CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) Question and Answers

Conduct a preliminary PIA before acquiring the service

Complete a PIA in accordance with Treasury Board guidelines.

Publish a privacy statement in newspapers and on the government website.

Determine if the Office of the Privacy Commissioner must be notified of the launch of this new e-service

Is required by an organization to establish an employment relationship.

Includes internal investigation files and complaints filed about an employee.

Includes intellectual property developed within the scope of an employee's job function.

Is prepared or collected as part of that individual’s responsibilities or activities in connection to their job.

Encrypt data in transit.

Anonymize the personal data before sending.

Seek additional consent from their customers.

Ensure the marketing partner has equal or stronger protections than Canada.

The Access to Information Act.

The Children's Online Privacy Protection Act

The Telecommunications Intercept and Access (TIA) Act.

The Personal Information Protection and Electronic Documents Act

All 1000 clients must be sent new letters.

The 500 clients who were impacted must be immediately notified.

The Office of the Privacy Commissioner (OPC) must be immediately notified.

A risk assessment must be completed to determine the real risk of significant harm (RROSH) to the clients.

Inform customers if data is to be transferred outside of Canada and solicit additional consent.

Give individuals with an existing business relationship the right to refuse transfer of their information.

Advise customers that their data may be accessed by another jurisdiction's courts or law enforcement.

Provide new customers with a measure-by-measure comparison of relevant foreign laws with Canadian laws.

Supreme Court of Canada and Prime Minister

House of Commons and the Senate.

Administrative tribunal.

Auditor General.

It scrambles information but can be unscrambled for later use.

It automatically puts a lifespan on any identification that is stored.

It randomizes all permanent identification within an organized database.

It still provides customer identification, but in a form that would not reveal the real number.

It is user specific information that can easily be stored and accessed to identify an individual or group of individuals.

It can be applied broadly to link many pieces of personal information and creates security vulnerabilities.

It is distinctive, unlikely to vary overtime, difficult to change and largely unique to the individual.

It is easy to recognize and reproduce with increasing computer processing power.

Proceed to federal court to determine if the institution improperly withheld information from an individual.

Order an institution to take remedial action if it determines that the Act has been breached.

Recommend solutions to institutions to address identified shortcomings.

Compel institutions to give oral or written evidence.

Employee name and title can only be released if the employee consents

The employee designation is not to be released as it is considered employment history.

Employee name, title, and designation can be released as it is not classified as personal information.

No employee information can be released as it is information that was collected throughout the course of employment.

The Ministry of Health

The Bank of Canada.

Crown Corporations.

The Cabinet.

Equivalency designation.

Attestation designation.

Adequacy designation.

Protection designation.

Health information custodians or trustees be specified only by applicable law or regulation

An individual's consent may be implied unless the individual has refused consent or if the purpose of the disclosure is not to provide health care.

Notification to the individual be made in the event of a data breach of personal health information (PHI) by an organization that is based in Canada

Consent must be expressed or implied when a custodian discloses personal health information (PHI) to another custodian for the purpose of providing health care.

That a correction be made to change the diagnosis based on the patient's wishes.

That the information be restricted from disclosure to other health care providers.

That a copy of the record be kept by the patient for disclosure to physicians.

That details of the diagnosis be deleted from the patient’s health record.

Contributing to the development and application of Al standards.

Sharing information and best practices of Al governance.

Supporting public awareness and education on Al.

Adopting low-risk uses of AI.

Determining if the personal information stored on the records will be used for data matching

Putting into place a contractual agreement between the organization and the records storage company.

Conducting a Privacy Impact Assessment (PIA) prior to establishing a relationship with the storage company.

Establishing that consent gathered from individuals by the organization in order to store their personal information was informed and meaningful.

Consistency with at least eight of the ten privacy principles, an independent oversight body and a complaint handling mechanism.

Consistency with the ten privacy principles, an independent oversight body and a process for accessing information.

Consistency with the ten privacy principles, an independent oversight body and a redress mechanism.

Consistency with the ten privacy principles, an appeal process and a redress mechanism.

When disclosing to a law enforcement body.

When disclosing to comply with a search warrant.

When disclosing to a registered charitable organization.

When disclosing to a member of parliament to assist in resolving a problem.