Chapter 1 - Intro to Privacy Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

_____ privacy is concerned with rules that govern the collection and handling of personal information.

Examples included financial info, medical info, government records and records of a person’s internet activities

A

Information Privacy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

_____ privacy is focused on a personals physical being and an invasion thereof. Invasions can take the form of genetic testing, drug testing, or body cavity searches. This also encompasses issues such as birth control, abortion and adoption.

A

Bodily Privacy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

_____ privacy is concerned with the ability to intrude into another individual’s environment. “Environment” isnt limited to home; it includes workplace or public space. Intrusions typically take the form of monitoring (i.e., video surveillance, ID checks and the like)

A

Territorial Privacy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

_____ privacy encompasses the means of correspondence, including postal mail, phone convos, email and other forms of communication

A

Communication Privacy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are FIPs/FIPPs?

A
  1. FIP - Fair Information Practices/FIPP - Fair Information Privacy Practices (or Principles)
  2. FIPS are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving.

Examples include:
OECD Guidelines
Convention 108
APEC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the 4 main categories of FIPs?

A

1- rights of individuals
2- controls on the information
3- information lifecycle
4- management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Re: “(FIP) Rights of Individuals”, organizations should address what 3 areas?

A

1-Notice
2- Choice and Consent
3- Data Subject Access

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

(FIP) Rights of Individuals - Re: NOTICE, orgs should….

A

provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

(FIP) “Rights of Individuals” - Re: CHOICE AND CONSENT orgs should….

A

describe the che choices available to individuals and should get implicit/explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is especially important for disclosures of personal info to other data controllers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

(FIP) “Rights of Individuals” - Re: DATA SUBJECT ACCESS, orgs should….

A

provide individuals with access to their personal info for review and update.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Re: (FIP) “Controls on the Information”, organizations should address what 2 areas?

A

1- Information Security

2- Information Quality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

(FIP) “Controls on the Information” - Re: INFORMATION SECURITY, orgs should…

A

use reasonable administrative, technical and physical safeguards to protect personal info against unauthorized access, use, disclosure, modification and destruction.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

(FIP) “Controls on the Information” - Re: INFORMATION QUALITY, orgs should…

A

maintain accurate, complete and relevant personal info for the purposes identified in the notice

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Re: (FIP) “Information Lifecycle”, organizations should address what 3 areas?

A

1- Collection
2- Use and Retention
3- Disclosure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

(FIP) “Information Lifecycle” - Re: COLLECTION, orgs should…

A

collect personal information only for the purposes identified in the notice

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

(FIP) “Information Lifecycle” - Re: USE AND RETENTION, orgs should…

A

limit the use of personal info for the purposes identified in the notice and for which the individual has provided implicit or explicit consent; orgs should also retain personal info for only as long as necessary to fulfill the state purpose

17
Q

(FIP) “Information Lifecycle” - Re: DISCLOSURE, orgs should…

A

disclose personal info to 3rd parties only for the purposes identified in the notice and with the implicit/explicit consent of the individual

18
Q

Re: (FIP) “Management”, organizations should address what 2 areas?

A

1- Management and Administration

2- Monitoring and Enforcement

19
Q

(FIP) “Information Lifecycle” - Re: MANAGEMENT AND ADMINISTRATION, orgs should…

A

define, document, communicate and assign accountability for their privacy policies and procedures

20
Q

(FIP) “Information Lifecycle” - Re: MONITORING AND ENFORCEMENT, orgs should…

A

monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes

21
Q

5 Key Principles in US Health, Education and Welfare FIPs

A

1 - There must be no personal data record-keeping systems whose very existence is secret

2- There must be a way for a person to find out what info about them is in a record and how it is used

3- There must be a way for a person to prevent info about them that was obtained for one purpose from being used or made available for other purposes w/o the person’s consent

4- There must be a way for a person to correct or amend a record of identifiable info about the person

5 - Any org creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuse of the data

22
Q

The most widely recognized framework for FIPs and have been endorsed by the US FTC and many other government organizations

A

OECD Guidelines (updated in 2013)

23
Q

OECD - Collection Limitation Prinicple

A

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and where appropriate, with the knowledge or consent of the data subject

24
Q

OECD - Quality Principle

A

Personal data should be relevant to the purposes for which they are to be used, and as needed for those purposes, should be accurate, complete and kept up-to-date

25
Q

OECD - Purpose Specification Principle

A

Purposes for which personal data are collected should be specified not later than at the time of the data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

26
Q

OECD - Use Limitation Principle

A

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except (i) with the consent of the data subject or (b) by the authority of law

27
Q

OECD - Security Safeguards Principle

A

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

28
Q

OECD - Openness Principle

A

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

29
Q

OECD - Individual Participation Principle

A

An individual should have the right:

(i) to obtain confirmation of whether or not the data controller has data relating to them
(ii) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him
(iii) to be given reasons if a request made under the preceding clauses is denied, and to be able to challenge such denial
(iv) to challenge data relating to him and if the challenge is successful, to have the data erased, rectified, completed or amended

30
Q

OECD - Accountability Principle

A

A data controller should be accountable for complying with measures which give effect to the OECD principles.

31
Q

Personal Identifiable Information (PII) includes…

A

information that makes it possible to identify and individual (i.e., social security numbers, passport numbers, street address, telephone number, email address)

32
Q

De-identified/Anonymized Data

A

Data where element used to identify the individual are removed and the remaining data becomes nonpersonal info.

33
Q

Pseudonymized Data

A

Data where info about individuals is retained under pseudonymns, such as a unique numerical doce for each person, that renders data temporarily nonpersonal. Pseudonmyized data can be reversed.

34
Q

Practice Note - Personal & Nonpersonal Information

A

The line between these 2 categories is not always clear, and regulators and courts in different jurisdictions may disagree on what counts as personal information. For example, IP addresses dont constitute personal information under the Privacy Act, , but the FTC has stated that in the context of breaches of healthcare information, IP addresses ARE personal information.

35
Q

Information Assets of an Organization that isnt “personal information” but should be protected and secured to ensure confidentiality include:

A

1 - financial data
2- operational data
3- intellectual property
4- info about the org’s products and services

36
Q

The term “Processing” refers to…

A

the collection, recording, organization, storage, updating or modification, retrieval, consultation and use of personal information; it also includes disclosure by transmission, dissemination or making available in any other form, linking, alignment, or combination, blocking, erasure, or destruction of personal information.

37
Q

Practice Note re: Sources of Personal Information

A

Information may be public record, publicly, available, and nonpublic all at once, and to understand how to use the underlying information, one must understand the source that provided the information (i.e., restrictions may apply to use of the name and address in a patient file, but not to public records or publicly available information)

38
Q

A Data Controller is…

A

an org that has the authority to decide how and why personal info is to be processed.

39
Q

A Data Processor is…

A

a 3rd party outsourcing services, that processes data on behalf of the data controller. Data processors arent authorized to do additional data processing outside of the scope of what is permitted for the data controller itself.

Under HIPPA, data processors are called “business associates”.