Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CIPM > Chapter 1 > Flashcards

Chapter 1 Flashcards

1
Q

What is PPM?

A

Privacy Program Management/Manager

structured approach, integrating privacy into framework & lifecycle to protect PI and individual rights

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is program management

A

Manage multiple projects to improve performance
Allows for oversight and status of projects
View on change management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is framework?

A

Structure to support program management

Created by analyzing laws, regulations and best practices to meet organizational goals

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Lifecycle - stages

A

Assess
Protect
Sustain
Respond

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Commonality with Framework & Lifecycle?

A

both include PbD principles & Privacy by Default

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Organizations Privacy Program includes

A

Intentional plan to protect PI and individual rights

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

FW & LC allow orgs to…

A

FW and LC allows orgs to reuse procedures and processes, repeatable to reduce errors &/ gaps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What makes up the Privacy Program Framework?

A

FW and LC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Assess stage

A

-Steps, checklist and processes necessary to assess gaps (based on established best practices, corporate privacy policies, privacy laws and regulations & the organizations privacy framework (ie. PbD))

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Protect stage

A
  • Data lifecycle, information security practices, PbD principles to protect PI
  • Technical aspect
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Sustain stage

A
  • Monitoring, auditing and communication aspects of management framework.
  • Audit, risk and security practices to meet regulatory, industry and business objectives
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Respond stage

A
  • Principles for legal requests, info requests, incident response planning, and incident handling
  • Aim is to reduce organizational risk and increase compliance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Responsibilities of a PPM

A
  • Align and support (not block) the business
  • Define privacy obligations
  • ID and mitigate privacy risks
  • Documentation (policies and procedures)
    • identify
    • create, revise, implement
    • raise data IQ of organization
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Privacy Program Goals

A
  • Effective & auditable framework
  • Promote trust & confidence for customers and employees
  • Highlight that privacy is important/taken serioulsy
  • Respond to breaches and data subject requests
  • Monitor, maintain and improve privacy program
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Accountability

A
  • Policies and procedures for best practices and compliance

- Accountable for the actions it does or does NOT take

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Consumer Trust

A
  • transparent, accountable and good data stewards
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Privacy across the organization

A
  • Constantly evolving
  • Build privacy into the organization
  • align with other key departments (legal, IT, etc.)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Teams involved in privacy ( top 5)

A

Learning & development –> employee training
Communications –> internal content
Info security team –> encryption, data loss prevention (DLP), technological controls
IT team –> support privacy by adding processes & controls
Internal audit team –> are controls in place? adhered to?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Other teams involved in privacy

A 
Procurement
HR
Ethics & Compliance
Marketing
Business development
Finance
Legal
Risk
Data governance
Research and development
20
Q

Championing Privacy

A

Embed within the organization, not a singular entity.

21
Q

Developing a Privacy Program includes: (5)

A
  1. Create organizational vision
  2. Est. data governance model
  3. Define a privacy program
  4. Structure the privacy team
  5. Communicate
22
Q

Developing a Privacy Program details…

A
  1. create org vision
    - eval the objective
    - gain executive sponsorship
  2. est. data governance model
    - centralized
    - distributed
    - hybrid
  3. Define a Privacy program
    - define scope and charter
    - ID the source, types and uses of PI
  4. Privacy team
    - org model, responsibilities, reporting structure
    - point of contact for issues
    - est/endorse a measure of competency
  5. Communicate
    - create awareness internally and externally
    - develop internal and external comms plan to ingrain accountability
23
Q

What is Privacy?

A

“the right to be let alone”
from GAPP: “the rights and obligation of individual and organizations with respect to the collection, use, retention, disclosure and destruction of personal information”

24
Q

What is PI?

A

it is PI if you can identify the person that it is about

25
Q

SPI?

A

sensitive personal information
different levels of sensitivity, but people would want it to be private.
bank balances, medical records, college test scores, email communications, etc.

26
Q

Special categories of Personal data:

A
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • bio metric data to identify a person
  • health data
  • data concerning sex life or orientation

this list is used by GDPR

27
Q

what is not PI?

A

if it is not about a person, it is not PI

if it doesn’t identify the person; not identifiable

28
Q

Anonymization

A

process of taking PI and making it impossible to identify the individual to whom the information relates

not the same as deidentification…it is the removal of identifying characteristic’s from the data.

Anonymization is the process of altering info to the point that it makes it impossible to tie it back to an individual

29
Q

Safe Harbour

A

requires the removal of 18 types of information and indirect links to an individual, including:
- names
- geographic divisions and zip codes for <20K ppl
- month and day of birth, death, hosp addmission or discharge (or if the person is over 89)
- phone numbers
- VINs, serial numbers, incl. license plate numbers
- fax numbers
-device id’s and serial #
- email addresses
- web URLs
- Social Sec #
- IP addresses
- Medical record numbers
- biometric identifiers (finger and voice)
- health plan beneficiary numbers
- full-face photos or comparable images
- account numbers
- any other unique ID’s, characteristics, code
- certificate/license #

30
Q

Aggregation

A
  • summarizing data about a group of individuals in a manner so you cant draw conclusions about a single person
31
Q

Why is privacy important?

A
  • Ethical obligation
  • laws and regulations require privacy protections
  • poor privacy practices reflect poorly on an organization
  • consumers demand strong privacy practices
  • emerging tech create new privacy concerns
32
Q

10 Generally Accepted Privacy Principles

A
  1. Management
  2. Notice
  3. Choice and Consent
  4. Collection
  5. Use, Retention, and Disposal
  6. Access
  7. Disclosure to 3rd Parties
  8. Security for Privacy
  9. Quality
  10. Monitoring and Enforcement
33
Q

GAPP: Management principle

A

this entity defines, documents, communicates and assigns accountability for privacy polices and procedures

  • create and communicate written privacy policies
  • assign responsibility and accountability
  • establishing procedures for review and approval
  • ensures policies are consistent with applicable laws and regulations
  • annual priv risk assessments
  • create and maintain priv incident management
  • priv awareness and training
34
Q

GAPP: Notice

A

Inform individuals about privacy practices.

incorporates:
- notice practices are in privacy policy
- notify individuals about collecting PI and org policies around other GAPP principles
- provide notice to ind at the time of collection
- write priv notices in plain language and post it

35
Q

GAPP: Choice and Consent

A

individuals retain control over the use of their PI

  • C & C is in priv policies
  • individuals are informed on the choice and consent options availb
  • obtain implicit or explicit consent at time of collection
  • notify ind of proposed new uses for prev collected and additional consent for new uses
  • direct consent when c, u and D SPI
  • obtain consent before transferring PI
36
Q

GAPP: Collection

A

The entity collects PI only for the purposes identified in the notice

Also consider data minimization: collect the minimum amount of PI to meet objectives and discard that info when no longer needed

37
Q

GAPP: Use, retention and disposal

A

Maintain privacy of PI throughout the lifecycle, dispose of when it is time

38
Q

GAPP: Access

A

individuals should have the right to access information that an organization holds about them and to correct if necessary

39
Q

GAPP: disclosure to 3rd Parties

A

when an org maintains PI and then choose to share that info with 3rd parties in the course of doing business

40
Q

GAPP: Security for Privacy

A

“the entity protects PI against unauthorized access (both physical and logical)”

major privacy-related areas of security:
-Risk assessment and treatment
-Security policy
Organization of information security
-Asset management
-Human resources security
-Physical and environmental security
-Communications and operations management
-Access control
-Information systems acquisition, development, and maintenance
-Information security incident management
-Business continuity management
-Compliance

41
Q

GAPP: Quality

A

Consider the accuracy of the info -
individuals might be damaged by incorrect information

42
Q

GAPP: Monitoring and Enforcement

A

The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquires, complaints, and disputes.

43
Q

Privacy Program Charter

A

Charter is the organizaing document for the privacy program. Builds on the scope, it outlines the parameters within which the program will function.

Scope statement, Business purpose, statement of authority (CPO), Roles and responsibilities, governance structure and process, program documentation procedures, enforcement mechanisms, review process, approval statement

44
Q

Privacy Roles

A

Data Subjects - individuals about whom PI is collected
Data Controllers - the organization that determines the purpose and means of collecting PI from Data subjects
Data Processors - service providers that collect or process PI on behalf of data controllers

45
Q

Data Governance

A

Set of policies, procedures and controls that an organization develops to safeguard its information

46
Q

Data Governance approaches (3)

A

Centralized - data governance throughout the whole org
Distributed - each BU creates its own data gov program
Hybrid - combine centralized and distributed approaches

47
Q

Data Governance roles

A

Data Stewardship - leader of an org’s data governance activities
Data Owner - senior business leader with responsibility for a specific data domain (or data subject area)
Data Custodian - implements technical controls that execute data governance policies

CIPM (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions