CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) Questions and Answers

When an organization responsible for a large number of records considers outsourcing the storage of those records, it is critical to ensure that there is a robust contractual agreement in place between the organization and the records storage company. This agreement should outline the responsibilities of the storage company, the security measures they must adhere to, and the conditions under which they handle the personal information stored on the records1.

A contractual agreement serves several important purposes:

• It defines the scope of services provided by the storage company.
• It sets forth the security standards and privacy protections that must be maintained.
• It establishes the legal obligations of the storage company, including compliance with relevant privacy laws and regulations.
• It provides a mechanism for accountability and recourse in the event of a breach or non-compliance.

While determining if the personal information will be used for data matching (option A) and ensuring that consent was informed and meaningful (option D) are important considerations, they do not directly address the relationship between the organization and the storage company. Conducting a Privacy Impact Assessment (PIA) (option C) is also a valuable step, but it is a preparatory measure that should inform the development of the contractual agreement rather than being the critical factor in the outsourcing decision.

Therefore, the verified answer is B, as establishing a contractual agreement is the most critical consideration to ensure that the outsourced storage of records is managed in a way that protects the personal information and complies with privacy laws and regulations

Sensitive personal information is generally defined as data that, if disclosed, could lead to significant harm to the individual, such as identity theft or discrimination. Credit scores, medical histories, and dates of birth are considered sensitive due to their potential use in fraud or as critical identifiers in health and financial contexts. Educational transcripts, while personal, are generally not considered sensitive because they typically do not expose individuals to the same level of risk if disclosed. Thus, the correct answer is D, "Educational transcripts."

"Hashing" is preferable to storing a personal identifier, such as a driver’s license number, because it still provides a method for customer identification but in a form that would not reveal the real number. Hashing is a security technique that converts data into a fixed-size string of characters, which is typically a hash code. The hash code represents the original data but does not allow it to be reconstructed or decrypted. In the context of data security, hashing is valuable because it protects sensitive personal identifiers from exposure while still enabling the organization to verify or match the hashed data with incoming hashed inputs for identification purposes.

Under Ontario's Personal Health Information Protection Act (PHIPA), health information custodians may rely on implied consent in situations where the information is used for the provision of healthcare unless the patient explicitly opts out. However, private insurance companies do not directly provide healthcare and typically require explicit consent to collect, use, or disclose health information. This is because their primary role involves assessing insurance claims and risk, rather than delivering healthcare services. Long-term care homes, ambulance services, and pharmacies, on the other hand, are directly involved in the provision of care and can typically operate under an implied consent model when sharing information for healthcare purposes.

The Government of Canada’s Directive on Privacy Impact Assessments is designed to ensure that privacy implications are appropriately considered in the delivery of Government of Canada programs and services. This directive typically applies to federal departments and agencies. However, it does not apply to The Cabinet, which is essentially part of the executive branch of government involved in decision-making at the highest levels. Cabinet discussions and materials are often confidential and governed by different sets of rules regarding privacy and security. Thus, the correct answer is D, The Cabinet.

The movement toward comprehensive privacy and data protection laws can largely be attributed to the need to ensure consistency with global laws. This factor is pivotal as it reflects the globalized nature of the digital economy and the cross-border flow of data. Ensuring that local laws are compatible with global standards helps in maintaining international trade relationships, encourages data exchange, and builds trust in digital transactions and interactions worldwide. It also helps countries keep pace with international best practices and meet the expectations of foreign partners and international regulatory requirements.

Under the Privacy Act, which governs the handling of personal information by federal government institutions, the Privacy Commissioner of Canada does not have the authority to order institutions to take remedial action. The Commissioner's powers are limited to investigating complaints, making recommendations, and, where necessary, taking matters to the Federal Court for resolution. While the Commissioner can recommend solutions and proceed to court to seek orders for compliance, direct enforcement powers, such as ordering remedial actions independently, are not granted under the Privacy Act. Thus, the correct answer is B.

In Ontario, as well as in most jurisdictions in Canada, once a patient discloses information to a healthcare provider, the information becomes part of their health record and cannot typically be altered or deleted based on the patient's subsequent regret or preference for privacy. Under privacy laws that apply to health information in Ontario, such as the Personal Health Information Protection Act (PHIPA), a patient does not have the right to have valid medical diagnoses removed or altered in their health record. However, they can request that the disclosure of their health information be restricted to certain persons or for certain purposes. Therefore, the patient would be most successful at pursuing Option B, requesting that the information be restricted from disclosure to other healthcare providers. This is supported by Section 20 of PHIPA, which allows individuals to withhold or withdraw consent for certain uses of their information, with necessary exceptions for emergency situations or other legally mandated disclosures.

British Columbia's health information privacy laws are encapsulated in the Personal Information Protection Act (PIPA) and the E-Health (Personal Health Information Access and Protection of Privacy) Act for electronic health records. Unlike health information privacy acts in some other provinces which cover a wide range of health sector participants, BC’s laws are distinct in not directly including certain types of health facilities like independent laboratories and nursing homes under the same stringent requirements as other health care providers. These facilities may be covered under different aspects of legislation or have specific regulations but are not grouped under the typical health information custodian category in the same way as they are in provinces that use terms like "custodian" extensively. This specificity aligns with the statement in option C.

The primary motivation for a federal government entity to complete a Privacy Impact Assessment (PIA) is to receive program approvals from the Treasury Board of Canada. The Directive on Privacy Impact Assessment states that a PIA is required to ensure that privacy implications are properly addressed and that the program or service conforms with privacy protection requirements. This process is essential for obtaining necessary approvals from the Treasury Board, which oversees government spending and operations. The PIA helps demonstrate that the program respects privacy principles and the legal framework governing personal information handling by federal entities.

Under the Alberta Personal Information Protection Act (PIPA), when a real risk of significant harm (RROSH) from a data breach has been determined, the organization must notify both the individuals affected and the Privacy Commissioner of Alberta. The law requires that notifications include the description of the personal information involved in the breach, the number of individuals affected, and the steps taken to reduce or mitigate harm. However, a description of the steps the organization will take to notify affected individuals is part of the process following the assessment and initial report, not an immediate requirement when notifying the Commissioner of the RROSH itself.

Work-product information is generally thought of as information that is prepared or collected as part of an individual’s responsibilities or activities in connection to their job. This includes documents, notes, reports, and other materials created as part of an employee's duties or during their employment. The focus here is on the content being directly related to the job functions and responsibilities rather than personal attributes or information unrelated to work tasks. This type of information is distinct from personal information that may be collected for HR purposes and is typically treated differently under privacy laws.

In addressing emerging AI issues, frameworks that are specific to product safety, copyright, or criminal behavior may provide some indirect governance, but their applicability is limited compared to more direct regulatory mechanisms. Among the options listed, the Motor Vehicle Safety Act is the least effective in addressing AI issues as this act is specifically targeted towards the safety regulations of motor vehicles and is less applicable to broader AI issues that may involve data privacy, ethical considerations, and other non-vehicle-specific technologies. Therefore, while AI can be involved in vehicle safety, this act is less equipped to broadly address emerging AI issues beyond automotive safety standards. Hence, the correct answer is B, "The Motor Vehicle Safety Act."

The federal Privacy Commissioner of Canada is authorized to initiate a court action in Federal Court after completing an investigation under the Personal Information Protection and Electronic Documents Act (PIPEDA) if there has been a refusal to comply with a recommendation made by the Commissioner or if there is a need to clarify the application of the Act. Specifically, the Commissioner can seek a Federal Court determination when there is a dispute about whether personal information was properly withheld from release. This function aligns with the Commissioner's mandate to oversee compliance with PIPEDA and address complaints regarding the handling of personal information by organizations. This provision is found under Section 14 of PIPEDA.

Alberta's Health Information Act (HIA) is not considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA). While the HIA governs the collection, use, and disclosure of health information specifically within Alberta, it is structured differently and has distinct provisions compared to PIPEDA, which is a federal privacy law applicable to the private sector across all provinces and territories in Canada, except for those areas where provincial privacy laws have been deemed substantially similar. The other provincial acts listed (from New Brunswick, Ontario, and Nova Scotia) are recognized by the federal government as being substantially similar to PIPEDA, meaning they provide similar protections and can supersede PIPEDA within their respective jurisdictions for the handling of health information.

In the scenario described, the most significant procedural flaw at the daycare is their failure to respond to the parent's request about the portal’s security measures within a reasonable time frame. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are required to respond to such requests within 30 days. This timeframe is mandated to ensure transparency and to provide individuals with timely access to information about the handling of their personal data. The daycare’s failure to provide an answer within this period violates PIPEDA's provisions regarding the access to personal information and the accountability of organizations in managing this data securely and transparently.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), when personal information is collected by a Canadian company and shared for purposes other than those for which the customer provided consent originally, additional consent from the customers is required. This is particularly necessary when the information is intended to be used for a new purpose, such as marketing. Therefore, if ABC Corp wishes to send the data sets to a US-based marketing partner for new uses, they must first seek additional consent from their customers, as this involves a new purpose not previously agreed upon by the data subjects. This requirement is fundamental to ensuring compliance with PIPEDA's consent principle, which mandates that consent must be obtained whenever personal information is used for a purpose not previously consented to by the individual.

Personal information is deemed publicly available in specific instances where it is legally available to the public. For example, if you belong to a professional body and your name appears on a registry that meets legal requirements, such as those provided for by professional licensing laws, your personal information is considered publicly available. This is outlined under exceptions in privacy legislations like PIPEDA, which specifically excludes information that is publicly accessible as defined by regulations. The other scenarios listed (B, C, D) do not involve legally required public registries or directories and therefore would not automatically render the personal information publicly available.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), when transferring personal information to a foreign country, an organization must meet the Act’s transparency requirements by advising customers that their data may be accessed by another jurisdiction's courts or law enforcement. This requirement ensures that individuals are aware of the risks associated with the international transfer of their personal information, including potential access by foreign government entities. This transparency is crucial for maintaining trust and helps individuals make informed decisions about their personal information. This guideline is directly stipulated in the guidance provided by the Office of the Privacy Commissioner of Canada, emphasizing the importance of informing individuals about the potential legal exposure their data might face in foreign jurisdictions.