CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) Questions and Answers

Oversight authorities generally allow various forms of consent including implied consent, verbal consent, and written consent specific to the purpose for which the information is collected. However, they do not typically accept a "general consent" that covers all activities associated with the personal information. Consent must be specific and informed, clearly relating to the particular context in which personal information is to be used or disclosed. General consent fails to meet the specificity required under privacy laws like PIPEDA, which necessitates that consent be explicit for particularly sensitive information or whenever there is a significant change in the use of the information.

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector organizations that operate across provincial or national borders in Canada in the course of commercial activities. Therefore, employees of an airline offering flights across Canada would be subject to PIPEDA because their employer operates in a federally regulated sector involving interprovincial transportation. The other examples given—underwriters for a New Brunswick insurance company, clerks at a Montreal credit union, and the IT department of a provincial government office in Saskatchewan—are subject to provincial privacy laws rather than PIPEDA. In the case of the credit union in Quebec and the insurance company in New Brunswick, provincial privacy laws apply to their operations within the province, and provincial public sector privacy laws cover the Saskatchewan Office of Residential Tenancies.

When an organization responsible for a large number of records considers outsourcing the storage of those records, it is critical to ensure that there is a robust contractual agreement in place between the organization and the records storage company. This agreement should outline the responsibilities of the storage company, the security measures they must adhere to, and the conditions under which they handle the personal information stored on the records1.

A contractual agreement serves several important purposes:

• It defines the scope of services provided by the storage company.
• It sets forth the security standards and privacy protections that must be maintained.
• It establishes the legal obligations of the storage company, including compliance with relevant privacy laws and regulations.
• It provides a mechanism for accountability and recourse in the event of a breach or non-compliance.

While determining if the personal information will be used for data matching (option A) and ensuring that consent was informed and meaningful (option D) are important considerations, they do not directly address the relationship between the organization and the storage company. Conducting a Privacy Impact Assessment (PIA) (option C) is also a valuable step, but it is a preparatory measure that should inform the development of the contractual agreement rather than being the critical factor in the outsourcing decision.

Therefore, the verified answer is B, as establishing a contractual agreement is the most critical consideration to ensure that the outsourced storage of records is managed in a way that protects the personal information and complies with privacy laws and regulations

Safeguarding and securing sensitive information under privacy legislation generally falls into three main categories: Administrative, Technical, and Physical. Administrative safeguards involve policies and procedures that manage the conduct of the organization's staff and the security of its data. Technical safeguards involve the technology used to protect data and control access to it. Physical safeguards refer to the measures taken to protect physical computer systems and related buildings and equipment from harm and unauthorized physical access. Therefore, the correct answer is B, "Physical," which complements administrative and technical safeguards to create a comprehensive security environment.

Work-product information is generally thought of as information that is prepared or collected as part of an individual’s responsibilities or activities in connection to their job. This includes documents, notes, reports, and other materials created as part of an employee's duties or during their employment. The focus here is on the content being directly related to the job functions and responsibilities rather than personal attributes or information unrelated to work tasks. This type of information is distinct from personal information that may be collected for HR purposes and is typically treated differently under privacy laws.

The collection and use of the individual’s name and email address by a British Columbia-based wellness app that has various non-healthcare related uses would fall under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to private sector organizations across Canada that handle personal information in the course of commercial activities, regardless of the province where the data is stored or the organization is based, as long as the activity is not exclusively within a province that has substantially similar provincial legislation to PIPEDA. Since the app is used for purposes beyond health care and operates inter-provincially, PIPEDA is the applicable legislation.

Alberta's Health Information Act (HIA) is not considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA). While the HIA governs the collection, use, and disclosure of health information specifically within Alberta, it is structured differently and has distinct provisions compared to PIPEDA, which is a federal privacy law applicable to the private sector across all provinces and territories in Canada, except for those areas where provincial privacy laws have been deemed substantially similar. The other provincial acts listed (from New Brunswick, Ontario, and Nova Scotia) are recognized by the federal government as being substantially similar to PIPEDA, meaning they provide similar protections and can supersede PIPEDA within their respective jurisdictions for the handling of health information.

British Columbia's health information privacy laws are encapsulated in the Personal Information Protection Act (PIPA) and the E-Health (Personal Health Information Access and Protection of Privacy) Act for electronic health records. Unlike health information privacy acts in some other provinces which cover a wide range of health sector participants, BC’s laws are distinct in not directly including certain types of health facilities like independent laboratories and nursing homes under the same stringent requirements as other health care providers. These facilities may be covered under different aspects of legislation or have specific regulations but are not grouped under the typical health information custodian category in the same way as they are in provinces that use terms like "custodian" extensively. This specificity aligns with the statement in option C.

Under the Privacy Act, which governs the handling of personal information by federal government institutions, the Privacy Commissioner of Canada does not have the authority to order institutions to take remedial action. The Commissioner's powers are limited to investigating complaints, making recommendations, and, where necessary, taking matters to the Federal Court for resolution. While the Commissioner can recommend solutions and proceed to court to seek orders for compliance, direct enforcement powers, such as ordering remedial actions independently, are not granted under the Privacy Act. Thus, the correct answer is B.

Under the federal Privacy Act, which governs how federal public-sector organizations manage personal information, the law specifies conditions under which personal information may be collected. These include when the collection directly relates to and is necessary for an operating program or activity of the institution (Option A), when it is for the purposes of law enforcement (Option B), or when it is expressly authorized under another act (Option C). However, the Privacy Act does not include a general provision that allows for the collection of personal information based solely on consent (Option D). The Act is designed to limit the collection of personal information to what is strictly necessary for government functions, without relying on the consent of the individual as a basis for collection. Therefore, Option D is the correct answer as it is not a requirement under the federal Privacy Act.

Before an individual requester can commence a court application relating to the denial of access to personal information under the control of a federal government institution, the Privacy Commissioner of Canada must have completed an investigation and issued a report. This procedural step is crucial because it ensures that the administrative avenues for resolving access disputes are exhausted before judicial intervention is sought. The Privacy Commissioner's report may provide findings and recommendations that could resolve the matter without the need for court proceedings, or it might clarify the issues and the reasons behind the denial, thereby informing any subsequent legal challenges.

From the Blood Tribe case, it can be concluded that the Privacy Commissioner of Canada can officially request proof that the information sought in an investigation is subject to solicitor-client privilege. The Supreme Court of Canada held in this case that while the Commissioner has significant investigative powers, these do not automatically override the solicitor-client privilege. The decision clarifies that any organization claiming such a privilege must substantiate its claim, and the Commissioner has the authority to challenge and request proof of this claim, ensuring the privilege is not used improperly to withhold information.

The Office of the Privacy Commissioner of Canada’s (OPC) four-point test for determining the necessity and reasonableness of collecting, using, or disclosing personal information does not include questioning the validity and accuracy of the information as a direct component. The four-point test includes examining whether the measure is necessary to meet a specific need; whether it is likely to be effective in meeting that need; whether the loss of privacy is proportional to the benefit gained; and whether there are less privacy-invasive ways to achieve the same end. Therefore, option C, "Are the validity and accuracy of individual test results guaranteed to be accurate?" is not part of this test, as it concerns the technical and scientific reliability of the tests rather than the privacy implications of accessing or sharing the results.

Under Ontario's Personal Health Information Protection Act (PHIPA), health information custodians may rely on implied consent in situations where the information is used for the provision of healthcare unless the patient explicitly opts out. However, private insurance companies do not directly provide healthcare and typically require explicit consent to collect, use, or disclose health information. This is because their primary role involves assessing insurance claims and risk, rather than delivering healthcare services. Long-term care homes, ambulance services, and pharmacies, on the other hand, are directly involved in the provision of care and can typically operate under an implied consent model when sharing information for healthcare purposes.

The main reason a country might adopt an "ombudsman" model of privacy oversight is to reduce the perception that compliance is a confrontational process. The ombudsman model focuses on mediation and resolution rather than enforcement, aiming to resolve issues through dialogue and negotiation rather than punitive measures. This approach helps to foster a cooperative relationship between the regulator and the entities they oversee, which can lead to more effective compliance and less adversarial interactions. This model contrasts with more regulatory or enforcement-driven models, which might focus on sanctions and formal adjudications.

Under PIPEDA, any breach of security safeguards involving personal information that poses a real risk of significant harm (RROSH) requires reporting to the Office of the Privacy Commissioner of Canada (OPC). In the scenarios given, sending a sales report with aggregated information (option A) or a file with client data to wrong processors who cannot identify the clients (option B), or blocking an attempted hack (option C), may not necessarily pose a RROSH. However, a nursing home releasing an email with everyone's email address in the "to" section unredacted during a freedom of information request (option D) potentially exposes individuals to a risk of spam, phishing, and other malicious activities, thereby posing a real risk of significant harm. This constitutes a breach requiring reporting to the OPC.

Under the Alberta Personal Information Protection Act (PIPA), when a real risk of significant harm (RROSH) from a data breach has been determined, the organization must notify both the individuals affected and the Privacy Commissioner of Alberta. The law requires that notifications include the description of the personal information involved in the breach, the number of individuals affected, and the steps taken to reduce or mitigate harm. However, a description of the steps the organization will take to notify affected individuals is part of the process following the assessment and initial report, not an immediate requirement when notifying the Commissioner of the RROSH itself.

Under the Privacy Act, government institutions are typically allowed to disclose personal information without the consent of the individual in certain circumstances, such as for law enforcement purposes or in compliance with court orders (e.g., search warrants). Disclosures to a member of parliament to assist in resolving a problem also usually do not require consent if they are for a purpose consistent with the reason the data was initially collected. However, disclosing personal information to a registered charitable organization would not fall under these usual exceptions and would generally require the individual's consent unless another specific exception applies. This ensures that personal information is not shared beyond the scope of its original collection purpose without appropriate authorization.

The federal Privacy Commissioner of Canada is authorized to initiate a court action in Federal Court after completing an investigation under the Personal Information Protection and Electronic Documents Act (PIPEDA) if there has been a refusal to comply with a recommendation made by the Commissioner or if there is a need to clarify the application of the Act. Specifically, the Commissioner can seek a Federal Court determination when there is a dispute about whether personal information was properly withheld from release. This function aligns with the Commissioner's mandate to oversee compliance with PIPEDA and address complaints regarding the handling of personal information by organizations. This provision is found under Section 14 of PIPEDA.