Chapter 1

Question 1

Who wrote ‘The Right to Privacy’ in 1890?,

Answer 1

Louis D. Brandeis

Question 2

Which case is noted for the dissenting opinion stating ‘the right to be left alone’?,

Answer 2

Olmstead v. United States

Question 3

How does AICPA (GAPP) define privacy?,

Answer 3

The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.

Question 4

What is considered Personal Information (PI) according to GAPP?,

Answer 4

Information that is or can be about or related to an identifiable individual.

Question 5

List some examples of Sensitive Personal Information (SPI) according to GAPP.,

Answer 5

Racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, genetic data, biometric data (used for ID purposes), health data, and data concerning sex life or sexual orientation.

Question 6

What isn’t considered Personal Information (PI)?,

Answer 6

Information that does not provide a way to identify the person the information is about (anonymized PI).

Question 7

How can PI be truly anonymized according to HHS?,

Answer 7

1. Expert determination: Anonymization analysis conducted by a trained statistician. 2. Safe Harbor: Requires the removal of 18 types of information to remove direct and indirect links to an individual.

Question 8

What are some identifiers that need to be removed under Safe Harbor for personal information?,

Answer 8

Names, geographic divisions and zip codes containing fewer than 20,000 people, dates of birth, death, hospital admission, or discharge for individuals over the age of 89, telephone and fax numbers, VINs and serial numbers, including license plate numbers, device identifiers and serial numbers, email addresses, IP addresses, web URLs, media record numbers, SSNs, biometric identifiers, health plan beneficiary numbers, full-face photographs and any comparable images, account numbers, any other uniquely identifying numbers or codes, and certificate/license numbers.

Question 9

What is data aggregation?,

Answer 9

Summarizing data about a group of individuals to make it impossible to draw conclusions about a single person.

Question 10

Why should organizations care about privacy?,

Answer 10

Ethical obligation, laws and regulations, poor privacy practices reflect poorly on an organization’s reputation.

Question 11

What are the Generally Accepted Privacy Principles (GAPP)?,

Answer 11

Management, Notice, Choice and Consent, Collection, Use, Retention, and Disposal, Access, Disclosure to Third Parties, Security for Privacy, Quality, Monitoring and Enforcement.

Question 12

What does the Management principle under GAPP entail?,

Answer 12

The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Question 13

What is the Notice principle in GAPP?,

Answer 13

The entity provides notice about its privacy policies and practices and identifies the purposes for which personal information is collected, used, retained, and disclosed.

Question 14

What is the Choice and Consent principle in GAPP?,

Answer 14

It allows individuals to retain control over the use of their personal information (PI).

Question 15

What does the Collection principle under GAPP govern?,

Answer 15

It governs the ways that organizations come into possession of personal information (PI).

Question 16

What does the Use, Retention, and Disposal principle under GAPP concern itself with?,

Answer 16

The entity limits the use of PI to purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains PI for only as long as necessary to fulfill the stated purposes or as required by law or regulations and then appropriately disposes of such information.

Question 17

What is the Access principle under GAPP?,

Answer 17

The entity provides individuals with access to their personal information for review and update.

Question 18

What does the Disclosure to Third Parties principle in GAPP involve?,

Answer 18

The entity discloses personal information (PI) to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Question 19

What is involved in the Security for Privacy principle under GAPP?,

Answer 19

The entity protects personal information against unauthorized access (both physical and logical).

Question 20

What does the Quality principle in GAPP state?,

Answer 20

The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

Question 21

What is covered under the Monitoring and Enforcement principle in GAPP?,

Answer 21

The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.

Question 22

What are the components of developing a privacy program?,

Answer 22

Strategic Mission Statement, Goals, Objectives.

Question 23

Who are considered Data Subjects in privacy roles?,

Answer 23

The individuals from whom personal information is collected.

Question 24

Who are Data Controllers in privacy roles?,

Answer 24

The organizations that determine the purposes and means of collecting personal information from data subjects.

Question 25

Who are Data Processors in privacy roles?,

Answer 25

Service providers who collect or process personal information on behalf of data controllers.

Question 26

What is required after crafting strategic mission, goals, and objectives in a privacy program?,

Answer 26

Establishing accountable officials and privacy roles, and creating a comprehensive inventory of the personal information (PI) that is collected, processed, and maintained, as well as the systems, storage locations, and processes involved in these activities.

Question 27

How is the inventory information used in a privacy program?,

Answer 27

It is leveraged for conducting privacy assessments and implementing privacy controls.

Question 28

Which standard is often leveraged for privacy assessments?,

Answer 28

ISO 27701.

Question 29

What is the end result of a privacy assessment?,

Answer 29

A gap analysis.

Question 30

What happens after privacy controls are implemented to address gap analyses?,

Answer 30

The program conducts ongoing operation and monitoring.

Question 31

What does Privacy by Design aim to do?,

Answer 31

Incorporates strong privacy practices into the design and implementation of technology systems, rather than adding privacy controls after a system is already in place.

Question 32

List the foundational principles of Privacy by Design.,

Answer 32

Proactive, not reactive; preventative, not remedial. Privacy as the default setting. Privacy embedded into design. Full functionality: Positive-sum, not zero-sum. End-to-end security: Full lifecycle protection. Visibility and transparency: Keep it open. Respect for user privacy: Keep it user-centric.