be used by any organization that collects or uses personal information. Such organizations may include:

Financial institutions
Service providers
Retailers
Direct marketers
Telecommunications companies
Product manufacturers
Schools
Universities
Hospitals
Government agencies

As organizational compliance with the Code is purely voluntary, organizations may incorporate the ten principles in its policies to varying degrees. The Quality Management Institute (QMI) has a program that recognizes three levels of compliance:

Tier 1: Declaration

An organization declares its compliance with the code by signing a code of ethics or statement of their information protection principles.

Tier 2: Verification

An organization submits documented policies and procedures to the QMI, which may conduct on-site audits in order to confirm compliance with the Code.

Tier 3: Registration

The QMI reviews the organization’s documentation and carries out an audit. This establishes compliance with the CSA Model Code and with ISO 9001 or 9002.

Blind Spots

Since its introduction, a number of critiques of the Code have arisen. Many of these critiques point to the vagueness in interpretation, which have led to confusion, loss of confidence and decreased utility of the Code. Due to differences in meaning and application of the Code, a number of cases have been taken to the Canadian Privacy Commissioner. This process is slowly eliminating some uncertainties in the Code.

Some gray areas of the Code include:

The issue of collecting personal information from or about children is not mentioned.
Different types of consent are not distinguished (e.g. express, implied and deemed consent).
The Code does not elaborate upon the issue of notice. What constitutes a reasonable effort to advise an individual on collection of personal information?
It is unclear if retention of personal information constitutes a “use” under the Code. If so, retention would require consent from the individual.
The Code does not require businesses to explain the purposes of personal information collection to its customers. This has led to widespread failure of customer service representatives to reasonably explain the purposes of information collection to the ordinary consumer.
The principle of openness is only encouraged, rather than required.

Summary

The CSA Model Code for the Protection of Personal Information presented a foundation for Canadian privacy protection legislation, such as the PIPEDA. A number of Canadian businesses and organizations have modeled their own privacy codes, policies and practices on this standard. Individuals have also used the Code to understand their privacy rights and protect their personal information. Over time, provisions in need of greater clarity or strengthening have been identified in the CSA Code.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Canadian Standards Association (II.A.a.)
Model Code for the Protection of Personal Information: CAN/CSA-Q830-96 (II.A.a.i.)

Personal Health Information Protection Act (PHIPA)

hannah — Tue, 22 Jun 2010 12:00:43 +0000

The Personal Health Information Protection Act (PHIPA) represents a comprehensive model for the protection of personal health information in the province of Ontario. The PHIPA is one of parts of the Health Information Protection Act, the other being the Quality of Care Information Protection Act.

About the PHIPA

The PHIPA was enacted November 1, 2004 and outlines privacy policies and practices for health information custodians in the province of Ontario. It was necessary to develop the appropriate legislative provisions for Ontario health care providers to ensure the privacy of personal health information in a way that is consistent with effective health care services. The purposes of the PHIPA are as follows:

To establish regulations for the collection, use and disclosure of personal health information in a manner that protects the confidentiality of the information and the privacy of the individuals in question.
To provide individuals with the right to access personal health information about themselves and to correct or amend such information, subject to certain exceptions.
To provide independent review and resolution of personal health information complaints.

Under the PHIPA, personal health information is defined as identifying information about an individual, whether it is recorded or unrecorded. This may include information regarding:

Physical or mental health records of the individual
Family health history
Identification of an individual as a health care provider
Plan of service
Payments or eligibility for health care
Donation of body parts or bodily substances
Individual’s health number
Identification of individuals’ substitute decision-maker

The PHIPA primarily applies to the management and safeguarding of personal health information under the responsibility of health information custodians. A health information custodian is defined under the PHIPA as:

Health care practitioners, as individuals or a group practice (e.g. a physician, dentist, nurse, social workers; any person whose primary function is to provide health care for payment)
Persons or organizations that provide a community health service
Community care access centers
Public or private hospitals
Psychiatric facilities
Long-term care facilities
Pharmacies
Laboratory or specimen collection center
Ambulance service
Board of health
Ministry of Health and Long-Term Care

Agents of health information custodians are individuals authorized by the custodian to fulfill functions related to the personal health information. Agents may work on a paid or voluntary basis. Agents of health information custodians may include:

employees
independent contractors engaged by the custodian
volunteers
students

Responsibilities for Health Information Custodians

Under the PHIPA, all health information custodians are held responsible for protecting personal health information under their control. This means that custodians and their agents may only collect, use, disclose, retain or dispose of personal health information as it is permitted under PHIPA.

For health information custodians who are not individuals (e.g. hospitals, community centers, pharmacies), a contact person must be designated to be responsible for PHIPA compliance. This individual is responsible for the proper oversight and accountability of health information privacy practices and policies.

A written statement from the custodian must be made available and accessible to the public. This statement must describe:

The custodian’s information practices
How to contact the privacy contact person
How to gain access to or request correction of a health record
How to make a complaint under the PHIPA

The health information custodian must take reasonable precautions to ensure that the personal health information is protected against theft, loss, unauthorized use or unintended disclosure. The information must also be protected against unauthorized copying, modification or disposal. In the case of such events, the health information custodian must take steps to inform the individual of the occurrence at the first reasonable opportunity.

Obtaining Consent

Before collecting, using or disclosing personal health information, the custodian is obliged under the PHIPA to obtain the individual’s consent. Such consent is described as:

Being from the individual or authorized substitute
Knowledgeable, meaning that the individual reasonably knows the purpose for the collection, use and disclosure of the information, as well as his/her right to withhold consent
Related to the information
Not obtained through deception or coercion

The consent may be express or implied. In situations of implied consent, a health care custodian assumes that the individual has given consent for the sharing of his/her health information in order to provide health care. In such situations, no consent form is required. In practice, the PHIPA permits health care custodians to assume implied consent to collect, use or disclose health information, unless the individual states otherwise.

In other situations, health care custodians are required to request oral, written or electronic consent before sharing personal health information. This is referred to as express consent. The PHIPA does not require a specific form of express consent. However, an individual may withdraw his/her consent at any time. His/her withdrawal cannot have retroactive effects.

Interaction with other Legislation

Although the federal Personal Information Protection and Electronic Documents Act, the PIPEDA was passed just a few months before the PHIPA, it was noted that the provisions made in the PIPEDA were especially problematic for health sector stakeholders. The PIPEDA was not developed with consideration for the needs of health care or for the organizations that collect, use or disclose personal health information.

The general rule is that where there are conflicts between the PHIPA and any other legislation, the PHIPA will prevail, unless both legislations can be upheld, or unless otherwise specified. However, there are certain situations that the PHIPA does not interfere with:

Legal privileges, such as lawyer-client privilege or mediation privilege.
Law of evidence.
Power of a court of tribunal to compel testimony or evidence.
Law or court orders prohibiting publication of information.
Regulatory activities of a body of a health profession or social workers.

In December 2005, the PHIPA was declared to be substantially similar to the PIPEDA, which exempted health information custodians in Ontario from the regulations and provisions of the PIPEDA, regarding the collection, use and disclosure of personal information.

Substantially similar legislation provides privacy protection that is consistent with and to an equal or higher level as the federal PIPEDA. Such legislation incorporates the ten principles outlined in the PIPEDA (i.e. accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance).

Filing Complaints

Individuals who are dissatisfied with a health information custodian’s management of their personal information may choose to file a complaint with the Information and Privacy Commissioner of Ontario (IPC). The IPC of Ontario is an independent and non-partisan body appointed by the Ontario Legislature. The Commissioner is responsible for ensure that health information custodians are upholding the PHIPA and other provincial privacy legislation.

The IPC of Ontario has the authority to investigate and make rulings about complaints. The following are possible reasons for filing a complaint under the PHIPA with the IPC:

Health information custodians or their agents have collected, used or shared personal health information in a manner that is contrary to the PHIPA.
An individual’s request to access his/her personal health record has been denied.
An individual’s request to correct his/her personal health information has been denied.

While health information custodians are obliged under PHIPA to correct incomplete or inaccurate health records, they are not required to change processional health opinions or to correct records created by other health care providers.

After receiving the complaint, the IPC may choose to take the following steps:

Encourage the individual to resolve the complaint directly with the health information custodian.
Authorize a mediator to review the complaint and attempt to negotiate a settlement.
Review the complaint if there are reasonable grounds. The IPC may receive evidence and information necessary for review.
Make orders requiring compliance with the PHIPA, to grant an individual access, to make a requested correction or to implement a specific health information practice.

Only the Attorney General may initiate a prosecution for an offence under the PHIPA. Such offences include:

Collecting, using or disclosing personal health information in violation of the PHIPA.
Disposing personal health records in order to evade a request for access.
Obstructing the IPC or an agent of the IPC from carrying out his/her functions.
Making false statements to the IPC.
Failing to comply with an IPC order.
Requesting access to or correction of a health record under false pretences.

Offences against the PHIPA can result in fines up to $50,000 for individuals and up to $250,000 for corporations.

Summary

This article discusses the Personal Health Information Protection Act, or PHIPA (2004), which applies to the collection, use and disclosure of personal health information by health care providers in the province of Ontario. The article describes the responsibilities of providers and rights of individuals under the PHIPA and examines the procedure and policies enabling recourse under the PHIPA.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Health Information Privacy and the Private Sector: The Personal Health Information Protection Act (III.C.)

Provincial Privacy Legislation

hannah — Thu, 17 Jun 2010 12:00:50 +0000

The Privacy Commissioner of Canada is mandated to oversee compliance with the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), a number of provinces have had their own private sector privacy legislation declared as substantially similar to federal statutes. A number of provinces have Privacy Commissioners Offices and Ombudsmen who work in conjunction with the federal Privacy Commissioner of Canada. They are responsible for the protection of personal information rights of Canadians under specific provincial legislation. Thus, provincial Commissioners must negotiate concurrent or overlapping jurisdiction with the federal Privacy Commissioner.

Alberta PIPA: About

The Personal Information and Protection Act (PIPA) of Alberta was enacted January 1, 2004 and declared substantially similar to the PIPEDA on October 12, 2004. This legislation aims to protect personal information in the private sector. The Government of Alberta recognized that private sector privacy legislation had come to the forefront, as a result of numerous technological advances that allowed organizations to store and manipulate large amounts of personal information. As there already had been legislation in place to regulate the privacy in the public sector, it became increasingly important to ensure that the private sector abides by similar guidelines.

In the process of creating the PIPA, 100 organizations and business associations were consulted. The following needs were established as a result of the consultations:

industry and government to work together
harmonize legislation across jurisdictions
regulate management of employee information
minimize cost of implementation
government to provide resource materials

Public opinion polls were also conducted during 2002, showing strong support for such legislation.

Alberta PIPA: Purposes

The purpose of the PIPA is to regulate collection, use and disclosure of personal information by organizations in a way that recognizes the individual’s rights as well as meeting the organization’s reasonable needs.

The PIPA applies to any personal information that is not under the control of a public body. For instance, the PIPA does not apply to collection, use or disclosure of personal information that is:

for personal or domestic purposes only
for artistic, journalistic or literary purposes
health information
information contained in a court file, record of a judge, master in chambers, a justice of the peace
information about an individual who has been dead for at least 20 years

The PIPA of Alberta does not apply to all organizations in the same way. Non-profit organizations in Alberta are only subject to the PIPA for their commercial activities. The PIPA also specifies provisions for an approved privacy code to apply to specific professional regulatory organizations. These privacy codes replace certain sections of the PIPA. In the case of transborder flows of personal information, this would be under the jurisdiction of the PIPEDA.

Alberta PIPA: Requirements & Redress

In order to ensure compliance with the PIPA, organizations must have at least one individual that is responsible for compliance with the PIPA. The organization must also develop and implement reasonable policies and practices to help meet its responsibilities under the Act.

Other key requirements of the PIPA include:

Organizations may only collect personal information to an extent that is reasonable for the purposes it is being collected.
Organizations may use or disclose personal information for the purposes that it was originally collected, unless they obtain consent from the individual.
Organizations must ensure the information is complete and accurate.
Organizations must make reasonable security arrangements to protect the information.
Organizations must allow the individual access to the personal information, and make corrections, for a reasonable fee.

If an individual believes that their personal data has been collected, used or disclosed in a manner that contradicts the PIPA, this individual can make a formal complaint to Alberta’s Information and Privacy Commissioner, who has general oversight of the PIPA. The Commissioner has the authority to conduct investigations, hold inquiries and issue binding orders. The Commissioner also oversees compliance with other provincial privacy legislation – the Freedom of Information and Protection of Privacy Act and the Health Information Act.

Under the PIPA, there are three processes of redress.

The individual can file a complaint to the Office of the Information and Privacy Commissioner against the organization. The Office staff would then investigate and attempt to mediate the situation. If a solution cannot be found through mediation, then the Commissioner may decide to hold an inquiry. Out of this, the Commissioner will issue an Order, determining if the organization is at fault. It is most common for complaints to be dealt with in this manner.
Under the PIPA, fines may be assessed by the provincial courts. Fines would only be imposed if the organization or individual is found guilty of an offense under the PIPA. Such offenses would include deliberate actions to violate the PIPA, for example, hacking into a database to access clients’ credit card numbers.
An individual may choose to sue an organization or another individual for damages of loss or injury. This would take place after the Commissioner has made an Order against the organization in question. An individual can only sue for damages if they have been convicted of an offense under the PIPA.

British Columbia PIPA: About

British Columbia has had its own provincial privacy legislation – the Freedom of Information and Protection of Privacy Act (FOIPPA) – since 1993. The FOIPPA regulates collection, use and disclosure of personal information by public bodies. Concern was raised that the province also required a separate legislative framework that applied to the protection of personal information for the private sector.

In response to the federal government’s enactment of the PIPEDA, the province of British Columbia decided to introduce its own Personal Information Protection Act (PIPA) which regulates collection, use and disclosure of personal information by private organizations. The PIPA of British Columbia was declared substantially similar to the PIPEDA on October 12, 2004.

British Columbia PIPA: Redress

Should there be a dispute as to the application of the PIPA an individual may decide to file a complaint with the Information and Privacy Commissioner of British Columbia. The Commissioner is responsible for monitoring how the PIPA is being administered to ensure it achieves its purposes. The mandate of the Commissioner includes the following authorities:

complaints against organizations
reviews of decisions made by organizations
inquiries relating to complaints and reviews
extend the period of time for responding to requests for access to or correction of personal data
authorization to disregard requests for access or correction of personal information

The Commissioner’s central objective is to achieve direct communication between the individual and the organization in question. This method of resolution will be the initial and priority method in the case of complaints under the PIPA.

Similarities & Differences

The PIPAs of Alberta and British Columbia share many similarities and key requirements. Both pieces of legislation apply to provincially-regulated private sector organizations. Both also cover employee information that is held by provincially-regulated organizations.

Unlike the PIPA of Alberta, the PIPA of British Columbia applies in the same way to all organizations that are subject to it. However, in the case of transborder personal information flows, these would fall under the jurisdiction of the PIPEDA.

Managing Interprovincial Transborder Data Flows

Interprovincial transborder data flows occur when personal information is transmitted from one province to another. Some examples may include:

Selling a mailing list from one province to another
Sending customer data to a loyalty program in another province
Processing client accounts in at a branch located in another province

The federal PIPEDA applies to organizations conducting commercial activities internationally. The PIPEDA will not apply to organizations if the organization:

Operates in a province with private sector privacy legislation (e.g. Alberta, British Columbia).
Has other operations which are not commercial in nature.
Is not a federal work, undertaking or business and the information is the personal data of employees.

In certain cases, the collection, use or disclosure of personal information may be subject to both provincial privacy legislation as well as the PIPEDA. For instance, one part of a transaction (e.g. the collection of information) falls under the Alberta PIPA, while another part of the transaction (e.g. the use) is subject to the PIPEDA. The organization would have to compare the provincial and federal legislation. Usually there will be one that is more stringent. The rule of thumb is to comply with the more stringent requirement, as it would likely ensure compliance with both federal and provincial legislations.

In the event that a complaint falls under the jurisdiction of more than one Privacy Commissioner’s Office, the Offices are responsible for coordinating efforts to ensure that there is a productive, harmonized approach to conflict resolution. The federal Office has a Memorandum of Understanding with the Offices in Alberta and British Columbia to ensure cooperation and collaboration, and to prevent duplication of efforts.

Summary

This article discusses two substantially similar provincial legislations that protect private sector privacy rights. These are the PIPA of Alberta and the PIPA of British Columbia. The article describes the purposes, regulations and means of redress for each piece of legislation. It also explores situations which may be regulated by a number of laws, such as transborder data flows.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Personal Information Protection Act of Alberta (III.A.b.)
Personal Information Protection Act of British Columbia (III.A.c.)

Provincial & Territorial Privacy Commissioners

hannah — Tue, 15 Jun 2010 12:00:35 +0000

In addition to Canadian Federal privacy legislation – the Privacy Act and the Personal Information Protection and Electronic Documents Act, or PIPEDA – a number of Canadian provinces have also established their own substantially similar privacy statutes. Organizations operating in these provinces must respect the provincial legislation with respect to the collection, use or disclosure of personal information as well as the other federal regulations.

Provincial & Territorial Privacy Laws

As Canada’s privacy protection model takes a co-regulatory approach, a number of provinces and territories have established legislation with respect to the collection, use or disclosure of personal information within private sector organizations in that specific province or territory. While federal governments have jurisdiction over matters that are national, international or interprovincial, the provincial and territorial governments are responsible for exercising jurisdiction over local matters.

While certain provincial laws apply to the provincial public sector, some provinces have developed laws that apply to the private sector as well. Below is an outline of the provinces and territories with privacy protection legislation:

Alberta

Freedom of Information and Protection of Privacy Act (2000)
Health Information Act (2001)
Personal Information Protection Act (2004)*

British Columbia

Freedom of Information and Protection of Privacy Act (1996)
Personal Information Protection Act (2004)*
Privacy Act (1996)
Personal Health Information Access and Protection of Privacy Act, or Bill 24: E-Health Act (2008)

Manitoba

Privacy Act (2008)
Freedom of Information and Protection of Privacy Act (1997)
Personal Health Information Act (1997)

New Brunswick

Protection of Personal Information Act (1998)

Newfoundland & Labrador

Access to Information and Protection of Privacy Act (2002)
Privacy Act (1990)
Personal Health Information Act (to be proclaimed)

Nova Scotia

Freedom of Information and Protection of Privacy Act (1993)

Ontario

Prince Edward Island

Freedom of Information and Protection of Privacy Act (2001)

Quebec

Saskatchewan

Freedom of Information and Protection of Privacy Act (1990)
Health Information Protection Act (1999)
Local Authority Freedom of Information and Protection of Privacy Act (1990)
Privacy Act (1978)

Northwest Territories

Access to Information and Protection of Privacy Act (1994)

Nunavut

Access to Information and Protection of Privacy Act (1994)

Yukon

Access to Information and Protection of Privacy Act (2002)

Substantially Similar Legislation

In the list above, provincial legislation marked with an asterisk (*) have been declared substantially similar to the PIPEDA, which is the federal legislation that governs the collection, use or disclosure of personal information by private sector organizations. According to the declaration, substantially similar laws provide privacy protection consistent with and to an equivalent level as the PIPEDA.

This means that these provincial legislations must incorporate the ten principles in the PIPEDA (i.e. accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance).

Substantially similar laws also must establish an independent and effective oversight body, a Privacy Commissioner, with the authority to investigate violations, seek redress and restrict the collection, use and disclosure of personal data.

Organizations in Alberta, British Columbia, Ontario and Quebec are subject to provincial privacy protection legislation, thus are exempt from parts of the PIPEDA. However, the PIPEDA continues to govern the collection, use and disclosure of personal data with regards to federal work and information outside of those provinces.

In order to qualify as substantially similar, provincial legislation must undergo evaluation by the federal Privacy Commissioner. The Privacy Commissioner rules if the legislation is equal to or superior to the federal law in terms of the quality of privacy protection it can provide. The federal law represents the threshold.

Provincial Privacy Commissioners: Roles & Responsibilities

Provincial Privacy Commissioners and their respective Offices are established to fulfill the mandates created under provincial privacy legislation. They function independently and offer resources, information and assistance to the public in privacy protection and access of personal information. Privacy commissioners have regulatory powers and oversight responsibilities for provincial privacy legislation.

Provincial Privacy Commissioners are appointed by their provincial Legislative Assembly. As officers of their provincial Legislature, they are responsible for reporting to the Assembly. Privacy commissions function independently from the government.

Under substantially similar privacy legislation in the provinces of Alberta, British Columbia, Ontario and Quebec, provincial Privacy Commissioners have the authority to:

Investigate, mediate and resolve access to information disputes and privacy complaints.
Investigate the ways in which personal data is collected, used and disclosed to ensure compliance with privacy legislation.
Issue binding orders.
Conduct audits to ensure compliance with privacy legislation.
Authorize collection of personal information.
Research areas of information access and privacy rights.
Analyze access and privacy implications of proposed legislation, programs and policies.
Issue findings on privacy implications of new technologies.
Increase public awareness on information access and privacy rights.

Ombudsman Legislation

Provinces without substantially similar privacy legislation, or without Privacy Commissioners, rely on an Ombudsperson and his/her Office to resolve privacy issues. Provinces with an Office of the Ombudsman include Manitoba, New Brunswick and Yukon Territory.

The Ombudsperson is appointed by a committee of their provincial Legislature. This person functions as an independent, non-partisan Officer of their provincial Legislative assembly. He or she is responsible for:

Investigating privacy complaints made by individuals who believe they have been unfairly dealt with. Such investigations may be conducted of government departments, municipalities, school districts, district education councils, regional health authorities, Crown agencies and provincial agencies. Investigations are independent and confidential in nature.
Resolving complaints informally, if and when appropriate. If complaints cannot be resolved informally, the Ombudsperson must make a recommendation to the appropriate authorities.
Conducting a systemic review on principles of administration and compliance with access to information and privacy rights.
Promoting principles of fairness, equity, openness and accountability in governing bodies with regards to privacy protection.

As a result of investigations or reviews, the Ombudsperson has the authority to make a finding, facilitate a resolution or make a recommendation for corrective actions. However, the Ombudsperson cannot require the government to act. Furthermore, the Ombudsperson is not authorized to investigate complaints regarding any of the following areas:

Federal government
Judges and functions of any court
Criminal matters
Private companies and individuals
Matters of the Executive Council, or related committees

Collaboration

The federal Office of the Privacy Commissioner, the Information and Privacy Commissioner of Alberta and the Information and Privacy Commissioner of British Columbia share responsibilities for private sector privacy legislation. As of 2008, they have agreed upon a Memorandum of Understanding, which supports federal and provincial collaboration and cooperation. This enables the federal and provincial Privacy Commissioners to achieve the following objectives:

Leverage the resources of all three Offices to maximize ability and impact and reduce overlap and inefficiencies.
Improve knowledge sharing and develop relationships between the Offices to provide consistent, coordinated, efficient oversight of private sector privacy.
Carry out Privacy Commissioners’ joint instructions.

Collaboration between the Offices is focused on the following four areas:

1. Enforcement

The Offices will identify and respond to enforcement issues through a process of coordinated consultation.

2. Policy

The Offices will identify common principles and areas of mutual policy interest.
The Offices will consult with each other to develop and implement appropriate strategies.
The Offices will focus on emerging privacy issues to ensure relevant, proactive and consistent responses as much as possible.

3. Public Education and Compliance Resources

Public education initiatives will be developed in a collaborative manner, where appropriate and where resources allow.
This will ensure consistency in private sector privacy compliance.

4. Information Sharing

This will take place on areas of mutual interest to increase knowledge and understanding.

In order to achieve the above objectives, the Offices have set up the Private Sector Privacy (PSP) Forum. Each Office is committed to sending representatives to participate in the Forum’s monthly and annual meetings. The PSP Forum is responsible for carrying out the following activities:

Develop protocols for information sharing; determining jurisdiction; transferring complaints; carrying out parallel and joint investigations.
Find opportunities to develop collaborative policy and public education programs.
Identify opportunities for collaborating on internal protocols, including templates, reporting formats and case management systems.
Consult on issues of jurisdiction between Offices, regarding dispute resolution.
Participate in staff exchanges.
Sponsor, support and participate in conferences and other training events.

Summary

This article discusses the roles, responsibilities and mandates of provincial Privacy Commissioners and their Offices. It examines how their jurisdiction is different from the Federal Privacy Commissioner and the OPC. The concept of “substantially similar” legislation is defined and outlined. Finally, the article explores areas and mechanisms for collaboration between provincial and federal privacy commissioners.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Canadian government and legal system; division of powers (I.A.a.ii.)
Office of the Federal Privacy Commissioner (II.B.e.i.1.a.)
Provincial and Territorial Privacy Commissioners (II.B.e.i.1.b.)
Canadian Private Sector Laws (III.A.)

Personal Information Protection and Electronic Documents Act (PIPEDA)

hannah — Thu, 10 Jun 2010 12:17:21 +0000

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal legislation governing the collection, use and disclosure of personal information by private sector organizations. It also regulates the use of electronic documents while supporting e-commerce.

About the PIPEDA

The PIPEDA was enacted on April 13, 2000 in order to promote and support consumers in e-commerce. The PIPEDA was based on the Canadian Standards Association’s Model Code for the Protection of Personal Information. It also intended to reinforce the privacy protection mechanisms and practices which reflected European Union privacy directives. The PIPEDA was implemented in a number of phases over a three-year period beginning in January 2001. It has been fully in force since 2004.

The PIPEDA applies to every organization with respect to the collection, use and disclosure of personal information in commercial activities. It also applies to federal works, with respect to personal information of employees. It requires organizations to comply with ten key principles:

Accountability
Identifying purposes
Consent
Limiting collection
Limiting use, disclosure and retention
Accuracy
Safeguards
Openness
Individual access
Challenging compliance

However, certain provincial legislation in Alberta, British Columbia, Quebec and Ontario has been deemed substantially similar to the PIPEDA. As a result, privacy issues in the private sector of these provinces fall under the jurisdiction of provincial legislation. In these provinces, the privacy protection of personal information is subject to provincial legislation, unless:

a) the organization is a federal department, work or business

b) the information is disclosed outside of the originating province throughout the course of the commercial activity

Even in Alberta, British Columbia, Quebec and Ontario, the PIPEDA still applies to organizations under federal jurisdiction including companies in:

agriculture
banking
transportation
telecommunications

The PIPEDA defines personal information as:

Factual or subjective information, recorded or unrecorded, about an identifiable individual
Name, race, ethnicity, religion, marital status, education level
E-mail addresses, e-mail messages, IP addresses
Medical records: age, height, weight, blood type, DNA code, fingerprints, voiceprint
Financial information: income, purchases, spending habits, credit/debit card data, banking information, tax returns, credit reports
Social Insurance Number (SIN), or other identification numbers

Organizations’ Responsibilities under PIPEDA
Under the PIPEDA, organizations are obliged to follow a code regarding the protection of personal information. These provisions include, but are not limited to:

1. Accountability

Complying with all ten principles of the PIPEDA.
Appointing an individual to be responsible for compliance with privacy.
Protecting information transferred to a third-party.
Developing and implementing privacy policies and practices in line with the PIPEDA.

2. Identifying purposes

Identify and document the purpose and usage of personal information.
Inform the individual about the purpose and usage of the personal information.
New purposes for the information should be identified and consented to.

3. Consent

Ensure the individual is informed of the purposes, use or disclosure of the personal information in a meaningful way.

4. Limiting collection

Personal information should not be indiscriminately collected.
Individuals should not be deceived or misled regarding the purposes for collecting their personal information.

5. Limiting use, disclosure and retention

Personal information should be held only as long as necessary to meet the stated purposes.
Appropriate guidelines and procedures should be designed and implemented for retaining and destroying personal information.
Personal information used to make decisions about individuals should be held for a reasonable time, in order to allow the person to access or change the information.

6. Accuracy

Minimize incorrect information by keeping personal information databases accurate, complete and up to date.

7. Safeguards

Protect personal information databases against loss of theft.
Prevent unauthorized access, disclosure, copying, use or modification of personal information, regardless of the format in which it is held.

8. Openness

Inform stakeholders of privacy policies and practices.
Ensure policies and practices are available and accessible.

9. Individual access

Individuals should be informed if personal information about them is held, for what purposes and the scope of disclosure.
If requested, individuals should have access to information and be able to correct or complete personal information records.

10. Challenging compliance

Complaint procedures should be simple and accessible.
All complaints should be investigated.
Appropriate measures should be taken to correct privacy policies and practices.

Individuals’ Rights under PIPEDA

Although many private sector organizations must legitimately collect personal information, they are also obliged to manage such information in a way that safeguards clients’ and employees’ privacy. The PIPEDA was designed and enacted in order to enable individuals to find and maintain a certain level of control over their personal information in the private sector.

The following rights of the individual are protected under PIPEDA:

Individuals have the right to know and understand the reasons why a private sector organization collects, uses or discloses their personal information. The purposes for information collection should be reasonable.
Individuals can also expect such an organization to collect, use or disclose their personal information in a reasonable and appropriate manner.
Organizations are only authorized to collect personal information with the consent of the individual in question.
Individuals can expect organizations to protect personal information with the appropriate security safeguards and to destroy the information when it is no longer necessary for the original, stated purposes.
Individuals have the right to access their personal information and to change it if it is no longer accurate, complete or up to date.

Filing Complaints under PIPEDA

The PIPEDA gives individuals the right to file a complaint in situations where the organization may be violating any aspect of the PIPEDA. This may mean that an individual is denied access to his/her personal information, or if the organization chooses not to correct outdated or incomplete personal information, or if the individual believes that his/her personal information has been improperly collected, used or disclosed.

The following outlines the necessary steps an individual should take to file a complaint under the PIPEDA:

The individual should attempt to settle the disagreement directly with the organization in question. Under the PIPEDA, organizations are required to have a member of staff responsible for privacy protection and privacy-related complaints.
The individual should file a complaint with the organization’s industry association (e.g. the Canadian Marketing Association, the Canadian Institute of Chartered Accountants, etc.). Usually, these associations have an ombudsperson or complaints office.
The federal Privacy Commissioner is an independent ombudsman who resolves privacy disputes through the processes of negotiation, mediation and conciliation. Filing a complaint with the Privacy Commissioner will begin the process of investigation and resolution.
The Commissioner has the authority to request personal information or adjust personal information held by the organization. The Commissioner can also recommend that the organization correct its privacy practices and policies.
Finally, if the individual’s concerns have not been satisfactorily resolved, he/she may choose to take the complaint to the Federal Court of Canada. Alternatively, the Privacy Commissioner may take the complaint to court on behalf of the individual. The Court may award compensation for damages to the individual.

Recent Developments of PIPEDA

In 2008, the Privacy Commissioner published a number of findings regarding the PIPEDA. These were based on research and court decisions and reflect the manner in which the PIPEDA has been applied since its enactment. Most of these findings involved the following themes:

Scope of Application

Since its enactment in 2001, the definition of “personal information” has evolved and now includes photographs, business e-mail addresses; employee identification numbers.
The definition of “commercial activity” was also expanded and is now determined by the institution’s core activity and whether or not one of its objectives is to earn a profit for the owners.

PIPEDA Beyond Canada

Such concerns were raised as a result of increasing cross-border activities, including outsourcing arrangements and the disclosure of banking information to international institutions.

Surveillance Phenomena

This is one of the more contentious issues under the PIPEDA.
Organizations often use surveillance to prevent or deter crime or employee misconduct. This is problematic given the provisions for consent, as well as demonstrating their purpose for collection of personal information.

Emerging Technologies

The PIPEDA does not address specific types of technologies.
A number of concerns have arisen around developing technologies, such as biometrics and GPS.

Data Breaches & Security Measures

A number of high-profile data breaches have recently come into the focus of the public eye.
While the PIPEDA requires organizations to implement safeguards appropriate to the sensitivity of the personal information, it does not specify the nature and level of security required.

Careless Disclosures & Ongoing Employee Training

Employee training should focus on comprehensive security policies and procedures.
Employees should be made aware of the techniques used by sophisticated fraudsters or hackers, in order to prevent unauthorized disclosures of personal information.

Collecting Too Much Information

The PIPEDA limits the collection of personal information to that which is necessary to fulfill organizational purposes.
The issue of defining “reasonableness” has become a greater challenge since the PIPEDA has been enacted.

Meaningful Access

Access to personal information should be granted within a reasonable time period (no later than 30 days) and should be a minimal or no cost to the individual.

Secondary Marketing Purposes

While secondary marketing can be a profitable endeavor for an organization, it may not be acceptable from their customers’ point of view.
Opt-in/opt-out consent and reasonable expectations of the individual must be considered under the PIPEDA.

Such findings and recommendations from the OPC can offer organizations a richer understanding of the application and court decisions made under the PIPEDA.

Summary

This article explores the Personal Information Protection and Electronic Documents Act (PIPEDA), in terms of private sector responsibilities and individuals’ privacy rights. Subsequent recommendations and findings are also discussed.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Canadian Private Sector Laws & Practices (III.A.a.)

Privacy Commissioner of Canada

hannah — Thu, 03 Jun 2010 17:11:13 +0000

The Privacy Commissioner of Canada is an officer of Parliament responsible for investigating violations against the Privacy Act (1983) and the Personal Information Protection and Electronic Documents Act, or PIPEDA (2000).

The Privacy Commissioner and those assisting the Office of the Privacy Commissioner (OPC) act as advocates for Canadians’ privacy rights. The OPC takes and investigates privacy violations and brings citizens’ concerns to the federal government. Like all federal government agencies, the OPC is funded through the Treasury Board Secretariat, which enables it to fulfill its responsibilities under the Privacy Act as well as the PIPEDA.

Organizational Structure

The OPC is headed by the Privacy Commissioner and two Assistant Commissioners. Canada’s current Privacy Commissioner is Jennifer Stoddart, who oversees investigations and reports directly to the House of Commons and the Senate. The Privacy Commissioner is appointed for a seven-year term. The Privacy Commissioner is assisted by two Assistant Commissioners – Chantal Bernier and Elizabeth Denham, responsible for the Privacy Act and the PIPEDA, respectively.

The OPC is organized into seven branches, whose responsibilities are as outlined below:

Investigations & Inquiries

Investigates individual complaints under the Privacy Act and the PIPEDA, as well as complaints not filed under those provisions.
Assists federal government departments and organizations in preventing violation of privacy legislation.

Audit & Review
- - Conducts audits to assess organizations’ compliance with the Privacy Act and PIPEDA.
  - Provides recommendations on privacy impact assessment reports (PIAs).
  - Research, Education & Outreach
    - Conducts research on privacy and technology concerns and the promotion of protecting personal data.
    - Supports policy development, investigation, audit and public education programs.
    - Communications
      - Provides strategic advice.
      - Supports communication and public education activities.
      - Plans and implements public education activities through media monitoring, public opinion polling, media relations, publication and special events.
      - Legal Services, Policy & Parliamentary Affairs
        Provides strategic legal and policy expertise and legal advice and support to the OPC.
        Represents the OPC before Canadian and international courts.
        Monitors legislative and government initiatives.
        Human Resources
        Provides strategic advice, management and delivery of HR programs.
        Corporate Services
        Provides advice and administrative services, including corporate planning; resource management; financial management; IT and general administration.

In addition, the OPC regularly consults with an External Advisory Committee, which offers multiple perspectives on public policy and privacy issues. The External Advisory committee is made up of professors, industry association leaders, privacy consultants and other experts.

There is also an Internal Audit Committee, which provides advice and recommendations to the Commissioner regarding the quality and efficacy of the OPC. The Audit Committee oversees core areas of OPC responsibilities and accountability. It takes these findings and integrates them into the OPC strategic planning and priority setting processes. This reinforces the audit regime promoted by the OPC, thus strengthening the independence and accountability of the OPC.

Responsibilities

The mission of the OPC is to protect and promote privacy rights of individuals. The OPC is responsible for overseeing compliance with federal privacy legislation: the Privacy ACT and the PIPEDA. Although the OPC reports to the federal government, it functions independently from any other part of the government and often carries out investigations regarding the federal public sector.

The OPC also has the jurisdiction to investigate matters regarding personal data in the private sector, except in provinces that have established substantially similar privacy legislation. These provinces are Quebec, British Columbia, Alberta and, to a certain extent, Ontario. The OPC functions at the federal level, which means it provides advice and recommendations only. Provincial privacy commissioners’ advice is binding.

While the Privacy Commissioner aims to resolve issues through negotiation, mediation and conciliation, the Commissioner also has the authority to summon witnesses, administer oaths and demand evidence, in situations where this would be appropriate, or if cooperation is withheld. The Commissioner also has the authority to take investigations to the Federal Court for resolution.

The Commissioner, supported by the OPC is responsible for carrying out a number of advocacy activities, which include:

Investigating complaints made under the Privacy Act and PIPEDA.
Issuing reports in response to federal government departments and private sector organizations.
Bringing unresolved matters to Federal Court.
Providing individuals (i.e. citizens, permanent residents, corporations) with access to personal information records under the Access to Information Act.
Creating new and revise existing privacy impact assessments.
Engaging with government institutions, industry associations, academia, legal community, professional associations to proactively promote public awareness on privacy issues.
Partnering with privacy stakeholders throughout Canada and internationally to identify and respond to global privacy issues arising from transborder data flows.

The OPC helps individuals gain access to personal information held by the federal government. One resource is Info Source, a public directory that enables individuals to identify which government agency has personal information, what type of information as well as the contact information for requesting or correcting the personal data. The goal of Info Source is to enable individuals to exercise their rights under the Privacy Act and the Access to Information Act. Using Info Source is part of the procedure for filing formal requests under the Privacy Act.

In order to promote privacy safeguarding practices, the OPC hosts consultations with Canadians on a number of key challenges. The purpose of these consultations is to learn about industry practices, explore privacy implications, learn about Canadians’ privacy expectations and promote discussions on privacy implications that arise as a result of new technological developments. Consultations consist of a series of one-day panel discussions presenting the broadest perspective as possible.

OPC Complaint Process

The Privacy Commissioner has the authority to investigate all complaints made by individuals under the PIPEDA or the Privacy Act. Such complaints may include challenges accessing personal information from an organization or government department, or an individual believing that unnecessary personal data is being collected.

The Investigations & Inquiries branch of the OPC handles thousands of public inquiries annually. Filing a complaint is free for the public and all consultation is provided by the OPC. The Commissioner works independently to investigate potential violations, thus the Commissioner does not act as advocate for personal privacy rights.

The investigation process includes:

Clarification of complaint.
Communication with the respondent organization to determine if there have been corrective actions taken or proposed.
Examination of records and carry out interviews.
Analysis of information obtained.
Determine if there is a basis for making findings or recommendations.

If the OPC determines that the complaint is well-founded, then it will make a post-investigation report, which includes:

Summary of both parties.
Findings and recommendations
Determining if an agreement has been reached.
Request of proposed recommendations and actions to be taken by the organization, if necessary.
Recourse to the Federal Court, if appropriate.

Areas of Focus

In recent years, there have been a number of notable investigations and areas of focus for the OPC, under the leadership of Commissioner Stoddart. These include:

Online Social Networking
- Social networking sites, like Facebook, MySpace, or LinkedIn often do not comply with Canadian privacy policies and practices.
- The OPC has conducted numerous public opinion polls and events to raise public awareness regarding the privacy implications of online social networking.
- As a result of OPC investigations, Facebook has agreed to make the appropriate changes to their privacy policies and practices in order to comply with Canadian privacy legislation.

TJX Data Breach
- TJX is an American retail corporation which operates outlets in Canada as well as Puerto Rico, the UK and Ireland.
- In 2007, the OPC investigated a major data breach involving a network computer intrusion which affected 45 million payment cards worldwide.
- The OPC maintained that every organization in Canada will be held to the principles established in the PIPEDA or other provincial privacy legislation.
- Recommendations from this investigation included: implementing multiple layers of security; keeping up to date with technological advances; and, most importantly, not collecting or retaining personal information unnecessarily.

Increase private sector awareness
- The OPC has published numerous resources and conducts regular training and education programs to ensure that the private sector is aware of its responsibilities under the PIPEDA.
- One concern is ensuring that small and medium businesses are also kept abreast of privacy policies and practices. The OPC helps support such businesses in complying with privacy legislation by promoting the business benefits of doing so.

Promote youth privacy online
- OPC research has shown that the majority of Canadian youth ignore the privacy settings and security rules on online social networks.
- As a result, the OPC has launched an online resource to educate youth about privacy practices and to generate discussion regarding the effects of new technologies and social networking tools on their privacy.

Summary

This article gives an overview of the role of the Privacy Commissioner of Canada as well as the Office of the Privacy Commissioner (OPC). It introduces the legislation which protects Canadian privacy rights: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC’s responsibilities, services and complaint procedures are also described.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

Canadian government and legal system (I.A.a.)
- Office of the Federal Privacy Commissioner (II.B.e.i.1.a.)