CIPM CH 2 Privacy Program Framework Flashcards
Governance
A process whereby Senior Management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring.
. Management’s continuous oversight of an organization’s business processes that is intended to ensure that these processes effectively meet the organization’s business vision and objectives
Developing the Privacy program framework
. A privacy program comprises its structure, its organization, and all of its parts
. These parts are represented by artifacts including
- privacy program Charter
- privacy policy
- privacy standards
- privacy processes
- privacy guidelines
- controls
Privacy Charter
. A formal document used in some organizations to define and describe a major business activity and/or department
. Typically contains these elements:
- program name
- program purpose
- Executive sponsorship
- roles and responsibilities
- policies
- primary business processes
- budget and other resources
Internal privacy policy
. Organizations with more mature privacy and security programs will have detailed privacy policies that define expected behaviors of their workers and the required characteristics of their information systems
. At a minimum, privacy and security policies will include general statements that sensitive or personal information shall be used “for business purposes only,” without further detail
Internal privacy policy content should include
. Roles and responsibilities for the organization’s privacy program
. Business processes governing the use of personal information
. Language regarding the protection of personal information
. Consequences for violation of privacy policy
. Provisions for the review and audit of privacy business processes
. Description of measurements of privacy business processes
. Citations of applicable regulations and other obligations
Roles and responsibilities for an organization’s privacy program
. Those who have data management responsibilities
. Those who approve and review access to personal information
. Those who review and approve new uses of personal data
. Those who receive and process data subject requests
. Those who have responsibility for monitoring uses of personal data
. Those who have responsibility for responding to incidents that represent the misuse of personal information
. Those who review privacy business processes
. Those who audit privacy business processes
Privacy standards
Policies define what is to be done, and standards define how policies are to be carried out
. Standards may be frequently affected by change, because they are closer to the technology and are concerned with the details of the implementation of the policy
. Standards need to be developed carefully so that:
- they properly reflect the intent of one or more corresponding policies
- they can be implemented
- they are unambiguous
- their direction can be automated, where large numbers of systems exist
EU General data protection regulation
. Passed April 2016, became effective May 2018
. Rights of data subjects
- right to access personal data
- right to rectification
- right to erasure
- right to restrict processing
- right to be notified
- right to data portability
- right to object
- right to reject automated individual decision-making
Data controller and data processor
. GDPR defines a data controller as an organization that directs the use of personal data
. A data processor is an organization that processes personal data as directed by a data controller
GDPR main provisions
. Rights of data subjects
. Definition of data controller and data processor
. Data protection and privacy by design and by default
. cybersecurity
. breach notification
. data protection impact assessment (DPIA)
. data protection officer (DPO)
. certification
. cross-border data transfers
. binding corporate rules
. supervisory authority
. penalties
HIPAA: two rules
. Security Rule: requires that organizations enact several administrative, physical, and technical safeguards to protect ePHI
. Privacy Rule: requires organizations to protect PHI, mainly in hard-copy form
Health Information Technology for Economic and Clinical Health Act (HITECH)
Expands HIPAA security breach notification requirements and expands the disclosures of the use of patients’ PHI
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
. Was enacted to provide assurances to European countries and consumers that their personal information present in Canadian companies’ information systems will be safe and free from abuses
. Also gives Canadians the right to know why organizations collect, use, or disclose their personal information, and the assurance that the information will not be used for any other purpose
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
. Give California residents certain rights, including the following:
- knowledge of what personal information is being collected
- notifications of whether such personal information is subsequently transferred or disclosed to another party
- the ability to prohibit an organization from transferring or selling personal information
- the ability to examine the personal information held by an organization, with the right to request that the information be corrected or removed
- freedom from discrimination should individuals choose to exercise their privacy rights
Standard contractual clauses
International organizations are able to make use of binding corporate rules that define international transfers and protection of data within an organization.
Establishing legal basis for processing
Article 6.1 of the GDPR
. Organizations must specifically identify the legal basis under which they are collecting and/or processing personal information
. It must be lawful for the organization to collect and use data subjects’ personal information, and the organization must be able to say specifically how it is lawful
Five possible avenues of legal basis:
- processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party
Controls
. Statements that define required outcomes
. Are often implemented through policies, procedures, mechanisms, systems, and other measures designed to reduce risk
. Are used for two primary purposes in an organization:
- to ensure desired outcomes
- to avoid unwanted outcomes