SOSC 3365 Lecture Notes - Lecture 12: Personal Information Protection and Electronic Documents Act, Data Mining, CSA Group
1.14.16
Privacy Law in Canada: PIPEDA
PIPEDA
• Enacted Jan 1, 2001
• Applies to all federally regulated and private industries in Canada
• Provincial regulation in BC, AB and QC is substantially similar to PIPEDA
• PIPEDA is Canadian Patriot Act if the info requested is for national security/law enforcement
• Cannot award damages – no enforcement mechanisms
PIPEDA: Principle #1 Accountability
• Privacy officer must be appointed (or trained) within an organization
• Role: create procedures to safeguard personal information; point of contact for complaints; trains others
• Responsible for information transferred to third party (via contract, agreement, policy, audits)
PIPEDA: Principle #2 Identifying Purposes
• Organization must identify the purpose of collection of information
• Identify here means: know the purpose
• Once collected information cannot be used for a different purpose
PIPEDA: Principle #3 Consent
• Personal Information must only be collected with clear consent
• Language must be clear
• Service cannot be refused if personal information is not provided (e.g. postal code queries at checkout counters)
• Exceptions: emergencies, diminished mental capacity
• It may be written, verbal or inferred from actions
• Can be withdrawn at any time
PIPEDA: Principle #4 Limiting Collection
• Personal information can only be used for the purposes identified
• There must be an information handling policy/procedure
• Personal information must be collected lawfully and without deception
PIPEDA: Principle #5 Limiting Use, Disclosure, and Retention
• Personal info will not be used for any purpose other than the original purpose
• Personal info should only be retained for as long as it takes to fulfill the original purpose
Document Summary
PIPEDA: Principle #2 Identifying Purposes: organization must identify the purpose of collection of information; once collected, information cannot be used for a different purpose. PIPEDA: Principle #3 Consent: personal information must only be collected with clear consent; language must be clear; service cannot be refused if personal information is not provided (e.g. postal code queries at checkout counters); exceptions: emergencies, diminished mental capacity; it may be written, verbal or inferred from actions; can be withdrawn at any time. PIPEDA: Principle #4 Limiting Collection: personal information can only be used for the purposes identified; there must be an information handling policy/procedure; personal information must be collected lawfully and without deception. If purpose changed, the personal info may still be used as long as new consent is obtained. this should be developed: the info should be destroyed after the max retention time. Data mining: must make the variables anonymous.