Access to Information Request

A request for one or more records that is made under the Access to Information Act.

Access to Information Act

Legislation that provides for a right of access to records under the control of a government institution.

ADADs

Automatic Dialing-Announcing Devices

Alternative Format

With respect to personal information, this means a format that allows a person with a sensory disability to read or listen to the personal information.

Automatic Dialing-Announcing Devices

Equipment that stores and dials telephone numbers automatically and delivers a pre-recorded or synthesized voice message.

Biometric Data (GDPR)

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Breach

A breach is the loss of, unauthorized access to, or disclosure of, personal information.

Breach of Security Safeguards

The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.

Business Contact Information

Any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.

Business Transaction

Includes:

  • the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;
  • the merger or amalgamation of two or more organizations;
  • the making of a loan or provision of other financing to an organization or a part of an organization;
  • the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
  • the lease or licensing of any of an organization’s assets; and
  • any other prescribed arrangement between two or more organizations to conduct a business activity.

Canadian Radio-television and Telecommunications Commission

An independent public authority in charge of regulating and supervising Canadian broadcasting and telecommunications.

Commercial Electronic Message (CEM)

Any electronic message that contains a marketing message (e.g. an email that tells customers about a promotion). CEMs must be sent to an electronic address; this includes test messages.

Commercial Activity

Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Commissioner

The Privacy Commissioner appointed under section 53 of the Privacy Act.

Controller (GDPR)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

CRTC

Canadian Radio-television and Telecommunications Commission

Data

Any signs, signals, symbols or concepts that are being prepared or have been prepared in a form suitable for use in a computer system.

Data Concerning Health (GDPR)

Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Disclosure

The provision of access to personal data.

Electronic Address

An address used in connection with the transmission of an electronic message to:

  • an electronic mail account;
  • an instant messaging account;
  • a telephone account; or
  • any similar account.

Electronic Message

A message sent by any means of telecommunication, including a text, sound, voice or image message.

Fair Information Principles

The ten guiding privacy principles of PIPEDA that form a significant portion of Canadian privacy law.

Filing System (GDPR)

Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

GDPR

General Data Protection Regulation

General Data Protection Regulation

European Union (EU) and European Economic Area (EEA) regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Genetic Data (GDPR)

Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Limiting Use

The idea that personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

Office of the Privacy Commissioner of Canada

Body that governs the handling of personal information. Its mission is to protect and promote the privacy rights of individuals.

OPC

Office of the Privacy Commissioner of Canada

Person

An individual, partnership, corporation, organization, association, trustee, administrator, executor, liquidator of a succession, receiver or legal representative.

Personal Data (GDPR)

Any information relating to an identified or identifiable natural person.

Personal Health Information

With respect to an individual, whether living or deceased, means:

  • information concerning the physical or mental health of the individual;
  • information concerning any health service provided to the individual;
  • information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
  • information that is collected in the course of providing health services to the individual; or
  • information that is collected incidentally to the provision of health services to the individual.

Personal Information

Information about an identifiable individual.

Personal Information Protection and Electronic Documents Act

Federal privacy law for private-sector organizations. It sets out the requirements for how businesses must handle personal information they hold.

PIA

Privacy Impact Assessment

PIPEDA

Personal Information Protection and Electronic Documents Act

Privacy Commissioner

An Officer appointed by the Governor in Council to investigate complaints related to privacy and personal information requests under the Privacy Act, or complaints made under PIPEDA.

Privacy Impact Assessment

A process for identifying and minimizing the privacy risks within the organization.

Processing (GDPR)

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor (GDPR)

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Profiling (GDPR)

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.

Pseudonymisation (GDPR)

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Real Risk of Significant Harm

A risk assessment, carried out when there is a privacy breach, that takes into account the sensitivity of the information and the probability that it will be misused.

Record

Any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things.

RROSH

Real Risk of Significant Harm

Retention of Records (PIPEDA)

The idea that organizations should retain personal information only as long as necessary to fulfill the stated purpose or where required by law.

Telemarketing

Refers to the use of telecommunications facilities to make unsolicited telephone calls to consumers for the purpose of selling or promoting a product or service. This includes calls made for donations.

Telemarketer

Any person or organization who makes telemarketing calls on their own behalf or for someone else.

Third Party (GDPR)

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Transmission Data

Data that:

  • relates to the telecommunications functions of dialling, routing, addressing or signalling;
  • either is transmitted to identify, activate or configure an apparatus or device, including a computer program, in order to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and
  • does not reveal the substance, meaning or purpose of the communication.