Certified Information Privacy Professional – Canada (CIPP/C) — Question 12
According to the federal Privacy Commissioner, what protection is missing from the Privacy Act regarding outsourcing of government work that contains personal information?
Answer options
- A. A statement preventing the vendor to whom the information is outsourced from subcontracting its processing.
- B. A statement granting the Privacy Commissioner the right to issue orders following an investigation into a possible data breach.
- C. A statement requiring the government agency to complete a Privacy Impact Assessment (PIA) prior to outsourcing to a third party.
- D. A statement indicating that the government institution from which the information is outsourced remains accountable for its security.
Correct answer: B
Explanation
The correct answer is B because it highlights the need for the Privacy Commissioner to have authority to issue orders post-investigation, which is crucial for enforcing compliance. Options A, C, and D do not address the oversight role of the Privacy Commissioner in the context of data breaches, focusing instead on vendor responsibilities and agency accountability.