Guide to FOIP - Chapter 6

Overview ... 8
  The Right of Privacy ... 9
  Privacy as a Charter Right ... 11
  Privacy versus Confidentiality ... 12
  The Threat of Identity Theft ... 13
10 Fair Information Principles ... 17
  Accountability ... 19
  Identifying Purposes ... 19
  Consent ... 20
  Limiting Collection ... 20
  Limiting Use, Disclosure and Retention ... 20
  Accuracy ... 21
  Safeguards ... 21
  Openness ... 22
  Individual Access ... 22
  Challenging Compliance ... 22
Need-to-Know Principle ... 23
Data Minimization Principle ... 24
  De-identified information ... 25
Necessary, Effective & Proportional ... 31
Consent Requirements ... 32
  Best Practice Steps for Consent Forms ... 36
Section 24: Definition of Personal Information ... 37
  What is not Personal Information? ... 43
  Subsection 24(1)(a) ... 45
  Subsection 24(1)(b) ... 49
  Subsection 24(1)(d) ... 52
  Subsection 24(1)(e) ... 54
  Subsection 24(1)(f) ... 57
  Subsection 24(1)(g) ... 59
  Subsection 24(1)(h) ... 63
  Subsection 24(1)(i) ... 65
  Subsection 24(1)(j) ... 68
  Subsection 24(1)(k) ... 70
    Subsection 24(1)(k)(i) ... 71
    Subsection 24(1)(k)(ii) ... 73
  Subsection 24(1.1) ... 74
  Subsection 24(1.2) ... 76
  Subsection 24(2)(a) ... 78
  Subsection 24(2)(b) ... 81
  Subsection 24(2)(c) ... 82
  Subsection 24(2)(d) ... 85
  Subsection 24(2)(e) ... 87
  Subsection 24(2)(f) ... 90
  Subsection 24(2)(g) ... 93
  Subsection 24(3) ... 94
Section 24.1: Duty of government institution to protect ... 96
  Safeguards ... 97
    Administrative ... 98
    Technical ... 103
      Auditing ... 106
      Encryption ... 108
    Physical ... 111
  Subsection 24.1(a) ... 114
  Subsection 24.1(b) ... 116
    Subsection 24.1(b)(i) ... 116
    Subsection 24.1(b)(ii) ... 119
    Subsection 24.1(b)(iii) ... 120
  Subsection 24.1(c) ... 123
Section 24.2: Information Management Service Provider ... 125
  Subsection 24.2(1) ... 126
  Subsection 24.2(2) ... 127
  Subsection 24.2(3) ... 130
  Subsection 24.2(4) ... 131
Section 25: Purpose of Information ... 132
  Over collection ... 135
  Unsolicited Information ... 137
Section 26: Manner of Collection ... 139
  Subsection 26(1): Direct Collection ... 140
  Subsection 26(1)(a): Indirect Collection ... 141
  Subsection 26(1)(b): Indirect Collection ... 144
  Subsection 26(1)(c): Indirect Collection ... 145
    Subsection 26(1)(c)(i) ... 146
    Subsection 26(1)(c)(ii) ... 151
      Subsection 26(1)(c)(ii)(A) ... 152
      Subsection 26(1)(c)(ii)(B) ... 153
  Subsection 26(1)(d): Indirect Collection ... 154
  Subsection 26(1)(e): Indirect Collection ... 157
    Subsection 26(1)(e)(i) ... 157
    Subsection 26(1)(e)(ii) ... 160
  Subsection 26(1)(f): Indirect Collection ... 162
  Subsection 26(1)(g): Indirect Collection ... 165
  Subsection 26(1)(h): Indirect Collection ... 167
  Subsection 26(2): Inform Individual ... 170
  Subsection 26(3): Exception to Informing ... 173
Section 27: Standard of Accuracy ... 175
Section 28: Use of Personal Information ... 179
  Subsection 28(a) ... 182
  Subsection 28(b) ... 187
  "Use" Involving Contracted Third Parties ... 189
  Subcontracting by Outsourcers ... 190
Section 29: Disclosure of Personal Information ... 191
  Subsection 29(1) ... 194
  Subsection 29(2)(a) ... 196
  Subsection 29(2)(b) ... 199
    Subsection 29(2)(b)(i) ... 199
    Subsection 29(2)(b)(ii) ... 202
  Subsection 29(2)(c) ... 204
  Subsection 29(2)(d) ... 205
  Subsection 29(2)(e) ... 206
  Subsection 29(2)(f) ... 208
    Subsection 29(2)(f)(i) ... 208
    Subsection 29(2)(f)(ii) ... 210
  Subsection 29(2)(g) ... 211
  Subsection 29(2)(h) ... 213
  Subsection 29(2)(h.1) ... 219
  Subsection 29(2)(i) ... 223
  Subsection 29(2)(j) ... 228
  Subsection 29(2)(k) ... 232
  Subsection 29(2)(l) ... 238
  Subsection 29(2)(m) ... 242
  Subsection 29(2)(n) ... 245
  Subsection 29(2)(o) ... 247
    Subsection 29(2)(o)(i) ... 248
    Subsection 29(2)(o)(ii) ... 255
  Subsection 29(2)(p) ... 256
  Subsection 29(2)(q) ... 258
  Subsection 29(2)(r) ... 261
  Subsection 29(2)(s) ... 263
  Subsection 29(2)(t) ... 264
  Subsection 29(2)(u) ... 267
  Subsection 29(3) ... 270
  Subsection 29(4) ... 272
Section 29.1: Notification ... 275
  Privacy Breaches ... 278
  Best Practice Steps for Breaches ... 280
    Contain the breach ... 280
    Notify ... 281
    Investigate ... 282
    Conducting Root Cause Analysis ... 284
    Prevent ... 287
  How IPC Investigations are Initiated ... 287
  Process for Proactively Reported Breaches ... 288
Section 30: Personal information of deceased individual ... 289
  Subsection 30(1) ... 289
  Subsection 30(2) ... 291
Section 31: Access to personal information ... 294
  Subsection 31(1) ... 295
  Subsection 31(2) ... 296
Section 32: Right of correction ... 302
  Subsection 32(1) ... 303
  Subsection 32(2) ... 306
    Subsection 32(2)(a) ... 308
    Subsection 32(2)(b) ... 312
    Subsection 32(2)(c) ... 314
  Subsection 32(3) ... 315
Section 49: Application for review ... 316
  Subsection 49(1)(a.4): Privacy complaints ... 316
  Subsection 49(1)(c): Correction reviews ... 319
  Subsection 49(2): 1 Year Deadline ... 320
Section 50: Review or refusal to review ... 320
  Subsection 50(2)(a.6): Insufficient evidence ... 321
  Validity Test ... 321
Privacy Impact Assessments (PIAs) ... 322
Records & Information Management (RIM) ... 326
  Basic RIM Concepts ... 326
  RIM Best Practices ... 328
  Record Retention ... 340
  Record Disposal ... 343
  Best Practices for the Secure Destruction of Personal Information ... 345
  Preserving Records ... 356
Focus on Issues in Privacy ... 358
  Big Data and Predictive Analytics ... 358
  Biometrics and Facial Recognition ... 361
  Body Worn Cameras ... 362
  Data Brokers ... 364
  Personal Email Use for Business ... 366
  Snooping ... 372
  Surveillance ... 374