Answer ... (a) Data processing
Not defined. Practically speaking, any collection, use, or disclosure of personal information will be the equivalent of ‘data processing’.
(b) Data processor
Not defined. The Personal Information Protection and Electronic Documents Act (PIPEDA) s 4.1.3 provides that an organisation remains responsible for personal information that has been transferred to a third-party data processor. This means that there is no meaningful distinction between ‘data processor’ and ‘data controller’. Alberta’s privacy legislation, on the other hand, distinguishes between ‘custody’ and ‘control’, imposing somewhat different obligations on each.
(c) Data controller
Not defined. See above question 3.1(b)
(d) Data subject
The equivalent term used in Canadian privacy law is ‘individual’, which refers to anyone whose personal information is collected, used or disclosed.
(e) Personal data
‘Personal information’ is any information about an identifiable individual. This includes information such as name, email address, phone number, age, income, identification number and even blood type.
(f) Sensitive personal data
Not defined. However, PIPEDA provides that the form of consent sought by organisations may vary depending on the sensitivity of the information. Medical records and tax information will typically be considered sensitive, whereas postal codes and email addresses will not.
(g) Consent
With some exceptions, any collection, use or disclosure of personal information requires valid consent. Valid consent can be implied or express. Express consent is required for sensitive information, whereas implied consent will generally suffice for less sensitive information.