CIPP

Question 1

4 Classes of Privacy

Answer 1

1. Information Privacy
2. Communications Privacy
3. Bodily Privacy
4. Territorial Privacy

Question 2

Information Privacy

Answer 2

Rules that govern the collection and handling of personal info:

• Financial and medical info
• Government Records
• Internet activity

Question 3

Communications Privacy

Answer 3

Establishes protection of the means of correspondence, such as:

• Postal Mail
• Telephone Conversations
• Email

Question 4

Territorial Privacy

Answer 4

Establishes placing limits on the ability to intrude into another individual’s environment including:

• Home
• Workplace
• Public Space

Question 5

Fair Information Practices - 4 Principals

Answer 5

Set of principles that consider: 
1. rights of individuals
2. controls on the information
3. the info life-cycle 
4. management.  
They are guidelines for handling, storing and managing personal info properly.

Question 6

Data Protection Authority

Answer 6

Enforces privacy or data protection laws and regulations. US has no national data protection authority but several groups over see privacy matters (FTC, state attorneys general, federal financial regulators)

Question 7

Data Controller

Answer 7

An organization or individual with the authority to decide how and why information about data subjects is to be processed

Question 8

Data Subject

Answer 8

An individual about whom information is being processed. Ex. Consumer, employee, patient

Question 9

Data Processor

Answer 9

An organization or individual, often a third-party outsourcing service that process data on behalf of the data controller

Question 10

Personal Information

Answer 10

Information that make sit possible to identify and individual

Question 11

Nonpersonal Information

Answer 11

Anonymizing personal information by removing identifying elements renders it nonpersonal

Question 12

Sensitive personal information

Answer 12

A subset of personal information; usually requires additional safeguarding of its collection use and disclosure

Question 13

Pseudonymized Information

Answer 13

A unique code or pseudonym is used as a temporary solution to protecting information. It is reversible

Question 14

Examples of Public Records

Answer 14

Real estate records, birth and death records, licensing records, statistical data

Question 15

Examples of Publicly available information

Answer 15

Telephone books, public media, newspapers, search engine results

Question 16

Examples of Nonpublic information

Answer 16

Medical records, financial information, customer databases, adoption records

Question 17

Federal Trade Commission (FTC)

Answer 17

Has general authority to enforce rules against unfair and deceptive trade practices.

• has power to bring enforcement actions where privacy promise is broken
• has statutory responsibility for issues such as children’s online privacy and commercial email marketing

Question 18

Federal Communications Commission (FCC)

Answer 18

places significant compliance regulations on the marketplace. Governs the communications industry such as television, radio, telemarketing, and online marketing. FTC also enforces privacy law.

Question 19

US Department of Commerce (DOC)

Answer 19

Plays a leading role in federal privacy policy development and administers the Privacy Shield Framework btwn the US and EU. DOC works with FTC on enforcement of privacy and security standards by organizations.

Question 20

Department of Health and Human Services (HHS)

Answer 20

Created regulations to protect the privacy and security of healthcare information. It is responsible for the enforcement of HIPPA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the HITECH Act.

Question 21

Federal Reserve Board

Answer 21

As a federal financial regulator the FRB enforces provisions by specific financial mandates such as the Gramm-Leach-Bliley Act (GLBA).

Question 22

Office of the Comptroller of the Currency (OCC)

Answer 22

An independent bureau of the US Department of the Treasure. It regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Additionally, the OCC ensures fair access to financial services and compliance with financial privacy laws and regulations.

Question 23

State Attorney General

Answer 23

The state attorney general is the chief legal advisory to the state government as well as the state’s chief law enforcement officer. They may take enforcement action on a state’s unfair and deceptive practice laws, HIPAA, GLBA, the Telemarketing Sales Rule and violations of breach notification laws.

Question 24

Self-regulatory programs and trust marks

Answer 24

Refers to many approaches to privacy protection. Many industry groups create and monitor their own privacy guidelines and practices.

Question 25

Consent Decree

Answer 25

An agreement or settlement that resolves a dispute between two parties without admission of guilt or liability.

Question 26

3 branches of government

Answer 26

Executive, Legislative, Judicial

Question 27

Executive Branch

Answer 27

Enforces Laws, made up of President, VP, cabinet and federal agencies

Question 28

Legislative Branch

Answer 28

Makes Laws, made up of Congress, House and Senate

Question 29

Judicial Laws

Answer 29

Interprets Laws, made up of federal courts

Question 30

Constitution

Answer 30

US Constitution is the supreme law in the US. while the word privacy is not mentioned in the Constitution, there are parts that directly affect it, such as the Fourth Amendment. State constitutions are also sources of law and can create stronger rights than those provided by the US Constitution.

Question 31

Legislation

Answer 31

Privacy and security laws have been passed by both federal and state legislatures. These regulations are implemented across numerous industries, from healthcare and education to finance and surveillance. State legislation may be stricter than national legislation, and in other cases, Federal law overrides state laws, as with HIPAA and CAN-SPAM.

Question 32

Regulations and Rules

Answer 32

Regulatory agencies, such as the Federal Trade Commission and Federal Communications Commission, issue regulations and rules that place compliance expectations on industries, such as marketing.

Question 33

Case Law

Answer 33

When final decisions are made by duges in court cases, this is knows as case law. Often judges will look to past decisions and decide how to rule in the new case in a manner that was consistent with a past decision. These precedents do change, however, as technological and societal changes in values and laws evolve over time.

Question 34

Common Law

Answer 34

These laws refer to legal principles that have developed over time through judicial decisions and contrast with statutory laws. Drawing from social customs and expectations, doctor-patient and attorney-client confidentiality are examples of common law.

Question 35

Consent Decree

Answer 35

Consent decrees are agreements or settlements that resolve a dispute between two parties without admission of guilt or liability. through a legal document approved by a judge the defendant may have to take specific action, such as agreeing to stop the alleged illegal activity or pay money to the government and agree to not violate the relevant law in the future.

Question 36

Contract Law

Answer 36

A legally binding contract that must include an offer, such as terms of agreement, acceptance by the person to whom the offer was made, and consideration, which is bargained-for exchange, as in money, property or services. This contract is usually enforceable in a court of law or in arbitration by a neutral third party where agreed-upon by the parties. In regard to privacy, the contract may include provisions on data usage, security, and breach notification.

Question 37

Tort Law

Answer 37

Tor laws are civil wrong recognized by laws as having the grounds for lawsuits. The primary goal for lawsuit is to provide relief for damages incurred and deter others from committing the same wrongs. There are three general tort categories: Intentional, negligent, and strict liability.

Question 38

Private Right of Action

Answer 38

The ability of an individual harmed by a violation of a law to file a lawsuit against the violator

Question 39

Jurisdiction

Answer 39

The authority of a court to hear a particular case.

Question 40

Authority

Answer 40

Permission to regulate a field of activity or a singular activity, which is outlined by legislation.

Question 41

Preemption

Answer 41

A superior government's ability to have its laws supersede those of an inferior government

Question 42

6 Tenants to Understanding Privacy Laws

Answer 42

1. Who is covered by the Law? (identifies an organization or person) 2. What types of info and what uses of info are covered? (Explains the scope, suggests good practices or trends) 3. What exactly is required or prohibited? (How one must comply with the law) 4. Who enforces the law? 5. What happens if i don't comply? (assesses the risk of failing to comply with the law) 6. Why does this law exist? (Fosters understanding and improvement of the law)

Question 43

Federal Trade Commission (FTC)

Answer 43

Has general authority to enforce rules against unfair and deceptive trade practices. This also include the power to bring deception enforcement actions where an organization has broken a privacy promise. Additionally, the FTC has statutory responsibility for issues such as children's online privacy and commercial email marketing and have been instrumental in developing US privacy standards.

Question 44

Federal Communications Commission

Answer 44

Places significant compliance regulations on the marketplace. It governs the communications industry, such as television, radio and telemarketing, and more recently, with online marketing developing such as laws a the Telemarketing Sales Rule and controlling the Assault of Non-Solicited Pornography and Marketing Act (know as the CAN-SPAM Act). Along with the FTC the FCC also enforces privacy law.

Question 45

US Department of Commerce

Answer 45

The Department of Commerce plays a leading role in federal privacy policy development and administers the Privacy Shield Framework between the US and the EU. The Department of Commerce works along with the FTC on the enforcement of privacy and security standards set by organizations, particularly with those having privacy self-regulatory programs.

Question 46

Department of Health and Human Services

Answer 46

Created regulation to protect the privacy and security of healthcare information. It is responsible for the enforcement of HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Question 47

Federal Reserve Board

Answer 47

Enforces provisions by specific financial mandates, such as the Gramm-Leach-Bliley Act (GLBA). The consumer Financial Protection Bureau is an independent bureau under the Federal Reserve, has rule-making authority for laws related to financial privacy and oversees the relationship between consumers and financial product and service providers.

Question 48

Office of the Comptroller of the Currency

Answer 48

An independent bureau of the US Department of Treasury. It regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Additionally, the OCC ensures fair access to financial services and compliance with financial privacy laws and regulations.

Question 49

State Attorney General

Answer 49

Chief legal advisor to the state government, as well as the state's chief law enforcement officer. They may take enforcement action on a state's unfair and deceptive practice laws, HIPAA, GLBA, the Telemarketing Sales Rule and violations of breach of notification laws.

Question 50

Self-Regulatory Programs

Answer 50

refers to many approaches to privacy protection. Many industry groups create and monitor their own privacy guidelines and practices. Governmetn agencies, such as the FTC, may be involved in enforcement and adjudication. Organizations may also adopt th guidelines of a third party and have that third party motor and enforce compliance, as in third-party seal and certification programs, such a s TrustArc, the Better Business Bureau and the EU-US Privacy Shield.

Question 51

EEC

Answer 51

European Economic Community

Question 52

Universal Declaration of Human Rights

Answer 52

(1948) Followed WWII, established right to private life and associated freedoms (Article 12) right to freedom of expression (Article 19)

Question 53

ECHR

Answer 53

European Convention on Human Rights

Question 54

Collection Limitation Principle

Answer 54

Personal information must be collected fairly and lawfully and where appropriate with the knowledge and consent of the individual concerned

Question 55

Data Quality Principle

Answer 55

Personal information must be relevant, complete, accurate and up to date

Question 56

Purpose Specification Principle

Answer 56

The purpose for which the personal information is to be used must be specified not later than at the time of collection and any use must be compatible with that purpose

Question 57

Use Limitation Principle

Answer 57

Any disclosure of personal information must be consistent with the purposes specified unless the individual has given consent or the data controller has lawful authority to do so

Question 58

Security Safeguards Principle

Answer 58

Reasonable security safeguards must be taken against risk such as a loss or unauthorized access, destruction, use, modification or disclosure of personal information.

Question 59

Openness Principle

Answer 59

There should be a general policy of openness with respect to the uses of personal information, as well as the identity and location of the data controller

Question 60

Individual Participation Principle

Answer 60

This sets out what an individual is entitled to receive from a data controller pursuant to a request for his or her personal information. This has become one of the most important aspects of subsequent data protection legislation

Question 61

Accountability Principle

Answer 61

A data controller should be accountable for complying with measures that ensure the principles state above