CIPP Flashcards
Pass the fucking exam
4 Classes of Privacy
- Information Privacy
- Communications Privacy
- Bodily Privacy
- Territorial Privacy
Information Privacy
Rules that govern the collection and handling of personal info:
- Financial and medical info
- Government Records
- Internet activity
Communications Privacy
Establishes protection of the means of correspondence, such as:
- Postal Mail
- Telephone Conversations
Territorial Privacy
Establishes placing limits on the ability to intrude into another individual’s environment including:
- Home
- Workplace
- Public Space
Fair Information Practices - 4 Principles
Set of principles that consider: 1. rights of individuals 2. controls on the information 3. the info life-cycle 4. management. They are guidelines for handling, storing and managing personal info properly.
Data Protection Authority
Enforces privacy or data protection laws and regulations. The US has no national data protection authority, but several groups oversee privacy matters (FTC, state attorneys general, federal financial regulators)
Data Controller
An organization or individual with the authority to decide how and why information about data subjects is to be processed
Data Subject
An individual about whom information is being processed. Ex. Consumer, employee, patient
Data Processor
An organization or individual, often a third-party outsourcing service that process data on behalf of the data controller
Personal Information
Information that makes it possible to identify an individual
Nonpersonal Information
Anonymizing personal information by removing identifying elements renders it nonpersonal
Sensitive personal information
A subset of personal information; usually requires additional safeguarding of its collection, use and disclosure
Pseudonymized Information
A unique code or pseudonym is used as a temporary solution to protecting information. It is reversible
Examples of Public Records
Real estate records, birth and death records, licensing records, statistical data
Examples of Publicly available information
Telephone books, public media, newspapers, search engine results
Examples of Nonpublic information
Medical records, financial information, customer databases, adoption records
Federal Trade Commission (FTC)
Has general authority to enforce rules against unfair and deceptive trade practices.
- has power to bring enforcement actions where privacy promise is broken
- has statutory responsibility for issues such as children’s online privacy and commercial email marketing
Federal Communications Commission (FCC)
Places significant compliance regulations on the marketplace. Governs the communications industry, such as television, radio, telemarketing, and online marketing. Along with the FTC, the FCC also enforces privacy law.
US Department of Commerce (DOC)
Plays a leading role in federal privacy policy development and administers the Privacy Shield Framework between the US and the EU. The DOC works with the FTC on enforcement of privacy and security standards by organizations.
Department of Health and Human Services (HHS)
Created regulations to protect the privacy and security of healthcare information. It is responsible for the enforcement of HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the HITECH Act.
Federal Reserve Board
As a federal financial regulator, the FRB enforces provisions of specific financial mandates such as the Gramm-Leach-Bliley Act (GLBA).
Office of the Comptroller of the Currency (OCC)
An independent bureau of the US Department of the Treasury. It regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Additionally, the OCC ensures fair access to financial services and compliance with financial privacy laws and regulations.
State Attorney General
The state attorney general is the chief legal advisor to the state government as well as the state’s chief law enforcement officer. They may take enforcement action on a state’s unfair and deceptive practice laws, HIPAA, GLBA, the Telemarketing Sales Rule and violations of breach notification laws.
Self-regulatory programs and trust marks
Refers to many approaches to privacy protection. Many industry groups create and monitor their own privacy guidelines and practices.
Consent Decree
An agreement or settlement that resolves a dispute between two parties without admission of guilt or liability.
3 branches of government
Executive, Legislative, Judicial
Executive Branch
Enforces Laws, made up of President, VP, cabinet and federal agencies
Legislative Branch
Makes Laws, made up of Congress, House and Senate
Judicial Branch
Interprets Laws, made up of federal courts
Constitution
The US Constitution is the supreme law in the US. While the word privacy is not mentioned in the Constitution, there are parts that directly affect it, such as the Fourth Amendment. State constitutions are also sources of law and can create stronger rights than those provided by the US Constitution.
Legislation
Privacy and security laws have been passed by both federal and state legislatures. These regulations are implemented across numerous industries, from healthcare and education to finance and surveillance. State legislation may be stricter than national legislation; in other cases, federal law overrides state laws, as with HIPAA and CAN-SPAM.
Regulations and Rules
Regulatory agencies, such as the Federal Trade Commission and Federal Communications Commission, issue regulations and rules that place compliance expectations on industries, such as marketing.
Case Law
When final decisions are made by judges in court cases, this is known as case law. Often judges will look to past decisions and rule in the new case in a manner consistent with a past decision. These precedents do change, however, as technology and societal values and laws evolve over time.
Common Law
These laws refer to legal principles that have developed over time through judicial decisions and contrast with statutory laws. Drawing from social customs and expectations, doctor-patient and attorney-client confidentiality are examples of common law.
Consent Decree
Consent decrees are agreements or settlements that resolve a dispute between two parties without admission of guilt or liability. Through a legal document approved by a judge, the defendant may have to take specific action, such as agreeing to stop the alleged illegal activity, or pay money to the government and agree not to violate the relevant law in the future.
Contract Law
A legally binding contract must include an offer, such as terms of agreement; acceptance by the person to whom the offer was made; and consideration, which is a bargained-for exchange, as in money, property or services. The contract is usually enforceable in a court of law, or in arbitration by a neutral third party where agreed upon by the parties. In regard to privacy, the contract may include provisions on data usage, security, and breach notification.
Tort Law
Torts are civil wrongs recognized by law as grounds for a lawsuit. The primary goal of the lawsuit is to provide relief for damages incurred and deter others from committing the same wrongs. There are three general tort categories: intentional, negligent, and strict liability.
Private Right of Action
The ability of an individual harmed by a violation of a law to file a lawsuit against the violator
Jurisdiction
The authority of a court to hear a particular case.
Authority
Permission to regulate a field of activity or a singular activity, which is outlined by legislation.
Preemption
A superior government’s ability to have its laws supersede those of an inferior government
6 Tenets to Understanding Privacy Laws
- Who is covered by the Law? (identifies an organization or person)
- What types of info and what uses of info are covered? (Explains the scope, suggests good practices or trends)
- What exactly is required or prohibited? (How one must comply with the law)
- Who enforces the law?
- What happens if I don’t comply? (assesses the risk of failing to comply with the law)
- Why does this law exist? (Fosters understanding and improvement of the law)
Federal Trade Commission (FTC)
Has general authority to enforce rules against unfair and deceptive trade practices. This also includes the power to bring deception enforcement actions where an organization has broken a privacy promise. Additionally, the FTC has statutory responsibility for issues such as children’s online privacy and commercial email marketing, and has been instrumental in developing US privacy standards.
Federal Communications Commission
Places significant compliance regulations on the marketplace. It governs the communications industry, such as television, radio and telemarketing, and more recently online marketing, through laws such as the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (known as the CAN-SPAM Act). Along with the FTC, the FCC also enforces privacy law.
US Department of Commerce
The Department of Commerce plays a leading role in federal privacy policy development and administers the Privacy Shield Framework between the US and the EU. The Department of Commerce works along with the FTC on the enforcement of privacy and security standards set by organizations, particularly with those having privacy self-regulatory programs.
Department of Health and Human Services
Created regulation to protect the privacy and security of healthcare information. It is responsible for the enforcement of HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Federal Reserve Board
Enforces provisions of specific financial mandates, such as the Gramm-Leach-Bliley Act (GLBA). The Consumer Financial Protection Bureau, an independent bureau under the Federal Reserve, has rule-making authority for laws related to financial privacy and oversees the relationship between consumers and financial product and service providers.
Office of the Comptroller of the Currency
An independent bureau of the US Department of Treasury. It regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Additionally, the OCC ensures fair access to financial services and compliance with financial privacy laws and regulations.
State Attorney General
Chief legal advisor to the state government, as well as the state’s chief law enforcement officer. They may take enforcement action on a state’s unfair and deceptive practice laws, HIPAA, GLBA, the Telemarketing Sales Rule and violations of breach notification laws.
Self-Regulatory Programs
Refers to many approaches to privacy protection. Many industry groups create and monitor their own privacy guidelines and practices. Government agencies, such as the FTC, may be involved in enforcement and adjudication. Organizations may also adopt the guidelines of a third party and have that third party monitor and enforce compliance, as in third-party seal and certification programs such as TrustArc, the Better Business Bureau and the EU-US Privacy Shield.
EEC
European Economic Community
Universal Declaration of Human Rights
(1948) Followed WWII; established the right to private life and associated freedoms (Article 12) and the right to freedom of expression (Article 19)
ECHR
European Convention on Human Rights
Collection Limitation Principle
Personal information must be collected fairly and lawfully and, where appropriate, with the knowledge and consent of the individual concerned
Data Quality Principle
Personal information must be relevant, complete, accurate and up to date
Purpose Specification Principle
The purpose for which the personal information is to be used must be specified no later than at the time of collection, and any use must be compatible with that purpose
Use Limitation Principle
Any disclosure of personal information must be consistent with the purposes specified unless the individual has given consent or the data controller has lawful authority to do so
Security Safeguards Principle
Reasonable security safeguards must be taken against risks such as loss or unauthorized access, destruction, use, modification or disclosure of personal information.
Openness Principle
There should be a general policy of openness with respect to the uses of personal information, as well as the identity and location of the data controller
Individual Participation Principle
This sets out what an individual is entitled to receive from a data controller pursuant to a request for his or her personal information. This has become one of the most important aspects of subsequent data protection legislation
Accountability Principle
A data controller should be accountable for complying with measures that ensure the principles stated above