Guide to FOIP-Chapter 6

Overview 8
The Right of Privacy 9
Privacy as a Charter Right 11
Privacy versus Confidentiality 12
The Threat of Identity Theft 13
10 Fair Information Principles 17
Accountability 19
Identifying Purposes 19
Consent 20
Limiting Collection 20
Limiting Use, Disclosure and Retention 20
Accuracy 21
Safeguards 21
Openness 22
Individual Access 22
Challenging Compliance 22
Need-to-Know Principle 23
Data Minimization Principle 24
De-identified information 25
Necessary, Effective & Proportional 31
Consent Requirements 32
Best Practice Steps for Consent Forms 36
Section 24: Definition of Personal Information 37
What is not Personal Information? 43
Subsection 24(1)(a) 45
Subsection 24(1)(b) 49
Subsection 24(1)(d) 52
Subsection 24(1)(e) 54
Subsection 24(1)(f) 57
Subsection 24(1)(g) 59
Subsection 24(1)(h) 63
Subsection 24(1)(i) 65
Subsection 24(1)(j) 68
Subsection 24(1)(k) 70
Subsection 24(1)(k)(i) 71
Subsection 24(1)(k)(ii) 73
Subsection 24(1.1) 74
Subsection 24(1.2) 76
Subsection 24(2)(a) 78
Subsection 24(2)(b) 81
Subsection 24(2)(c) 82
Subsection 24(2)(d) 85
Subsection 24(2)(e) 87
Subsection 24(2)(f) 90
Subsection 24(2)(g) 93
Subsection 24(3) 94
Section 24.1: Duty of government institution to protect 96
Safeguards 97
Administrative 98
Technical 103
Auditing 106
Encryption 108
Physical 111
Subsection 24.1(a) 114
Subsection 24.1(b) 116
Subsection 24.1(b)(i) 116
Subsection 24.1(b)(ii) 119
Subsection 24.1(b)(iii) 120
Subsection 24.1(c) 123
Section 24.2: Information Management Service Provider 125
Subsection 24.2(1) 126
Subsection 24.2(2) 127
Subsection 24.2(3) 130
Subsection 24.2(4) 131
Section 25: Purpose of Information 132
Over collection 135
Unsolicited Information 137
Section 26: Manner of Collection 139
Subsection 26(1): Direct Collection 140
Subsection 26(1)(a): Indirect Collection 141
Subsection 26(1)(b): Indirect Collection 144
Subsection 26(1)(c): Indirect Collection 145
Subsection 26(1)(c)(i) 146
Subsection 26(1)(c)(ii) 151
Subsection 26(1)(c)(ii)(A) 152
Subsection 26(1)(c)(ii)(B) 153
Subsection 26(1)(d): Indirect Collection 154
Subsection 26(1)(e): Indirect Collection 157
Subsection 26(1)(e)(i) 157
Subsection 26(1)(e)(ii) 160
Subsection 26(1)(f): Indirect Collection 162
Subsection 26(1)(g): Indirect Collection 165
Subsection 26(1)(h): Indirect Collection 167
Subsection 26(2): Inform Individual 170
Subsection 26(3): Exception to Informing 173
Section 27: Standard of Accuracy 175
Section 28: Use of Personal Information 179
Subsection 28(a) 182
Subsection 28(b) 187
“Use” Involving Contracted Third Parties 189
Subcontracting by Outsourcers 190
Section 29: Disclosure of Personal Information 191
Subsection 29(1) 194
Subsection 29(2)(a) 196
Subsection 29(2)(b) 199
Subsection 29(2)(b)(i) 199
Subsection 29(2)(b)(ii) 202
Subsection 29(2)(c) 204
Subsection 29(2)(d) 205
Subsection 29(2)(e) 206
Subsection 29(2)(f) 208
Subsection 29(2)(f)(i) 208
Subsection 29(2)(f)(ii) 210
Subsection 29(2)(g) 211
Subsection 29(2)(h) 213
Subsection 29(2)(h.1) 219
Subsection 29(2)(i) 223
Subsection 29(2)(j) 228
Subsection 29(2)(k) 232
Subsection 29(2)(l) 238
Subsection 29(2)(m) 242
Subsection 29(2)(n) 245
Subsection 29(2)(o) 247
Subsection 29(2)(o)(i) 248
Subsection 29(2)(o)(ii) 255
Subsection 29(2)(p) 256
Subsection 29(2)(q) 258
Subsection 29(2)(r) 261
Subsection 29(2)(s) 263
Subsection 29(2)(t) 264
Subsection 29(2)(u) 267
Subsection 29(3) 270
Subsection 29(4) 272
Section 29.1: Notification 275
Privacy Breaches 278
Best Practice Steps for Breaches 280
Contain the breach 280
Notify 281
Investigate 282
Conducting Root Cause Analysis 284
Prevent 287
How IPC Investigations are Initiated 287
Process for Proactively Reported Breaches 288
Section 30: Personal information of deceased individual 289
Subsection 30(1) 289
Subsection 30(2) 291
Section 31: Access to personal information 294
Subsection 31(1) 295
Subsection 31(2) 296
Section 32: Right of correction 302
Subsection 32(1) 303
Subsection 32(2) 306
Subsection 32(2)(a) 308
Subsection 32(2)(b) 312
Subsection 32(2)(c) 314
Subsection 32(3) 315
Section 49: Application for review 316
Subsection 49(1)(a.4): Privacy complaints 316
Subsection 49(1)(c): Correction reviews 319
Subsection 49(2): 1 Year Deadline 320
Section 50: Review or refusal to review 320
Subsection 50(2)(a.6): Insufficient evidence 321
Validity Test 321
Privacy Impact Assessments (PIAs) 322
Records & Information Management (RIM) 326
Basic RIM Concepts 326
RIM Best Practices 328
Record Retention 340
Record Disposal 343
Best Practices for the Secure Destruction of Personal Information 345
Preserving Records 356
Focus on Issues in Privacy 358
Big Data and Predictive Analytics 358
Biometrics and Facial Recognition 361
Body Worn Cameras 362
Data Brokers 364
Personal Email Use for Business 366
Snooping 372
Surveillance 374
