Chapter 1: Introduction to Privacy for the IT Professional

Question 1

Who invented the concept of Contextual Integrity

Answer 1

Helen Nissenbaum

Question 2

What is Helen Nissenbaum’s Contextual Integrity

Answer 2

Privacy concerns are not absolute but largely depend on the context

Question 3

Provide an example of privacy norms being domain and context specific

Answer 3

The norms governing banking information will differ from the norms governing medical information

Question 4

List the 4 risk categories of privacy harm identified in Daniel Solove’s Taxonomy of Privacy

Answer 4

Information Collection
Information Processing
Information Dissemination
Invasion

Question 5

List the 2 activities or mechanisms that can violate privacy related to Information Collection (Daniel Solove’s Taxonomy of Privacy)

Answer 5

Surveillance

Interrogation

Question 6

List the 5 activities or mechanisms that can violate privacy related to Information Processing (Daniel Solove’s Taxonomy of Privacy)

Answer 6

Aggregation
Insecurity
Secondary Use
Identification
Exclusion

Question 7

List the 7 activities or mechanisms that can violate privacy related to Information Dissemination (Daniel Solove’s Taxonomy of Privacy)

Answer 7

Breach of confidentiality
Increased Accessibility
Disclosure
Exposure
Blackmail
Appropriation
Distortion

Question 8

List the 2 activities or mechanisms that can violate privacy related to Invasion (Daniel Solove’s Taxonomy of Privacy)

Answer 8

Intrusion

Decisional Interference

Question 9

Describe Surveillance (Daniel Solove’s Taxonomy of Privacy)

Answer 9

Watching, listening to, or recording of an individual’s activities

Question 10

Describe Interrogation (Daniel Solove’s Taxonomy of Privacy)

Answer 10

Questioning or probing for personal information

Question 11

Describe Aggregation (Daniel Solove’s Taxonomy of Privacy)

Answer 11

Combining of various pieces of personal information

Question 12

Describe Insecurity (Daniel Solove’s Taxonomy of Privacy)

Answer 12

Carelessness in protecting information from leaks or improper access

Question 13

Describe Identification (Daniel Solove’s Taxonomy of Privacy)

Answer 13

Linking of information to a particular individual

Question 14

Describe Secondary Use (Daniel Solove’s Taxonomy of Privacy)

Answer 14

Using personal information for a purpose other than the purpose for which it was collected

Question 15

Describe Exclusion (Daniel Solove’s Taxonomy of Privacy)

Answer 15

Failing to let an individual know about the information that others have about them and participate in its handling or use

Question 16

Describe Breach of Confidentiality (Daniel Solove’s Taxonomy of Privacy)

Answer 16

Breaking a promise to keep a person’s information confidential

Question 17

Describe Disclosure (Daniel Solove’s Taxonomy of Privacy)

Answer 17

Revealing truthful personal information about a person that impacts the ways others judge their character or their security

Question 18

Describe Exposure (Daniel Solove’s Taxonomy of Privacy)

Answer 18

Revealing an individual’s nudity, grief, or bodily functions

Question 19

Describe Increased Accessibility (Daniel Solove’s Taxonomy of Privacy)

Answer 19

Amplifying the accessibility of personal information

Question 20

Describe Blackmail (Daniel Solove’s Taxonomy of Privacy)

Answer 20

Threatening to disclose personal information

Question 21

Describe Appropriation (Daniel Solove’s Taxonomy of Privacy)

Answer 21

Using an individual’s identity to serve the aims and interests of another

Question 22

Describe Distortion (Daniel Solove’s Taxonomy of Privacy)

Answer 22

Disseminating false or misleading information about an individual

Question 23

Describe Intrusion (Daniel Solove’s Taxonomy of Privacy)

Answer 23

Disturbing an individual’s tranquility or solitude

Question 24

Describe Decisional Interference (Daniel Solove’s Taxonomy of Privacy)

Answer 24

Intruding into an individual’s decision regarding their private affairs

Question 25

What are Ryan Calo’s 2 dimensions of privacy harm

Answer 25

Objective

Subjective

Question 26

Describe an objective harm (Ryan Calo)

Answer 26

Measurable and observable harm, wherein a person’s privacy has been violated and a direct harm is known to exist

Question 27

Describe a subjective harm (Ryan Calo)

Answer 27

Exists without an observable or measurable harm, but where an expectation or perception of harm exists

Question 28

How are privacy risks measured?

Answer 28

Likelihood and impact

Question 29

What are some common non-malicious insider threats?

Answer 29

Weak security policies
Insufficient training
Mistakes
Ineffective controls
Carelessness

Question 30

List the 8 principles included in the OECD international standard for privacy

Answer 30

Collection Limitation
Accountability 
Data Quality
Individual Participation
Security Safeguards
Openness
Use Limitation
Purpose Specification

Question 31

Describe the Collection Limitation principle (OECD international standard for privacy)

Answer 31

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and where appropriate, with the knowledge or consent of the data subject

Question 32

Describe the Data Quality principle (OECD international standard for privacy)

Answer 32

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date

Question 33

Describe the Purpose Specification principle (OECD international standard for privacy)

Answer 33

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use should be limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

Question 34

Describe Use Limitation principle (OECD international standard for privacy)

Answer 34

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except: (a) with the consent of the data subject; or (b) by the authority of law

Question 35

Describe Security Safeguards principle (OECD international standard for privacy)

Answer 35

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data

Question 36

Describe Openness principle (OECD international standard for privacy)

Answer 36

There should be a general policy of openness about developments, practices and policies with respect to personal data - Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

Question 37

Describe Individual Participation principle (OECD international standard for privacy)

Answer 37

An individual should have the right:

(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
(b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
(d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended

Question 38

Describe Accountability principle (OECD international standard for privacy)

Answer 38

A data controller should be accountable for complying with measures which give effect to the principles stated above

Question 39

Describe first-party data collection

Answer 39

When the data subject provides data about themselves directly to the collector

Question 40

Describe third-party data collection

Answer 40

When previously collected information is transferred to a third-party

Question 41

What is the difference between active and passive data collection?

Answer 41

Active data collection occurs when a data subject is aware of the collection
Passive data collection occurs when a data subject is unaware

Question 42

How is explicit consent obtained?

Answer 42

The individual is required to expressly act to communicate consent (checking a box, clicking a button, responding to an email, etc.)

Question 43

How is passive or implied consent generally obtained?

Answer 43

By including a conspicuous link to a privacy notice that describes the collection activities - no actions are taken by the IT system to engage the individual with the notice
Use of the system is assumed to imply consent

Question 44

What is bounded rationality?

Answer 44

The idea that rationality is limited when individuals make decisions

Question 45

What type of privacy threat is behavioural advertising according to Daniel Solove?

Answer 45

Intrusion
Decisional interference
Self-representation

Question 46

What type of privacy threat is cyberbullying according to Daniel Solove?

Answer 46

Intrusion
Decisional interference
Self-representation

Question 47

What type of privacy threat is social engineering according to Daniel Solove?

Answer 47

Self-representation