Questions

Who are the “third parties” referred to in the Declaration? Will we be provided a written list and how will this be updated if this changes?

 

“Including but not limited to” sounds like unlimited access to an unlimited amount of personal information. In the past, information collected for medical certification was limited to what was found in Personal Information Banks, specifically TCU PPU 020. Is the information to be gleaned under this new declaration the same, or actually unlimited in scope?

 

Is there evidence, safety data, incident trends, or formal risk analysis demonstrating inadequacy of the existing aeromedical framework?

 

Will pilots be notified when their medical data is accessed, and if so, how and when?

 

Will we have access to a log showing who accessed our data and why?

 

Are there protocols in place for informing pilots in the event of a data breach?

 

From what date does TC have the right to access (i.e., back to the date of licensing, the date of attestation)?

 

How long will personal and medical information be retained?

 

What is the process for deletion or anonymization of records after they are no longer needed?

 

Can a pilot request deletion of their personal data, and under what conditions?

 

How does this disclosure comply with Canadian privacy laws (e.g., Privacy Act, PIPEDA)?

 

Will disclosure be permitted to other government ministries or departments?

 

How is compliance with foreign data privacy laws ensured if data is stored or processed outside Canada?

 

Are there third-party audits or certifications confirming TC’s data protection measures?

 

Will any collected information be used for purposes beyond initial or ongoing medical certification? If not, will TC provide written affirmation of the same?

 

If the privacy policy or data-handling practices change, how will pilots be informed?

 

Are there contingency plans in case of government requests for emergency access (domestic or foreign)?

What measures prevent unauthorized access by rogue insiders or hackers?

 

Are there regular penetration tests or security audits of systems handling sensitive data?

 

How are third-party contractors vetted for compliance with privacy and security requirements?

 

How is TC ensuring objective analysis of medical information in accordance with International Civil Aviation Organization Annex 1 standards?