Upgrade to remove ads
Only $2.99/month

CIPP/C - Canadian Privacy Certification - Chapter 1

Terms in this set (65)

Canadian Legal System
Federal - Powers of the Constitution
Trade and Commerce (privacy), Criminal law, banking, national defense.
Provincial - Division of Powers
Civil and Property Rights (privacy), hospitals, education, municipalities
Territorial - Usually fall under federal - do have some public sector privacy laws
Canadian Laws anchored in OECD Principles
Accountability
Purpose Specification
Collection Limitation
Use Limitation
Data Quality
Security Safeguards
Openness
Individual Participation
Canadian Sector Specific Laws
Federal Bank Act
Consumer Credit Reporting Laws
Provincial Laws Governing Credit Unions and Personal Information Collected by Individuals
Provincial Privacy Laws
Personal Information Protection Act - Alberta
Personal Information Protection Act - BC
The Act Respecting the Protection of Personal Information - Quebec
Private Sector Privacy Laws - Purpose and Applicability
Relates to every organization that collects, uses, and discloses personal information in the course of commercial activities
Private Sector Privacy Laws - Not Covered
Public Sector Organizations
Individual's collection of PI for domestic purposes
Collection for journalistic or artistic purposes
Private Sector Privacy Laws - Exemptions to General Legal Obligations
If it is clearly in the interest of the individual
If it is an emergency that threatens life, health or security of an individual
If it is reasonable to assume that collection with the knowledge of the individual would compromise the availability of the information and collection is required to investigate a breach of contract or contravention of law
Private Sector Privacy Laws - Refusal of Access
If it would reveal access to another individual's personal information
If the organization has already disclosed the information to a government institution for national security or law enforcement purposes
Classes of Privacy
Information Privacy
Privacy of the Person
Territorial Privacy
In real life, more than one area of privacy may be relevant.
Information Privacy
Has been defined as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others". Its protection is predicated on the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain as he sees fit.
Privacy of the Person
Protects bodily integrity, and in particular the right not to have our bodies touched or explored to disclose objects or matters we wish to conceal.
Territorial Privacy
Limits the ability of an individual or organization to intrude into another individual's environment. "The house of everyone is to him as his castle and fortress". (workplace, hotels, meeting places, and even some public spaces).
Social Origins of Privacy
Recognized in the Qur'an, Bible, and Jewish law
Some form of privacy in ancient cultures from Greece to China
Origin of the Legal Protection of Privacy Rights
1361 Justices of the Peace Act (England) - Calls for arrest of peeping toms and eavesdroppers
1765 British Lord Camden strikes down a warrant where papers were taken from a house.
1776 Access to Public Records Act (Sweden) - Requires information held by government to be used for legitimate purposes.
1858 France - Prohibits publication of private facts
Mid Century Origins of Privacy
1948 Organization of American States adopt the American Declaration of the Rights and Duties of Man - Every person has the right to the protection of law against abusive attacks upon his private and family life.
1948 The General Assembly of the United Nations adopts the Universal Declaration of Human Rights - No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.
1950 Council of Europe created the European Convention for the Protection of Human Rights and Fundamental Freedoms
Oversight and Redress - General
Privacy Commissioners may:
Investigate complaints
Enter premises
Conduct audits
Summon witnesses
Administer oaths
Use dispute resolution
Oversight and Redress - Federal
Commissioners may issue reports and non-binding findings.
Complainant and
Privacy Basics
Privacy definitions change over time. The definition is still not completely agreed upon, except that all definitions basically agree that privacy is freedom from intrusion.
Contemporary Origins of Privacy
Roots in the 1960s. The increased use of IT systems for data (including personal data) spurred an acute interest in privacy practices and rights.
1970 German state Hesse enacts first modern data protection law.
Canadian Perspectives on Privacy
Privacy of the Individual vis-a-vis the state - The extent to which individuals are free to live their lives without state interference or monitoring.
Privacy of the Individual vis-a-vis other individuals - The extent to which individuals can live their lives free from intrusion from other people.
Privacy of the Individual vis-a-vis organizations - Extent to which organizations can collect, use, and disclose personal information and what obligations for protection of information organizations have.
World Models for Data Protection
Most of the discussion regarding models for data protection surrounds the choices to be made when looking at the privacy of the individual vis-a-vis organizations in the private sector.
Comprehensive Laws (Canada, European Union)
Generally speaking, a country that has enacted comprehensive data protection laws hosts an official or agency responsible for overseeing enforcement.
Enforcement and funding are the critical issues
Move to comprehensive because of need to (1) remedy past injuries (2) promote electronic commerce (3) ensure consistency with pan-European laws.
Sectoral Laws (US)
Enactment of laws that specifically address a particular industry sector.
Can be a compliment to comprehensive laws.
Major drawbacks are (1) technological relevance (2) Oversight (no central agency)
Self-Regulatory Model (US, Japan, Singapore)
Companies must abide by regulations set by a company, group of companies, or industry.
Major issues are (1) adequacy (2) enforcement
Seal Programs - Overview
Requires participants to abide by codes of information practices and submit to some variation of monitoring to be allowed to display the program's privacy seal.
TRUSTe, BBBOnline, Web Trust, Digital Advertising Alliance.
Seal Programs - Programs
TRUSTe - Founded in 1997 by CommerceNet Consortium and the Electronic Frontier Foundation. Nonprofit based in California.
BBBOnline - subsidiary of the Council of Better Business Bureaus started seal program in 1999.
Web Trust - created by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. Licenses qualifying certified public accountants
The Digital Advertising Alliance - Self regulatory organization created by the advertising industry in 2010 - informs users about online behaviour tracking used to generate user-specific advertising
The Technology-Based Model
Consumers can establish privacy protections for their own online activity. Encryption is commonly used by both companies and individuals.
The Canadian Legal System
Canada is a federal state with three levels of government.
Levels of Government
Federal - Parliamentary system
Provincial and territorial - Parliamentary system
Municipal
Federal Level
Two chambers - House of Commons and Senate
A bill must be approved in both houses to become law
Senate
Representatives are appointed by the Governor in Council on recommendation on recommendation of the Prime Minister.
House of Commons
Each representative is elected in general elections that are held at least every 5 years (could be sooner). Each member sits as a representative party (occasionally a member may be an independent)
At the end of an election, the party with the most members makes up the government. The leader of that party becomes the prime minister and makes up the executive.
Executive Branch of Government
The leader of the party with the most members elected to the House becomes the prime minister.
The prime minister chooses party members to form the cabinet. These people (who are usually members of the House) become ministers and are generally given the role of overseeing various ministries.
Major Political Parties in Canada
Conservative Party of Canada
Liberal Party of Canada
New Democratic Party of Canada
Bloc Quebecois
Green Party
Legislative Branch of Government
Made up of members of the House and Senate. They introduce, debate, and pass bills and policies. Plays a role in oversight of the executive branch in a variety of ways, including appointing officers of Parliament.
Officers of Parliament
Report directly to parliament and generally mandated with oversight of the executive branch. Examples are the auditor general and federal privacy commissioner.
Judiciary Branch of Government
Headed by the Supreme Court of Canada and made up of federal and provincial courts.
Division of Power
Separates out respective areas of jurisdiction for both the federal and provincial and territorial governments. This is done through the Constitution Act of 1867
Role of Courts
Interpreting the law
Constitutional authority to review laws and government actions to ensure Canadian Charter of Rights and Freedoms is upheld.
General authority to review government decisions (Judicial reviews)
Administrative Tribunals
Interprets law and in some instances can enforce Charter rights.
Vehicles of the executive branch set up to administer specific programs with expertise (broadcasting,immigration)
Conduct and decisions are government and subject to judicial review.
Federal Privacy Commissioner
An officer of parliament and not a member of the executive branch.
Accountable directly to legislature.
Required to give annual report to Parliament
Conduct and decisions are government and subject to judicial review.
Charter Rights
Rights created by the Canadian Charter of Rights and Freedom. They are constitutional rights and thus are considered to be the most valued rights in Canada. The Charter of Rights and Freedoms was made part of the constitution in 1982.
Common Law
Used in all provinces, except Quebec
Laws are found in statutes and also in case law. This "judge made law" is on equal footing with statute made law.
Civil law
Quebec
Laws are codified into a civil code, thus avoiding the need to search through judicial decisions.
Privacy Act
Federal
Rules that govern the government's collection, use, and disclosure of personal information.
Provides for a right of access to that information
Sets up the Office of the Privacy Commissioner to oversee and enforce the act.
Each province has a similar act.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies to private sector except those organizations that are subject to substantially similar legislation passed by a province
Common Law Relating to Privacy
In its infancy
One SCC decision from late 1990s dealt with plaintiff's right to receive a small amount in damages because a photo of her was used without consent on the cover of a magazine..
No high court decision endorsing a tort-based privacy right because privacy was thought to be protected by nuisance and trespass.
Modern times have seen more judges feel that privacy needs more protection due to advances information technology, especially in government, for the well being of a free and democratic society.
Contracts
Private laws created by parties who agree to be bound by certain terms.
Parties to the contract can agree to respect the confidentiality of the information they become privy to as a result of the contractual arrangement.
Often used in outsourcing situations.
Privacy in the Constitution and Charter
The Charter applies only to government action.
Section 7 states "everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principals of fundamental justice". This serves as constitutional protection of privacy
Section 8 of the Charter states "everyone has the right to be secure against unreasonable search or seizure". Used to prevent government authorities from violating privacy.
Enforcement of Laws
Contracts and tort-based privacy rights generally are enforced through the courts.
Charter based privacy rights arise in actions against the government.
PIPEDA and provincial counterparts are overseen by privacy commissioners (or ombudsmen) who are tasked with investigating government institutions and organizations subject to these laws.
Once a commissioner renders a report, there is often a chance for the matter to proceed to court. In Alberta and BC this is done by judicial review. In Quebec by appeal.
Federally they go forward as brand new hearings (de novo hearings)
Personal Information
Generally, any information about an identifiable individual.
Privacy Act (examples of personal information)
a) Information relating to race, national or ethnic origin, colour, religion, age, or marital status
b) Education, medical, or employment history; financial transactions
c)Any identifying number, symbol, or other particular assigned to the individual
d) The address, fingerprints, or blood type
e) Personal opinions or views, except where they are about another individual or about a proposal for a grant, an award or prize to be made to another individual by a government institution, or a part of a government institution specified in regulations
f) Correspondence sent to a government institution that are implicitly or explicitly private or responses that would reveal the contents of the correspondence
g) The views or opinions of another individual about the individual
h) All the views covered in e) but excluding the name of the other individual where it appears with the views or opinions of the other individual
i) the name of the individual where it appears with other personal information relating to the individual or where the name itself would reveal information about the individual
Privacy Act (opinions about an individual)
Opinions about an individual are the property of the person the opinion is about. This affects right of access, which may reveal the identity of the opinion holder as well.
By using the term "about an identifiable individual" the SCC was being deliberately broad, including all information innocuous, well-known, or private in personal information. Some judges have used this to include job-related information.
Job-Related Information
Judges have used the broad interpretation of "about an individual" in the Privacy Act to include job-related information in the definition of personal information.
In 2001-2002 Annual Report the Federal Privacy Commissioner says "I am inclined to regard information as personal even if there is the smallest potential for it to be about an identifiable individual".
In an attempt to move away from this broad interpretation the Federal Court of Appeal found that personal information should connote concepts of intimacy, identity, dignity, and integrity of the individual. In this case, job-related information was not seen as personal information.
Bureaucrats Working for Public Sector
Information is not protected if it is "Information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
The fact that the individual is or was an employee
The title, business address, & phone number
The classification salary range & responsibilities of the position
The name of the individual on a document prepared by the individual in the course of employment
The personal opinions or views of the individual given in the course of employment.
Public Records and Publicly Available Information (Privacy Act)
One common reason for not protecting personal information is if that information is publicly available.
The Privacy Act does not restrict the government's use or disclosure of publicly available info (the collection restrictions are not affected whether the info is public or not)
The Privacy Act also provides total exception for info found in a library or museum preserved solely for public reference or exhibition purposes.
There is no definition in the Privacy Act to determine what is publicly available.
Public Records and Publicly Available Information (PIPEDA)
Publicly available is defined by a set of categories:
PI consisting of name, address, and phone number of a subscriber that appears in a telephone directory that is available to the public where the subscriber can refuse to have the PI appear
PI including the name, title, address, and phone number appearing in a professional directory available to the public where the collection, use, and disclosure of the personal information relate directly to the purpose of the directory.
PI that appears in a registry collected under a statutory authority and to which public access is authorized by law.
PI appearing in a document by a judicial or quasi-judicial body available to the public.
PI appearing in a publication available to the public where the individual has provided the info.
Private and Sensitive Information
As some commissioners and judges attempt to move away from the SCC broad definition of PI they have tried to argue that for info to be protected it must be in some way related to private or sensitive info. Federally there is no legislation, so the SCC decision stands. Provincially, laws differentiate between all PI and sensitive PI. In particular, these come into effect when government institutions are deciding if info should be released.
Employee Information
Information in respect of an individual who is an employee or a potential employee PI reasonably required by the organization that is collected, used, or disclosed solely for the purposes of establishing, managing or terminating an employment relationship or a volunteer work relationship between the individual and the organization, but does not include info that is unrelated to the relationship
Work Product Information
Information about an individual but that is related to that individual's position, functions, and/or performance of his or her job.
PIPEDA and Employee Information
Does not differentiate between employee info and PI
Several conflicting decisions on whether work product info is protected.
Privacy Act and Employee Information
Exceptions for some employee/work product info for "information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual".
BC and Alberta PIPA and Employee Information
Attempt to define employee-related personal information. Basically information needed to establish employment, but not other information about the individual.
OECD - Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (1981)
Accountability
Purpose Specification
Collection Limitation
Use Limitation
Data Quality
Security Safeguards
Openness
Individual Participation
CSA Privacy Principles
Accountability
Identifying Purpose
Consent
Limiting Collection
Limiting Use, Disclosure, & Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
THIS SET IS OFTEN IN FOLDERS WITH...