All entries in the index reference page numbers.
A

Access to personal information by individual, 22, 31, 151-154
• assistance by organization, 153
• exceptions, 31
• Model Code, principles, 180-191
• refusal to provide with reasons, 153
• third party personal information, 154
• time limit to respond, 153
• written request, 152
Accountability, 22, 180-181
Accuracy, 22, 30, 186-187
Anti-spam legislation, see FISA (Fighting Internet and Wireless Spam Act)
Applications service provider (ASP) arrangements, 121-122
Asset purchases, see Mergers, acquisitions and asset purchases
Audit of organizations, 37-38, 162-163

B

Biometrics, 123-125
• palm-vein scanning of test-takers, 124-125
• • privacy implications, 124-125
• • reasonable purpose, 124
• voiceprint is personal information, 123
• • Federal Court appeal held employee consent required, 124
• • reasonable purpose, 124
Business continuity, see Disaster recovery

C

CASL, see FISA
Canada Evidence Act certificate, 146-147
Canada’s Anti-Spam Law (CASL), see FISA (Fighting Internet and Wireless Spam Act)
Checklists
• health care institution privacy program implementation, 86-90
• outsourcing or transferring personal information across borders, 69
• PIPEDA compliance for educational institutions, 102-103
CIBC decision, 55-58
Collection, use, and disclosure of personal information
• consent, see Consent
• definition of personal information, 145
• disclosure by Privacy Commissioner, 164-165
• • to investigative bodies, regulation 2001-6, 205-209
• grandfathering of, 33-34
• limitation of, 22, 29
• • excessive collection, 27-28
• • Model Code, principles, 185-186
• • reasonable purpose, 24, 27-28
• • sensitive information, 28-29
• • use, disclosure and retention, 22, 29
• mergers, acquisitions and asset purchases, see Mergers, acquisitions and asset purchases
• outsourcing, see Outsourcing
• purpose of collection identified and reasonable, 21, 24, 27, 146, 181-182
• ten privacy principles under Sch. 1 of PIPEDA for, 22-23, 178-189
• third-party, 26-27, 29, 64-65
• • consents needed, 65
• • due diligence re consents and contracts, 65
• without knowledge or consent, 148-151
• • publicly available information, regulation 2001-7, 210-211
• • response to subpoena, warrant, order of court, 149
• • statistical, or scholarly study or research, 151
Commercial activities
• defined, 16-17, 144
• outsourcing and, 53-54
Complaints process, 34-43, 157-161, 187
• challenge to compliance, 23, 191
• court hearing, 161-162
• dispute resolution mechanisms, 35-36, 156, 159
• hearing in Federal Court, see Federal Court
• information to include in, 34
• investigation of complaints
• • discontinuance of, 160
• • investigator assigned, 35, 157-158
• • notification of complainant, 157
• • powers of Commissioner, 158-159
• lodge complaint with Federal Privacy Commissioner, 34-35
• • letter of findings, 35
• • no direct power of enforcement, 35
• • report with recommendations, 35, 161
• • • within one year, 37
Compliance team, 31-32
• privacy officer, 31
Consent
• collection without knowledge or consent, 148-149
• • collection reasonable to investigate breach, 148
• • emergency threatening life, health, security, 149
• • interests of individual, 148
• • investigation of contravention of laws of Canada, 149
• • publicly available information, 148
• • solely for journalistic, artistic or literary purposes, 148
• • statistical, or scholarly study or research, 149
• disclosure without knowledge or consent, 149-151
• • debt collection by organization, 149
• • emergency threatening life, health, security, 150
• • government request, 150
• indictable offences, 43, 71
• exceptions to, 27, 148-149
• express, 25-27
• implied, 25-27
• methods of giving, 26-27
• opt-out consent, 25, 27
• principle, Model Code, 182-185
• third-party use, 26
• use without knowledge or consent, 148-149
• • disclosure of purposes required by law, 149, 181-182
• • publicly available information, 149
Cookies case, see under Information technology

D

Damages
• humiliation, 40-42
Data breach, 44-45
Data mining, 116-117
• point-of-sale data includes personal information, 117
Deep packet inspection (DPI), 118
• access personal information sent over Internet, 118
• Bell advised to disclose to customers the use of DPI, 118
Disaster recovery, 122-123
Disclosure of information, see Collection, use, and disclosure of personal information

E

eBay’s detailed privacy policy, 129
Education sector, 91-103
• applicability of PIPEDA, 91-94
• • universities and private for-profit educational institutions, 94
• archives held by educational institutions, 99
• checklist, PIPEDA compliance for educational institutions, 102-103
• collection of personal information for statistical, scholarly or research purposes, 96-99
• • anonymity on collection, 98
• • implied consent, 97
• • signed consent, 98
• • without consent, 97
• commercial activities, 94-96, 144
• employee information, 100-101
• fundraising, 99-100
• • affinity marketing programs, 100
• • commercial activity or not, 99-100
• student records, 101-102
• • access to, private schools, 101-102
• • commercial activities, 101, 142
• • correction of records, private schools, 101-102
• tri-council policy statement protocols, 98-99
Electronic documents
• copies, 177
• defined, 172
• evidence or proof, as, 174
• payments, 173
• regulations
• • Canada Labour Code, 2008-115, 196-197
• • Federal Real Property and Federal Immovables Act, 2004-308, 193-195
• • Investigative Bodies, 2001-6, 205-209
• • Publicly Available Information, 2001-7, 210-211
• retention, 174-175
• seals, 175
• signatures, secure, 176, 177, 212-215
• statements under oath, 176-177
• statutory forms and filing, 173-174
E-mail addresses, personal information
E-mail monitoring by employer, 134
Employment relationship, 32-34, 131-141
• labour arbitrator’s jurisdiction, 140
• medical information collection, 138-140
• • disclosure permitted for appeal process, 139
• • privacy policy needed, 139
• • reasonable purpose required, 139
• PIPEDA application, federal works, undertakings or businesses, 131, 144
• security checks, 137-138
• • employee consent required, 138
• surveillance, 132-134, 136, see also Surveillance of employees

F

Facebook privacy investigation, 112-116
Federal Court
• hearing on complaint, 161-162
• order compliance, 40-42
• remedies, 162
• • order damages, 40-42, see also Damages
• request for hearing to, 40, 42
FISA (Fighting Internet and Wireless Spam Act), 12-13

G

Genetic testing, see Healthcare sector
Global positioning systems (GPS) installation by employer, 134-136
Google Buzz privacy violation, 116
Google’s Street View application, 118-119
Google Wi-Fi privacy concerns, 119
Grandfathering of

H

Health records, see topics under Healthcare sector
Health research, see Healthcare sector
Healthcare sector, 71-90
• checklist, privacy program implementation, 86-90
• collection, use, and disclosure of personal health information, 77-84
• • consent, 77
• • exceptions, 78
• • • emergency threatening patient’s life, safety, or security, 78
• • • patient’s interest, 78
• • • required by law, 78
• • fax machines and Internet concerns, 78-79
• commercial activities, 73-75
• • preponderant purpose test, 73
• custodians in Ontario, regulation, 2005-399, 198
• disclosure for subpoena, warrant or court order in civil litigation, 82
• fundraising activities, 75
• genetic testing, 80-81
• health research, 79-80
• • consent exception, 80
• • research ethics board
• • tri-council policy, 79-80
• personal health information
• • defined, 71-72, 145
• • employer collected, 138-140
• physicians’ prescribing patterns, sale of information, 83-84
• provincial health information privacy statutes, 75-77
• statutory reporting obligations, 83
• when does PIPEDA apply, 73-75

I

Imaging technology, 118-119
• Google’s Street View application, 118-119
Individual access, 189-190
Information technology
• biometrics, see Biometrics
• compliance tips, 127-129
• consent obtained electronically, 108-109
• • opt-out form, 109
• • privacy statement, 108-109
• cookies, information stored is personal, 111
• cookies, advertising, 107
• Cookies case, 105-107
• • Commissioner’s finding of breach, 106
• • privacy concern, 106
• data mining, see Data mining
• deep packet inspection, see Deep packet inspection (DPI)
• disclosure of on-line information to police during an investigation, 126-127
• imaging technology, see Imaging technology
• Internet-based marketing, see Internet-based marketing
• live video streaming, see Live video streaming
• need for compliance, 109-110
• • damage to reputation when information use practices disclosed, 110
• • Federal Court damage order, 109
• • Google privacy deficiencies and third-party audit, 109-110
• • PIPEDA non-compliance may affect ability to contract, 110
• outsourcing, see Outsourcing
• payload data collection, see Payload data collection
• PIPEDA compliance tips, 127-129
• • audit, designate privacy officer, privacy policy, consents, 127
• • examples of breach of PIPEDA, 128-129
• radio frequency identification device, see Radio frequency identification device (RFID)
• social networking, see Social networking sites
International transfer of personal information, see under Outsourcing
Internet-based marketing, 110-112
• cookies, information stored is personal, 111
• e-mail addresses, personal information, 110-111
• spyware, likely breach of PIPEDA, 111-112
Investigation of complaint, see Complaints process

L

Live video streaming, 125-126
• privacy policy and passwords protection, 125-126
• webcam service at daycare, 125

M

Mergers, acquisitions and asset purchases, 65-68, see also Outsourcing
• customers and patients consent, 67
• employee information to joint venture partner, 66-67
• employee information to potential purchaser, 67
• issues to explore by potential purchaser re personal information, 65-68
• privacy policy inclusion, 66-67
• sale of customer list, 68
• share purchase transaction, 68

O

Openness principle, 188-189
Outsourcing, 52-64
• checklist, 69
• CIBC decision by Privacy Commissioner, 55-58
• • affirmed in SWIFT decision, 58
• • CIBC customer concerns re U.S. service provider, 56
• • CIBC transparent about policies on outsourcing, 58
• • comparable level of protection found, 57
• • customer consent not required, 57-58
• • Office of the Superintendent of Financial Institutions (OFSI) approval, 56-57
• commercial activities, 53-54
• comparable level of protection, 52
• no disclosure, therefore no consent needed, 52-53
• data breach, see Data breach
• guarantees required by transferring organization from agent, 55
• information technology services, 119-123
• • applications service provider (ASP) arrangements, 121-122
• • disaster recovery, 122-123
• • • business continuity, 122
• • • transfer of personal information to third party, 120-121
• • “transfer” vs “disclosure”, 120-121
• • • transfer privacy requirements from outsourcer, 120-121
• • transmission of personal information to third party, 120
• international transfer of personal information, 59-64
• • Accusearch case, 60-61
• • • disclosure of personal information without consent, 60
• • • PIPEDA breached, 59-61
• • • Privacy Commissioner and U.S. Federal Trade Commission, 60
• • affiliated corporations, 62-64
• • • advance notice to customers, 63-64
• • • comparable level of data protection, 63
• • checklist, 69
• • comparable level of protection, 59
• • KLM case, 61-62
• • • failure to provide applicant access to information, 61
• • transparency re outsourcing, 59
• notification of outsourcing required, 62
• privacy policy transparent, 58, 59

P

Payload data collection, 119
• Google Wi-Fi privacy concerns, 119
Penalties, see Damages
Personal information
• access by individual to, 22, 31
• accuracy, 22
• collection, use, and disclosure, see Collection, use, and disclosure of personal information
• compliance team, 31-32
• defined, 19-21, 145
• • exclusions, 18-19
• identifiable individual, 19, 72
• outsourcing, see Outsourcing
• publicly available, regulation, 2001-7, 210-211
• reasonable expectation of privacy, see Reasonable expectation of privacy
• safeguards (security), 23, 30-31, 187-189
Personal Information Protection and Electronic Documents Act (PIPEDA)
• activities covered by Act, 16-17, 32, 131-141
• • collected in course of commercial activities, 16-17, 146
• • digital signatures, 17
• • federal works, undertakings or businesses, 132, 146
• activities not covered by Act, 18-19, 144
• • employment related information collected by private sector employers, 16
• • personal information held by government covered by Privacy Act, 19
• application, 15-16, 129, 146
• • education sector, see Education sector
• • employment relationship, see Employment relationship
• • healthcare sector, see Healthcare sector
• • information and technology-intensive businesses, see Information technology
• definitions, 143-145
• • “alternative format”, 144
• • “commercial activity”, 144
• • “commissioner”, 144
• • “Court”, 144
• • “data”, 172
• • “electronic document”, 172
• • “electronic signature”, 172
• • “federal law”, 172
• • “federal work, undertaking or business”, 144-145
• • “filing”, 174
• • “organization”, 145
• • “personal health information”, 145
• • “personal information”, 145
• • “record”, 145
• • “responsible authority”, 172-173
• • “secure electronic signature”, 172
• • “should”, 148
• electronic documents, see Electronic documents
• grandfathering clause, none, 33-34
• Model Code for Protection of Personal Information (Schedule 1), 180-191
• origins of the Act, 9-15
• • Bill C-12 proposed changes, 11-12
• • digitization of information, 8-9
• • European Union privacy directives, 9-10
• • in force January 2001, 2
• • Internet implications, 8-9
• • OECD principles re privacy protection, 9
• • recommended changes to the Act, 11-12
• personal information, defined, 19-21, 145
• privacy
• • defined, 7
• • principles, ten, 22-23, 180-191
• provincial privacy legislation and, 75-77
• purpose of Act, 145-146
• regulations, see Electronic documents
• review of Act every five years, 10-12, 171
Privacy
• defined, 7
• policy sample, 45-50
• principles, ten, 22-23, 180-191
• • challenging compliance to, 23
Privacy Commissioner, see also Complaints process
• agreements with provinces, 166-167
• annual report, 169
• audit of organizations, 37-38
• Commissioner, defined, 144
• disclosure of information to foreign state, 167-168
• investigative powers, 35-36
• mediation, 35, 159
• no power of enforcement, 35
• protection of, 165-166
• role of, 34-43
• solicitor-client privilege, 35-37
Privacy policy, 23-24
• officer, 23, 31
• openness of, 23, 30-31, 118, 188-190
• sample of, 45-50
Provincial private sector privacy legislation, 14-15
• Alberta, 14
• British Columbia, 14
• Ontario, 14
• Privacy Commissioner’s agreement with provinces, 166-167
• Quebec, 14
• relationship to PIPEDA, 75-77
• “substantially similar” to federal, 14-15, 75-77

R

Radio frequency identification device (RFID), 117
• Ontario Privacy Commissioner’s guidelines, 117
• personal information may be associated with, 117
• Privacy Commissioner is studying use in Canada, 117
Reasonable expectation of privacy, 21, 132-134
Regulations
• Governor in Council, made by, 169-170, 176-177

S

Safeguards (security) of personal information, 23, 30-31, 187-188
Sample privacy policy, 45-50
Security checks, 137-138
Social networking sites, 112-116
• Facebook privacy investigations, 112-116
• Google Buzz privacy violation, 116
• video recording of picket line crossing, 136-137
• • for violation of employment contract, 137
Solicitor-client privilege, 35-37
Spam, see FISA (Fighting Internet and Wireless Spam Act)
Spyware, likely breach of PIPEDA, 111-112
“Substantially similar” federal requirement, 14-15
Surveillance of employees, 132-137
• e-mail monitoring, 134
• global positioning systems (GPS) installation, 134-135
• • appropriate purpose, 135
• implied consent, 133, 135
• justification for surveillance must be reasonable, 132-133
• • Canadian Pacific Railway video camera case, 132-133
• • signs must be posted to alert employees of video cameras, 133
• surreptitious, 136
• • guidelines issued for covert and non-covert video surveillance, 137

T

Third party data collection, 64-65

U

United States privacy legislation, 13
USA Patriot Act, 55, 62
Use of personal information, see Collection, use, and disclosure of personal information

V

Video surveillance, 54, 128, 132-136

W

Whistle-blowing, 170
• protection of, 170