Chapter 1: Privacy in the modern era Flashcards

1
Q

Privacy definition

A

Individual right to protect yourself and your information from unwanted intrusions from others and the government.

2
Q

Colloquial definition of privacy by Louis Brandeis

A

“Right to be let alone.”

3
Q

GAPP definition of privacy

A

Rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information

4
Q

Personal information definition (GAPP)

A

Information that is or can be about or related to an identifiable person

5
Q

SPI

A

Sensitive Personal Information

6
Q

GDPR Special Categories of PI (8)

A

Racial or Ethnic Origin
Political Opinions
Religious or Philosophical Beliefs
Trade Union Membership
Genetic Data
Biometric data used to identify a person
Health data
Sex life or sexual orientation data

7
Q

Anonymization

A

Process of making it impossible to identify an individual to whom the information relates

8
Q

HHS Deidentification Standard

A

A process to make information unidentifiable using two techniques

9
Q

HHS Deidentification: Expert determination

A

Requires using a statistician who analyzes dataset and determines if individuals can be reidentified when data is combined with public information

10
Q

HHS Deidentification: Safe Harbor

A

Removal of 18 types of information to eliminate direct and indirect links to an individual

11
Q

Aggregation

A

Summarizing info in a way that makes it impossible to identify an individual

12
Q

Privacy management

A

Defining, documenting, communicating, and assigning accountability for privacy policies and procedures.

13
Q

Examples of privacy management

A

Policies
Assigning responsibility
Procedures for reviewing/editing policies
Performing annual risk assessments
Ensuring contractual terms align with privacy policies
Assessing privacy risks with technology
Privacy Incident Management Process
Training and awareness
Establishing qualifications for employees with privacy responsibilities

14
Q

Notice

A

Providing notice about privacy policies and procedures, and identifying purpose for which PI is collected, used, retained, and disclosed

15
Q

Notice tasks

A

Include notice practices in privacy policies
Notice about how collection aligns with other privacy principles
Providing timely, accurate, and updated notice (including when purpose/use change)
Writing notices in plain language and posting conspicuously

16
Q

Choice and Consent

A

Describing choices available and obtaining implicit or explicit consent for the collection, use, and disclosure of PI

17
Q

Collection

A

The way organizations obtain personal information.

Only collect for the purposes in a notice.

18
Q

Use, retention, and disposal

A

Limit use of PI to purposes in the notice and for which consent was provided.
Retain only as long as necessary
Dispose of information

19
Q

Access

A

Providing individuals access to their PI for review and update

20
Q

Disclosure to third parties

A

Entity discloses PI to 3rd Parties only for the purposes identified in the notice and with implicit or explicit consent

21
Q

Security for privacy

A

Protect PI against unauthorized access

22
Q

Quality

A

Maintain accurate, complete, and relevant PI for the purposes identified in the notice

23
Q

Monitoring and enforcement

A

Monitor compliance with privacy policies and procedures to address privacy related inquiries, complaints, and disputes.

24
Q

Three things a privacy program needs

A

Purpose
Strategy
Goals

25
Q

3 primary data roles

A

Subject
Controller
Processor

26
Q

Data Subject

A

Person about whom PI is collected

27
Q

Data controllers

A

Determine the purpose and means of collecting PI from data subjects

29
Q

Data Processors

A

Collect and process PI on behalf of controllers

30
Q

Inventory

A

Contains information about sensitive PI held by the organization

31
Q

ISO 27701

A

Extension to ISO 27001 for privacy information management

32
Q

Privacy assessment results in…

A

A gap analysis

34
Q

Examples of program monitoring

A

Audits
Periodic reviews
Assessment updates
Dashboards with key metrics

35
Q

What are these examples of?
Privacy policies
Encryption
Purging data not meeting purpose limitation
Access controls
Process to maintain privacy preferences
Process to deal with incidents and complaints
Periodic program testing and assessment

A

Privacy controls

36
Q

Active data collection

A

User submits data

37
Q

Passive data collection

A

Org collects data automatically

38
Q

Privacy notice

A

Conveys details of the privacy policy to end users

39
Q

Layered privacy notice

A

Privacy notice in plain language with legalese available

40
Q

Who is responsible for protecting non-electronic records? (Privacy or Security)

A

Privacy

41
Q

Privacy by Design

A

Incorporate privacy into design and implementation of technology

42
Q

Proactive, not reactive. Preventative, not remedial.

A

Systems should be designed to prevent privacy risks

43
Q

Privacy as the default setting

A

Protect users even if they do not act in any way

44
Q

Privacy embedded into Design

A

Privacy is a core requirement

45
Q

Full functionality - Positive sum, not zero-sum

A

Seek win-win situations where privacy objectives are achieved alongside other objectives.

46
Q

End-to-end security - Full lifecycle protection

A

Security practices persist through entire information lifecycle

47
Q

Visibility and transparency, Keep it open

A

System should be open for inspection

48
Q

Respect for user privacy - Keep it user centric

A

Focus on the individual, empowering data subjects with user-friendly privacy practices