All Questions Flashcards
What are the goals of a privacy program manager?
- identify privacy obligations for the org
- identify business, employee and customer privacy risks
- identify existing documentation, policies and procedures
- create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program
What is accountability?
Accountable organisations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws.
They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
How can the IT group carry the mantle of privacy by design?
By implementing privacy principles into the realm of technology development: limiting the data fields built into a tool or application to only those actually required to perform a process or action, or building in functions that enable the user to easily delete data according to a retention schedule.
What is privacy governance?
The components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization’s broader business objectives and goals.
What are the components of privacy governance?
- creating the organisational privacy vision and mission statement
- defining the scope of the privacy program
- selecting an appropriate privacy framework
- developing the organisational privacy strategy
- structuring the privacy team
What two steps are usually adopted to identify the privacy program’s scope?
- Identify the personal information collected and processed
- Identify in-scope privacy and data protection laws and regulations
Which Article of the GDPR has formalised the maintenance of written documentation about personal information (including information about how the organisation processes data, the categories of individuals impacted, and the recipients of data)?
Article 30
What country takes the sectoral approach to privacy and data protection?
US
Enactment of laws that specifically address a particular industry sector, such as
- financial transactions
- credit records
- law enforcement
- medical records
- communications
What countries employ the comprehensive model for data protection?
EU member states and Canada
Govern the collection, use and dissemination of personal information in private and public sectors with an official oversight enforcement agency that:
- remedies past injustices
- promotes electronic commerce
- ensures consistency with pan-European laws
What country adopts the co-regulatory model for data protection?
Australia
Variant of the comprehensive model, where industry develops enforcement standards that are overseen by a privacy agency
What countries adopt the self-regulatory model for data protection?
US, Japan and Singapore
Companies use a code of practice by industry bodies. The Online Privacy Alliance, TrustArc, BBBOnline and Webtrust are examples of this type of model.
What entities are subject to the Gramm-Leach-Bliley Act?
Financial institutions
When is a DPO required under Article 37 GDPR?
(A) by public authorities or bodies
(B) Where the organisation’s “core” activities consist of processing operations that require “regular and systematic monitoring of data subjects on a large scale”
(C) Where the org’s core activities consist of processing “special” categories of data on a large scale
Formally appointing a DPO will subject the organisation to what DPO requirements?
- reporting structure and independence (Article 38): the DPO is required to report to the highest management level
- qualifications and responsibilities: expert knowledge of data protection law and practices
What are the requirements on a DPO under Article 39 GDPR?
(A) Monitoring company’s compliance with GDPR
(B) providing advice during data protection impact assessments
(C) Cooperating with supervisory authorities
What is the maximum amount of penalty for breach of HITECH?
1.5 million
What are the differences between privacy assessments, PIAs and DPIAs in terms of type of assessment?
Privacy assessment - measures an organisation’s compliance with laws and internal policies.
PIA- Analysis of privacy risks associated with processing information in relation to a project, product or service
DPIA- under GDPR, process designed to identify risks arising from the processing of personal data and to minimise these risks as much and as early as possible.
What are the differences between how privacy assessments, PIAs and DPIAs are triggered?
Privacy assessments - business-as-usual audit at a predefined time period, in response to a security or privacy event, or at the request of an enforcement authority.
PIAs - emanate from industry codes, organisational policy, laws, regulations, or supervisory authorities
DPIAs - when Processing is likely to result in high risk to the rights and freedoms of natural persons
What are the differences between the standards used for privacy assessments, vs PIAs and DPIAs?
Privacy assessments - subjective (e.g. employee interviews) or objective (e.g. information system logs)
PIAs - ISO 29134
DPIAs- minimum features : (a) description of processing, including its purpose and the legitimate interest being pursued; (b) the necessity of the processing, its proportionality and the risks it poses to data subjects; and (c) measures to address the risks specified
Which of privacy assessments, PIAs and DPIAs facilitate privacy by design?
PIAs
Which US government act requires PIAs from government agencies?
E-Government Act
When are PIAs required by the US gov pursuant to the E-Government Act of 2002?
(A) When developing or procuring IT systems containing PII of the public; or
(B) when initiating an electronic collection of PII
Under the E-Government Act of 2002, what requirement precedes a PIA to determine whether a PIA is needed?
Privacy Threshold Analysis
The PTA will seek to determine:
(A) from whom data is collected
(B) what types of personal data are collected
(C) how such data is shared
(D) whether the data has been merged
(E) Whether any determinations have been made as to the info security aspects of the system
Under ISO 29134, what is the performing phase?
- Identifying information flows of PII
- analysing the implications of the use case
- Determining the relevant privacy-safeguarding requirements
- Assessing privacy risks using the steps of risk identification, risk analysis and risk evaluation
- Privacy risk treatment option
What is the follow up phase under ISO 29134?
- preparing and publishing the PIA report
- implementing the privacy risk treatment plan
- reviewing the PIA and reflecting changes to the process
What is the fine for failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the competent supervisory authority where required?
Administrative fine of up to 10k euros, or 2% of total worldwide annual revenue, whichever is higher
What are the examples for when a processing operation is likely to result in high risks under Article 35 of the GDPR?
(a) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and in which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
(c) a systematic monitoring of a publicly accessible area on a large scale
What factors does the WP29 recommend be considered when determining whether the processing is carried out on a large scale?
(1) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
(2) the volume of data and/or the range of different data items being processed;
(3) the duration, or permanence, of the data processing activity; and
(4) the geographical extent of the processing activity
As part of the accountability principle, what info must a data controller maintain?
A record of processing activities under its protection responsibility including the purposes of processing, a description of the categories of data and the recipients of the data and where possible, a general description of the technical and organisational security measures
What should a DPIA include as a minimum under the GDPR?
(A) a description of the processing, including its purpose and the legitimate interest being pursued
(B) Necessity of the processing, its proportionality and the risks that it poses to data subjects
(C) Measures to address the risks identified
Which three guides make up the CNIL’s PIA method?
- The method explains how to carry out a PIA
- The models help to formalise a PIA by detailing how to handle the different sections introduced in the method
- The knowledge base is a code of practice that lists measures to be used to treat the risks
When must the supervisory authority be contacted in the context of a DPIA?
Whenever the data controller cannot find sufficient measures to reduce risks to an acceptable level, consultation with the supervisory authority will be necessary
What is attestation?
It is a tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities
What is NIST 800-60?
A guide from the National Institute of Standards and Technology and the US Department of Commerce
Information security requires ongoing assessment of threats and risks and of procedures and controls, consistent with which three key attributes?
Confidentiality, integrity and availability
What rule sets forth required disposal protections for financial institutions?
The Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003
What is the difference between the privacy policy and the privacy notice?
The privacy policy is the high-level governance that aligns with the privacy vision or mission statement of the organisation. It is an internal document.
The privacy notice is an external communication which describes how the organisation collects, uses, shares, retains and discloses personal information, based on the organisation’s privacy policy.
Supporting policies must contain the following:
1) Issue/ objective statement
2) Statements of the organisation’s position
3) Applicability
4) Roles and responsibilities
5) Compliance
6) Points of contacts and supplementary information
How can action be taken against breaches of privacy notices in the US?
Section 5(a) of the Federal Trade Commission Act prohibits unfair and deceptive trade practices and allows the FTC to investigate and bring enforcement actions against companies engaging in unfair and deceptive trade practices
How often must credit information be provided to consumers free of charge under the Federal Credit Reporting Act in the US?
Free of charge once a year
What are the obligations placed on employers under the Federal Credit Reporting Act?
FCRA places obligations upon employers to obtain an applicant or employee’s written consent prior to conducting a background check.
Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make the decision about their employment. This information must be provided in a standalone written notice separate from an employment application.
Under the Health Insurance Portability and Accountability Act (HIPAA), when must changes be implemented for corrections?
Within 60 days
Who enforces the Do Not Call Registry in the US?
Federal Communications Commission
Which Act provides individuals with a right of access to their own records from each federal agency that maintains a system of records, upon receipt of a written request from an individual?
Privacy Act of 1974
What are the three categories of law enforcement and national security records which are not subject to the requirements of the Freedom of Information Act?
- existence of ongoing criminal law enforcement investigation when the subject is unaware and disclosure could interfere with enforcement proceedings
- Informant records
- FBI- existence of foreign intelligence or counterintelligence
Which was the first state law in the US to require commercial website or online service operators to conspicuously post privacy notices on their websites or online services?
California Online Privacy Protection Act
What are the differences between the Delaware Online Privacy Protection Act and CalOPPA?
- CalOPPA applies to consumers while DOPPA applies to users
- CalOPPA is limited to commercial websites and apps; DOPPA covers a broader range of entities that could be handling PII, including websites, cloud computing services, online apps and mobile apps.
What are the similarities between CalOPPA and DOPPA?
Both require that operators disclose in their privacy notices how they respond to Do Not Track requests regarding the collection of consumers’ and users’ PII
What is California’s Shine the Light law?
Gives California residents the right to request and be notified about how businesses use and share their personal information with other businesses for direct marketing purposes
The law also gives consumers a private right of action in the event that a business fails to respond to a consumer’s request
What is California’s Online Eraser law?
Designed to protect individuals under the age of 18, it requires operators of websites, online services, online applications and mobile applications to permit minors who are registered users to request and remove content they posted
What is the California Consumer Privacy Act of 2018?
Landmark privacy bill to be implemented 1 Jan 2020
Ability to request a record of:
- What types of personal information an organisation holds about the requestor, its sources and the specific personal information that has been collected
- information about the use of the individual’s personal information in terms of both business use and third-party sharing
- right to erasure
- option for consumers to opt out of having their data sold to third parties
Which act provides the most robust consumer rights of the biometric laws adopted thus far?
Illinois Biometric Information Privacy Act
BIPA requires that a private entity notify an individual in writing of its intent to collect biometric information; inform the individual of the purpose and length of term for which biometric information is being collected and used, and receive a written release authorising the use.
A private entity must also obtain consent for further disclosure of biometric identifiers.
What are the statutory damages against an entity for violating BIPA?
Negligence - $1k
Intentional or reckless violation - $5k
What are the exemptions for the right to erasure?
Orgs can decline data subjects’ requests to the extent that the processing is necessary:
(A) for exercising the right of freedom of expression and information
(B) for compliance with a legal obligation or performance of a task in the public interest (e.g. public health, archiving and scientific, historical research or statistical purposes)
For personal data processed for scientific and historical research purposes or statistical purposes, how far does the right to object go?
Under Article 21(6) GDPR, where personal data is processed for scientific and historical research purposes or statistical purposes, the right to object exists only as far as the processing is not considered necessary for the performance of a task carried out for reasons of public interest
What is irregular component or noise?
This analysis focuses on what is left over when the other components of the series (time and cyclical) have been accounted for. It is the most difficult to detect; an example would be the absence of privacy breaches.
What are the maturity levels in the Privacy Maturity Model?
- Ad hoc
- Repeatable
- Defined
- Managed (reviews are conducted to assess effectiveness of controls)
- Optimised (regular feedback)
What are the four common approaches for compliance monitoring?
Self monitoring, audit management, security/ system management and risk management
What procedures should supplier monitoring cover?
- appropriate privacy and security requirements
- provider performance
- security of mobile devices
What are the types of audit?
- First-party audits - consider the organisation’s risk management culture, identify privacy risk factors, and evaluate control design and implementation
- Supplier audits
- Third party audits - NIST or ISO
What is a metric lifecycle?
The processes and methods to sustain a metric to match the ever changing needs of an organisation
What categories constitute preparedness?
- Training
- Getting an incident response plan in place
- Understanding key stakeholders
- Getting insurance coverage when appropriate
- Managing vendors who might be a part of an incident
Who are the relevant regulators to notify in the US?
The state attorney general and the FTC
In the healthcare industry, which regulator should be notified in a healthcare breach?
Department of Health and Human Services
What are the seven foundational principles of Privacy by Design?
- Proactive, not reactive; preventative not remedial
- Privacy as the default
- Privacy embedded into design
- Full functionality - positive-sum, not zero-sum
- End to end security - full lifecycle protection
- Visibility and transparency
- Respect for user privacy
What are the qualities of the Privacy by Design Paradigm?
- Being proactive - by default, privacy controls are part of the system engineering requirements. They are tested for effectiveness and monitored continuously
- Embedded privacy controls - this involves putting them into systems and applications, auditing them for regulatory compliance, and evaluating them when new threats to information systems are discovered
- Demonstrating respect for users - privacy and security controls coexist transparently to a user: they do not diminish the necessary authorisations to access data. The protection of organisational information assets is enabled without unnecessary trade-offs.
Which EU principles summarize the data protection by design and default?
Article 25 GDPR- data protection by design and default
Recital 78 - appropriate technical and organisational measures
What are the appropriate technical and organisational measures under Recital 78?
- pseudonymizing personal data as soon as possible
- transparency with regard to the functions and processing of personal data
- enabling the data subject to monitor the data processing, enabling the controller to create and improve security features
What is privacy engineering?
Privacy engineering provides a methodology and technical tools based on industry guidelines and best practices, including the Unified Modeling Language
What does information security aim to Ensure throughout the data lifecycle?
Confidentiality - prevention of unauthorised disclosure
Integrity - information is protected from unauthorised or unintentional alteration, modification or deletion
Availability - information is readily accessible to authorised users
What does accountability and assurance mean in information security?
Accountability means entity ownership is traceable, while assurance means all other four objectives are met
What are the categories of information security controls?
Preventative, Detective, corrective
What are the different natures of information security controls?
Physical, administrative or policy controls, technical controls
What ISO provides the overview of information security management systems?
ISO/IEC 27000:2018
What is the standard that provides requirements for an ISMS?
ISO/IEC 27001
What is an ISMS information security management system?
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management system
What are the areas of overlap for information security and privacy?
- integrity / accuracy
- authorised access
- accountability
- access/ availability
Why is there not a complete overlap between privacy and information security?
- Privacy has a wider set of obligations and responsibilities than information security does (such as collection limitation, openness, relevancy, use limitation)
- Confidentiality - personal info is not always nonpublic
- You can have security without privacy, but you cannot have privacy without security
A survey commissioned by the IAPP and TrustArc found the nexus of information privacy and information security is driven by…
The mutual goal of preventing or mitigating data breaches.
What are some of the ways for information privacy and information security programs to align?
- increased involvement of privacy personnel on information security teams and vice versa
- employment of core privacy functions with an IT function motivated to get a better handle on its data and the extent of its corporate risk
- increased investment in privacy technology
- increased use of privacy impact assessments and data inventory and classification
- increased use of data retention policies
What are the four principles for better alignment of information security and data privacy?
- teaming
- don’t reinvent
- stay aware
- rank and prioritise
Basic security principles for role-based access include:
- segregation of duties
- least privilege
- need to know access
Required administrative or policy controls for privacy can be found in four areas. What are they?
- Laws and regulations
- Self regulatory regime
- Industry practices
- Corporate ethos/ policy
What are the four types of technical controls?
Obfuscation, data minimisation, security, privacy engineering technologies
What regulations require data privacy training?
US Health Insurance Portability and Accountability Act HIPAA
What Act prohibits unfair and deceptive trade practices and allows the US FTC to investigate and bring enforcement actions against companies engaging in unfair and deceptive trade practices?
Section 5(a) of the FTC Act
Which organisations have endorsed a layered approach to privacy notices?
Endorsed by both the FTC and the EU’s Article 29 Working Party, now the European Data Protection Board
The Digital Advertising Alliance regulates the use of its icon on websites and mobile screens by requiring compliance with DAA principles relating to what?
Notice, opt out and limitations on data collection and use
What is the age for parental consent under the California Consumer Privacy Act?
Parental or legal guardian consent for children under the age of 13, and the affirmative consent of children between 13 and 16 years of age, prior to engaging in data selling
What obligations does the Federal Credit Reporting Act place on employers?
FCRA places obligations upon employers to obtain an applicant or employee’s written consent prior to conducting a background check. Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make the decision about their employment.
How long do individuals have to obtain a copy of their information under HIPAA?
30 days
Under HIPAA, an individual has the right to change any incorrect information and add any missing or incomplete information and these changes must be implemented within how many days?
60 days
Who enforces the Do Not Call Registry?
FTC and Federal Communications Commission
Who enforces CAN-SPAM?
FTC
What are the nine exemptions to information that may be requested under the Freedom of Information Act?
- Information that is classified to protect national security
- Information related solely to the internal personnel rules and practices of an agency
- Information that is prohibited from disclosure by another federal law
- Trade secrets or commercial or financial information that is confidential or privileged
- Privileged communications within or between agencies
- Information that, if disclosed, would invade another individual’s personal privacy
- Information compiled for various law enforcement purposes
- Information that concerns the supervision of financial institutions
- Geological information on wells
What is the scope of the CalOPPA?
The law applies to any website or online service operator in the US and possibly the world whose website collects personally identifiable information from Californian consumers
What are the differences between DOPPA and CalOPPA?
- scope (consumers under CalOPPA and users under DOPPA)
- DOPPA covers a broader range of entities that could be handling PII, including websites, cloud computing services, online apps and mobile apps, while CalOPPA is limited to commercial websites and apps
What are the exceptions for the California Online eraser law?
A service operator is not required to comply with the request for removal and deletion:
- if the content about the minor was posted by a third party other than the minor who is a registered user of the website;
- if the minor does not follow the instructions provided to the minor on how to request removal of content;
- if the minor received compensation or other consideration for the content
Under Article 13 of the GDPR, what information do data subjects have the right to be provided with in relation to their relationship with the controller?
1: controller’s identity and contact details
2: reasons or purposes for processing their personal data
3: legal basis for processing
4: recipients of that data
5: other relevant information necessary to ensure the fair and transparent processing of the data
6: the controller must identify the source of data if collected or obtained from a third party, in order to effectively enable the data subject to pursue their rights
What are the exemptions to the right of erasure in Article 17(3)?
Data subjects’ requests can be declined to the extent that processing is necessary:
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation which requires processing in the public interest, like public health, archiving and scientific, historical research or statistical purposes
How does the right to object work under Article 21(1) whenever a controller justifies the data processing on the basis of its legitimate interests?
Data subjects can object to such processing. As a consequence, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing
Under the draft PI Security Specification, the handling of personal information and personal sensitive information must follow the seven principles of:
- Consistent rights and responsibilities
- Clear purpose
- Choice and consent
- Minimal and necessary uses
- Openness and transparency
- Security assurance
- Data subject participation
What are the three sub-tasks of strategic management?
1) Define privacy vision and mission statement
2) Develop privacy strategy
3) Structure privacy team
What should a privacy vision/mission statement include?
1) Develop privacy objectives
2) Define scope
3) Identify legal and regulatory compliance challenges
4) Identify Personal Information Legal Requirements
What are the steps to develop a privacy strategy?
1) ID stakeholders and internal partnerships
2) Leverage key functions
3) Create a process for interfacing
4) Develop a data governance strategy
5) Conduct a privacy workshop
What is a Privacy Program Framework?
Implementation roadmap that provides structure or checklists to guide privacy professionals through management and prompts for details to determine privacy relevant decisions
What are the four parts of the privacy operational life cycle?
1) Assess
2) Protect
3) Sustain
4) Respond
All of the following are factors in determining whether an organisation can craft a common solution to the privacy requirements of multiple jurisdictions except:
(A) effective date of most restrictive law
Other factors that can be considered:
(B) Implementation complexity
(C) legal regulations
(D) cost
What are nongovernmental organisations that advocate for privacy protection known as?
External privacy organisations
What step can best help you to identify the specific needs and objectives of Country Fresh regarding privacy protection?
Development of the business case.
What is a privacy program framework?
This is an implementation road map that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details needed to determine all privacy-relevant decisions for the organisation