CIPP-C Sample Questions Answers

In Ontario, the handling of personal information in the context of Freedom of Information (FOI) requests is governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) for municipalities, or the Freedom of Information and Protection of Privacy Act (FIPPA) for provincial institutions, including hospitals. These acts typically allow for the disclosure of employment-related information, such as employee name, title, and designation, as this information is considered related to the individual's professional role rather than their personal life. Employee personal cell phone numbers and feedback about the employee from a colleague, however, are considered personal information and are generally protected from disclosure. Therefore, the statement "Employee name, title, and designation can be released as it is not classified as personal information" (Option C) is accurate.

Alberta's Health Information Act (HIA) is not considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA). While the HIA governs the collection, use, and disclosure of health information specifically within Alberta, it is structured differently and has distinct provisions compared to PIPEDA, which is a federal privacy law applicable to the private sector across all provinces and territories in Canada, except for those areas where provincial privacy laws have been deemed substantially similar. The other provincial acts listed (from New Brunswick, Ontario, and Nova Scotia) are recognized by the federal government as being substantially similar to PIPEDA, meaning they provide similar protections and can supersede PIPEDA within their respective jurisdictions for the handling of health information.

When a third country or specified entity ensures an adequate level of protection essentially equivalent to that ensured within the European Union, it is awarded an "adequacy designation." This designation is significant under the EU's data protection framework (GDPR), as it allows for the free flow of personal data from the EU to the third country without additional safeguards being necessary. An adequacy decision affirms that the non-EU country has similar protective laws and practices for personal data as those existing within the EU, thereby simplifying international transactions and data processing operations involving EU citizens' data.

The role of Canadian courts in reviewing decisions made by provincial oversight authorities generally involves examining whether there have been specific types of errors in the decision-making process, such as a misinterpretation of a term in the legislation or application of the law. This judicial review focuses on the legality and reasonableness of the decisions, ensuring that oversight authorities correctly interpret and apply the legislative framework governing privacy and data protection. This review does not extend to re-evaluating all investigative notes or comparing decisions across different provincial authorities, as such tasks are beyond the scope of a typical judicial review process. Therefore, Option C correctly describes the court's role.

Work-product information is generally thought of as information that is prepared or collected as part of an individual’s responsibilities or activities in connection to their job. This includes documents, notes, reports, and other materials created as part of an employee's duties or during their employment. The focus here is on the content being directly related to the job functions and responsibilities rather than personal attributes or information unrelated to work tasks. This type of information is distinct from personal information that may be collected for HR purposes and is typically treated differently under privacy laws.

In Canada, the compliance requirements for private sector organizations subject to a finding by a Canadian federal or provincial privacy authority can vary depending on the jurisdiction. Specifically, in Québec, organizations are required to comply with the findings as a binding decision1. This is due to the legislative provisions set out in “An Act to modernize legislative provisions as regards the protection of personal information,” which was adopted unanimously on September 22, 2021, and came into force on September 22, 20221. The act introduces significant reforms to the private sector privacy laws in Québec, including mandatory breach reporting and administrative penalties for noncompliance1.

The other options provided do not accurately reflect the requirements across all jurisdictions in Canada:

• Option B suggests compliance only with the findings of the Privacy Commissioner of Canada, which does not account for provincial authorities like Québec’s Commission d’accès à l’information du Québec.
• Option C, which states that organizations must adopt and apply the finding within 30 days of the published report in all jurisdictions, is not accurate as the response to findings can differ between federal and provincial levels.
• Option D is specific to Ontario and does not represent a general requirement for all private sector organizations in Canada. It suggests applying for judicial review within a provincial court to accept or refute the finding, which is not a standard procedure across all provinces.

Therefore, the verified answer is A, as it correctly identifies the requirement for private sector organizations in Québec to comply with the findings as a binding decision, in line with the modernized privacy laws of the province1. It is important for organizations to be aware of the specific privacy laws and regulations that apply to their operations within different Canadian jurisdictions, as outlined by the CIPP/C certification program2

When an organization responsible for a large number of records considers outsourcing the storage of those records, it is critical to ensure that there is a robust contractual agreement in place between the organization and the records storage company. This agreement should outline the responsibilities of the storage company, the security measures they must adhere to, and the conditions under which they handle the personal information stored on the records1.

A contractual agreement serves several important purposes:

• It defines the scope of services provided by the storage company.
• It sets forth the security standards and privacy protections that must be maintained.
• It establishes the legal obligations of the storage company, including compliance with relevant privacy laws and regulations.
• It provides a mechanism for accountability and recourse in the event of a breach or non-compliance.

While determining if the personal information will be used for data matching (option A) and ensuring that consent was informed and meaningful (option D) are important considerations, they do not directly address the relationship between the organization and the storage company. Conducting a Privacy Impact Assessment (PIA) (option C) is also a valuable step, but it is a preparatory measure that should inform the development of the contractual agreement rather than being the critical factor in the outsourcing decision.

Therefore, the verified answer is B, as establishing a contractual agreement is the most critical consideration to ensure that the outsourced storage of records is managed in a way that protects the personal information and complies with privacy laws and regulations

In the scenario described, the most significant procedural flaw at the daycare is their failure to respond to the parent's request about the portal’s security measures within a reasonable time frame. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are required to respond to such requests within 30 days. This timeframe is mandated to ensure transparency and to provide individuals with timely access to information about the handling of their personal data. The daycare’s failure to provide an answer within this period violates PIPEDA's provisions regarding the access to personal information and the accountability of organizations in managing this data securely and transparently.

"Hashing" is preferable to storing a personal identifier, such as a driver’s license number, because it still provides a method for customer identification but in a form that would not reveal the real number. Hashing is a security technique that converts data into a fixed-size string of characters, which is typically a hash code. The hash code represents the original data but does not allow it to be reconstructed or decrypted. In the context of data security, hashing is valuable because it protects sensitive personal identifiers from exposure while still enabling the organization to verify or match the hashed data with incoming hashed inputs for identification purposes.

Sensitive personal information is generally defined as data that, if disclosed, could lead to significant harm to the individual, such as identity theft or discrimination. Credit scores, medical histories, and dates of birth are considered sensitive due to their potential use in fraud or as critical identifiers in health and financial contexts. Educational transcripts, while personal, are generally not considered sensitive because they typically do not expose individuals to the same level of risk if disclosed. Thus, the correct answer is D, "Educational transcripts."

In Ontario, as well as in most jurisdictions in Canada, once a patient discloses information to a healthcare provider, the information becomes part of their health record and cannot typically be altered or deleted based on the patient's subsequent regret or preference for privacy. Under privacy laws that apply to health information in Ontario, such as the Personal Health Information Protection Act (PHIPA), a patient does not have the right to have valid medical diagnoses removed or altered in their health record. However, they can request that the disclosure of their health information be restricted to certain persons or for certain purposes. Therefore, the patient would be most successful at pursuing Option B, requesting that the information be restricted from disclosure to other healthcare providers. This is supported by Section 20 of PHIPA, which allows individuals to withhold or withdraw consent for certain uses of their information, with necessary exceptions for emergency situations or other legally mandated disclosures.

In the context of Canadian privacy law and specifically according to the principles derived from PIPEDA and relevant case law such as the Eastman case, video cameras in the workplace begin collecting personal information at the moment a recording occurs. This is because the recording captures identifiable images of individuals, thereby constituting the collection of personal information under privacy legislation. The act of recording, which captures and stores visual data, meets the definition of personal information collection since it involves storing images from which individuals can be identified. Therefore, the correct answer is A, "At the moment a recording occurs."

Québec has specific legislative requirements under its Act respecting access to documents held by public bodies and the Protection of personal information that require government bodies to store and access personal information within Canada, unless an exception applies. This provision is meant to protect the privacy of individuals by controlling and limiting the potential exposure of their personal information to jurisdictions outside Canada, which may not have similar privacy safeguards. Thus, Québec is the province that requires its government bodies to store and access personal information exclusively in Canada unless additional consent is obtained or if outside storage is judged necessary, making the correct answer B, "Québec."

According to the Canadian Standards Association (CSA) Model Code, which has been adopted into PIPEDA, personal information should be retained only as long as necessary to fulfill the purposes for which it was collected. This principle ensures that personal information is not kept indefinitely without a valid reason, supporting data minimization and limiting potential privacy risks associated with unnecessary data retention. This principle is reflected in the CSA Model Code's retention guideline, which emphasizes the need to retain personal information only for the duration required to achieve its intended purpose. Therefore, the correct statement is Option D.

Under the Privacy Act, a request for access to one’s personal information can be denied in specific circumstances, such as when the information was collected by the Royal Canadian Mounted Police (RCMP) while performing policing services for a province or municipality. This scenario typically involves information collected for law enforcement, investigation, or security purposes, where releasing it might compromise ongoing operations or the methods used in such operations. The Privacy Act includes provisions to deny access when disclosure could reasonably be expected to prejudice the enforcement of laws, the conduct of investigations, or similar matters related to law enforcement and security.

Safeguarding and securing sensitive information under privacy legislation generally falls into three main categories: Administrative, Technical, and Physical. Administrative safeguards involve policies and procedures that manage the conduct of the organization's staff and the security of its data. Technical safeguards involve the technology used to protect data and control access to it. Physical safeguards refer to the measures taken to protect physical computer systems and related buildings and equipment from harm and unauthorized physical access. Therefore, the correct answer is B, "Physical," which complements administrative and technical safeguards to create a comprehensive security environment.

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector organizations that operate across provincial or national borders in Canada in the course of commercial activities. Therefore, employees of an airline offering flights across Canada would be subject to PIPEDA because their employer operates in a federally regulated sector involving interprovincial transportation. The other examples given—underwriters for a New Brunswick insurance company, clerks at a Montreal credit union, and the IT department of a provincial government office in Saskatchewan—are subject to provincial privacy laws rather than PIPEDA. In the case of the credit union in Quebec and the insurance company in New Brunswick, provincial privacy laws apply to their operations within the province, and provincial public sector privacy laws cover the Saskatchewan Office of Residential Tenancies.

The principle of "Openness" in the Personal Information Protection and Electronic Documents Act (PIPEDA) has particularly contributed to the increase in privacy policies in recent years. This principle requires organizations to be open about their policies and practices regarding the management of personal information. They must make this information readily available in a form that is generally understandable. The emphasis on openness has compelled organizations to develop, maintain, and publish detailed privacy policies that outline how personal information is collected, used, disclosed, and protected. This requirement helps to ensure that individuals are informed about the privacy practices of organizations and can make informed decisions regarding their personal information.

According to the Canadian Standards Association (CSA) Model Code, which forms part of the principles under PIPEDA, when errors in personal information are identified by the individual to whom the data pertains, the organization is required to amend the information as necessary to correct the inaccuracies. This obligation ensures that personal information held by an organization is accurate, complete, and up-to-date, particularly when it is used to make decisions about the individual. Therefore, the real estate firm should amend any information that the woman identifies as erroneous, as stated in option B. This approach ensures compliance with the accuracy principle of the CSA Model Code.