CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) Questions and Answers

The principle of "Openness" in the Personal Information Protection and Electronic Documents Act (PIPEDA) has particularly contributed to the increase in privacy policies in recent years. This principle requires organizations to be open about their policies and practices regarding the management of personal information. They must make this information readily available in a form that is generally understandable. The emphasis on openness has compelled organizations to develop, maintain, and publish detailed privacy policies that outline how personal information is collected, used, disclosed, and protected. This requirement helps to ensure that individuals are informed about the privacy practices of organizations and can make informed decisions regarding their personal information.

Biometric information is considered sensitive personal information primarily because it possesses characteristics that are uniquely and intrinsically linked to the individual. Biometric data such as fingerprints, facial recognition patterns, and DNA are distinctive, largely unique to the individual, unlikely to change over time, and difficult to alter. This inherent nature of biometric data makes it extremely sensitive, as its misuse or unauthorized access can lead to significant privacy invasions and potentially irreversible harm. Therefore, the correct answer is C.

According to the Canadian Standards Association (CSA) Model Code, which has been adopted into PIPEDA, personal information should be retained only as long as necessary to fulfill the purposes for which it was collected. This principle ensures that personal information is not kept indefinitely without a valid reason, supporting data minimization and limiting potential privacy risks associated with unnecessary data retention. This principle is reflected in the CSA Model Code's retention guideline, which emphasizes the need to retain personal information only for the duration required to achieve its intended purpose. Therefore, the correct statement is Option D.

Sensitive personal information is generally defined as data that, if disclosed, could lead to significant harm to the individual, such as identity theft or discrimination. Credit scores, medical histories, and dates of birth are considered sensitive due to their potential use in fraud or as critical identifiers in health and financial contexts. Educational transcripts, while personal, are generally not considered sensitive because they typically do not expose individuals to the same level of risk if disclosed. Thus, the correct answer is D, "Educational transcripts."

The role of Canadian courts in reviewing decisions made by provincial oversight authorities generally involves examining whether there have been specific types of errors in the decision-making process, such as a misinterpretation of a term in the legislation or application of the law. This judicial review focuses on the legality and reasonableness of the decisions, ensuring that oversight authorities correctly interpret and apply the legislative framework governing privacy and data protection. This review does not extend to re-evaluating all investigative notes or comparing decisions across different provincial authorities, as such tasks are beyond the scope of a typical judicial review process. Therefore, Option C correctly describes the court's role.

Under the Privacy Act, government institutions are typically allowed to disclose personal information without the consent of the individual in certain circumstances, such as for law enforcement purposes or in compliance with court orders (e.g., search warrants). Disclosures to a member of parliament to assist in resolving a problem also usually do not require consent if they are for a purpose consistent with the reason the data was initially collected. However, disclosing personal information to a registered charitable organization would not fall under these usual exceptions and would generally require the individual's consent unless another specific exception applies. This ensures that personal information is not shared beyond the scope of its original collection purpose without appropriate authorization.

The Government of Canada’s Directive on Privacy Impact Assessments is designed to ensure that privacy implications are appropriately considered in the delivery of Government of Canada programs and services. This directive typically applies to federal departments and agencies. However, it does not apply to The Cabinet, which is essentially part of the executive branch of government involved in decision-making at the highest levels. Cabinet discussions and materials are often confidential and governed by different sets of rules regarding privacy and security. Thus, the correct answer is D, The Cabinet.

The Canadian Standards Association (CSA) was the primary influence in the development of Canadian privacy principles with the publication of the CSA Model Code for the Protection of Personal Information. This set of eight privacy principles later became part of the Personal Information Protection and Electronic Documents Act (PIPEDA), serving as a foundation for how personal information should be handled by private sector organizations in Canada. The CSA's Model Code includes principles such as accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance. Therefore, the correct answer is D, "The Canadian Standards Association (CSA)."

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), when an organization transfers personal information to a third party for processing, it remains responsible for that information. It is required to use contractual or other means to provide a comparable level of protection while the information is being processed by the third party. The most appropriate answer here is A, establishing a contract outlining the individual outsourcing arrangement. This ensures that the third party adheres to privacy obligations equivalent to those of PIPEDA. This requirement is directly stated in PIPEDA’s accountability principle, which mandates organizations to use contractual or other means to provide a comparable level of protection while information is being processed by a third party.

Under the Privacy Act, a request for access to one’s personal information can be denied in specific circumstances, such as when the information was collected by the Royal Canadian Mounted Police (RCMP) while performing policing services for a province or municipality. This scenario typically involves information collected for law enforcement, investigation, or security purposes, where releasing it might compromise ongoing operations or the methods used in such operations. The Privacy Act includes provisions to deny access when disclosure could reasonably be expected to prejudice the enforcement of laws, the conduct of investigations, or similar matters related to law enforcement and security.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), there are specific circumstances where a commercial business in Canada is allowed to collect personal information without the knowledge or consent of the individual1. These exceptions include:

• Journalistic or literary purposes (option A): Organizations may collect personal information without consent when it’s for journalistic, artistic, or literary purposes, as these activities are considered to fall under the freedom of expression provisions.
• Interests of the individual (option B): If the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way, for example in emergency situations where the individual’s life, health, or security is threatened.
• Investigative purposes (option D): When the collection with the knowledge of the individual would compromise the availability or accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.

However, option C is not one of the exceptions provided under PIPEDA. The act does not allow for the collection of personal information without consent solely on the basis that the collection would lead to the creation of products that would benefit the public and consent would be difficult to obtain. While public benefit is a consideration in the ethical use of personal information, it does not override the requirement for consent under PIPEDA unless the situation falls under other specific exceptions1.

Therefore, the correct answer is C, as it is the exception that is not permitted under the current framework of PIPEDA for collecting personal information without the knowledge or consent of the individual1.

A significant difference between the federal Privacy Commissioner and provincial privacy commissioners in Canada is in their enforcement powers. Provincial privacy commissioners, such as those in Alberta and British Columbia, have the authority to order organizations to take specific actions to comply with provincial privacy laws. This can include orders to stop certain practices or to take corrective measures. In contrast, the federal Privacy Commissioner, overseeing federal statutes like the Personal Information Protection and Electronic Documents Act (PIPEDA), primarily makes recommendations following investigations and must seek court orders to enforce compliance. Thus, the correct answer is A, "Provincial commissioners can order an organization to act."

Under the Privacy Act, which governs the handling of personal information by federal government institutions in Canada, there is a stipulation that the collection of personal information must relate directly to an operating program or activity of the government institution. This requirement ensures that any personal data collected is directly relevant and necessary for a legitimate governmental function or service, thus preventing the unnecessary collection of personal information. This principle is meant to limit government institutions to collecting only that information which is strictly necessary for carrying out their legally authorized functions, aligning with privacy protection objectives. Option C accurately represents this requirement.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and similar provincial privacy laws, there are certain circumstances where the collection of personal information without explicit consent is permitted. One such circumstance is when obtaining timely consent is impractical, and the collection of the information is clearly in the interests of the individual. This could occur in emergency situations where the individual's health or safety is at stake, or where immediate action is required for the individual's benefit, and consent cannot be obtained in a timely manner. Thus, the correct answer is A.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information is defined as information about an identifiable individual. However, information that is publicly available, such as a public official's salary listed on a government website, is excluded from protection under PIPEDA's regulations specifying what constitutes publicly available information. The salaries of public officials, as government transparency measures, are specifically designated as public information. In contrast, the other options listed—telephone numbers in a public directory, photographs taken in public, and court records—although they might seem public, are not explicitly designated as exempt from PIPEDA in the same way, and could still be considered personal information depending on the context.

"Hashing" is preferable to storing a personal identifier, such as a driver’s license number, because it still provides a method for customer identification but in a form that would not reveal the real number. Hashing is a security technique that converts data into a fixed-size string of characters, which is typically a hash code. The hash code represents the original data but does not allow it to be reconstructed or decrypted. In the context of data security, hashing is valuable because it protects sensitive personal identifiers from exposure while still enabling the organization to verify or match the hashed data with incoming hashed inputs for identification purposes.

For a provincial law to be considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA), it must consist of consistency with the ten privacy principles, an independent oversight body, and a redress mechanism. This criterion is set by the federal government to ensure that provincial privacy laws provide a comparable level of protection as PIPEDA. If a provincial privacy law meets these standards, it is declared substantially similar, which allows it to supersede PIPEDA within that province for private sector data handling. This framework helps to maintain a uniform standard of privacy protection across Canada while allowing for regional adaptations.

The Privacy Commissioner of Canada reports to the Parliament of Canada, specifically to both the House of Commons and the Senate. This structure supports the Commissioner's role as an officer of Parliament, emphasizing the independence necessary for overseeing the government's adherence to privacy laws and handling Canadians' personal information. The reporting relationship ensures accountability and enables the Commissioner to report on privacy issues directly to the legislative body that represents the interests of the public.

Work-product information is generally thought of as information that is prepared or collected as part of an individual’s responsibilities or activities in connection to their job. This includes documents, notes, reports, and other materials created as part of an employee's duties or during their employment. The focus here is on the content being directly related to the job functions and responsibilities rather than personal attributes or information unrelated to work tasks. This type of information is distinct from personal information that may be collected for HR purposes and is typically treated differently under privacy laws.