What is Privacy Risk?


Privacy risk is a component of business risk. Business risk is the likelihood of an event that would have an impact on an organization, leading to a loss of revenue or increased costs. Such events include a major winter ice storm, a strike, a substantial increase in the cost of fuel, a new competitor, a lawsuit, a privacy breach, etc. These known unwanted events are called threats.

 

Privacy risk is the business risk resulting from the collection, use, retention and disclosure of personal information.  Like all business risk, privacy risk could result in a loss of revenue and increased costs. 

 

Privacy Threats

 

Based on Nymity’s research, the four most common organizational privacy threats are:

 

    • Data Breaches – Access to or disclosure of personal information without consent;
    • Complaints – Customer or employee complaints to management and to privacy commissioners;
    • Non-Compliance – New restrictions on business activities required to comply with privacy law; and
    • Over-Compliance – Unnecessary restrictions placed on business activities due to over-compliance with privacy law.

 

Typical consequences of each threat:

Data Breaches
  • Adverse media attention
  • Breach notifications
  • Brand degradation
  • Commissioner’s investigation/audit

Complaints
  • Operational downtime
  • Commissioner’s finding/order
  • Litigation
  • Loss of customers

Non-Compliance
  • Commissioner’s audit
  • New restrictions required for existing business activities
  • Loss of a contract
  • Publicly named in Commissioner’s order or legal proceeding

Over-Compliance
  • Unnecessary restrictions on business activities
  • Decreased customer satisfaction
  • Competitive disadvantage
 
Risk Sources are Business Activities

 

Business activities that involve the collection, use, retention or disclosure of personal information are the sources of privacy risk. Based on Nymity’s research, some of the top risk laden business activities are:

 


Sales & Marketing
  • Secondary Marketing
  • E-Mail Marketing
  • Telemarketing
  • Customer Service

Records Management
  • Safeguarding Data
  • Records Retention
  • Records Destruction

Transfers of Personal Information
  • Cross-border Transfers
  • Use of 3rd-Parties
  • Lawful Disclosures
  • Handling Access Requests

Workplace Management
  • Surveillance and Monitoring
  • Recruiting Process
  • Background Checks
  • Conducting Investigations

What is Privacy Risk Management?

 

Privacy risk management is organizational actions that control privacy risk.

 

Based on Nymity’s research, privacy risk management is most often a pragmatic approach to reducing privacy threats. For privacy risk management, most organizations do not use standard risk management methodologies such as Enterprise Risk Management (ERM), Operational Risk Management (ORM), asset-based risk management methodologies, a Risk Controls Self-Assessment (RCSA), or any of the other structured approaches to risk management.

 

Nymity has found that the three most common approaches to privacy risk management are:

 

'Static' Privacy Risk Management

Organizations rely on past investments in privacy programs and the privacy officer providing best efforts to stay informed of developments in privacy, striving to keep business units up-to-date on new privacy risks.

 

For more information, visit 'Static' Privacy Risk Management using PrivaWorks.

 

'Reactive' Privacy Risk Management

Advice is provided by a privacy officer to business units upon request, typically in the form of a phone conversation, an email or a quick meeting. The privacy office quickly researches the question, possibly obtains outside legal advice and provides an opinion to the business unit.

 

For more information, visit 'Reactive' Privacy Risk Management using PrivaWorks.

 

'Intuitive' Privacy Risk Management

In some organizations, privacy risk management is an intuitive process in which the privacy officer takes a consultative role and works with a business unit representative, usually in support of a project or during an audit process. The process typically involves a meeting or two to identify the privacy risks, assess current risk management measures and develop new strategies to mitigate the identified risks. Privacy officers have some time to prepare for these meetings.

 

For more information, visit 'Intuitive' Privacy Risk Management using PrivaWorks.

 

Nymity’s Risk Terminology

 

    • Threats are known and measurable results of an event that would have a negative impact to the company. For privacy, a threat typically results in loss of revenue or increased costs.
    • Vulnerabilities are business attributes that increase the likelihood of the threat. For privacy, vulnerability results from business activities involving the collection, use, retention and disclosure of personal information.
    • Likelihood is the probability that a vulnerability will be exploited to the extent that it has a measurable impact on the organization.
    • Impact is the measurement of the results of a threat. Impact can be measured using a numerical scale, a dollar value, or a relative comparison (low, medium and high). For privacy, impact is influenced by corporate brand, number of customers, potential for loss of business, etc.
    • Controls are actions organizations take to reduce the likelihood and/or the impact of a threat.

 


PrivaWorks

Web-based Support that Works

 

PrivaWorks is a web-based support solution for privacy that works. The power of PrivaWorks is its unique design for controlling privacy risks and that it is quick, complete, and easy to use.

Designed for controlling privacy risks, PrivaWorks features:

 

    • privacy risk reviews for business activities
    • a monthly privacy risk advisory report
    • a structured library of privacy resource materials
    • web-based access that is quick and easy to use; and
    • excellent customer service that includes free support and free training.

 

The PrivaWorks value proposition is its:

1.  Proprietary Research Methodology:

Based on two proven premises:

a.  Privacy risk and risk management data are available and with structured research can be identified and effectively presented; and
b.   Risk analysis by business activities is the most effective structure for the delivery of known privacy risks, compliance requirements and risk management considerations.

2.  Research Team

Led by a privacy lawyer and a former Chief Privacy Officer, the research team is expert at applying the proprietary PrivaWorks research methodology.

3.  Web-Based Delivery Model

Web-based delivery allows subscribers to easily access risk management materials.

PrivaWorks consists of three major components:

A.  Risk Reviews;

B.  a monthly Risk Advisory Report; and

C.  Resource Materials.

A. Risk Reviews

 

Based on Nymity’s research, the most effective structure for supporting privacy risk management is reviews by business activity, because:

    • it is business activities that result in the collection, use, retention and disclosure of personal information, and these activities are the source of privacy risk;
    • new projects or concerns are typically related to business activities; and
    • misunderstanding the application of privacy laws to business activities can result in unnecessary restrictions.

 

To effectively present privacy risk and risk management, each Risk Review has six sections:

    1. Business Activity Definition
    2. Privacy Risks
    3. Legislative Requirements
    4. Privacy Risk Controls
    5. GAPP Criteria
    6. Precedent and Supplementary Resources

A.1  Business Activity Definition

 

Based on the PrivaWorks proprietary research methodology, the definition section ensures a clear understanding of the business activity and establishes the scope of the Risk Review. This section provides:

 

    • common definitions;
    • examples;
    • key terminology;
    • an understanding of why the business activity is a source of privacy risk.

 

Learn more about PrivaWorks.

 

Example:  Secondary Marketing

 

The Canadian Marketing Association, in its Code of Ethics, defines marketing as "a set of business practices designed to plan for and present an organization's products or services in ways that build effective customer relationships". Secondary is defined in Webster's Online Dictionary as "that which is incidental to what is original or primary".

Marketers commonly define secondary marketing as the marketing of products and services to current customers or those with whom they have an existing business relationship or alternately, as using personal information obtained from an individual in a goods or services transaction (or inquiry) to market to that individual goods or services unrelated to the original transaction.

 

In PIPEDA Case Summary #316, the Assistant Federal Commissioner stated as follows: "It was indicated that while the marketing itself may not be secondary in a marketer's technical sense, to the individual customer, there was no doubt that the organization's marketing purposes were secondary to those for which he or she initially provided personal information."

 

A few examples of secondary marketing are:

 

        • A customer provides personal information to a bank for the purposes of obtaining a credit card. After a credit card has been issued, the bank uses the personal information to solicit the customer to switch their mortgage to the bank.
        • A customer purchases an appliance and provides their name and address for delivery purposes. The customer later receives marketing offers for other products carried by the retailer.
        • A customer subscribes to a magazine. The magazine shares personal information with an unrelated third party publisher who sends the customer marketing offers for books and videos.

A.2  Privacy Risks

 

Based on the PrivaWorks proprietary research methodology, an up-to-date list of known vulnerabilities for each business activity is maintained, providing subscribers:

 

    • a quick and complete understanding of the known risks; and
    • the ability to determine applicability to their organization.

 


 

Partial Example:  Cross-border Transfers of Personal Information

 

Privacy risks associated with transferring data for commercial purposes across provincial or international borders include:

  1. customers unwilling to share data due to fears that it may be transferred outside of Canada and available to a foreign government e.g. under the USA Patriot Act;
  2. customers concerned that the impact of national security and national and international anti-terrorism initiatives erode an individual's right to control who has access to personal information;
  3. organizations at a competitive disadvantage by transferring (or if customers perceive they are transferring) the data to a foreign jurisdiction;
  4. complaints that result from notices explaining that personal information is available to foreign governments;
  5. failing to provide notice, or adequate notice, of cross-border transfers of data and advising that data may be available to foreign governments leading to complaints;
  6. customers or employees who want not only notice of the transfer but to opt-out before their data is transferred cross-border;
  7. an employee relying on the "whistle blower" provisions of private-sector privacy laws to notify a privacy commissioner that an organization intends to transfer information abroad and claiming that this is a violation of privacy law;
  8. organizations placing unnecessary restrictions on cross-border data transfers resulting in unnecessary cost and complicated business processes;
  9. organizations applying PIPEDA provisions to cross-border data transfers not related to commercial activity;
  10. transferring data outside of Canada to an affiliate or parent company with lower levels of safeguards;
  11. organizations failing to restrict access by foreign subsidiaries to data held in Canada;
  12. data transferred to Canada from a foreign location is subject to PIPEDA and thus individuals can make access requests and file complaints;
  13. the occurrence of data breaches in jurisdictions where data is transferred and stored;
  14. organizations possibly facing a commissioner's audit because of cross-border transfers and the negative perceptions and reactions to it by customers;
  15. customers more attentive to what may be happening to their data when it crosses borders possibly leading to an increase in access requests relating to data disclosures.

 

A.3  Legislative Requirements

 

PrivaWorks provides a structured list and link to the legislative requirements for the business activities from the:

 

    • federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA);
    • British Columbia’s private-sector privacy law, the Personal Information Protection Act (BC PIPA);
    • Alberta’s private-sector privacy law, the Personal Information Protection Act (AB PIPA);
    • Quebec’s private-sector privacy law, the Act Respecting the Protection of Personal Information in the Private Sector (QC PPIPS).

 

For each legislative requirement:

 

    • changes in privacy law are documented in red; and
    • regulations are presented in blue.

 


 

Example:  Use of GPS

 

PIPEDA

    • An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances - Section 5(3)
    • Organizations must identify the purposes for which personal information will be collected - Principle 4.2.2
    • When personal information collected for one purpose is to be used for a new purpose, organizations must identify the new purpose and obtain consent - Principle 4.2.4
    • Consent is required for the collection and subsequent use or disclosure of personal information. In obtaining consent:
      • organizations must make a reasonable effort to advise the individual of how the personal information will be used - Principle 4.3.2
      • the reasonable expectations of the individual are relevant - Principle 4.3.5
      • organizations may seek implied or express consent depending on the sensitivity of the personal information - Principle 4.3.6
    • Organizations shall limit the amount and type of personal information collected to what is necessary to fulfill the purposes - Principle 4.4.1
    • Personal information shall not be used or disclosed for purposes other than for which it was collected, unless consent is obtained or as required by law - Principle 4.5
    • Organizations shall be open about their policies and practices with respect to the management of personal information - Principle 4.8.1

 

PIPA BC

 

PIPA AB

 

PPIPS Quebec

    • "Any person collecting personal information to establish a file on another person or to record personal information in such a file may collect only the information necessary for the object of the file" - Section 5.
    • A person who collects personal information about another person must inform that person:
      • of the object of the file;
      • of the uses of the information;
      • of the categories of persons who will have access to the information - Section 8.
    • Consent to the collection, communication or use of personal information must be manifest, free and enlightened and must be given for specific purposes - Section 14.

 

A.4  Privacy Risk Controls

 

Based on the PrivaWorks proprietary research methodology, an up-to-date list of known controls for each business activity is maintained, providing subscribers a:

 

    • complete understanding of actions an organization can consider to mitigate privacy risk; and
    • structured approach to creating privacy programs.

 

This section, in conjunction with the Privacy Risks section, allows subscribers to present the threats and solutions to business units for specific business problems.

 


 

Partial Example:  Records Destruction

 

Note:  The following are the first thirteen (13) of a total of sixty three (63).

 

  • Establish a records destruction/disposal policy and easily administered procedures, approved by management, for retained personal information, taking into account business needs, legal requirements, access requests, and statutory, regulatory and recommended retention periods. Note that only useful documents should be retained: (section revised 12/14/2006)
    • the rationale for retention will dictate the proper time period for destruction; and
    • the location where operations are carried out is relevant to determining the laws governing the retention program.
  • Create comprehensive destruction/disposal schedules for stored records and adhere to a program of routine destruction: (added 12/14/2006)
    • the comprehensive destruction schedule will take into account records that are obsolete, have been superseded, are not to be archived, are no longer required for the purpose for which they were collected, are determined to be prohibited, or meet another specific trigger point, and purge data not needed for long-term business or other relevant purposes (see Records Retention - Risk Review); (revised 01/02/2007)
    • the level of security afforded to the records during destruction/disposal procedures must be consistent with the level maintained throughout the records' life, which must be consistent with the requirements of private-sector privacy laws - see Safeguarding Data - Risk Review. (revised 12/14/2006)
  • Establish an annual maintenance of the destruction schedule and update as appropriate; (added 01/02/2007)
  • Adopt trade association records destruction standards and guidelines, if any; (added 01/02/2007)
  • Assess whether de-identification vs. destruction/disposal would be appropriate in specific circumstances;
  • Implement destruction/disposal authorization procedures with consideration given to two levels of a certified internal approval process prior to any destruction/disposal, to ensure that records are no longer required even though their retention periods have been met;
  • Ensure records related to an investigation, audit, legal process, claim, complaint or dispute are not destroyed/disposed of: (section revised 12/14/2006)
    • flag these records with a symbol, or other distinguishing mark, which indicates that destruction/disposal is on hold;
    • responsible employees are to be made aware of the significance of any selected markings and of any internal escalation process in the event clarification is required.

A.5  GAPP Criteria
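The controls above describe a disposition procedure: retention periods set the earliest destruction date, a legal hold flag blocks destruction regardless of age, and two levels of internal approval are required before anything is actually destroyed. The following Python example, added here and not part of the PrivaWorks materials, implements that decision order over a constructed record inventory. The retention periods, record categories and approver names are assumptions for illustration; real values come from the organization's own retention schedule and the laws of the jurisdiction where the records are held.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention periods in days per record category (assumption:
# a real schedule is set by the organization's policy and applicable law).
RETENTION_DAYS = {
    "customer_contract": 7 * 365,
    "marketing_campaign_list": 2 * 365,
    "job_applicant_file": 365,
}

# Two-level certified internal approval before any destruction.
REQUIRED_APPROVALS = 2


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False                      # investigation, audit, claim, dispute
    approvals: set = field(default_factory=set)   # approvers who have signed off


def disposition(record: Record, today: date) -> str:
    """Decide what happens to one record on a given day.

    The order of checks is the point: a legal hold overrides age and
    approvals, a category with no documented retention period is kept
    rather than destroyed by default, and even an expired record waits
    until the required number of approvals is present.
    """
    if record.legal_hold:
        return "ON_HOLD"
    retention = RETENTION_DAYS.get(record.category)
    if retention is None:
        return "RETAIN_UNKNOWN_PERIOD"
    if today < record.created + timedelta(days=retention):
        return "RETAIN"
    if len(record.approvals) < REQUIRED_APPROVALS:
        return "AWAITING_APPROVAL"
    return "DESTROY"


def run_schedule(records, today: date) -> dict:
    """Evaluate every record and return {record_id: decision}."""
    return {r.record_id: disposition(r, today) for r in records}


def destruction_list(records, today: date) -> list:
    """Record IDs cleared for destruction, sorted for a stable destruction log."""
    return sorted(rid for rid, d in run_schedule(records, today).items() if d == "DESTROY")


# Constructed sample inventory and evaluation date (assumptions, not real data).
SAMPLE_TODAY = date(2007, 1, 2)


def sample_inventory():
    return [
        Record("C-001", "customer_contract", date(1999, 3, 1),
               approvals={"records_manager", "privacy_officer"}),
        Record("C-002", "customer_contract", date(1999, 3, 1), legal_hold=True,
               approvals={"records_manager", "privacy_officer"}),
        Record("M-010", "marketing_campaign_list", date(2006, 6, 1)),
        Record("J-500", "job_applicant_file", date(2005, 1, 1),
               approvals={"hr_lead"}),
        Record("X-999", "unclassified_scan", date(1990, 1, 1),
               approvals={"records_manager", "privacy_officer"}),
    ]


if __name__ == "__main__":
    for rid, decision in run_schedule(sample_inventory(), SAMPLE_TODAY).items():
        print(rid, decision)
    print("cleared for destruction:", destruction_list(sample_inventory(), SAMPLE_TODAY))
```

Run as a script it prints one decision per record; only C-001 is cleared, C-002 stays on hold despite identical age and approvals, J-500 has expired but waits on a second approval, and X-999 is kept because its category has no documented retention period.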

 

The Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants, Inc. (AICPA) created the Generally Accepted Privacy Principles (GAPP), a list of criteria used for auditing and creating privacy management frameworks.

 

The PrivaWorks Risk Review presents the criteria, as defined by GAPP, for each business activity. Subscribers are provided the details of what auditors will be looking for if this business activity were subject to a GAPP privacy audit.

 


 

Example: Training Employees on Privacy

 

1.0 Management

 

1.1.1 Communication to Internal Personnel

Privacy policies and the consequences of noncompliance with such policies are communicated at least annually to the entity's internal personnel responsible for collecting, using, retaining and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.

 

1.1.2 Responsibility and Accountability for Policies

Responsibility and accountability are assigned to a person or group for documenting, implementing, enforcing, monitoring and updating the entity's privacy policies. The names of such persons or group and their responsibilities are communicated to internal personnel.

 

1.2.5 Supporting Resources

Resources are provided by the entity to implement and support its privacy policies.

 

1.2.6 Qualifications of Internal Personnel

The entity establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.

 

A.6  Precedents and Supplementary Resources

 

Based on the PrivaWorks proprietary research methodology, an up-to-date list of known precedents and supplementary resources for the business activity is analyzed and presented in a structured format. Each analysis includes an overview of the resource, identifies its relevance and links to the source document(s).

 

Precedents and Supplementary Resources include:

 

    • Case law;
    • Commissioners’ findings, orders and investigations;
    • Legislative amendments;
    • Guidelines and standards;
    • Best practices identified in corporate initiatives;
    • Papers, legal opinion, fact sheets from Nymity and other qualified sources.

 


 

Partial Example:  Records Destruction

 

Note:  This represents one (1) of fourteen (14) Precedents and Supplementary Resources.

 

Vanderbeke v. Royal Bank of Canada

 

Overview

 

Further to the "not well founded" finding of the Assistant Federal Privacy Commissioner on Mr. Vanderbeke's (the "Applicant") complaint that the Royal Bank ("RBC") did not properly retain mortgage renewal acknowledgement letters issued in respect of its mortgages, he filed a Notice of Application with the Federal Court pursuant to PIPEDA. The Applicant sought an order that RBC retain copies of all mortgage renewal acknowledgement letters ("letters"), provide access to the letters by persons liable to pay RBC's mortgages and disclose to the Applicant the total content of the letters issued in respect of a 1996 mortgage. The judge dismissed the Application and awarded RBC costs of $5,000. (06/02/2006)

Relevance

 

Judgment highlights:

 

Records Retention

        • the terms of the mortgage, the mortgage number and the address of the mortgage included in both the Annual Statements and the letters constitute personal information under PIPEDA;
        • RBC, however, is not obliged to retain the letters, in light of the fact that all the relevant information contained in them is retained by RBC in other forms or data banks and can be recalled when requested, subject to retention periods;
        • RBC confirmed by affidavit that the information in the letters exists in several databases maintained by RBC: the entire loan history can be accessed through an online mortgage system and the Enterprise Data Warehouse, all Renewal Agreements are scanned and stored in a software program, the bulk of the information contained in the letters is repeated in the Renewal Agreements, and the online mortgage system can produce the remainder;
        • the Office of the Privacy Commissioner confirmed the same information to the Applicant in response to his complaint and found that the PIPEDA retention requirements had been met by RBC.

 

www.canlii.org/ca/cas/fct/2006/2006fc651.html

 

www.privcom.gc.ca/cf-dc/2003/cf-dc_031215_e.asp - Commissioner's Finding - Case Summary #252

Risk Review Features

 

In addition, Risk Reviews support privacy officers with:

            • structured lists that can be easily copied and modified for a specific purpose;
            • items in the lists presented as factual considerations without opinions about their relative importance, allowing subscribers to copy them and apply their own opinions;
            • monthly updates of new developments as reported in the PrivaWorks Risk Advisory Report;
            • dated updates so that subscribers can visit a Risk Review and quickly identify additions and amendments; and
            • a magnifying glass icon (for example, linking to PIPED Act Case Summary #198 - Employer Accused of Wrongful Disclosure) that links specific considerations to relevant case law or commissioners’ findings, orders and investigations.

 

B.  Risk Advisory Report

 

Based on the PrivaWorks proprietary research methodology, a monthly report is produced that contains new developments in privacy presented in a structure that allows subscribers to quickly understand the impact each development could have on their organization. 

 

Example:

 
Issue 25 - January 2007 (PDF Version / HTML Version)

 

Developments include the following areas:

 

    • Case law;
    • Commissioners’ findings, orders and investigations;
    • Guidelines and standards;
    • Best practices identified in corporate initiatives;
    • Papers, legal opinion, fact sheets from Nymity and other qualified sources;
    • Interviews, presentations, news articles.

 

The structure allows for the analysis of specific developments to be copied and delivered to relevant business units in a timely and simple form.

 

Nymity uses the following structured methodology to provide analysis on each resource published in the PrivaWorks Risk Advisory.

 

Title

Title of the Development

Business Activity

Business Activity that involves or is affected by the collection, use, retention or disclosure of personal information.

Source

Source of the privacy development.

Overview

The Overview gives the key facts describing the development.

Relevance

Relevance focuses on privacy risk exposure for the Business Activities identified and answers the following questions:

  • "How has my risk exposure changed?"
  • "How can I change my risk exposure?"

 

CURD

Collection, Use, Retention and/or Disclosure

Category

Resource Category

Industry

The Industry impacted by this development.

Control

Corporate Control = Resources specific to Corporate Privacy Risk Management

PI

Relevant to Customer Personal Information, Employee Personal Information or both (Cus/Emp).

Date

Date the development was published.

CSA

The CSA privacy principles to which this resource pertains.

GAPP

The Generally Accepted Privacy Principles (GAPP) to which this resource pertains.

Precedent

Coming Soon.  For Precedent setting Developments a listing of the specific section within the law referenced. 

Location

The URL Location of the resource.

 

Source

(Partial list)

  • PrivaWorks
  • Commissioners' offices
  • Conferences
  • Legislation
  • Associations
  • Magazines

 

Category

 

  • Breach Reports
  • Corporate Initiatives
  • Findings/Orders/Investigations
  • Guidelines
  • Interviews
  • Legislation
  • Opinions
  • Papers
  • Presentations
  • Studies
  • Videos

 

Industry

(Partial list)

  • All
  • Financial services
  • Telcos
  • Retail
  • Utilities
  • Service providers
  • Consumer services
  • Manufacturing
  • Distribution
  • Healthcare
  • Education
  • Insurance
  • Media

Control

 

  • No
  • Policy/Procedure
  • Notice (includes contracts)
  • Training
  • Audits
  • Metrics
  • Incident Management
  • Attestations


 

C. Resource Materials

 

PrivaWorks Resource Materials provide second-level support to privacy officers for:

 

    • self-training;
    • searches for specific topics, for example ‘SIN numbers’ or ‘work product’;
    • creating presentations; and
    • research.

 

The Resource materials include:

 

    • Papers and Guidelines
    • Privacy Studies
    • Breach Reports
    • Corporate Initiatives
    • Privacy Interviews
    • Quick Reference Guides to privacy laws and GAPP
    • Analysis of Commissioners’ findings, orders and investigations;
    • Litigation Reviews

 

PrivaWorks Resource Materials feature business activity analysis.

 

 

Partial Example: Analysis of Commissioners' findings, orders and investigations

 

PIPEDA Act Case Summary #96 - Bank Improperly Disclosed Personal Information; Exception Under Section 7(3)(c) Rejected

 

Business Activity

  • Lawful Disclosure

 

Overview

An individual complained that a bank disclosed his personal information to the lawyer of the individual's ex-spouse without his knowledge or consent. The bank disclosed the personal information when the lawyer of the complainant's ex-spouse subpoenaed the complainant's bank for monthly statements of credit cards that the complainant had personal or joint interest in over a period of three years. The Commissioner concluded that the complaint was "well-founded". (04/01/2004)

 

Relevance

Finding highlights:

    • according to civil procedure in Quebec, a lawyer may issue a subpoena;
    • the subpoena presented indicated that the bank could provide the documents to the lawyer or present them to the court;
    • the bank's policy is to prohibit disclosure of personal information unless the relevant consent is obtained or disclosure is made pursuant to a subpoena or is otherwise permitted by law;
    • the bank maintained that it had disclosed the personal information as permitted by PIPEDA.

 

The complainant submits:

    • the Quebec rules of civil procedure allow lawyers to issue subpoenas without going to court, but they do not have the authority to compel the production of records;
    • the bank disclosed his personal information without informing either the court or him;
    • the bank was required to inform him of the subpoena and to seek his consent; if the complainant refused, the bank would have been compelled to appear before the court so that a judge could rule on the disclosure request;
    • contrary to the bank's assertion that in a divorce proceeding both parties are required to give a complete account of financial information, the complainant asserted that this was not required when the ability to pay and the amount are not at issue.

The bank agreed that for any future subpoenas it would provide the requested documents to the court, unless it obtained the individual's consent.

 

Commissioner's position:

    • by responding to the subpoena issued by a lawyer as provided for in the rules of civil procedure in Quebec, the bank relied on section 7(3)(c) to disclose personal information without the complainant's knowledge or consent;
    • the lawyer did not have jurisdiction to compel the production of records, only a court could have done so;
    • the records in question were not required to comply with the rules of production as in the circumstances of the divorce action the information was not relevant;
    • the exception to knowledge or consent the bank relied on for the disclosure of personal information was inapplicable and the bank had contravened PIPEDA.

       

www.privcom.gc.ca/cf-dc/2002/cf-dc_021203_2_e.asp

 


'Static' Privacy Risk Management using PrivaWorks

 

Based on Nymity’s research, many organizations have had few or no complaints, access requests or breaches for either customer or employee privacy.  These organizations often find themselves relying on previously implemented corporate-wide privacy initiatives, such as privacy policies and privacy notices for privacy risk management.  Privacy officers provide their best effort to stay informed of developments in privacy and try to keep business units up-to-date on new privacy risks.

 

PrivaWorks Customers

 

These organizations benefit using PrivaWorks in three ways:

  1. They receive the monthly PrivaWorks Risk Advisory Report, which keeps privacy officers informed of privacy risk developments potentially affecting the organization.  The report, structured by business activity, allows privacy officers to quickly identify developments and understand the impact.
  2. The PrivaWorks Risk Advisory Report provides privacy officers with content to distribute to business units, keeping them informed of new developments.
  3. PrivaWorks provides resources to help maintain the effectiveness of corporate-wide privacy initiatives such as:
    • a privacy policy;
    • privacy notices;
    • training employees on privacy;
    • privacy audits; and
    • privacy impact assessments.

Nymity's research reveals that corporate-wide privacy initiatives also carry risks; for example, there are many risks inherent in implementing a training program.  To control these risks, PrivaWorks provides Risk Reviews for corporate-wide privacy initiatives.

 

Corporate-Wide Privacy Initiatives

Personal Information Handling Policies (Including Privacy Policy)

 

Internal document(s) that define management's intent regarding the organization's handling of personal information.  Policies are supported by specific procedures that define employees' involvement in handling personal information, for example, access requests, customer complaints, data breaches, new marketing programs, incident reporting, etc.

 

Privacy Notice

Information made available to a customer that outlines the organization's information handling policies.  This may be a privacy statement on the organization's website, a brochure, a call script, an entry form or provisions in customer contracts.  The privacy notice is the mechanism for obtaining informed consent.

 

Training Employees on Privacy

 

Educating employees about the organization's policies and procedures related to handling of personal information.  Effective employee training reduces the likelihood of privacy breaches and complaints.

 

Privacy Audit

Structured assessments of an organization's privacy practices to ensure adherence to the organization's policies and procedures.  Privacy audits have multiple benefits, including training and establishing accountability.

 

 

Other corporate privacy initiatives include:

    • Attestations;
    • Incident Management Programs;
    • Privacy Metrics Tracking and Reporting;
    • Employee Codes of Conduct; and
    • Corporate Communications.

 

PrivaWorks provides Web-based support for 'Static' Privacy Risk Management that is quick, complete and easy to use.


'Reactive’ Privacy Risk Management using PrivaWorks

 

Based on Nymity’s research, ‘Reactive’ advice to business units from the privacy officer is a common form of privacy risk management. In this role, the privacy officer provides advice to the business units on a reactive basis.

 

The questions from business units to privacy officers may take the form of:

 

    • “Can we do …..?”;
    • “What are the privacy requirements for this …..?”;
    • “How do we accomplish ……?”; or
    • “We can’t do ……. because of privacy, right?”

 

When a privacy officer is faced with these questions, he/she must provide advice that ensures compliance and reduces the likelihood of a breach or complaint, while not putting unnecessary restrictions on the business activity, and must do so in a short period of time.  In some cases, privacy officers will seek an outside legal opinion.

 

PrivaWorks Customers

 

PrivaWorks customers benefit from PrivaWorks Risk Reviews and Resource Materials, which provide on-demand support, arming them with the specific information, in a structured format, that facilitates a quick and complete response.

 

PrivaWorks provides Web-based support for 'Reactive' Privacy Risk Management that is quick, complete and easy to use.


'Intuitive’ Privacy Risk Management using PrivaWorks

 

Based on Nymity’s research, few organizations empirically calculate privacy risk, but typically use an ‘Intuitive’ process to understand the likelihood of a privacy threat, the vulnerabilities within the business activities and to assess current controls.

 

The ‘Intuitive’ process allows for discussions and decisions about what new controls would be appropriate to further reduce the likelihood of a threat. This ‘Intuitive’ privacy risk management process is typically used in support of a project or during an audit.

 

‘Intuitive’ privacy risk management is quick when compared to a more empirical or academic approach to risk management and is often accomplished in a single meeting between the business unit and the privacy officer.

 

PrivaWorks Customers

 

Intuitive privacy risk management includes the following steps:

 

‘Intuitive’ Privacy Risk Management step, and how PrivaWorks Risk Reviews support it:

  • Identify the vulnerabilities within the business activity.
    For each business activity, Risk Reviews list known vulnerabilities in the Privacy Risks section.

  • Identify requirements from privacy laws.
    For each business activity, Risk Reviews identify requirements from privacy laws in the Legislative Requirements section.

  • Identify/review current controls for effectiveness.
    For each business activity, Risk Reviews identify known controls in the Privacy Risk Controls and GAPP Criteria sections.

  • Search existing precedents to identify any ‘red-flags’ or specific relevant risks.
    For each business activity, Risk Reviews identify known Precedents and Supplementary Resources.

  • Assess the likelihood and impact of a threat for each vulnerability.
    For each business activity, the Precedents and Relevant Resources section of Risk Reviews identifies all known events of this nature.

  • Calculate privacy risk and priorities to identify areas for new controls.

  • Identify and implement new controls.
    For each business activity, PrivaWorks identifies known controls in the Privacy Risk Controls and GAPP Criteria sections.
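The steps above can be carried out as a small risk register for one business activity. The following is an added illustration, not Nymity's or PrivaWorks' code; the 3-point likelihood and impact scales, the rule that each effective control lowers likelihood one step, the red-flag bump and the sample activity (modelled on the subpoena precedent discussed earlier) are all assumptions made for the example.

```python
"""Added example: an 'Intuitive' privacy risk register for one business activity."""
from dataclasses import dataclass, field

# Assumed 3-point scales; the page does not prescribe a scoring scheme.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vulnerability:
    name: str
    threat: str              # data breach, complaint, non-compliance or over-compliance
    likelihood: str          # inherent likelihood before current controls
    impact: str
    controls: list = field(default_factory=list)  # current controls judged effective
    red_flag: bool = False   # a relevant precedent was found in the search


@dataclass
class BusinessActivity:
    name: str
    legal_requirements: list
    vulnerabilities: list


def risk_score(v: Vulnerability) -> int:
    """Residual likelihood x impact, plus one if a precedent raised a red flag (assumption)."""
    residual = max(1, LIKELIHOOD[v.likelihood] - len(v.controls))
    return residual * IMPACT[v.impact] + (1 if v.red_flag else 0)


def prioritize(activity: BusinessActivity, threshold: int = 4) -> list:
    """Rank vulnerabilities by score; the flag marks those needing new controls."""
    ranked = sorted(activity.vulnerabilities, key=risk_score, reverse=True)
    return [(v.name, risk_score(v), risk_score(v) >= threshold) for v in ranked]


def needs_new_controls(activity: BusinessActivity, threshold: int = 4) -> list:
    return [name for name, _, flagged in prioritize(activity, threshold) if flagged]


def sample_activity() -> BusinessActivity:
    """Constructed sample data: responding to subpoenas for customer records."""
    return BusinessActivity(
        name="Responding to subpoenas for customer records",
        legal_requirements=["PIPEDA s.7(3)(c): disclosure only where legally compelled"],
        vulnerabilities=[
            Vulnerability("Disclosure to a party without authority to compel production",
                          "non-compliance", "medium", "high", red_flag=True),
            Vulnerability("Over-disclosure of records not relevant to the proceeding",
                          "non-compliance", "medium", "medium", controls=["legal review of scope"]),
            Vulnerability("Refusing valid court orders out of caution", "over-compliance", "low", "medium"),
            Vulnerability("Records sent to the wrong recipient", "data breach", "low", "high"),
        ])
```

Running `prioritize(sample_activity())` ranks the uncontrolled, red-flagged disclosure highest (score 7) and marks it alone as needing new controls at the default threshold.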

 

PrivaWorks Precedents and Supplementary Resources identify best-practices to ensure unnecessary restrictions are not placed on the business.

 

PrivaWorks provides Web-based support for 'Intuitive' Privacy Risk Management that is quick, complete and easy to use.

Contact Us | Privacy Policy | Terms of Use and Disclaimer © 2003 - 2008 NYMITY