JWT Privacy Group

Your Full Service Privacy Consultants

Compliance through People, Process and Technology

Frequently Asked Questions

Alberta PIPA

Protects personal information that is collected, used or disclosed by private-sector organizations in the province of Alberta. Balances the rights of individuals and the needs of organizations to collect, use and disclose personal information for reasonable purposes.

Back to Index


Governs within the province of BC the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Back to Index


The Federal Trade Commission Act for Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”), is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. Each separate email in violation of the CAN-SPAM Act is subject to penalties so non-compliance can be costly.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

Back to Index

Can’t I just deal with it if something goes wrong?

Think of it like insurance. You can’t buy a policy to cover something that happened yesterday. It’s best practice to proactively manage privacy and data protection. Being prepared significantly reduces your risk of a data breach and sends a clear message to your customers and staff.

Back to Index


Canada’s Anti-Spam Legislation is the federal law dealing with spam and other electronic threats.  It is meant to protect Canadians while ensuring that businesses can continue to compete in the global marketplace.

Back to Index


The California Consumer Privacy Act gives residents of California more control over the personal information that businesses collect about them and provides guidance on how to implement the law. Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

Back to Index


A Data Protection Impact Assessment is a combination of a Threat Risk Assessment and a Privacy Impact Assessment. It’s designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance with privacy regulations. 

Back to Index

Doesn’t my IT person do this already?

No. Cybersecurity is an important component but compliance requires more than technology. You must also align your processes, educate staff, assign responsibilities and have a mitigation plan in case of breach.

Back to Index


Freedom of Information and Protection of Privacy Act (FIPPA) sets out the access and privacy rights of individuals as they relate to the public sector. FIPPA establishes an individual’s right to access records in the custody or control of a “Public Body”, including access to one’s own personal information. In addition to establishing an individual’s right to access records, FIPPA also sets out the terms under which a public body can collect, use and disclose the personal information of individuals. Public bodies are held accountable for their information practices.
FIPPA requires that public bodies protect personal information by making
reasonable security arrangements against unauthorized access, collection, use, disclosure or disposal. There are regulations for provincial and federal public bodies.

Back to Index


The General Data Protection Regulation (GDPR) is a regulation that harmonizes national data privacy laws throughout the EU and enhances the protection of all EU residents with respect to their personal data.

Back to Index


The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, requires Health and Human Services and health care professionals to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

Back to Index

I’m busy. How much of my time will this take?

Your commitment is the biggest requirement. Our flexible solutions will be customized to match your availability and your business needs.

Back to Index

Is my company legally required to have a privacy policy?

It depends on your location but also where your customers are located. Customers actively seek out businesses with good data privacy practices so a privacy policy is good for your business.

Back to Index


The Payment Card Industry has developed standards for compliance through adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders’ personal information.

There are 12 main requirements in six overarching goals which a vendor must complete as part of its PCI compliance checklist. This is a prime example of how technology (cyber security) and privacy requirements are inter dependent in order to protect an individual’s personal information.

Back to Index


In America, the HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

In Canada, the appropriate management of personal health information is extremely important. Ontario, Newfoundland and Labrador, New Brunswick and Nova Scotia have laws that apply to personal health information within their specific provinces. BC, Alberta and Quebec have privacy laws that cover the management of all personal information.

If a province or territory doesn’t have specific legislation, the federal law, PIPEDA, governs the management of personal information including personal health information.

When more than one law applies, you must comply with all applicable regulations.

Back to Index


The Personal Information Protection and Electronic Data Act is federal regulation that sets out requirements on how Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards

Back to Index

Privacy Act (Canada)

This Act extends Canadian laws to protect the privacy of personal information held by a government institution and provide individuals with a right of access to that information.

Back to Index

Privacy Act (USA)

The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is under the control of a federal agency. The Act prohibits the disclosure of a record about an individual without their written consent, unless the disclosure is pursuant to one of twelve statutory exceptions. 

Back to Index

Quebec Private Sector Act

Regulates in Quebec the collection, use, and disclosure of personal information by private organizations (referred to as ‘enterprises’).

Back to Index


A Subject Access Request can be requested by anyone who wants to know if you hold their personal data

Back to Index

What is Personally Identifiable Information?

Personally Identifiable Information, that we refer to as PII, is information about an individual that can be used to distinguish or trace an individual’s identity.  Sometimes this is called linked data because it is information that is linked or linkable to an individual.  It can be either a single piece or a combination of information that when used together specifically identifies someone.

Some examples of PII are name, social security or social insurance number, date and place of birth, mother‘s maiden name, biometric records, medical, educational, financial, and employment information. 

Back to Index

Leave a Reply