Ch 1 - Intro to Privacy Flashcards
Chapter 1
The FIP Category ‘Management’ includes:
a. Choice and consent; data subject access; notice
b. Rights of individuals and controls on information
c. Management and administration; monitoring and enforcement
d. All of the above
c. Management and administration; monitoring and enforcement
The intrusion or collection and handling of information concerning a person’s physical being is part of the _____________ ______________ class of privacy.
Bodily privacy
An organization or individual, sometimes a third-party outsourcing service, that processes data about a Data Subject on behalf of a Data Controller is known as a __________ __________.
Data Processor
What are the 4 data protection roles?
- Data protection authority
- Data controller
- Data subject
- Data processor
A source of information that is confidential and not available to the public, such as medical records, financial records, customer databases, and adoption records is known as __________ __________.
Nonpublic information
What legal protection of privacy did the General Assembly of the United Nations adopt in 1948?
The Universal Declaration of Human Rights in 12/1948, which states “no one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.”
What data role are the FTC, Federal financial regulators, and state attorneys general examples of?
Data protection authorities
The four categories of FIPs are:
a. Rights of individuals, choice and consent, data subject access, and management
b. Rights of individuals, controls on the information, information lifecycle, and management
c. Controls on the information, security and data quality, information lifecycle, and management
d. Bodily privacy, information privacy, territorial privacy, and communications privacy
b. Rights of individuals, controls on the information, information lifecycle, and management
What is the definition of privacy according to the 1890 Harvard Law Review Article “The Right to Privacy”?
The ‘right to be left alone’
___________ ____________ is the data that remains when the data elements used to identify an individual are removed.
Nonpersonal information
The FIP category ‘Rights of Individuals’ includes:
a. Notice, choice and consent, and data subject access
b. Notice, information security, and collection
c. Notice, choice and consent, and collection
d. None of the above
a. Notice, choice and consent, and data subject access
What is a subset of personal information that typically requires additional safeguarding of its collection, use, and disclosure?
Sensitive personal information, which includes information such as social security number, bank account number and information, driver’s license number, and medical history.
Genetic testing, drug testing, body cavity searches, birth control, abortion, and adoption are examples of the class of ______________ privacy.
bodily
____________ _____________ _____________ is a subset of personal information that generally requires added safeguards in its collection, use and disclosure.
Sensitive personal information
What is the class of privacy concerned with implementing rules concerning a person’s correspondence with others?
Communications Privacy
Examples include mail, email, phone, and any other forms of communication.
Privacy is implied in which 4 amendments to the U. S. Constitution?
3rd: cannot be forced to quarter soldiers;
4th: undue seizure (authorities need a search warrant);
5th: cannot be forced to testify against or incriminate oneself;
14th: due process of law (also covered in the 5th amendment).
In the FIP category ‘Controls on the Information’ what information security measures should an organization take to protect personal information against unauthorized access, disclosure, use or destruction?
a. Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice.
b. Organizations should collect personal information only for the purposes identified in the notice.
c. Organizations should use reasonable administrative, technical, and physical safeguards.
d. All of the above
c. Organizations should use reasonable administrative, technical, and physical safeguards.
Consumer, employee, and patient are examples of a __________ __________.
Data Subject
What is a subset of personal information that typically requires additional safeguarding of its collection, use, and disclosure?
a. Sensitive personal information
b. Nonpublic personal information
c. Confidential information
d. All of the above
a. Sensitive personal information
The intrusion into a person’s environment, including residence, workplace, and public spaces is part of the ___________ __________ class of privacy.
Territorial privacy
What type of privacy governs the collection and handling of personal information that relates to an individual’s residence?
Territorial privacy
A source of information that is part of public records is known as ___________ _______________ and includes sources such as real estate records, birth and death records, licensing records, and statistical records.
Public information
The FTC, State AGs, and financial regulators in the U.S.; and DPAs in the EU are all examples of the role __________ __________ __________.
Data Protection Authority
In the FIP category ‘Rights of Individuals’ what should an organization do to comply with the ‘data subject access’ standard?
a. Describe choices available to individuals and get explicit consent
b. Maintain accurate, complete and relevant personal information for purposes identified in the notice
c. Provide individuals with access to their personal information for review and update
d. None of the above
c. Provide individuals with access to their personal information for review and update
References in historical texts such as the Bible, Qur’an and Greek law about the importance of not engaging in gossip or intruding on others are examples of privacy as a ___________ __________.
social concept
What legal protection of privacy did the General Assembly of the United Nations adopt in 1948?
a. Fair Information Privacy Practices
b. Universal Declaration of Human Rights
c. Code of Fair Information Practices
d. None of the above
b. Universal Declaration of Human Rights
Video surveillance, ID checks, and similar technology/procedures are examples of the class of _____________ privacy.
territorial
What class of privacy is concerned with implementing rules for handling personal information?
Information Privacy
Examples include financial information, medical information, government records, and Internet activity records.
Financial information, medical information, government records, and logs of a person’s activities on the internet are examples of the class of __________ privacy.
information
The __________ of the __________ Act in England that addressed “peeping Toms” and “eavesdroppers” is evidence of legal protection of a person’s privacy during the 1300s.
Justices of the Peace Act
A source of information that is available to the public, such as telephone books, public media, newspapers, and search engine results, is known as ______________ _______________ ______________.
Publicly available information
What are the 4 categories or classes of privacy?
- Information Privacy
- Bodily Privacy
- Territorial Privacy
- Communication Privacy
What class of privacy is concerned with information about, or the invasion of, a person’s physical being?
Bodily Privacy
Examples include genetic testing, birth control, adoption, abortion, and body cavity searches.
Examples of a Data ____________ include a third-party marketing firm, a company the HR Department outsources to process payroll, and an in-house contact center for answering questions about customers’ accounts.
Processor
Removing identifying elements, rendering the data nonpersonal, and generally no longer subject to data privacy laws is known as __________________.
Anonymizing
Which state constitution added an article in 1972 that states that all people’s inalienable rights include “enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy”?
California Constitution, Article 1, Section 1
What is the class of privacy concerned with implementing rules about limiting intrusion into a person’s environment or physical surroundings?
Territorial Privacy
Examples include monitoring (surveillance or ID Checks) or searching a person’s home, workplace or location in a public space.
The individual about whom information is collected and processed is generally known as a __________ __________.
Data Subject
Examples include consumer, employee, and patient.
Wiretapping, monitoring email, and opening another person’s mail are examples of ________________ privacy.
communication
The Universal Declaration of Human Rights states:
a. “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.”
b. “Everyone has the right to respect for his private and family life, his home and his correspondence.”
c. “There must be no personal data record-keeping systems whose very existence is secret.”
d. None of the above
a. “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.”
The collection and handling of personal information are protections in the _____________ ____________ class of privacy.
Information privacy
Replacing personal information with a unique code to temporarily protect the information is known as ______________.
Pseudonymizing
A Data Protection Authority’s primary responsibilities are:
a. Advising on best practices for protecting data
b. Administering data protection programs
c. Ensuring data is processed according to contractual agreements
d. Implementing and enforcing laws and regulations
d. Implementing and enforcing laws and regulations
Medical facilities, financial institutions, and public services such as the Department of Motor Vehicles are all examples of the role of __________ __________.
Data Controller
The intrusion into a person’s correspondence, including postal mail, telephone conversations, and email is part of the ___________ __________ class of privacy.
Communications privacy
What are the 4 categories of Fair Information Practices?
- Rights of Individuals
- Controls on the Information
- Information Lifecycle
- Management
An organization or individual, sometimes a third-party outsourcing service, that processes data about a Data Subject on behalf of a Data Controller is known as a:
a. Data Protection Authority
b. Data Service Provider
c. Data Processor
d. Data Subject Processor
c. Data Processor
Which four US Constitutional Amendments imply a right to privacy?
a. Third, fourth, sixth and thirteenth
b. Second, fourth, fifth and fourteenth
c. Third, fourth, fifth, and fourteenth
d. First, third, fourth, and fifth
c. Third, fourth, fifth, and fourteenth
The FIP Category ‘Controls on the Information’ includes:
1) ________ ________
2) ________ ________
1) Information security
2) Information quality
What privacy rights does the third amendment to the U.S. Constitution provide for citizens?
a. Cannot be forced to testify against, or incriminate, oneself
b. Cannot be forced to quarter soldiers
c. Authorities must obtain a search warrant prior to seizing any items
d. Authorities must follow due process of law
b. Cannot be forced to quarter soldiers
The FIP Category ‘Management’ includes:
1) ________ and _________
2) ________ and _________
1) Management and administration
2) Monitoring and enforcement
What privacy rights does the fourth amendment to the U.S. Constitution provide for citizens?
a. Cannot be forced to testify against, or incriminate, oneself
b. Cannot be forced to quarter soldiers
c. Authorities must obtain a search warrant prior to seizing any items
d. Authorities must follow due process of law
c. Authorities must obtain a search warrant prior to seizing any items
What privacy rights does the fifth amendment to the U.S. Constitution provide for citizens?
a. Cannot be forced to testify against, or incriminate, oneself
b. Cannot be forced to quarter soldiers
c. Authorities must obtain a search warrant prior to seizing any items
d. Authorities must follow due process of law
a. Cannot be forced to testify against, or incriminate, oneself
In the FIP Category ‘Rights of Individuals,’ under ‘_________ __________ __________’ organizations should provide individuals with access to their personal information for __________ and _________.
data subject access
review
update
In the FIP Category ‘Controls on the Information,’ under ‘Information Security’ organizations should use reasonable ___________, ___________ and ___________ safeguards to
protect personal information against unauthorized access, use, disclosure or destruction.
administrative
technical
physical
What privacy rights does the fourteenth amendment to the U.S. Constitution provide for citizens?
a. Cannot be forced to testify against, or incriminate, oneself
b. Cannot be forced to quarter soldiers
c. Authorities must obtain a search warrant prior to seizing any items
d. Authorities must follow due process of law
d. Authorities must follow due process of law
In the FIP Category ‘Information Lifecycle,’ under ‘_________’ organizations should collect personal information only for the _________ identified in the __________.
Collection
purposes
notice
The intrusion or collection and handling of information concerning a person’s physical being is part of which class of privacy?
a. Territorial privacy
b. Bodily privacy
c. Information privacy
d. None of the above
b. Bodily privacy
The four data protection roles are:
a. Data Processor, Data Protection Authority, Data Controller, Data Subject
b. Data Processor, Data Regulator, Data Controller, Data Subject
c. Data Processor, Data Controller, Data Provider, Data Authority
d. Data Processor, Data Controller, Data Authority, Data Subject
a. Data Processor, Data Protection Authority, Data Controller, Data Subject
A source of information that is confidential and not available to the public, such as medical records, financial records, customer databases, and adoption records, is known as:
a. De-identified information
b. Qualitative personal data
c. Sensitive information
d. Nonpublic information
d. Nonpublic information
In the FIP Category ‘Management,’ under ‘________ and _________’ organizations should ___________ compliance with their privacy ___________ and ___________ and have procedures to address privacy-related __________ and ___________.
Monitoring and enforcement
monitor
policies and procedures
complaints and disputes
What data role are the FTC, Federal financial regulators, and state attorneys general examples of?
a. Financial data regulators
b. Data processing authorities
c. Data protection authorities
d. Data controller authorities
c. Data protection authorities
Personal information that has been converted to nonpersonal information by removing data elements used to identify the individual, so it may be used for research, statistical or aggregate purposes is known as:
a. Aggregated information
b. De-identified or anonymized information
c. Sensitive personal information
d. Pseudonymized information
b. De-identified or anonymized information
Privacy was defined as the ‘right to be left alone’ in the:
a. 1361 Justices of the Peace Act
b. 1789 Ratification of the U.S. Constitution
c. 1972 Article 1, Section 1, of the California Constitution
d. 1890 Harvard Law Review Article “The Right to Privacy”
d. 1890 Harvard Law Review Article “The Right to Privacy”
What is always true about a Data Controller?
a. Can be an employee or customer of a retail store
b. Also known as a “business associate”
c. Determines the purpose and means of processing of personal data
d. Processes a data subject’s personal information
c. Determines the purpose and means of processing of personal data
Genetic testing, drug testing, body cavity searches, birth control, abortion and adoption are examples of which privacy class?
a. Bodily
b. Territorial
c. Information
d. Communications
a. Bodily
The class of privacy concerned with implementing rules concerning a person’s correspondence with others is:
a. Information
b. Territorial
c. Communications
d. Bodily
c. Communications
Consumers, employees, and patients are examples of:
a. Data authorities
b. Data subjects
c. Data processors
d. Data controllers
b. Data subjects
In the FIP category ‘Controls on the Information’ under ‘Information Quality,’ organizations should maintain personal information:
a. With accuracy, completeness and relevance for the purposes identified in the notice
b. With reasonable administrative, technical and physical safeguards
c. Giving individuals access to their personal information for review and update
d. For only as long as the stated purpose
a. With accuracy, completeness and relevance for the purposes identified in the notice
Which of the following is an FIP guideline for organizations from the ‘Information Lifecycle’ subcategory ‘Use and Retention’?
a. Collect personal information only for the purposes identified in the notice
b. Disclose personal information to third parties only for the purposes identified in the notice
c. Limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent
d. All of the above
c. Limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent
In the FIP guideline the ‘Information Lifecycle’ subcategory ‘Disclosure,’ under what conditions may an organization disclose personal information to third parties?
a. When the third party collects personal information only for the purposes identified in the notice
b. When the third party agrees to limit its use of personal information to the purposes identified in the notice
c. Only for the purposes identified in the notice, with the implicit or explicit consent of the data subject.
d. None of the above
c. Only for the purposes identified in the notice, with the implicit or explicit consent of the data subject.
Which FIP subcategory of ‘Management’ recommends organizations define, document, communicate, and assign accountability for their privacy policies and procedures?
a. Monitoring and Enforcement
b. Management and Administration
c. Use and Retention
d. Disclosure
b. Management and Administration
Which of the following is a recommendation to organizations from the FIP subcategory ‘Monitoring and Enforcement’?
a. Define, document, communicate and assign accountability for privacy policies
b. Retain personal information only as long as needed to fulfill the intended purpose
c. Use reasonable administrative, technical and physical safeguards
d. Maintain procedures to address privacy-related complaints and disputes
d. Maintain procedures to address privacy-related complaints and disputes
The purpose of the Fair Information Practices is to set guidelines for:
a. Handling, storing, and managing data with privacy, security, and fairness
b. Addressing notice, choice and consent, and data subject access
c. Rights of individuals, controls on the information, and information management
d. Disclosing personal information in an information society that is rapidly evolving
a. Handling, storing, and managing data with privacy, security, and fairness
Which OECD principle recommends that organizations specify the purposes for which personal data is collected?
a. Purpose Specification Principle
b. Collection Specification Principle
c. Purpose of Collection Principle
d. None of the above
a. Purpose Specification Principle
What are the four categories of Fair Information Practices?
a. Choice and Consent, Data Subject Access, Information Security, and Use and Retention
b. Data Subject Access, Information Control, Information Lifecycle, and Management
c. Rights of Individuals, Controls on the Information, Information Lifecycle, and Management
d. Data Subject Rights, Information Security, Information Lifecycle, and Management and Administration
c. Rights of Individuals, Controls on the Information, Information Lifecycle, and Management
What are the two subcategories of the FIP category ‘Management’?
a. Information Management, and Monitoring and Enforcement
b. Information Governance, and Quality Control
c. Management and Administration, and Monitoring and Enforcement
d. Controls on the Information, and Monitoring Oversight
c. Management and Administration, and Monitoring and Enforcement
Which of the following is currently included in the five major codifications of FIPs:
a. Justices of the Peace Act
b. U. S. Constitution
c. Universal Declaration of Human Rights
d. APEC Privacy Framework
d. APEC Privacy Framework
Which of the following are included in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data:
a. Data quality
b. Collection limitation
c. Purpose specification
d. All of the above
d. All of the above
Medical records, financial records, customer databases, and adoption records are considered to be:
a. Nonpublic information
b. Public records
c. Publicly available information
d. Only b and c
a. Nonpublic information
The FIP category ‘Information Lifecycle’ includes the following:
a. Collection
b. Use and Retention
c. Disclosure
d. All of the above
d. All of the above
A recommendation of the subcategory ‘Disclosure’ in the ‘Information Lifecycle’ FIP guideline is that organizations:
a. Define, document, communicate and assign accountability for third party relationships
b. Require that third parties maintain reasonable administrative, technical and physical safeguards for personal information
c. Disclose personal information to third parties only for the purposes identified in the notice
d. All of the above
c. Disclose personal information to third parties only for the purposes identified in the notice
The 1973 U.S. Dept of Health, Education and Welfare FIPs stated there must be:
a. A third party for ensuring data is accurate and complete
b. An annual audit to identify weaknesses in record-keeping systems
c. No secret personal data record-keeping systems
d. A process in place for receiving and responding to complaints in a timely manner
c. No secret personal data record-keeping systems
Under the OECD ‘Purpose Specification Principle,’ when should organizations specify the purposes for which personal information is collected?
a. Prior to collection and when the purpose changes
b. Within 10 days of collection and on an annual basis thereafter
c. At the time of collection, annually, and when the purpose changes
d. At the time of collection and whenever the purpose changes
d. At the time of collection and whenever the purpose changes
According to the FIP category ‘Rights of Individuals,’ under the ‘Choice and Consent’ subcategory, organizations are advised to:
a. Describe choices available to individuals
b. Obtain implicit or explicit consent
c. Maintain a general policy of openness about personal data policies
d. Only a and b
d. Only a and b
Under the OECD guideline ‘Collection Limitation,’ organizations should:
a. Limit the collection of personal data
b. Obtain personal data by lawful and fair means
c. Obtain consent of data subject when appropriate
d. All of the above
d. All of the above
Under the OECD ‘Data Quality Principle,’ organizations should ensure that personal data is:
a. Relevant to the purposes it is used
b. Accurate and complete
c. Up to date
d. All of the above
d. All of the above
Under the OECD ‘Use Limitation Principle,’ organizations should not disclose or otherwise make available personal data other than for purposes specified to the data subject except:
a. With the data subject’s consent or under the authority of law
b. Under a joint marketing agreement with a third party
c. When reasonable safeguards have been taken to ensure it is secure
d. All of the above
a. With the data subject’s consent or under the authority of law
In the FIP category ‘Rights of Individuals,’ under ‘Data Subject Access,’ organizations should:
a. Use reasonable administrative, technical, and physical safeguards to protect personal information
b. Provide individuals with access to their personal information for review and update
c. Collect personal information only for the purpose described to the data subject
d. Monitor compliance with their privacy policies and procedures
b. Provide individuals with access to their personal information for review and update
What legal protection of privacy did the General Assembly of the United Nations adopt in 1948?
a. The Madrid Resolution
b. OECD Guidelines
c. APEC Fair Information Practices
d. The Universal Declaration of Human Rights
d. The Universal Declaration of Human Rights
The intrusion or collection and handling of information concerning a person’s physical being is part of which privacy class?
a. Bodily
b. Territorial
c. Residential
d. None of the above
a. Bodily
The FIP category ‘Rights of Individuals’ includes:
a. Notice, Choice and Consent, and Request to Update
b. Notice, Choice and Consent, and Data Subject Access
c. Notice, Choice and Consent, and Complaint System
d. None of the above
b. Notice, Choice and Consent, and Data Subject Access
In the FIP category ‘Controls on the Information,’ under ‘Information Security,’ what safeguards should organizations use to protect personal information against unauthorized access, use, disclosure, or destruction?
a. Reasonable administrative, physical, and virtual controls
b. Strict administrative, technical, and security safeguards
c. Reasonable administrative, technical, and physical safeguards
d. None of the above
c. Reasonable administrative, technical, and physical safeguards
In the FIP category ‘Information Lifecycle,’ under ‘Use and Retention’ organizations should:
a. Retain personal information for only as long as necessary to fulfill the need.
b. Describe the choices of retention available to data subjects.
c. Provide individuals with a retention schedule for their personal information.
d. All of the above.
a. Retain personal information for only as long as necessary to fulfill the need.
In the FIP category ‘Management’ under ‘Monitoring and Enforcement’ organizations should:
a. Monitor the external environment for changes to data privacy laws.
b. Enforce the application of FIPs.
c. Monitor compliance with their privacy policies and procedures.
d. None of the above.
c. Monitor compliance with their privacy policies and procedures.
Under the OECD ‘Purpose Specification Principle’, organizations should specify the purposes for which personal data is collected:
a. Prior to collection and every 12 months subsequent to collection.
b. At the time of collection and each occasion of changed purpose.
c. At the time of collection and on an annual basis.
d. Within 10 days of collection.
b. At the time of collection and each occasion of changed purpose.
Under the OECD ‘Purpose Specification Principle’, organizations should specify the purposes for which personal data is collected and:
a. The relevance for collecting the information.
b. Use should be limited to the purposes specified or those that are compatible with the stated purposes.
c. State the risk associated with collection for those purposes.
d. Ensure the data is up-to-date.
b. Use should be limited to the purposes specified or those that are compatible with the stated purposes.
Which of the following is not a major codification of FIPs:
a. 1973 US Department of Health, Education and Welfare FIPPs
b. 1980 OECD Guidelines
c. 1981 Council of Europe Convention 180
d. 2009 Madrid Resolution.
d. 2009 Madrid Resolution.
Which of the following are not included in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data:
a. Security safeguards
b. Use and retention
c. Individual participation
d. Accountability
b. Use and retention
In the FIP category ‘Information Lifecycle,’ under ‘Disclosure,’ organizations should:
a. Disclose the individual’s personal information for joint marketing agreements only.
b. Obtain the explicit consent of the individual.
c. Disclose only publicly available information to third parties.
d. Obtain the implicit or explicit consent of the individual.
d. Obtain the implicit or explicit consent of the individual.
The 1973 U.S. Department of Health, Education, and Welfare FIPs requires that organizations should:
a. Provide policies and procedures for transborder flows of personal data.
b. Maintain record-keeping systems known only to the organization.
c. Maintain a process for individuals to determine what personal information is on record and how it is used.
d. Only a and c
c. Maintain a process for individuals to determine what personal information is on record and how it is used.
The 1973 U.S. Department of Health, Education, and Welfare FIPs requires that organizations should:
a. Define, document, communicate and assign accountability for their privacy policies.
b. Allow individuals to change the purpose for which their data is being used.
c. Prevent personal information obtained for one purpose from being used for another.
d. Only a and b
c. Prevent personal information obtained for one purpose from being used for another.
The 1973 U.S. Department of Health, Education, and Welfare FIPs requires that organizations should:
a. Limit the use of personal data to the purpose they determine is best.
b. Maintain a process for correcting or amending a record with identifiable information.
c. Send a request to individuals to update their information on an annual basis.
d. All of the above
b. Maintain a process for correcting or amending a record with identifiable information.
The 1973 U.S. Department of Health, Education, and Welfare FIPs requires that organizations should:
a. Arrange to meet with individuals on an annual basis to discuss the intended use purposes.
b. Collect data no later than 10 days after receiving explicit consent from a data subject.
c. Secure personal data using a two-factor encryption method.
d. Ensure reliability of identifiable personal data
d. Ensure reliability of identifiable personal data
Under the OECD ‘Purpose Specification Principle,’ organizations should
a. Limit the use of personal data to the purposes specified or those that are compatible with the stated purposes.
b. Determine the purpose for use of personal data after the data subject has provided consent.
c. Specify the purposes for use of personal data prior to or at the time of collection.
d. Only a and c.
d. Only a and c.
In the FIP category ‘Rights of Individuals,’ under ‘Choice and Consent’ organizations should describe choices available and obtain implicit or explicit consent related to:
a. Types of information security available for the data collected.
b. Roles and responsibilities assigned to maintaining the security of their information.
c. Retention policies and disposal methods used by the organization.
d. Collection, use, retention, and disclosure of personal information, including to other data controllers.
d. Collection, use, retention, and disclosure of personal information, including to other data controllers.
What are the eight principles of the OECD Guidelines?
a. Collection limitation, data security, purpose specification, use of data, security safeguards, openness, and individual participation.
b. Collection limitation, individual rights, purpose specification, use limitation, security safeguards, openness, and individual participation.
c. Collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, and individual participation.
d. Individual rights, information controls, information lifecycle, management, information security, choice and consent, collection, retention and disposal.
c. Collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, and individual participation.
Which U.S. federal agency strongly endorses the OECD Guidelines?
a. Federal Reserve
b. Federal Deposit Insurance Corporation
c. Federal Trade Commission
d. Federal Communications Commission
c. Federal Trade Commission
What is the difference between public records and publicly available information?
a. Public records are comprised of information collected by government entities and made available to the public, whereas publicly available information is generally available to the public through various media such as phone directories.
b. Public records are comprised of information collected by government entities that is only made available to the public when released by the federal government, whereas publicly available information is always available to the public.
c. Public records are comprised of information widely known by the public whereas publicly available information is only available at the public’s request.
d. None of the above
a. Public records are comprised of information collected by government entities and made available to the public, whereas publicly available information is generally available to the public through various media such as phone directories.
Which of the following examples include information that may be considered a public record, publicly available, and nonpublic?
a. The parents’ name and address on a birth certificate, available through a request to a state agency, and included in a marriage certificate.
b. A name and address on a real estate deed, available through a search engine directory, and included in a bank account record.
c. An employer’s name on a paycheck, published in a phone directory, and included in a contract with a third-party service provider.
d. All of the above.
b. A name and address on a real estate deed, available through a search engine directory, and included in a bank account record.
What are the four sources of privacy protection?
a. Markets, technology, law, and federal regulation
b. Free market, internet, state law, and federal regulation
c. Markets, security, law and self-regulation or co-regulation
d. Markets, technology, law, and self-regulation or co-regulation
d. Markets, technology, law, and self-regulation or co-regulation
What are the three world models of data protection?
a. Intensive model, sectoral model, and regulatory models
b. Comprehensive model, sectoral model, and federal regulatory models
c. Comprehensive model, sectoral model, and co-regulatory and self-regulatory models
d. None of the above
c. Comprehensive model, sectoral model, and co-regulatory and self-regulatory models
Which of the following best describes market forces serving as a source of privacy protection?
a. Companies respond when consumers raise concerns about their privacy to protect their reputation
b. Companies provide stronger data security as rapid advancements in technology create better encryption applications.
c. Stronger laws are implemented to protect consumer data.
d. All of the above.
a. Companies respond when consumers raise concerns about their privacy to protect their reputation
Which of the following best describes technology serving as a source of privacy protection?
a. The market creates competition between technology providers.
b. The law requires companies to use encryption for storing personal information.
c. Companies self-regulate to maintain certification for information security and are monitored by a national agency.
d. Advancements in encryption technology and security best practices provide better ways to protect data.
d. Advancements in encryption technology and security best practices provide better ways to protect data.
Which of the following best describes the law serving as a source of privacy protection?
a. Companies self-regulate to maintain certification for information security and are monitored by a national agency.
b. Legislation that requires all companies to encrypt sensitive data sent via email.
c. Advancements in encryption technology and security best practices provide better ways to maintain legal compliance.
d. Companies respond to privacy laws to protect their reputation.
b. Legislation that requires all companies to encrypt sensitive data sent via email.
Which of the following best describes self-regulation and co-regulation serving as a source of privacy protection?
a. Companies are required to comply with specific regulatory requirements to safeguard personal information, and are examined and rated on a periodic basis by a federal regulator.
b. Companies are encouraged to meet specific legal guidelines to safeguard personal information, and an administrator calls the CEO on a periodic basis to ask if they are complying with the guidelines.
c. Companies are required to meet specific regulatory requirements to safeguard personal information, and are monitored when a customer complains about a data breach.
d. None of the above
a. Companies are required to comply with specific regulatory requirements to safeguard personal information, and are examined and rated on a periodic basis by a federal regulator.
Which of the following best describes the Comprehensive Model of data protection?
a. Laws govern the collection, use and disclosure of personal data, and data subjects are provided with a means to complain if they disagree.
b. Guidelines developed by companies govern the collection, use and disclosure of personal data, and companies report on their compliance to stockholders.
c. Laws govern the collection, use and disclosure of personal data, and a data protection authority provides oversight and guidance.
d. None of the above
c. Laws govern the collection, use and disclosure of personal data, and a data protection authority provides oversight and guidance.
Which of the following best describes the Sectoral Model of data protection?
a. A framework in which laws govern the collection, use and disclosure of personal data, and a data protection authority provides oversight and guidance.
b. A framework in which companies are required to comply with specific regulatory requirements to safeguard personal information, and are examined and rated on a periodic basis by a federal regulator.
c. A framework that protects personal information through laws that address a specific industry.
d. None of the above.
c. A framework that protects personal information through laws that address a specific industry.
Which of the following best describes the features of Self-Regulatory and Co-Regulatory models of data protection?
a. Nongovernment institutions protect personal information through the use of best practices, and a data protection authority provides oversight and guidance.
b. A combination of both government and nongovernment institutions protect personal information through the use of enforceable codes or codes of best practices, which may sometimes include a general data protection law.
c. A framework in which laws govern the collection, use and disclosure of personal data, and a data protection authority provides oversight and guidance.
d. None of the above.
b. A combination of both government and nongovernment institutions protect personal information through the use of enforceable codes or codes of best practices, which may sometimes include a general data protection law.