All Questions Flashcards
What are the goals of a privacy program manager?
- identify privacy obligations for the org
- identify business, employee and customer privacy risks
- identify existing documentation, policies and procedures
- create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program
What is accountability?
Accountable organisations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws.
They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
How can the IT group carry the mantle of privacy by design?
By implementing privacy principles into the realm of technology development, for example by limiting the data fields built into a tool or application to only those actually required to perform a process or action, or by building in functions that enable the user to easily delete data according to a retention schedule.
What is privacy governance?
The components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization’s broader business objectives and goals.
What are the components of privacy governance?
- creating the organisational privacy vision and mission statement
- defining the scope of the privacy program
- selecting an appropriate privacy framework
- developing the organisational privacy strategy
- structuring the privacy team
What two steps are usually adopted to identify the privacy program’s scope?
- Identify the personal information collected and processed
- Identify in-scope privacy and data protection laws and regulations
Which Article of the GDPR has formalized the maintenance of written documentation about personal information (including info about how the org processes data, the categories of individuals impacted, and the recipients of data)?
Article 30
What country takes the sectoral approach to privacy and data protection?
US
Enactment of laws that specifically address a particular industry sector, such as
- financial transactions
- credit records
- law enforcement
- medical records
- communications
What countries employ the comprehensive model for data protection?
EU member states and Canada
Govern the collection, use and dissemination of personal information in private and public sectors with an official oversight enforcement agency that:
- remedies past injustices
- promotes electronic commerce
- ensures consistency with pan-European laws
What country adopts the co-regulatory model for data protection?
Australia
Variant of the comprehensive model, where industry develops enforcement standards that are overseen by a privacy agency
What countries adopt the self-regulatory model for data protection?
US, Japan and Singapore
Companies use a code of practice by industry bodies. The Online Privacy Alliance, TrustArc, BBBOnline and Webtrust are examples of this type of model.
What entities are subject to the Gramm-Leach-Bliley Act?
Financial institutions
When is a DPO required under s37 GDPR?
(A) by public authorities or bodies
(B) Where the organization’s “core” activities consist of processing operations that require “regular and systematic monitoring of data subjects on a large scale”
(C) Where the org’s core activities consist of processing “special” categories of data on a large scale
Formally appointing a DPO will subject the organisation to what DPO requirements?
- reporting structure and independence (Article 38): DPO is required to report to highest management level.
- qualifications and responsibilities: expert knowledge of data protection law and practices
What are the requirements on a DPO under Article 39 GDPR?
(A) Monitoring company’s compliance with GDPR
(B) providing advice during data protection impact assessments
(C) Cooperating with supervisory authorities
What is the maximum amount of penalty for breach of HITECH?
1.5 million
What are the differences between privacy assessments, PIAs and DPIAs in terms of type of assessment?
Privacy assessment - measures an organisation’s compliance with laws and internal policies.
PIA- Analysis of privacy risks associated with processing information in relation to a project, product or service
DPIA- under GDPR, process designed to identify risks arising from the processing of personal data and to minimise these risks as much and as early as possible.
What are the differences between how privacy assessments, PIAs and DPIAs are triggered?
Privacy assessments- BAU audit at a predefined time period or in response to a security or privacy event or at a request of an enforcement authority.
PIAs - emanate from industry codes, organisational policy, laws, regulations, or supervisory authorities
DPIAs - when Processing is likely to result in high risk to the rights and freedoms of natural persons
What are the differences between the standards used for privacy assessments, vs PIAs and DPIAs?
Privacy assessments- subjective (e.g. employee interviews) or objective (e.g. information system logs)
PIAs - ISO 29134
DPIAs- minimum features : (a) description of processing, including its purpose and the legitimate interest being pursued; (b) the necessity of the processing, its proportionality and the risks it poses to data subjects; and (c) measures to address the risks specified
Which of privacy assessments, PIAs and DPIAs facilitate privacy by design?
PIAs
Which US government act requires PIAs from government agencies?
E-Government Act
When are PIAs required by the US gov pursuant to the E-Government Act of 2002?
(A) When developing or procuring IT systems containing PII of the public; or
(B) when initiating an electronic collection of PII
Under the E-Government Act of 2002, what requirement precedes a PIA to determine whether a PIA is needed?
Privacy Threshold Analysis
The PTA will seek to determine:
(A) from whom data is collected
(B) what types of personal data are collected
(C) how such data is shared
(D) whether the data has been merged
(E) Whether any determinations have been made as to the info security aspects of the system
Under ISO 29134, what is the performing phase?
- Identifying information flows of PII
- analysing the implications of the use case
- Determining the relevant privacy-safeguarding requirements
- Assessing privacy risks using the steps of risk identification, risk analysis and risk evaluation
- Privacy risk treatment option
What is the follow up phase under ISO 29134?
- preparing and publishing the PIA report
- implementing the privacy risk treatment plan
- reviewing the PIA and reflecting changes to the process
What is the fine for failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the competent supervisory authority where required?
Admin fine of up to 10k euros, or 2% of total worldwide annual revenue, whichever is higher
What are the examples for when a processing operation is likely to result in high risks under Article 35 of the GDPR?
(a) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and in which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
(c) a systematic monitoring of a publicly accessible area on a large scale
What factors does the WP29 recommend be considered when determining whether the processing is carried out on a large scale?
(1) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
(2) the volume of data and/or the range of different data items being processed;
(3) the duration, or permanence, of the data processing activity; and
(4) the geographical extent of the processing activity
As part of the accountability principle, what info must a data controller maintain?
A record of processing activities under its protection responsibility including the purposes of processing, a description of the categories of data and the recipients of the data and where possible, a general description of the technical and organisational security measures
What should a DPIA include as a minimum under the GDPR?
(A) a description of the processing, including its purpose and the legitimate interest being pursued
(B) Necessity of the processing, its proportionality and the risks that it poses to data subjects
(C) Measures to address the risks identified
Which three guides make up the CNIL’s PIA method?
- The method explains how to carry out a PIA
- The models help to formalise a PIA by detailing how to handle the different sections introduced in the method
- The knowledge base is a code of practice that lists measures to be used to treat the risks
When must the supervisory authority be contacted in the context of a DPIA?
Whenever the data controller cannot find sufficient measures to reduce risks to an acceptable level, consultation with the supervisory authority will be necessary
What is attestation?
It is a tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities
What is NIST 800-60?
A guide from the National Institute of Standards and Technology and the US Department of Commerce
Info security requires ongoing assessment of threats and risks and of procedures and controls, consistent with which three key attributes?
Confidentiality, integrity and availability
What rule sets forth required disposal protections for financial institutions?
The Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003
What is the difference between the privacy policy and the privacy notice?
The privacy policy is the high-level governance that aligns with the privacy vision or mission statement of the organisation. It is an internal document.
The privacy notice is an external communication which describes how the organisation collects, uses, shares, retains and discloses personal information, based on the organisation’s privacy policy.
Supporting policies must contain the following:
1) Issue/ objective statement
2) Statements of the organisation’s position
3) Applicability
4) Roles and responsibilities
5) Compliance
6) Points of contact and supplementary information
How can action be taken against breaches of privacy notices in the US?
Section 5(a) of the Federal Trade Commission Act prohibits unfair and deceptive trade practices and allows the FTC to investigate and bring enforcement actions against companies engaging in unfair and deceptive trade practices
How often must credit information be provided to consumers free of charge under the Federal Credit Reporting Act in the US?
Free of charge once a year
What are the obligations placed on employers under the Federal Credit Reporting Act?
FCRA places obligations upon employers to obtain an applicant or employee’s written consent prior to conducting a background check.
Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make the decision about their employment. This information must be provided in a standalone written notice separate from an employment application.
Under the Health Insurance Portability and Accountability Act (HIPAA), when must changes be implemented for corrections?
Within 60 days
Who enforces the Do Not Call Registry in the US?
Federal Communications Commission
Which Act provides individuals with a right of access to their own records from each federal agency that maintains a system of records, upon receipt of a written request from an individual?
Privacy Act of 1974