CSCI 4101 Dalhousie University Privacy Impact Assessment for Gym Database PIA Project ALL of the requirements are in the files I Uploaded. And check this v

CSCI 4101 Dalhousie University Privacy Impact Assessment for Gym Database PIA Project ALL of the requirements are in the files I Uploaded. And check this video before getting started https://ca-lti.bbcollab.com/collab/ui/session/playback(open it with google chrome) Assignment #1 – PIA – CSCI4101
due: June 7, 2020 – 10%
Instructions:

using the PIA template provided, complete a privacy impact assessment on the
proposed client database, as defined below in the case study

a video recording on how to complete the PIA template will be posted in the
course Brightspace page on May 28th
Case Study for Assignment #1
Your client operates a local gym, ‘Work the Workout’, and has asked you to develop a
database to track their members. As well as containing the membership information,
they want the database to track workout sessions and class attendance (yoga and
cardio classes). Some of the members are teenagers signed up for a summer fitness
program.
A] The intent of the database is to track:
– name and contact information of members
– financial fee payments
– health information, if necessary
– attendance/enrollment use
B] Programs
There are four program options, with the option to create reports with aggregated
enrollment stats:
– basic gym membership (no classes)
– cardio classes
– yoga classes
– youth summer fitness program
B] Assumptions:
– parental consent is required for participants under 15 years of age
– youth must be between the ages of 12-16 years at the time the program starts
– there is a minimum enrollment of 20 youth in the program
C] Work the Workout Personnel
– Owner – Isaac Malcom Buff
– Gym Manager – Mary Gottit
– Yoga Instructor – Ann Breeth
– Cardio Instructor – Jack Jumper
– Youth Program Coordinator – Danny Goodman
– there are also three trainee instructors
Privacy Impact Assessment
for
Assignment #1 Gym Database PIA
prepared by:
CSCI4101 Privacy & Information Management for the IT Professional (undergrad)
Assignment #1
Disclaimer: this template + PIA are for training purposes only.
Document Information
Document Title
Author
To be reviewed by
To be approved by
File name
C.Heggie, professor, CSCI4101
Version# Date
Ver.0.1
May 28
Revision History
Section(s) Author(s)
all
C.Heggie, prof
Ver.0.2
[…]
[…]
Ver.1.0
all
all



June 7, 2020
Description
Review of template with
author
First draft
Final draft for signature
Final sign-off
Assumptions for assignment:
You have been delegated full authority under the Act.
You will provided with relevant sections of PIPEDA needed to complete this PIA
Table of Contents
A.
B.
C.
D.
E.
F.
G.
H.
Project Description
Scope
Project Architecture
Collection, Use, and Disclosure of Personal Information
Listing of Personal Information to be collected, used, or disclosed
Description of Information Flow
Security Measures
Conclusions and Recommendations
Appendices:
I. CSA Fair Principles
500108598276
A. Project Description:
1) Name of Project:
Assignment #1 CSCI4101 gym case study
2) Requirement for project:
X law
 policy
 standard
X company commitment
 research
3) Is this project included in the company’s strategic plan? Yes
4) Is personal information collected as part of this project?
5) Responsible Dept/Dvsn:
6) Program Area(s):
7) Project Owner, Title:
8) Project Leader, Title:
9) Key Project Dates:
Start Date
End Date
yy-mm-dd
yy-mm-dd
Project Start-up Phase
Design Phase
Development Phase
User Acceptance Testing Phase
Training Phase
Implementation Phase
B. Scope:
Who will use it? Linkages? Time impacts? What is not covered in the PIA?
In Scope:

Out of Scope:

C. Technical Architecture
This may be a computer flow diagram or infogram showing the components of
the system, including input/output, access, and security.
(This section is usually filled out by the IT Systems Architect working on the
project. They would fill it out concurrently with the program owner and privacy
officer as part of a PIA.)
D. Collection, Use, and Disclosure of Personal Information
1) What is the authority to collect personal information?
Cite the specific clause in the legislation (in this case, use PIPEDA):
2) Is the personal information collected for law enforcement purposes?
3) Is the personal information collected for research?
4) Does the personal information relate directly to an operating program of the
company?
Cite program(s) or activity:
5) Is the personal information necessary for these programs/activities?
Explain:
6) What is the authority to use the personal information?
Cite the specific clause in the legislation (in this case, use PIPEDA):
7) Will the personal information be used for another, or different, purpose?
If yes, what is the other purpose(s), and cite the specific clause in the
legislation (in this case, use PIPEDA):
8) Would disclosure of the personal information be required for any of the following
reasons:
a. For a compatible purpose. If yes, explain.
b. For the purpose of complying with an enactment. If yes, explain.
c. To another division of the company to meet the necessary requirements of
company operations. If yes, explain.
d. To another company to meet the necessary requirements of that
company’s operations. If yes, explain.
e. To a government body. If yes, explain.
9) Is the personal information being disclosed outside of the program?
Cite the specific clause in the legislation (in this case, use PIPEDA):
10) Are there provisions for consent for collection? Consent for use? Consent for
disclosure?
Explain:
11) If there is a consent form, has the Privacy Officer reviewed the consent form?
If there is a consent form, explain what is required to be in the consent
form? If no consent form is required, explain why not.
E. Listing of Personal Information to be collected, used, or disclosed:
Listing of Personal Information to be Collected, Used, and/or disclosed
Field
Collect Use Disclose
Rationale
Source
1) Where will the personal information be stored (hardcopy and electronic)?
2) Is there a records management plan and retention schedule for the personal
information?
Explain
3) Are individuals informed that their personal information is being collected? How?
4) Are individuals informed of the purpose for which their personal information is
being used? How?
5) Are individuals made aware of how they may access their personal information
held by this company? How?
6) How is the personal information being entered into the system? By whom?
F. Description of Information Flow
This may be textual, bullets, or a flowchart, explaining the lifecycle of the
information.
G. Security Measures
1) What security measures are in place?
[Passwords? Encryption? Access controls? Etc.]
2) What protocols are in place to avoid unintentional disclosure?
3) Recommendations for mitigation of privacy risk:
4) Does the company have a privacy breach protocol?
Explain
5) Contingency plan in the event of a privacy breach:
H. Conclusions and Recommendations:
[to be completed by the Privacy Officer (for this assignment, this is You.)]
Signatory Page
Reviewed by:
print name
signature
date
print name
signature
date
print name
signature
date
Reviewed by:
Legal Counsel
Reviewed by:
Completed and recommended by:
Privacy Officer
print name
signature
date
print name
signature
date
Approved by:
Appendix I: Privacy Principles [aka: fair information principles]
Principle 1 – Accountability
An organization is responsible for personal information under its control and shall designate an individual
or individuals who are accountable for the organization’s compliance with the following principles.
Principle 2 – Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or
before the time the information is collected.
Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal
information, except where inappropriate.
Principle 4 – Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes
identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by law. Personal information shall be
retained only as long as necessary for the fulfillment of those purposes.
Principle 6 – Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for
which it is to be used.
Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the
information.
Principle 8 – Openness
An organization shall make readily available to individuals specific information about its policies and
practices relating to the management of personal information.
Principle 9 – Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal
information and shall be given access to that information. An individual shall be able to challenge the
accuracy and completeness of the information and have it amended as appropriate.
Principle 10 – Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the
designated individual or individuals accountable for the organization’s compliance.
Protection of Personal Information
PIPEDA: selected sections for CSCI4104 class assignment
Appropriate purposes
5 (3) An organization may collect, use or disclose personal information only for purposes that
a reasonable person would consider are appropriate in the circumstances.
Valid consent
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it
is reasonable to expect that an individual to whom the organization’s activities are directed
would understand the nature, purpose and consequences of the collection, use or disclosure
of the personal information to which they are consenting.
Collection without knowledge or consent
7 (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that
clause, an organization may collect personal information without the knowledge or consent
of the individual only if
(a) the collection is clearly in the interests of the individual and consent cannot be
obtained in a timely way;
(b) it is reasonable to expect that the collection with the knowledge or consent of the
individual would compromise the availability or the accuracy of the information and the
collection is reasonable for purposes related to investigating a breach of an agreement or a
contravention of the laws of Canada or a province;
(b.1) it is contained in a witness statement and the collection is necessary to assess,
process or settle an insurance claim;
(b.2) it was produced by the individual in the course of their employment, business or
profession and the collection is consistent with the purposes for which the information
was produced;
(c) the collection is solely for journalistic, artistic or literary purposes;
(d) the information is publicly available and is specified by the regulations; or
(e) the collection is made for the purpose of making a disclosure
(ii) that is required by law.
Use without knowledge or consent
7(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that
clause, an organization may, without the knowledge or consent of the individual, use
personal information only if
(a) in the course of its activities, the organization becomes aware of information that
it has reasonable grounds to believe could be useful in the investigation of a
contravention of the laws of Canada, a province or a foreign jurisdiction that has
been, is being or is about to be committed, and the information is used for the purpose
of investigating that contravention;
(b) it is used for the purpose of acting in respect of an emergency that threatens the
life, health or security of an individual;
(b.1) the information is contained in a witness statement and the use is necessary to
assess, process or settle an insurance claim;
(b.2) the information was produced by the individual in the course of their
employment, business or profession and the use is consistent with the purposes for
which the information was produced;
(c) it is used for statistical, or scholarly study or research, purposes that cannot be
achieved without using the information, the information is used in a manner that will
ensure its confidentiality, it is impracticable to obtain consent and the organization
informs the Commissioner of the use before the information is used;
(c.1) it is publicly available and is specified by the regulations;
Disclosure without knowledge or consent
7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that
clause, an organization may disclose personal information without the knowledge or consent
of the individual only if the disclosure is
(b) for the purpose of collecting a debt owed by the individual to the organization;
(c) required to comply with a subpoena or warrant issued or an order made by a
court, person or body with jurisdiction to compel the production of information, or to
comply with rules of court relating to the production of records;
(c.1) made to a government institution or part of a government institution that has
made a request for the information, identified its lawful authority to obtain the
information and indicated that
(i) it suspects that the information relates to national security, the defence of
Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada,
a province or a foreign jurisdiction, carrying out an investigation relating to
the enforcement of any such law or gathering intelligence for the purpose of
enforcing any such law,
(iii) the disclosure is requested for the purpose of administering any law of
Canada or a province, or
(iv) the disclosure is requested for the purpose of communicating with the
next of kin or authorized representative of an injured, ill or deceased
individual;
or
(i) required by law.

Purchase answer to see full
attachment

Don't use plagiarized sources. Get Your Custom Essay on
CSCI 4101 Dalhousie University Privacy Impact Assessment for Gym Database PIA Project ALL of the requirements are in the files I Uploaded. And check this v
For $10/Page 0nly
Order Essay
Calculator

Calculate the price of your paper

Total price:$26

Need a better grade?
We've got you covered.

Order your paper