CIPP/C Chapter 2 exam study guide questions and answers

Private sector legislation is based on... Private-sector privacy legislation in Canada is based on the 10 fair information principles found in Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). Fair information Principals - Accountability An organization must implement procedures that protect personal information, establish procedures to receive and respond to complaints or questions, train staff and be transparent about all these procedures and practices. More often than not, these obligations culminate in the drafting and posting of a privacy policy—a document that tells customers, potential customers, employees and any other individuals who might have their personal information collected, used or disclosed by the organization what that organization's personal-information-handling practices are. This principle also requires an organization to appoint individuals with primary responsibility for privacy protection and goes further by making organizations responsible for the personal information over which they have either custody or control. Fair information Principals - Identifying Purpose obligation of organizations to identify and document the purposes for the collection of any personal information at or before the time of collection. If, subsequent to the collection and original identification of the purpose for the collection, the organization wishes to use the personal information for a different purpose, it must procure new consent after the new purpose is communicated to the individual. creates challenges for organizations to describe their purposes in ways that are precise enough to provide valuable information to individuals, but broad enough to include potential future purposes so they don't need to obtain consent every time they identify a new use for personal information. Fair information Principals - Consent This principle is so important that each Canadian law, including PIPEDA, deals with the requirement for consent explicitly. it must be informed and meaningful. Fair information Principals - Limiting Purposes requires organizations to collect only the amount and type of personal information legitimately needed to fulfill the identified purpose. It requires that organizations not collect personal information indiscriminately or beyond the scope of services provided. organizations must not collect personal information by misleading individuals or being less than candid about the purpose for the collection. Fair information Principals - Limiting Use, Disclosure and Retention "personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes." Once the purpose for the collection, use or disclosure of the personal information has been fulfilled, this principle directs an organization to destroy the personal information. This requires organizations to address the issue of retention schedules beforehand and to develop guidelines and procedures for the adequate destruction of personal information at the appropriate time. (1) personal information that has been used to make a decision about an individual should be retained long enough to allow the individual access to the information after the decision has been made, and (2) an organization may be subject to legislative requirements with respect to retention periods for certain types of information. notion that collection of excess personal information can become a potential liability Fair information Principals - Accuracy "accurate, complete and up-to-date as is necessary for the purposes for which it is being used." "An organization shall not routinely update personal information, such a process is necessary to fulfill the purposes for which the information was collected." Fair information Principals - Safeguards The security safeguards adopted by organizations must protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. This obligation transcends media, applying equally to paper-based and electronic data. requires information to be protected according to the sensitivity of the information, such that financial or medical information should receive greater security protection than address information. Fair information Principals - Openness almost single-handedly responsible for the proliferation of privacy policies in the last several years. requires organizations to make readily available to individuals specific information about their policies and practices relating to the management of personal information. Must include: The name or title and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded The means of gaining access to personal information held by the organization A description of the type of personal information held by the organization, including a general account of its use A copy of any brochures or other information that explains the organization's policies, standards or codes The personal information that is made available to related organizations (e.g., subsidiaries) Fair information Principals - Individual Access Organizations must be able to respond to requests from individuals for access to their personal information. This principle incorporates such obligations as the requirement to inform individuals of the existence, collection, use and disclosure of personal information. Moreover, if an individual reviews his or her information and finds inaccuracies, the org