Chapter 8: Privacy Governance Flashcards

1
Q

List the elements of the Conceptualizing a Privacy Governance Program pyramid

A
Law & Policy
Privacy Controls
Security Controls
Standards
Compliance
Technology
2
Q

What is the role of the Law & Policy element in the privacy governance program pyramid?

A

Translate fundamental requirements—whether foundational legal requirements or organizational privacy policies—into tooling that is manageable and scalable with the organization’s IT needs

3
Q

What is the role of the Compliance element in the privacy governance program pyramid?

A

Building upon law and established organizational policy, compliance begins the translation into practical and measurable requirements and the process through which privacy can be implemented and evaluated

4
Q

What is the concept of reasonable assurance?

A

Means that requirements and objectives are not absolute, but rather based upon criteria that are deemed practical to implement and manage

5
Q

Why is reasonable assurance so important when safeguarding privacy in IT?

A

It affords flexibility and is greatly valuable for managing the potential overengineering of solutions
It also grounds solutions in common sense

6
Q

What are internal controls?

A

Objectives tied to practical measurements and designed to evaluate components governed by the privacy program

7
Q

What are the 2 flavours of internal controls?

A
• Preventative - designed to stop an activity from occurring
• Detective - for identifying problematic behaviour after the event has occurred

8
Q

What does compliance offer a privacy program?

A

Structure

9
Q

What is the role of the Security element in the privacy governance program pyramid?

A

Protecting against unauthorized access and malicious actions

10
Q

How are security risks often framed?

A

CIA
• Confidentiality
• Integrity
• Availability

11
Q

Provide an example of how security and privacy differ

A

Security can reasonably assure that two parties exchange personal data securely, but it is privacy that reasonably assures that the authorized parties are in fact using the personal data appropriately

12
Q

What benefits does security provide to privacy?

A
  • Information security is more mature technologically
  • Frameworks and certifications are well established
  • Security thus provides privacy an avenue through which meaningful IT solutions can be developed to safeguard privacy
  • As security and compliance are as intertwined as privacy and compliance, reasonably assured internal controls can be repurposed, or extended, as necessary in order to mature the privacy governance program
  • Important benefit for privacy: The ability to translate privacy into meaningful and understandable terminology for engineers
13
Q

What benefits do industry standards such as NIST offer?

A

Establishment of a common language - this results in transparency

Standards provide a mechanism through which an organization can transparently describe its controls tied to governance and information technology in common and accessible terms

This helps build trust between an organization and its key stakeholders or customers and, in addition, provides auditability through independent third-party certification

14
Q

What is the role of the Standards element in the privacy governance program pyramid?

A

Standards provide a mechanism to check whether the security and privacy controls meet minimum expectations as defined by outside parties

15
Q

What are the 2 overall aims of the privacy governance program?

A

To be:
• Structured
• Enduring

Designed controls should focus on structuring objectives and activities in measurable and discrete ways that connect, but do not embed, higher-order legal requirements or lower-level technological solutions

16
Q

What are the 6 core activities typical of a privacy program?

A
  • Privacy and Data Protection Impact Assessments
  • Privacy Reviews
  • Training and Awareness
  • Privacy Incident Management
  • Third-Party Relationships
  • Consent and Notice
17
Q

Describe the Privacy and Data Protection Impact Assessments activity of a privacy program

A

Assessments evaluating privacy harms and issues for major activities undertaken by an organization

18
Q

Describe the Privacy Reviews activity of a privacy program

A

Individual design reviews of systems or activities to evaluate sufficiency of privacy safeguards employed

19
Q

Describe the Training and Awareness activity of a privacy program

A

Educational and awareness activities for personnel supporting privacy functions within the organization. (Awareness may also include external engagement and transparency activities)

20
Q

Describe the Privacy Incident Management activity of a privacy program

A

Management and response for privacy-related incidents within the organization

21
Q

Describe the Third-Party Relationships activity of a privacy program

A

Requirements and privacy safeguards when interacting and sharing personal data with external organizations

22
Q

Describe the Consent and Notice activity of a privacy program

A

Practices and requirements to provide notice and appropriate consent for users of organizational services

23
Q

What is evaluated in a privacy review?

A

Among other things…
• the data and uses of a given service
• dataflows (across systems as well as geographic boundaries)
• consent/notice in keeping with organizational requirements
• access control
• other aspects as defined by an organization’s privacy program

24
Q

List the 3 steps that are helpful to conceptualize a model for data and use specifically tailored to an organization’s needs and goals

A

1 Business objective and purpose—Identifying the business objectives and associated purposes

2 Law and policy—Once business objectives and purposes are understood, law and policy help shape the limits

3 Technology—Ultimately, the data and uses, tied to business objectives and constrained by rules, must be channeled through technological controls

25
Q

How is privacy engineering put in place?

A

Translating the highest-order objectives of a privacy governance program into actionable, practical technical controls, rationalized against an organization’s evaluation of privacy risk and the fundamental capabilities available within the organization’s IT infrastructure