Chapter 1: Privacy in the modern era Flashcards
Privacy definition
Individual right to protect yourself and your information from unwanted intrusions from others and the government.
Colloquial definition of privacy by Louis Brandeis
“Right to be let alone.”
GAPP definition of privacy
Rights and obligations of individuals and orgs with respect to the collection, use, retention, disclosure, and destruction of personal information
Personal information definition (GAPP)
Information that is or can be about or related to an identifiable person
SPI
Sensitive Personal Information
GDPR Special Categories of PI (8)
Racial or Ethnic Origin; Political Opinions; Religious or Philosophical Beliefs; Trade Union Membership; Genetic Data; Biometric data used to identify a person; Health data; Sex life or sexual orientation data
Anonymization
Process of making it impossible to identify an individual to whom the information relates
HHS Deidentification Standard
A process to make information unidentifiable using two techniques
HHS Deidentification: Expert determination
Requires using a statistician who analyzes dataset and determines if individuals can be reidentified when data is combined with public information
HHS Deidentification: Safe Harbor
Removal of 18 types of information to eliminate direct and indirect links to an individual
Aggregation
Summarizing info in a way that makes it impossible to identify an individual
Privacy management
Defining, documenting, communicating, and assigning accountability for privacy policies and procedures.
Examples of privacy management
Policies
Assigning responsibility
Procedures for reviewing/editing policies
Performing annual risk assessments
Ensuring contractual terms align with privacy policies
Assessing privacy risks with technology
Privacy Incident Management Process
Training and awareness
Establishing qualifications for employees with privacy responsibilities
Notice
Providing notice about privacy policies and procedures, and identifying purpose for which PI is collected, used, retained, and disclosed
Notice tasks
Include notice practices in privacy policies
Notice about how collection aligns with other privacy principles
Providing timely, accurate, and updated notice (including when purpose/use change)
Writing notices in plain language and posting conspicuously
Choice and Consent
Describing choices available and obtaining implicit or explicit consent for the collection, use, and disclosure of PI
Collection
The way organizations obtain personal information.
Only collect for the purposes in a notice.
Use, retention, and disposal
Limit use of PI to purposes in the notice and for which consent was provided.
Retain only as long as necessary
Dispose of information
Access
Providing individuals access to their PI for review and update