CIPP Glossary Part 1

Question 1

A computer record of an individual’s medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.

Answer 1

Electronic Health Record

Question 2

A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence.

Answer 2

Factortame

Question 3

What are the eight Fair Information Practice Principles

Answer 3

(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
(3) The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
(4) The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law.
(5) The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
(6) The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
(7) The Individual Participation Principle. An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended;
(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

Question 4

NAME?

Answer 4

Binding Corporate Rules (BCR)

Question 5

Also known as a record of authority, identifiespersonal dataas it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

Answer 5

Data Inventory

Question 6

The now-defunct Data Retention Directive was designed to align the rules on data retention across the EU member states in order to ensure the availability of traffic and location data for serious crime and antiterrorism purposes. The Data Retention Directive is no longer part of EU law, although member states retain competence to adopt their own national data retention laws under Article 15(1) of the ePrivacy Directive (2002/58/EC) provided that those laws comply with the fundamental rights principles that form part of EU law and the CJEU ruling that struck down the Data Retention Directive. Accordingly, EU member states have introduced draft legislative amendments or implemented national data retention laws at an individual country level

Answer 6

Data Retention Directive

Question 7

A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that (e)veryone has the right to respect for his private and family life, his home and his correspondence. Article 8 of the Convention limits a public authority s interference with an individual s right to privacy, but acknowledges an exception for actions in accordance with the law and necessary to preserve a democratic society. This created the Council of Europe (see Council of Europe) and the European Court of Human Rights (see European Court of Human Rights).

Answer 7

European Convention on Human Rights

Question 8

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is significantly engaged in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-publicpersonal information, defined broadly to include a consumer s name and address, and consumers interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability toopt-outof some sharing of personal financial information.

Answer 8

Gramm-Leach-Bliley Act

Question 9

Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees personal data. These rules must include suitable and specific measures to safeguard the data subject s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.

Answer 9

Employee Personal Data

Question 10

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

Answer 10

Assess

Question 11

A processing operation that is performed without any human intervention. -Profiling- is defined in the General Data Protection Regulation, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to object to such processing.

Answer 11

Automated Processing

Question 12

is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law.

Answer 12

Court of Justice of the European Union

Question 13

An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).

Answer 13

EU-U.S. Safe Harbor Agreement

Question 14

An expansion of theFair Credit Reporting Actwhich focuses on consumer access and identity theft prevention. The act mandates thatcredit reporting agenciesallow consumers to obtain a free credit report once every twelve months. Additionally, it allows consumers to request alerts when a creditor suspects identity theft and gave theFederal Trade Commission(FTC) authority to promulgate rules to prevent identity theft. The FTC used the authority to create theRed Flags Rule.

Answer 14

Fair and Accurate Credit Transactions Act of 2003

Question 15

One of two chambers of theCanadian Parliament, along with theSenate. Members of theHouse of Commonsare elected at least every five years.

Answer 15

House of Commons

Question 16

Linked graphic or text that is used to connect an end user to other websites, parts of websites or web-enabled services. TheURLof a web location is embedded in theHTMLcode, so that when certain words or images are selected through the web browser, the end user is transported to the destination website or page.

Answer 16

Hyperlink

Question 17

What are three Bureau of the FTC

Answer 17

Competition, Consumer Protection, and Economics

Question 18

A position within an organization that is responsible for managing risks of privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005

Answer 18

Chief Privacy Officer (Agency level) (CPO)

Question 19

A federal law governing the behavior of federal advisory committees, restricting the formation of such committees to those deemed essential, limiting their powers and their length of operation, requiring open meetings and open records and mandating a publicly-accessible government-wide database.

Answer 19

Federal Advisory Committee Act, The

Question 20

A federal law requiring agencies found of data mining to submit a yearly report to Congress. The privacy office of that agency must be involved in producing the report. The report will be made public and describe all of the agency s data-mining activity, goals and an assessment of the effectiveness of the data mining activity.

Answer 20

Federal Agency Data Mining Reporting Act

Question 21

is responsible for the functions that are critical to the success of the Canadian CA profession. -xxx-, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications

Answer 21

Canadian Institute of Chartered Accountants (CICA)

Question 22

A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.

Answer 22

Freedom of Information Act, The

Question 23

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13

Answer 23

Childrens Online Privacy Protection Act (COPPA) of 1998

Question 24

Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location based services.

Answer 24

Electronic Surveillance

Question 25

FOIA stands for

Answer 25

Freedom of Information Act

Question 26

An entity that enforces the nation’s antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.

Answer 26

FTC, Bureau of Competition

Question 27

In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

Answer 27

Anonymous Information

Question 28

One of the General Data Protection Regulation’s explicitly stated data protection principles, personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.

Answer 28

Data Quality (EU specific)

Question 29

A secure network communication method, technically not a protocol in itself, HTTPS is the result of layering theHypertext Transfer Protocol(HTTP) on top of theSSL/TLSprotocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.

Answer 29

Hypertext Transfer Protocol Secure

Question 30

The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit -xxx-

Answer 30

Caching

Question 31

Germany’s federal data protection act, implementing the General Data Protection Regulation. With the passage of the GDPR, it replaced a previous law with the same name (hence -neu- in common parlance) and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the new version suggests a procedure for national data protection authorities to challenge adequacy decisions of the EU Commission

Answer 31

Bundesdatenschutzgesetz-neu

Question 32

The data protection regulator for the European Union as an entity, ensuring the EU institutions, such as the Parliament, Commission, and Council of the European Union, protect the rights and freedoms of data subjects. The EDPS acts as secretariat to the European Data Protection Board (see European Data Protection Board).

Answer 32

European Data Protection Supervisor

Question 33

Use of employees own personal computing devices for work purposes.

Answer 33

Bring Your Own Device (BYOD)

Question 34

Collects data to meet the nations statistical needs. Because the data that the -xxx- collects is often highly personal in nature, and the -xxx- depends on the trust of the individuals and businesses that supply the data, privacy protection is a high priority

Answer 34

Census Bureau

Question 35

The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.

Answer 35

Contextual Advertising

Question 36

The General Data Protection Regulation requires that consent be a freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject must have a genuine choice, must be able to refuse or withdraw consent without fear of consequence. Where there is a power imbalance, as in an employer-employee relationship, for example, it’s likely that consent cannot be freely given.

Answer 36

Freely Given

Question 37

The -xxx’ is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a -xxx- often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.

Answer 37

Business Continuity Plan (BCP)

Question 38

In order to ensure the consistent application of the General Data Protection Regulation throughout the European Union, the GDPR establishes a -xxx- that allows member state supervisory authorities to cooperate with one anotherThe mechanism applies particularly where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several member states. When a member state supervisory authority intends to take action, such as approving a code of conduct or certification mechanism, it shall provide a draft to the European Data Protection Board, and the EDPB’s members shall render an opinion on that draft, which the supervisory authority shall take into account and then either amend or decide to go forward with the draft in its original form. Should there be significant difference in opinion, the dispute resolution mechanism will be triggered

Answer 38

Consistency Mechanism

Question 39

As technology has advanced, it has become easier to differentiate between users just based on the given instance of the browser they are using. Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements have been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.

Answer 39

Browser Fingerprinting

Question 40

xxxxx laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise

Answer 40

Anti-discrimination Laws

Question 41

In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.

Answer 41

Data Portability

Question 42

xxx is taking user identifications and converting them into an ordered system to track the users activities without directly using personally identifiable information (PII).

xxx can be used to encryptor map data; in the context of privacy, hashing is used in cryptographichash functions and have many information security applications.

Answer 42

Hashing Functions

Question 43

A term often used to refer to a supervisory authority, which is an independent public authority responsible for monitoring the application of the General Data Protection Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the European Union. xxx also oversee other data protection-related laws, such as the ePrivacy Directive and other local member state laws.

Answer 43

Data Protection Authority (DPA) (EU specific)

Question 44

xxx implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect

Answer 44

Establishment

Question 45

In the context of data protection law, xxx can be defined as personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations. While xxx is offered in the General Data Protection Regulation as an example of processing for the legitimate interest of an organization, it also says the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such xxx.

Answer 45

Direct Marketing (EU specific)

Question 46

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

Answer 46

American Institute of Certified Public Accountants

Question 47

Used in Plan-driven Development Models, a xxx is a detailed outline of how a software product or system will work once it is fully operational. This is used to shape how a product or system will be designed and implemented

Answer 47

Concept of Operations

Question 48

An identified or identifiable natural person.

Answer 48

Data Subject

Question 49

An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.

Answer 49

Established Business Relationship

Question 50

In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset.

xxxx criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. .

Answer 50

Authorization

Question 51

Attacks that exploit flaws in the network applications installed on network servers.

Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks

Answer 51

Application-Layer Attacks

Question 52

The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor s web browser, operating system and font preferences.

In some cases, combining this information can be used to xxx a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for xxx techniques to be used for targeted advertising.

Answer 52

Digital Fingerprinting

Question 53

Advertising that is targeted at individuals based on the observation of their behaviour over time.

Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of -xxx- advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

Answer 53

Behavioral Advertising

Question 54

Japanese legislation aimed at the financial services sector that established cross-sectional legislative framework for investor protections, enhanced disclosure requirements, provided guidelines for the management of self-regulatory operations by financial exchanges, and implemented strict countermeasures against unfair trading.

Answer 54

Financial Instruments and Exchange Law of Japan

Question 55

A comprehensive set of reform measures, developed by the xxx Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector

Answer 55

Basel III

Question 56

Common law tort focuses on a false or defamatory statement, defined as a communication tending so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

Answer 56

Defamation

Question 57

This is the main decision-making body of the EU, with a central role in both political and legislative decisions.

The council was established by the treaties of the 1950s, which laid the foundations for the EU, and works with the European Parliament to create EU law.

Answer 57

Council of the European Union (28 Members)

Question 58

A networking language that manages data packets over the Internet.

It defines how messages are formatted and transmitted over a TCP/IP network for websites. Further, it defines what actions Web servers and web browsers take in response to various commands.

Answer 58

Hypertext Transfer Protocol

Question 59

xxx is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.

Answer 59

Convention 108

Question 60

A cryptographic algorithm applied to unencrypted text to disguise its value or to decrypt encrypted text.

Answer 60

Encryption Key

Question 61

The requirement under the General Data Protection Regulation that the European Data Protection Board and each supervisory authority periodically report on their activities.

The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission

Answer 61

Annual Reports

Question 62

The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable.

The xxx has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act

Answer 62

Federal Communications Commission (FCC)

Question 63

Used as a means of assuring compliance with privacy rules and policies in the design of new software systems. xxx take privacy rules and compare them to the system requirements that have been used to design a new software system.

By pairing privacy rules with specific system requirements, necessary technical safeguards can be accounted for, preventing the software from being designed in such a way that would violate privacy policies and regulations.

Answer 63

Completeness Arguments

Question 64

Passed in response to the increased use of the Internet by U.S. federal agencies, the act was designed to ensure the quality of information released by agencies by establishing four major requirements:

(1) Office of Management and Budget (OMB) was to issue guidelines -ensuring and maximizing the quality, objectivity, utility and integrity- of disseminated information;
(2) agencies must issue their own sets of information quality guidelines;
(3) agencies must establish administrative mechanisms for persons to correct erroneous information about themselves;
(4) agencies must annually report to OMB regarding the number, nature and handling of complaints.

Answer 64

Data Quality Act of 2000

Question 65

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

Answer 65

Data Controller

Question 66

Unwritten legal principles that have developed over time based on social customs and expectations.

Answer 66

Common Law

Question 67

Organizations may want to verify an applicants ability to function in the working environment as well as assuring the safety and security of existing workers.

xxx range from checking a persons educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.

Answer 67

Background Screening/Checks

Question 68

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union.

It is also responsible for making adequacy determinations with regard to data transfers to third-party countries

Answer 68

European Commission

Question 69

After the savings and loans crisis of the 1980s, the U.S Congress passed xxx to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a Financial institution fails to comply with the information privacy requirements contained in GLBA.

Answer 69

Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA )

Question 70

The idea that one should only collect and retain that personal data which is necessary.

Answer 70

Data Minimization Principle

Question 71

Independent public authorities that supervise the application of data protection laws in the EU.

xxx provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own xxx. Under GDPR, xxx have extensive enforcement powers, including the ability to impose fines that total 4% of a company s global annual revenue.

Answer 71

Data Protection Authority (DPA)

Question 72

The practice of customizing an advertisement for a product or service to a specific market based on the geographic location of potential customers.

Answer 72

Geotargeting

Question 73

Entities that collect, aggregate and sell individuals personal data, derivatives and inferences from disparate public or private sources.

Answer 73

Data Brokers

Question 74

An independent U.S. federal agency that enforces laws against workplace discrimination.

The xxx investigates discrimination complaints based on an individual’s race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.

Answer 74

Equal Employment Opportunity Commission, The (EEOC)

Question 75

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

xxx do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

Answer 75

Data Breach

Question 76

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

Answer 76

Collection Limitation

Question 77

What is Ciphertext

Answer 77

Encrypted (enciphered) data.

Question 78

The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.

It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts. xxxs are required by the General Data Protection Regulation in some instances, particularly where a new product or service is likely to result in a high risk to the rights and freedoms of natural persons.

Answer 78

Data Protection Impact Assessment (DPIA)

Question 79

A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

Answer 79

Health Breach Notification Rule

Question 80

xxx outline the basic contours of the measures an organization takes in the processing and handling of personal data.

Key matters the policy should address include: Scope, which explains both to whom the internal policy applies and the type of processing activities it covers; Policy statement; Employee responsibilities; Management responsibilities; Reporting incidents; Policy compliance.

Answer 80

Data Protection Policy (DPP)

Question 81

A content authoring language used to create web pages.

Web browsers use xxx to interpret and render visible and audible content from the web pages. Document tags can be used to format and lay out web page content and to hyperlinkconnect dynamically to other web content. Forms, links, pictures and text may all be added with minimal commands

Answer 81

Hypertext Markup Language (HTML)

Question 82

xxx is the creation of virtual perimeters linked to the geographic position of a mobile device.

In the BYOD context, xxx may be used to restrict access to applications or sensitive information inside of or outside of specific locations. For example, a company may be able to restrict access to potentially risky applications on a personal device when the device is connected to the company s network or, conversely, restrict access to company resources when the device is outside of the company s network.

Answer 82

Geofencing

Question 83

A firewall configuration for securinglocal area networks(LANs).

In a xxx configuration, there are a set of computers that act as a broker for traffic between the LAN and an outside network allowing the majority of computers to run safely behind a firewall. Thus these computers act as a broker similar to a joint security area in a political demilitarized zone.

Answer 83

DMZ (Demilitarized Zone) Network

Question 84

launched in 1949, is a human rights organization with 47 member countries, including the 28 member states of the European Union.

The members have all signed the European Convention on Human rights and are subject to the European Court of Human Rights. The Council’s Convention 108 (see Convention 108) was the first legally binding international agreement to protect the human right of privacy and data protection

Answer 84

Council of Europe

Question 85

What are the three V’s of Big data?

Answer 85

the three Vs:
volume (the amount of data),
velocity (the speed at which data may now be collected and analyzed), and
variety (the format, structured or unstructured, and type of data, e.g. transaction or behavioral).

Question 86

Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.

xxx must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

Answer 86

Codes of Conduct

Question 87

When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons

Answer 87

Active Data Collection

Question 88

What 3 entities are excluded from PIPEDA commercial activity definition

Answer 88

1. Non-profit associations
2. unions
3. Private Schools

Question 89

Amending the U.S.Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after five years, but with this act the registrations became permanent.

Answer 89

Do-Not-Call Improvement Act of 2007

Question 90

What are the three principle of CIA?

Answer 90

1. Confidentiality
2. Integrity,
3. Availability.

Question 91

When was the Charter of Rights and Freedoms added to the Canadian Constitution?

Answer 91

1982

Question 92

A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information

Answer 92

Canadian Organization for the Advancement of Computers in Health (COACH)

Question 93

The implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

Answer 93

Data Protection by Default

Question 94

A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.

Answer 94

Consumerization of Information Technology (COIT)

Question 95

COPPA required website operator to do the following 7 things

Answer 95

1. To post a privacy notice on the homepage of the website;
2. provide notice about collection practices to parents; 3.obtain verifiable parental consent before collecting personal information from children;
3. give parents a choice as to whether their child’s personal information will be disclosed to third parties;
4. provide parents access and the opportunity to delete the child’s personal information and
5. opt out of future collection or use of the information, and
6. maintain the confidentiality, security and integrity of personal information collected from children.

Question 96

A form of data encryption that uses two separate but related keys to encrypt data.

The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.

Answer 96

Asymmetric Encryption

Question 97

A consumer-initiated security measure which locks an individuals data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.

Answer 97

Credit Freeze

Question 98

Websites with online ordering capabilities have special privacy advantages and risks. Unlike other web advertisers, xxx websites have direct access to information regarding user purchases and payment information. While creating a great opportunity for targeted advertising, it also puts extra onus on these websites to protect user information.

Answer 98

E-Commerce Websites

Question 99

The order that provides information about the goals, direction, duties and responsibilities with respect to the national intelligence effort and provides basic information on how intelligence activities should be conducted.

The executive order states that agencies within the intelligence community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned, and must be approved by the attorney general.

Answer 99

Executive Order 12333

Question 100

The xxx replaced the EEC, which was created by the Treaty of Rome and first promoted a single economic market across Europe. The xxx currently comprises 28 member states:

Answer 100

European Union

Question 101

A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file.

If anything is changed in the electronic document after the xxx is attached, the signature is rendered invalid.

Answer 101

Digital Signature

Question 102

Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals;

networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.

Answer 102

Electronic Communications Network

Question 103

An element in an access control list (ACL).

Each xxx , monitors, or records access to an object by a specified user.

Answer 103

Access Control Entry

Question 104

An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.

Answer 104

Attribute-Based Access Control

Question 105

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

Answer 105

Case Law

Question 106

It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Answer 106

Individual Participation

Question 107

Under Canada’s PIPEDA, xxx means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

Answer 107

Commercial Activity

Question 108

Specific details about how a system should work, what inputs create what outputs, and design elements to be implemented.

For example, A system shall do processing of personal information to create user profiles.

Answer 108

Functional System Requirements

Question 109

An encryption algorithm for security sensitive non-classified material by the U.S. Government.

This algorithm was selected in 2001 to replace the previous algorithm, the Date Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.

Answer 109

Advanced Encryption Standard (AES)

Question 110

Originally an acronym for xxx, it has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise.

Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

Answer 110

closed circuit television (CCTV)

Question 111

Canadian xxx applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.

Answer 111

Canadas Anti-Spam Legislation

Question 112

Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.

xxx must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

Answer 112

Certification Mechanisms

Question 113

What does COPPA stand for?

Answer 113

Childrens Online Privacy Protection Act

Question 114

A U.S. federal law enacted as part of the E-Government Act of 2002.

The act requires each federal agency to develop, document and implement an agency-wide program to provide information security for the data and data systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.

xxx requires agency program officials, chief information officers and inspectors general to conduct annual reviews of the agency s information security program and report the results to Office of Management and Budget.

Answer 114

Federal Information Security Management Act of 2002, The (FISMA)

Question 115

Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. xxx can exist under both comprehensive and sectoral models.

Answer 115

Co-regulatory Model

Question 116

The provision of information technology services over the Internet.

These services may be provided by a company for its internal users in a -private cloud- or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems).
xxx has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models

Answer 116

Cloud Computing

Question 117

A US government entity that stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.

Answer 117

FTC, Bureau of Consumer Protection

Question 118

What are the 5 phase of the Audit Life Cycle

Answer 118

Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Question 119

A network system formed through the connection of two or more corporate intranets. These external networks create inherent security risks, while often also meeting important organizational goals.

Answer 119

Extranet

Question 120

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.

Answer 120

Centralized governance

Question 121

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, -xxx- is the individual’s way of giving permission for the use or disclosure. -xxx-may be affirmative; i.e., opt-in; or implied; i.e., the individual didnt opt out.(1) Affirmative/Explicit -xxx-: A requirement that an individual –signifies– his or her agreement with a data controller by some active communication between the parties.(2) Implicit -xxx-: Implied -xxx- arises where -xxx- may reasonably be inferred from the action or inaction of the individual.

Answer 121

Consent (aka choice)

Question 122

Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, xxx is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, xxx counted 50 member countries.

Answer 122

Global Privacy Enforcement Network (GPEN)

Question 123

What year was COPPA implemented

Answer 123

1998

Question 124

A U.S. law that bars discrimination against qualified individuals with disabilities.

Answer 124

Americans with Disabilities Act (ADA)

Question 125

As defined in the U.S. Fair Credit Reporting Act: Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes, or (2) employment purposes, or (3) other purposes authorized under section 604. The term does not include any (A) any report containing information solely as to transactions or experiences between the consumer and the person making the report; (B) authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; or (C) report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made and such person makes the disclosures to the consumer required under section 615.

Answer 125

Consumer Report

Question 126

xxx, generally requires multi-member federal agencies; i.e., the FCC and SEC, to hold their meetings in public and to give advance public notice of their meetings. The goal of the xxx is to promote public access to information about the decision-making processes of the federal government and to improve those processes by exposing them to public view.

Answer 126

Government in the Sunshine Act

Question 127

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.

Answer 127

Business Continuity and Disaster Recovery Plan (BCDR)

Question 128

The process of de-identifying,anonymizing, or otherwise obscuring data so that the structure remains the same but the content is no longer sensitive in order to generate a data set that is useful for training or software testing purposes.

Answer 128

Data Masking

Question 129

Also known as information security triad; three common information security principles from the 1960s,

Answer 129

CIA Triad

Confidentiality, integrity, availability.

Question 130

A sectoral privacy directive for European Union Member States, which applies to the digital industry. Among other provisions, the xxx requires websites to obtain consumer consent before placing cookies for marketing purposes.
The EU is currently considering reform of the xxx.

Answer 130

ePrivacy Directive

Question 131

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

Answer 131

Computer Forensics

Question 132

One of the four classes of privacy, It focuses on a persons physical being and any invasion thereof.

Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

Answer 132

Bodily Privacy

Question 133

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.

Answer 133

Authentication

Question 134

A set of non-binding principles that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Answer 134

APEC (Asian-Pacific Economic Cooperation) Privacy Principles

Question 135

Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission.

It also applies to onward transfers from one third country or international organisation to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.

Answer 135

Cross-border Data Transfers (EU specific)

Question 136

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Answer 136

Direct Marketing

Question 137

Article 5 of the General Data Protection Regulation lists the principles as such: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality.

Answer 137

Data Protection Principles

Question 138

They are constitutional rights and thus are considered to be the most valued rights in Canada. The xxx and Freedoms was made part of the Canadian Constitution in 1982.

Answer 138

Charter Rights

Question 139

A U.S. federal law regulating the way that U.S. intelligence agencies conduct foreign intelligence surveillance activities, including wiretaps and the interception of communications.

The act sets forth a judicial approval process required when the government targets U.S. persons located within the United States. FISA allows warrantless surveillance to be conducted without a court order for up to one year, provided the surveillance is for foreign intelligence information, is targeting foreign powers and will not capture the contents of any communication to which a U.S. person is a party. Generally speaking, FISA does not apply to activities directed at persons overseas.

Answer 139

Foreign Intelligence Surveillance Act of 1978, The

Question 140

One of the four classes of privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

Answer 140

Communications Privacy

Question 141

A computer program or algorithm that replicates itself over a computer network, usually performing malicious actions.

Answer 141

Worm

Question 142

A court case in which the Court of Appeal of the United Kingdom narrowed the definition of personal data under the Data Protection Act of 1998. It established a two-stage test; the information must be biographical in a significant sense and the individual must be the focus of the information.

Answer 142

Durant v. Financial Services Authority

Question 143

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Answer 143

Data Recipient

Question 144

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The General Data Protection Regulation instituted new rules for notification of supervisory authorities and data subjects following the discovery of a data breach, depending on the risk the breach presents to the rights and freedoms of data subjects

Answer 144

Data Breach (EU specific)

Question 145

The rules and safeguards applying under various laws and regulations to personal data about individuals that organizations collect, store, use and disclose. Data protection is the professional term used in the EU, whereas in the U.S. the concept is generally referred to as information privacy. Importantly, data protection is different from data security, since it extends beyond securing information to devising and implementing policies for its fair use

Answer 145

Data Protection

Question 146

The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata (see Metadata). The ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of -xxx-.

Answer 146

Content Data

Question 147

Consists of three main categories of personal data, as defined in the European Union under the ePrivacy Directive: the content of a communication, traffic data, and location data.

Answer 147

Electronic Communications Data

Question 148

Previously, the EU distinguished between Binding Corporate Rules for controllers and -xxx-. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both

Answer 148

Binding Safe Processor Rules (BSPR)

Question 149

A company that allows advertising clients to buy digital media on several different selling systems, or exchanges, through one interface.

Answer 149

Demand Side Platform (DSP)

Question 150

A company that serves as a broker between a group of publishers and a group of advertisers. Networks traditionally aggregate unsold inventory from publishers in order to offer advertisers a consolidated and generally less expensive pool of impressions, but they can have a wide variety of business models and clients

Answer 150

Ad Network

Question 151

An activity that involves comparingpersonal dataobtained from a variety of sources, includingpersonal informationbanks, for the purpose of making decisions about the individuals to whom the data pertains.

Answer 151

Data Matching

Question 152

The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects

Answer 152

Breach Disclosure (EU specific)

Question 153

Also known asInformation Life Cycle Management(ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure;information security; authenticity and accuracy of one s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

Answer 153

Data Life Cycle Management

Question 154

The General Data Protection Regulation requires that an organization be able to ensure the ongoing:

Answer 154

1. confidentiality, 2.integrity, 3.availability and 4.resilience of processing systems and services as part of its requirements for appropriate security

Question 155

Part of the consistency mechanism (see Consistency Mechanism) of the General Data Protection Regulation, xxx is required between supervisory authorities when working with controllers or processors handling the personal data of data subjects in multiple member states. This is often referred to as the -one-stop shop,- whereby a lead supervisory authority works with the supervisory authorities of other member states with affected data subjects.

Answer 155

Cooperation

Question 156

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

Answer 156

Customer Information

Question 157

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals privacy and personal data use

Answer 157

EU Data Protection Directive

Question 158

A catch-all term for various technologies and browser settings designed to allow data subjects to indicate their objection to tracking by websites. Years of effort, by the W3C and other organizations, to create an official Do Not Track standard for HTTP headers has of yet led to naught.

Answer 158

Do Not Track (DNT)

Question 159

Shorthand for the case of Google Spain v AEPD and Mario Costeja Gonz ­lez, where Costeja successfully sued Google Spain, Google Inc. and La Vanguardia newspaper. When the Court of Justice of the EU ruled that Google Spain must remove the links to the article, the -right to be forgotten- (see Right To Be Forgotten) was effectively established in the European Union. The General Data Protection Regulation subsequently more formally granted data subjects the right to deletion in certain circumstances

Answer 159

Costeja

Question 160

A rule, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

Answer 160

Final Health Breach Notification Rule

Question 161

The process of assigning geographic coordinates to non-locational data so that they can be placed as points on a map. For example, geocoding could be used to translate a street address (which describes a location) into precise coordinates that identify the location on a map

Answer 161

Geocoding

Question 162

A corporation that acts as a regulator for brokerage firms and exchange markets. Its primary charge is to make sure that security exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors. Although it is a non-governmental regulator, ultimately it is subject to the regulations of the Securities and Exchange Commission along with the rest of the security exchange industry

Answer 162

Financial Industry Regulatory Authority

Question 163

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance

Answer 163

Fair Credit Reporting Act, The

Question 164

One of 10 privacy principles ofPIPEDA. Organizations must be able to respond to requests from individuals for access to theirpersonal information.

Answer 164

Individual Access

Question 165

The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018. The aim of the GDPR is to provide one set of data protection rules for all EU member states and the European Economic Area (EEA). The document comprises 173 recitals and 99 articles.

Answer 165

General Data Protection Regulation

Question 166

Created by the Dodd-Frank Act, the -xxx- is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created xxx took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against abusive acts and practicesƒ  as specified by the Dodd-Frank Act.

Answer 166

Consumer Financial Protection Bureau (CFPB)

Question 167

List 3 ways Anonymization can occur

Answer 167

Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.

Question 168

The title given in some member states to the supervisory authority

Answer 168

Data Protection Commissioner

Question 169

The successor to the Article 29 Working Party, it consists of the heads of the supervisory authorities of the member states and the European Data Protection Supervisor (see European Data Protection Supervisor), and the Commission is entitled to send a delegate to its meetings. The EDPB s role is to ensure the consistent application of the Regulation and, in addition to supporting cooperation between the regulators and applying the consistency mechanism (see Consistency Mechanism), it shall publish advice, guidance, recommendations and best practices. The supervisory authorities elect a chairperson, with certain powers, from amongst their membership.

Answer 169

European Data Protection Board

Question 170

A scheme that provides the basis for managing access to, and protection of, data assets.

Answer 170

Data Classification

Question 171

Data is -xxx- if it is protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Answer 171

Confidentiality

Question 172

What 4 Situations are typically covered in BCP

Answer 172

Fire, Flood, Natural disasters, and terrorist attacks

Question 173

Adopted either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism (see Consistency Mechanism) and then adopted by the Commission, xxx are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Answer 173

Contractual Clauses

Question 174

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.

Answer 174

The Bank Secrecy Act

Question 175

The only EU institution whose members are directly elected by citizens of individual member states, Parliament has four responsibilities legislative development, supervisory oversight of other institutions, democratic representation and budget development.

Answer 175

European Parliament

Question 176

As-isƒ  data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

Answer 176

Current baseline

Question 177

The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have adequateƒ  data protection practices.

Answer 177

Cross-border Data Transfers

Question 178

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.

Answer 178

Administrative Purpose

Question 179

NAME?

Answer 179

Artificial Intelligence

Question 180

Section 5(a) of the FTC Act empowers the agency to enforce against unfair or deceptive acts or practices in or affecting commerce. Over the past two decades, the FTC has used this authority extensively to hold businesses to fair and transparent privacy and security standards.

Answer 180

Federal Trade Commission Act, Section 5 of

Question 181

xxx, primarily in the European Union, are bodies that represent employees and have certain rights under local law that affect the use of employee data by employers. Works councils can have a role in deciding whether employees personal data can be processed because they typically have an obligation to safeguard employee rights, which include data protection and privacy rights. They are most likely to be encountered in a data protection setting in Germany.

Answer 181

Works Councils

Question 182

CIO Council mission to improve, what 6 practices

Answer 182

1. Design 2. Acquisitions 3. Development 4. Modernization 5. use 6.Sharing and performance of Federal government information resources

Question 183

The GET and POSTHTMLmethod attributes specify how form data is sent to a web page. The GET method appends the form data to theURLin name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser s address bar, and is thus less secure than the POST method.

Answer 183

GET Method

Question 184

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.

Answer 184

Active Scanning Tools

Question 185

A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information

Answer 185

BC PIPA (Privacy Information Protection Action)

Question 186

The so-called -xxx- is an amendment made to the European Union’s Directive 2002/58, also known as the ePrivacy Directive, that requires organizations to get consent before placing cookies (see Cookies) and other tracking technologies on digital devices. With the passage of the General Data Protection Regulation, this definition of consent has changed and opt-out consent is no longer viable in this area.

Answer 186

Cookie Directive

Question 187

xxx is the IT business strategy of providing employees with company-owned devices. xxx may, nonetheless, implicate BYOD concerns when employees use xxx devices equally for personal use.

Answer 187

Corporate Owned, Personally Enabled (COPE)

Question 188

A framework promulgated by theAmerican Institute of Certified Public Accountants(AICPA) in conjunction with theCanadian Institute of Chartered Accountants(CICA). The ten principles are management, notice,choiceandconsent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.

Answer 188

Generally Accepted Privacy Principles

Question 189

Created in 2016 to replace the invalidated EU-U.S. Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the United States for companies participating in the program. Only those companies that fall under the jurisdiction of the U.S. Federal Trade Commission may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.

Answer 189

EU-US Privacy Shield

Question 190

Under the Fair Credit Reporting Act, the term xxxxxxƒ  is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action

Answer 190

Adverse Action

Question 191

A case in which the European Court of Human Rights held that monitoring an applicant’s email at work was contrary to Article 8 of the Convention on Human Rights.

Answer 191

Copland v. United Kingdom

Question 192

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Answer 192

Data Processing

Question 193

what are the 10 Principles of Canadian Standards Association (CSA) also listed in PIPEDA

Answer 193

1. Accountability, 2. Identifying Purpose 3. Consent 4. Limiting Collection 5. Limiting Use, Disclosure, and Retention 6. Accuracy 7. Safeguards 8. Openness 9.Individual Access 10. Challenging Compliance

Question 194

A data storage device in which information, once written, cannot be modified. This protection offers assurance that the data originally written to the device has not been tampered with. The only way to remove data written to a xxx device is to physically destroy the device.

Answer 194

Write Once Read Many (WORM)

Question 195

The degree to which a user is identified by anauthenticationsystem. The more unique (identifiable), the easier that user is tracked or targeted. The less identifiable, the easier it is to falsely authorize a non-user.

Answer 195

Identifiability

Question 196

Codes or strings used to represent an individual, device or browser.

Answer 196

Identifiers

Question 197

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.

Answer 197

Anonymization

Question 198

A continuation of policy directives for theEuropean UnionMember States as set forth in theData Protection Directive. It has been amended by theCookie Directive 2009/136EC, which added a requirement that all websites using tracking cookies obtain user consent unless the cookie is strictly necessary for the delivery of a service requested by the use. This policy recognizes the importance of cookies for the functioning of modern websites while still making users aware of any tracking the user may not want to participate in.

Answer 198

Directive on Privacy and Electronic Communications Act 2002/58EC

Question 199

A system that standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.

Answer 199

Controlled Unclassified Information

Question 200

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.

Answer 200

California Investigative Consumer Reporting Agencies Act

Question 201

EMM refers to a comprehensive organizational strategy for securing and enabling employee use of mobile devices such as smartphones and tablets. EMMs are used to prevent unauthorized access to applications containing corporate data on mobile devices, usually through the use of password protection,encryptionand remote wiping technology.

Answer 201

Enterprise Mobility Management (EMM)

Question 202

Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

Answer 202

Accuracy

Question 203

-xxx-, refers to the idea that consent must be freely given and that data subjects must have a genuine -xxx- as to whether to provide personal data or not. If there is no true -xxx- it is unlikely the consent will be deemed valid under the General Data Protection Regulation.

Answer 203

Choice

Question 204

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Answer 204

Audit Life Cycle

Question 205

Enacted as part of theAmerican Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

Answer 205

Health Information Technology for Economic and Clinical Health Act, The

Question 206

Data is -xxx- if it is accessible when needed by the organization or data subject. The General Data Protection Regulation requires that a business be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Answer 206

Availability

Question 207

A U.S. federal law that, among other things, requires federal agencies to conduct Privacy Impact Assessments on new or substantially revised information technology.

Answer 207

E-Government Act

Question 208

The GDPR establishes direct legal obligations applicable to service providers acting as -processors- (see Processor), whilst giving an increased emphasis to the contractual obligations in place between customers and data processing service providers

Answer 208

Established Service Provider

Question 209

The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law.

Answer 209

Digital Rights Management

Question 210

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

Answer 210

Business case

Question 211

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

Answer 211

Consumer Reporting Agency

Question 212

The European Council is the collection of heads of states of European Union member states. It provides general political direction for the EU and does not exercise legislative functions.

Answer 212

European Council

Question 213

Grants the authority to theFederal Trade Commissionto create theNational Do-Not-Call Registryin the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations. Originally consumers would have to re-register their numbers with the FTC everyfive years for continued prevention, but theDo-Not-Call Improvement Act of 2007extended registration indefinitely. Violations can be enforced by the FTC,Federal Communications Commission, and state attorneys general with up to a $16,000 fine per violation.

Answer 213

Do-Not-Call Implementation Act of 2003

Question 214

A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data

Answer 214

Adequate Level of Protection

Question 215

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required theU.S. Department of Health and Human Servicesto promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have toopt inbefore their information can be shared with other organizations although there are important exceptions such as for treatment, payment and healthcare operations.

Answer 215

Health Insurance Portability and Accountability Act, The

Question 216

Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists -xxx- data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

Answer 216

Biometrics

Question 217

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Answer 217

Accountability

Question 218

Personal informationthat is directly given to a social network or other website by a user.

Answer 218

Declared Data

Question 219

The General Data Protection Regulation refers to xxxxxx in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context

Answer 219

Appropriate Safeguards

Question 220

any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee

Answer 220

Credit Reporting Agency (CRA)

Question 221

A small text file stored on a client machine that may later be retrieved by a web server from the machine. xxx allow web servers to keep track of the end users browser activities, and connect individual web requests into a session

Answer 221

Cookie

Question 222

The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canadas PIPEDA

Answer 222

CSA Privacy Principles

Question 223

Laws that govern the collection, use and dissemination of personal information in the public and private sectors

Answer 223

Comprehensive Laws (aka: Omnibus Laws)

Question 224

A Qubquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.

Answer 224

Act Respecting the Protection of Personal Information in the Private Sector

Question 225

Software that is used to add animation and other visual effects to web-based content.

Answer 225

Flash

Question 226

While the title of data protection officer has long been in use, particularly in Germany and France, the General Data Protection Regulation introduced a new legal defintion of a DPO with specific tasks. Certain organizations, particularly those that process personal data as part of their business model or those who process special categories of data as outlined in Article 9, are obligated to designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO has a variety of mandated tasks, including communication with the supervisory authority, conducting DPIAs, and advising the organization on the mandates of the GDPR and how to comply with it.

Answer 226

Data Protection Officer

Question 227

In the context of European Union legislation interacting with member state law, a derogation is a place in an EU-wide regulation where individual member states are left to make their own law or have the option to deviate. A derogation can also simply refer to an exception to a certain basic rule or principle.

Answer 227

Derogation

Question 228

The European Court of Human Rights (ECHR) in Strasbourg, France, upholds privacy and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108. The ECHR applies the Convention and ensures that signatory states respect the rights and guarantees set out in the Convention.

Answer 228

European Court of Human Rights

Question 229

Facilities that store, manage and disseminate data and house a networks most critical systems. Data centers can serve either as a centralized facility for a single organizations data management functions or as a third-party provider for organizations data management needs.

Answer 229

Data Centers

Question 230

Under the Privacy Act, federal agencies using computerized means to match data between electronic federal privacy record systems, or to match data from any federal system with non federal records, are required to create a xxx composed of senior officials and the agencys inspector general. The xxx shall, among other things: review, approve and maintain all matching programs; review all existing matching programs annually to determine compliance with laws, regulations, guidelines and agreements, and; assess the cost and benefits of the agreements.

Answer 230

Data Integrity Board (DIB)

Question 231

The Federal Records Act requires the establishment of standards and procedures to ensure efficient and effective records management. The objectives of the Federal Records Act interact with federal privacy to: Ensure appropriate maintenance of a record that allows access rights to subject of the record; Minimize the collection of PII; Ensure the destruction of PII when there is no longer a business, legal, or historical need for the record.

Answer 231

Federal Records Act

Question 232

Article 17(1) of the GDPR establishes that data subjects have the right to erasure of their personal data if: the data is no longer needed for its original purpose and no new lawful purpose exists; the lawful basis for the processing is the data subject s consent, the data subject withdraws that consent, and no other lawful ground exists; the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing; the data has been processed unlawfully; or erasure is necessary for compliance with EU law or the national law of the relevant member state.

Answer 232

Erasure

Question 233

The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects

Answer 233

Data Breach Notification (EU specific)

Question 234

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.

Answer 234

Encryption

Question 235

A US government entity that evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers

Answer 235

FTC, Bureau of Economics

Question 236

To address the rise in citizen use of the Internet to access government information and services, some type of identity verification or authentication is needed. As such, agencies are required to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.

Answer 236

E-Authentication

Question 237

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.

Answer 237

Breach Disclosure

Question 238

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data

Answer 238

Data Elements

Question 239

What are the four classes of Privacy

Answer 239

Information, Bodily, Territorial, and Communication Privacy

Question 240

Requires agencies that match data among agency systems granting financial benefits to publicly disclose that matching and explain its scope

Answer 240

Computer Matching and Privacy Protection Act

Question 241

A program run by the Digital Advertising Alliance to promote awareness and choice in advertising for internet users. Websites with ads from participating DAA members will have an AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon, users may set preferences for behavioral advertising on that website or with DAA members generally across the web.

Answer 241

AdChoices

Question 242

A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity. The term originates in accounting as a reference to the chain of paperwork used to validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce, to track customers activity, or cyber-security, to investigate cybercrimes.

Answer 242

Audit Trail

Question 243

A Canadian term referring to information about an individual that is related to that individuals position, functions and/or performance of his or her job. A term that is undefined by PIPEDA, the privacy commissioner has decided that work product may at times fall under the definition of personal information. Access to such information by the commissioner is addressed on a case-by-case basis. Not to be confused with the American legal term -work product,- which refers to legal materials prepared in anticipation of litigation.

Answer 243

Work Product Information

Question 244

A treaty that consolidates human rights within the EU. The treaty states that everyone has a right to protect their personal data, that data must be processed for legitimate and specified purposes and that compliance is subject to control by an authority

Answer 244

Charter of Fundamental Rights

Question 245

The servers that contain most or all of the visible elements of a web page and that are contacted to provide those elements. In the realm of advertising, a general ad server is contacted after a webpage is requested, that ad server looks up any known information on the user requesting to access the webpage.

Answer 245

Content Delivery Network

Question 246

An employment contract can be terminated by either the employer or the employee at any time for any reason.

Answer 246

Employment at Will

Question 247

Also known as local governance, this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.

Answer 247

Decentralized Governance

Question 248

A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

Answer 248

Data Processor

Question 249

A graphical representation of the flow of data in an information system thus allowing the visualization of how the system operates to accomplish its purpose. xxx are used both by systems analysts to design information systems and by management to model the flow of data

Answer 249

Data Flow Diagrams

Question 250

FERPA establishes requirements regarding the privacy protection of student educational records. It applies to all academic institutions that receive funds under applicable U.S. Department of Education programs. FERPA gives parents certain rights with respect to their children s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are referred to as eligible students.

Answer 250

Family Educational Rights and Privacy Act

Question 251

When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

Answer 251

Data Protection by Design

Question 252

An ad trafficking system through which advertisers, publishers, and networks meet and do business via a unified platform. An ad exchange allows advertisers and publishers to use the same technological platform, services, and methods, and -speak the same language- in order to exchange data, set prices, and ultimately serve an ad

Answer 252

Ad Exchange

Question 253

A conceptual outline, blueprint, or diagram that defines the structure and the operation of an organization, normally in the context of developing a strategy for the realization of current and future goals or objectives.

Answer 253

Enterprise Architecture

Question 254

A privacy law in the Canadian province of XXXXX, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information

Answer 254

Alberta PIPA (Personal Information Protection action)

Question 255

In 2010 the U.S. Congress passed the Dodd-Frank Act to reorganize and improve financial regulation. Among other reforms it put in place, the Dodd-Frank Act created theConsumer Financial Protection Bureauand granted it rule-making authority overFCRAandGLBAas well as a few other regulations.

Answer 255

Dodd-Frank Wall Street Reform and Consumer Protection Act

Question 256

Code injected by malicious web users into web pages viewed by other users.

Answer 256

Cross-site Scripting (XSS)

Question 257

The first state-level comprehensive privacy law in the U.S. The -xxx-, which comes into force in 2020, will apply broadly to businesses that collect personal information from -xxx- consumers, imposing extensive transparency and disclosure obligations. It also creates consumers rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their -xxx- rights.

Answer 257

California Consumer Privacy Act (CCPA)

Question 258

An identifier that is one of a kind to a specific user. For example, biometric data or a loginID for a social network.

Answer 258

Globally Unique Identifier (GUID)

Question 259

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.

Answer 259

Data Quality

Question 260

A data subject providespersonal datato the collector directly, through a form or survey that is sent to the collector upon thedata subjectsubmitting the information

Answer 260

First-Party Collection

Question 261

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated theFederal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. TheUSA PATRIOT Actand subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

Answer 261

Electronic Communications Privacy Act of 1986

Question 262

A type of access control that allows an owner of an object, within a given computer-based information system, to grant or deny access.

Answer 262

Discretionary Access Control (DAC)

Question 263

-xxx- is the principal interagency forum on Federal agency practices for IT management. Originally established by Executive Order 13011 (Federal Information Technology) and later codified by the E-Government Act of 2002, the -xxx- mission is to improve practices related to the design, acquisition, development, modernization, use, sharing and performance of Federal Government information resources.

Answer 263

CIO Council

Question 264

Web advertising based on information about an individual such as age, height, weight, geographic location or gender

Answer 264

Demographic Advertising

Question 265

An economic region that includes the European Union (EU) and Iceland, Norway and Liechtenstein which are not official members of the EU but are closely linked by economic relationship. Non-EU countries in the EEA are required to adopt EU legislation regarding the single market.

Answer 265

European Economic Area

Question 266

Under FISMA, U.S. agencies information security programs must be independently evaluated yearly. The independent auditor is selected by the agency’s inspector general or the head of the agency. The audit is submitted to the Office of Management and Budget.

Answer 266

Annual Independent Evaluations

Question 267

A non-profit organization that sets standards for consumer privacy, transparency and control in online advertising. Over 100 advertising companies participate in and comply with their standards. The DAA has an agreement with both theCouncil on Better Business Bureausand theDirect Marketing Associationto enforce the self-regulatory standards set down by theDigital Advertising AllianceincludingAdChoices, a programming offering user control overbehavioral advertising.

Answer 267

Digital Advertising Alliance

Question 268

This privacy requirement is one of the fair information practices. In the General Data Protection Regulation, however, consent is specifically one of the legal bases for processing personal data. According to the GDPR, for consent to be valid, it must be: clearly distinguishable from other matters, intelligible, and in clear and plain language; freely given; as easy to withdraw as it was to provide; specific; informed; and unambiguous. Further, it must be a positive, affirmative action (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain special categories of data, as outlined in Article 9, explicit consent is required for processing, a higher standard than unambiguous consent.

Answer 268

Consent (EU specific)

Question 269

Prior to trial, information is typically exchanged between parties and their attorneys. E-discovery requires civil litigants to turn over large volumes of a company s electronic records in litigation.

Answer 269

Electronic Discovery

Question 270

A customers ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

Answer 270

Customer Access

Question 271

The process of adding geographical information to various media in the form ofmetadata, such as latitude and longitude coordinates or city and state details for the location of a photo or social media post.

Answer 271

Geotagging

Question 272

An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.

Answer 272

Confirmed Opt-In (aka. Double Opt-In)

Question 273

Data controllers must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed.

Answer 273

Data Minimization Principle (EU specific)

Question 274

The General Data Protection Regulation requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These -xxxxxxx- might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly

Answer 274

Appropriate Technical and Organizational Measures

Question 275

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit orprivacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.

Answer 275

Gap Analysis

Question 276

A markup language that facilitates the transport, creation, retrieval and storage of documents. Similar toHTML,XMLuses tags to describe the contents of a web page or file.

Answer 276

Extensible Markup Language (XML)

Question 277

The consolidation and managing of customer information in all forms and from all sources allowable. xxx is a vital component of customer relationship management.

Answer 277

Customer Data Integration (CDI)

Question 278

Term used to describe both the strategy for ensuring end users do not disseminate sensitive information, whether intentionally or unintentionally, to outside ineligible sources and the software products that aid network administrators in controlling what data end users can transfer.

Answer 278

Data Loss Prevention

Question 279

One of three requirements established by the General Data Protection Regulation for the processing of personal data: The first principle of processing personal data is -lawfulness, fairness, and transparency,- which states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. Linked most often with transparency, fairness means data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. Consent notices should not contain unfair terms and supervisory authority powers should similarly be exercised fairly.

Answer 279

Fairness

Question 280

An action that one takes to remove identifying characteristics from data.

Answer 280

De-identification(De-ID)

Question 281

A judgment delivered by the European Court of Human Rights in 1989,in Gaskin v. United Kingdom, held that the restriction of the applicant s access to his personal file was contrary to Article 8 of the Convention, citing a breach of Gaskin’s right to respect for his family and private life.

Answer 281

Gaskin v. United Kingdom

Question 282

In the context of the consistency mechanism (see Consistency Mechanism), the European Data Protection Board can issue binding decisions on objections to lead authority decisions, on disputes about which supervisory authority should be the lead authority, and where there has been a failure to request the EDPB s opinion under Article 64 or the opinion is not followed.

Answer 282

Dispute Resolution

Question 283

Executive Order 13392 supplemented (FOIA) by reiterating the requirement for agencies to process requests in a courteous and expeditious manner. In addition, it required agencies to appoint a chief FOIA officer. The Open Government Act of 2007 codified this requirement and expanded on the responsibilities of the chief FOIA officer to include the following: have agency-wide responsibility for efficient and appropriate compliance with FOIA; monitor FOIA implementation throughout the agency; recommend to the head of the agency any necessary adjustments in practices, personnel, policies or funding.

Answer 283

Chief FOIA Officer

Question 284

A concept developed by Helen Nissenbaum, xxx is a way to think about and quantify potential privacy risks in software systems and products. xxx focuses on what consumer expectations are in a given situation and how the product or system differs from that expectation. The more a product or system deviates from those expectations, the more likely a consumer will perceive a privacy harm

Answer 284

Contextual Integrity

Question 285

FISMA codified a federal information security center, which is implemented in theU.S. Computer Emergency Readiness Team(US-CERT). U.S.-CERT is called upon to provide timely technical assistance regarding security incidents; compile and analyze security incident information; inform federal agency information system operators about current and potential threats, and consult withNISTand others regarding information security incidents.

Answer 285

Federal Information Security Incident Center

Question 286

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. xxx may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

Answer 286

Cyber liability insurance

Question 287

judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.

Answer 287

Consent Decree

Question 288

A list of access control entries (ACE) that apply to an object.

Each ACE controls or monitors access to an object by a specified user

Answer 288

Access Control List

Question 289

A Latin expression meaning from the beginning, anew or beginning again. In a legal context, a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.

Answer 289

De Novo

Question 290

Personal informationreasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.

Answer 290

Employee Information

Question 291

A process of software system and product design that incorporates new system requirements during the actual creation of the system, as opposed to the Plan-Driven Development Model. Agile development takes a given project and focuses on specific portions to develop one at a time

Answer 291

Agile Development Model

Question 292

The European Court of Human Rights decided in 2009 that Haralambie’s Article 8 right to respect for private life and family life had been violated when the applicant sought access to the secret service file on him drawn up in the days of Communist rule in Romania and was made to wait six years. The court awarded 6,000 euros.

Answer 292

Haralambie v. Romania

Question 293

The -xxx- was a European Union organization that functioned as an independent advisory body on data protection and privacy and consisted of the collected data protection authorities of the member states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect.

Answer 293

Article 29 Working Party (WP29)

Question 294

Integral to privacy protection is the obligation on organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.

Answer 294

Identifying Purposes

Question 295

The United States’ primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices

Answer 295

Federal Trade Commission

Question 296

In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by theFederal Trade Commissionat the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.

Answer 296

Deceptive Trade Practices

Question 297

A non-profit standards organization that developed its own set of privacy principles and broke the OECDs code into ten principles

Answer 297

Canadian Standards Association (CSA)

Question 298

A contract between the owner of the software application and the user. The user agrees to pay for the use of the software and promises to comply with certain restrictions on that use.

Answer 298

End-User License Agreement

Question 299

A term used to describe the large data sets which exponential growth in the amount and availability of data have allowed organizations to collect

Answer 299

Big Data

Question 300

This privacy governance model allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body.

Answer 300

Hybrid Governance

Question 301

The FEA-SPP serves two functions in the integration of privacy and security risk-management practices. First, it clearly articulates that while there is a symbiotic relationship between security and privacy, these practices are not identical; they are distinct practices, but intertwined. Second, the FEA-SPP lays the groundwork for driving agency integration of privacy risk management into the fundamental design of technical systems and technologies.

Answer 301

Federal Enterprise Architecture Security and Privacy Profile

Question 302

Taking Individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so) the data set should: (1) have a large population of individuals, (2) Categorized to create broad sets of individuals, and; (3) not include data that would be unique to a single individual in a data set.

Answer 302

Data Aggregation

Question 303

The provision of access to personal data.

Answer 303

Disclosure

Question 304

Created by the Treaty of Rome, the EEC was a predecessor to the European Union that promoted a single economic market across Europe.

Answer 304

European Economic Community

Question 305

Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.

Answer 305

Five-Step Metric Life Cycle

Question 306

Any service which provides to users thereof the ability to send or receive wire or electronic communications.

Answer 306

Electronic Communications Service

Question 307

The science or practice of hiding information, usually through its transformation. Common cryptographic functions include: encryption, decryption, digital signature and non-repudiation.

Answer 307

Cryptography

Question 308

The materials necessary to encrypt and decrypt a given message, usually consisting of the encryption algorithm and the security key.

Answer 308

Cryptosystem

Question 309

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

Answer 309

Commercial Electronic Message (CEM)