CIPP Glossary Part 1 Flashcards
A computer record of an individual’s medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.
Electronic Health Record
A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence.
Factortame
What are the eight Fair Information Practice Principles
(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
(3) The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
(4) The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law.
(5) The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
(6) The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
(7) The Individual Participation Principle. An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended;
(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.
NAME?
Binding Corporate Rules (BCR)
Also known as a record of authority, identifiespersonal dataas it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.
Data Inventory
The now-defunct Data Retention Directive was designed to align the rules on data retention across the EU member states in order to ensure the availability of traffic and location data for serious crime and antiterrorism purposes. The Data Retention Directive is no longer part of EU law, although member states retain competence to adopt their own national data retention laws under Article 15(1) of the ePrivacy Directive (2002/58/EC) provided that those laws comply with the fundamental rights principles that form part of EU law and the CJEU ruling that struck down the Data Retention Directive. Accordingly, EU member states have introduced draft legislative amendments or implemented national data retention laws at an individual country level
Data Retention Directive
A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that (e)veryone has the right to respect for his private and family life, his home and his correspondence. Article 8 of the Convention limits a public authority s interference with an individual s right to privacy, but acknowledges an exception for actions in accordance with the law and necessary to preserve a democratic society. This created the Council of Europe (see Council of Europe) and the European Court of Human Rights (see European Court of Human Rights).
European Convention on Human Rights
The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is significantly engaged in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-publicpersonal information, defined broadly to include a consumer s name and address, and consumers interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability toopt-outof some sharing of personal financial information.
Gramm-Leach-Bliley Act
Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees personal data. These rules must include suitable and specific measures to safeguard the data subject s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.
Employee Personal Data
The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.
Assess
A processing operation that is performed without any human intervention. -Profiling- is defined in the General Data Protection Regulation, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to object to such processing.
Automated Processing
is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law.
Court of Justice of the European Union
An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).
EU-U.S. Safe Harbor Agreement
An expansion of theFair Credit Reporting Actwhich focuses on consumer access and identity theft prevention. The act mandates thatcredit reporting agenciesallow consumers to obtain a free credit report once every twelve months. Additionally, it allows consumers to request alerts when a creditor suspects identity theft and gave theFederal Trade Commission(FTC) authority to promulgate rules to prevent identity theft. The FTC used the authority to create theRed Flags Rule.
Fair and Accurate Credit Transactions Act of 2003
One of two chambers of theCanadian Parliament, along with theSenate. Members of theHouse of Commonsare elected at least every five years.
House of Commons
Linked graphic or text that is used to connect an end user to other websites, parts of websites or web-enabled services. TheURLof a web location is embedded in theHTMLcode, so that when certain words or images are selected through the web browser, the end user is transported to the destination website or page.
Hyperlink
What are three Bureau of the FTC
Competition, Consumer Protection, and Economics
A position within an organization that is responsible for managing risks of privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005
Chief Privacy Officer (Agency level) (CPO)
A federal law governing the behavior of federal advisory committees, restricting the formation of such committees to those deemed essential, limiting their powers and their length of operation, requiring open meetings and open records and mandating a publicly-accessible government-wide database.
Federal Advisory Committee Act, The
A federal law requiring agencies found of data mining to submit a yearly report to Congress. The privacy office of that agency must be involved in producing the report. The report will be made public and describe all of the agency s data-mining activity, goals and an assessment of the effectiveness of the data mining activity.
Federal Agency Data Mining Reporting Act
is responsible for the functions that are critical to the success of the Canadian CA profession. -xxx-, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications
Canadian Institute of Chartered Accountants (CICA)
A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.
Freedom of Information Act, The
A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13
Childrens Online Privacy Protection Act (COPPA) of 1998
Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location based services.
Electronic Surveillance
FOIA stands for
Freedom of Information Act
An entity that enforces the nation’s antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.
FTC, Bureau of Competition
In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.
Anonymous Information
One of the General Data Protection Regulation’s explicitly stated data protection principles, personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.
Data Quality (EU specific)
A secure network communication method, technically not a protocol in itself, HTTPS is the result of layering theHypertext Transfer Protocol(HTTP) on top of theSSL/TLSprotocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
Hypertext Transfer Protocol Secure
The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit -xxx-
Caching
Germany’s federal data protection act, implementing the General Data Protection Regulation. With the passage of the GDPR, it replaced a previous law with the same name (hence -neu- in common parlance) and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the new version suggests a procedure for national data protection authorities to challenge adequacy decisions of the EU Commission
Bundesdatenschutzgesetz-neu
The data protection regulator for the European Union as an entity, ensuring the EU institutions, such as the Parliament, Commission, and Council of the European Union, protect the rights and freedoms of data subjects. The EDPS acts as secretariat to the European Data Protection Board (see European Data Protection Board).
European Data Protection Supervisor
Use of employees own personal computing devices for work purposes.
Bring Your Own Device (BYOD)
Collects data to meet the nations statistical needs. Because the data that the -xxx- collects is often highly personal in nature, and the -xxx- depends on the trust of the individuals and businesses that supply the data, privacy protection is a high priority
Census Bureau
The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.
Contextual Advertising
The General Data Protection Regulation requires that consent be a freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject must have a genuine choice, must be able to refuse or withdraw consent without fear of consequence. Where there is a power imbalance, as in an employer-employee relationship, for example, it’s likely that consent cannot be freely given.
Freely Given
The -xxx’ is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a -xxx- often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.
Business Continuity Plan (BCP)
In order to ensure the consistent application of the General Data Protection Regulation throughout the European Union, the GDPR establishes a -xxx- that allows member state supervisory authorities to cooperate with one anotherThe mechanism applies particularly where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several member states. When a member state supervisory authority intends to take action, such as approving a code of conduct or certification mechanism, it shall provide a draft to the European Data Protection Board, and the EDPB’s members shall render an opinion on that draft, which the supervisory authority shall take into account and then either amend or decide to go forward with the draft in its original form. Should there be significant difference in opinion, the dispute resolution mechanism will be triggered
Consistency Mechanism
As technology has advanced, it has become easier to differentiate between users just based on the given instance of the browser they are using. Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements have been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.
Browser Fingerprinting
xxxxx laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise
Anti-discrimination Laws
In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.
Data Portability
xxx is taking user identifications and converting them into an ordered system to track the users activities without directly using personally identifiable information (PII).
xxx can be used to encryptor map data; in the context of privacy, hashing is used in cryptographichash functions and have many information security applications.
Hashing Functions
A term often used to refer to a supervisory authority, which is an independent public authority responsible for monitoring the application of the General Data Protection Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the European Union. xxx also oversee other data protection-related laws, such as the ePrivacy Directive and other local member state laws.
Data Protection Authority (DPA) (EU specific)
xxx implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect
Establishment
In the context of data protection law, xxx can be defined as personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations. While xxx is offered in the General Data Protection Regulation as an example of processing for the legitimate interest of an organization, it also says the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such xxx.
Direct Marketing (EU specific)
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
American Institute of Certified Public Accountants
Used in Plan-driven Development Models, a xxx is a detailed outline of how a software product or system will work once it is fully operational. This is used to shape how a product or system will be designed and implemented
Concept of Operations
An identified or identifiable natural person.
Data Subject
An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.
Established Business Relationship
In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset.
xxxx criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. .
Authorization
Attacks that exploit flaws in the network applications installed on network servers.
Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks
Application-Layer Attacks
The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor s web browser, operating system and font preferences.
In some cases, combining this information can be used to xxx a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for xxx techniques to be used for targeted advertising.
Digital Fingerprinting
Advertising that is targeted at individuals based on the observation of their behaviour over time.
Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of -xxx- advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Behavioral Advertising
Japanese legislation aimed at the financial services sector that established cross-sectional legislative framework for investor protections, enhanced disclosure requirements, provided guidelines for the management of self-regulatory operations by financial exchanges, and implemented strict countermeasures against unfair trading.
Financial Instruments and Exchange Law of Japan
A comprehensive set of reform measures, developed by the xxx Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector
Basel III
Common law tort focuses on a false or defamatory statement, defined as a communication tending so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.
Defamation
This is the main decision-making body of the EU, with a central role in both political and legislative decisions.
The council was established by the treaties of the 1950s, which laid the foundations for the EU, and works with the European Parliament to create EU law.
Council of the European Union (28 Members)
A networking language that manages data packets over the Internet.
It defines how messages are formatted and transmitted over a TCP/IP network for websites. Further, it defines what actions Web servers and web browsers take in response to various commands.
Hypertext Transfer Protocol
xxx is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.
Convention 108
A cryptographic algorithm applied to unencrypted text to disguise its value or to decrypt encrypted text.
Encryption Key
The requirement under the General Data Protection Regulation that the European Data Protection Board and each supervisory authority periodically report on their activities.
The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission
Annual Reports
The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable.
The xxx has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act
Federal Communications Commission (FCC)
Used as a means of assuring compliance with privacy rules and policies in the design of new software systems. xxx take privacy rules and compare them to the system requirements that have been used to design a new software system.
By pairing privacy rules with specific system requirements, necessary technical safeguards can be accounted for, preventing the software from being designed in such a way that would violate privacy policies and regulations.
Completeness Arguments
Passed in response to the increased use of the Internet by U.S. federal agencies, the act was designed to ensure the quality of information released by agencies by establishing four major requirements:
(1) Office of Management and Budget (OMB) was to issue guidelines -ensuring and maximizing the quality, objectivity, utility and integrity- of disseminated information;
(2) agencies must issue their own sets of information quality guidelines;
(3) agencies must establish administrative mechanisms for persons to correct erroneous information about themselves;
(4) agencies must annually report to OMB regarding the number, nature and handling of complaints.
Data Quality Act of 2000
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Data Controller
Unwritten legal principles that have developed over time based on social customs and expectations.
Common Law
Organizations may want to verify an applicants ability to function in the working environment as well as assuring the safety and security of existing workers.
xxx range from checking a persons educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.
Background Screening/Checks
The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union.
It is also responsible for making adequacy determinations with regard to data transfers to third-party countries
European Commission
After the savings and loans crisis of the 1980s, the U.S Congress passed xxx to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a Financial institution fails to comply with the information privacy requirements contained in GLBA.
Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA )
The idea that one should only collect and retain that personal data which is necessary.
Data Minimization Principle
Independent public authorities that supervise the application of data protection laws in the EU.
xxx provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own xxx. Under GDPR, xxx have extensive enforcement powers, including the ability to impose fines that total 4% of a company s global annual revenue.
Data Protection Authority (DPA)
The practice of customizing an advertisement for a product or service to a specific market based on the geographic location of potential customers.
Geotargeting
Entities that collect, aggregate and sell individuals personal data, derivatives and inferences from disparate public or private sources.
Data Brokers
An independent U.S. federal agency that enforces laws against workplace discrimination.
The xxx investigates discrimination complaints based on an individual’s race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.
Equal Employment Opportunity Commission, The (EEOC)
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.
xxx do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
Data Breach
A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject
Collection Limitation
What is Ciphertext
Encrypted (enciphered) data.
The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.
It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts. xxxs are required by the General Data Protection Regulation in some instances, particularly where a new product or service is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Impact Assessment (DPIA)
A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
Health Breach Notification Rule
xxx outline the basic contours of the measures an organization takes in the processing and handling of personal data.
Key matters the policy should address include: Scope, which explains both to whom the internal policy applies and the type of processing activities it covers; Policy statement; Employee responsibilities; Management responsibilities; Reporting incidents; Policy compliance.
Data Protection Policy (DPP)
A content authoring language used to create web pages.
Web browsers use xxx to interpret and render visible and audible content from the web pages. Document tags can be used to format and lay out web page content and to hyperlinkconnect dynamically to other web content. Forms, links, pictures and text may all be added with minimal commands
Hypertext Markup Language (HTML)
xxx is the creation of virtual perimeters linked to the geographic position of a mobile device.
In the BYOD context, xxx may be used to restrict access to applications or sensitive information inside of or outside of specific locations. For example, a company may be able to restrict access to potentially risky applications on a personal device when the device is connected to the company s network or, conversely, restrict access to company resources when the device is outside of the company s network.
Geofencing
A firewall configuration for securinglocal area networks(LANs).
In a xxx configuration, there are a set of computers that act as a broker for traffic between the LAN and an outside network allowing the majority of computers to run safely behind a firewall. Thus these computers act as a broker similar to a joint security area in a political demilitarized zone.
DMZ (Demilitarized Zone) Network
launched in 1949, is a human rights organization with 47 member countries, including the 28 member states of the European Union.
The members have all signed the European Convention on Human rights and are subject to the European Court of Human Rights. The Council’s Convention 108 (see Convention 108) was the first legally binding international agreement to protect the human right of privacy and data protection
Council of Europe
What are the three V’s of Big data?
the three Vs:
volume (the amount of data),
velocity (the speed at which data may now be collected and analyzed), and
variety (the format, structured or unstructured, and type of data, e.g. transaction or behavioral).
Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.
xxx must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.
Codes of Conduct
When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons
Active Data Collection
What 3 entities are excluded from PIPEDA commercial activity definition
- Non-profit associations
- unions
- Private Schools
Amending the U.S.Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after five years, but with this act the registrations became permanent.
Do-Not-Call Improvement Act of 2007
What are the three principle of CIA?
- Confidentiality
- Integrity,
- Availability.
When was the Charter of Rights and Freedoms added to the Canadian Constitution?
1982
A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information
Canadian Organization for the Advancement of Computers in Health (COACH)
The implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Data Protection by Default
A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.
Consumerization of Information Technology (COIT)
COPPA required website operator to do the following 7 things
- To post a privacy notice on the homepage of the website;
- provide notice about collection practices to parents; 3.obtain verifiable parental consent before collecting personal information from children;
- give parents a choice as to whether their child’s personal information will be disclosed to third parties;
- provide parents access and the opportunity to delete the child’s personal information and
- opt out of future collection or use of the information, and
- maintain the confidentiality, security and integrity of personal information collected from children.
A form of data encryption that uses two separate but related keys to encrypt data.
The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.
Asymmetric Encryption
A consumer-initiated security measure which locks an individuals data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.
Credit Freeze
Websites with online ordering capabilities have special privacy advantages and risks. Unlike other web advertisers, xxx websites have direct access to information regarding user purchases and payment information. While creating a great opportunity for targeted advertising, it also puts extra onus on these websites to protect user information.
E-Commerce Websites
The order that provides information about the goals, direction, duties and responsibilities with respect to the national intelligence effort and provides basic information on how intelligence activities should be conducted.
The executive order states that agencies within the intelligence community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned, and must be approved by the attorney general.
Executive Order 12333
The xxx replaced the EEC, which was created by the Treaty of Rome and first promoted a single economic market across Europe. The xxx currently comprises 28 member states:
European Union
A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file.
If anything is changed in the electronic document after the xxx is attached, the signature is rendered invalid.
Digital Signature
Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals;
networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.
Electronic Communications Network
An element in an access control list (ACL).
Each xxx , monitors, or records access to an object by a specified user.
Access Control Entry
An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.
Attribute-Based Access Control
Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.
Case Law
It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Individual Participation
Under Canada’s PIPEDA, xxx means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.
Commercial Activity
Specific details about how a system should work, what inputs create what outputs, and design elements to be implemented.
For example, A system shall do processing of personal information to create user profiles.
Functional System Requirements
An encryption algorithm for security sensitive non-classified material by the U.S. Government.
This algorithm was selected in 2001 to replace the previous algorithm, the Date Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
Advanced Encryption Standard (AES)
Originally an acronym for xxx, it has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise.
Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.
closed circuit television (CCTV)
Canadian xxx applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.
Canadas Anti-Spam Legislation
Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.
xxx must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.
Certification Mechanisms
What does COPPA stand for?
Childrens Online Privacy Protection Act
A U.S. federal law enacted as part of the E-Government Act of 2002.
The act requires each federal agency to develop, document and implement an agency-wide program to provide information security for the data and data systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.
xxx requires agency program officials, chief information officers and inspectors general to conduct annual reviews of the agency s information security program and report the results to Office of Management and Budget.
Federal Information Security Management Act of 2002, The (FISMA)
Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. xxx can exist under both comprehensive and sectoral models.
Co-regulatory Model
The provision of information technology services over the Internet.
These services may be provided by a company for its internal users in a -private cloud- or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems).
xxx has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models
Cloud Computing
A US government entity that stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.
FTC, Bureau of Consumer Protection
What are the 5 phase of the Audit Life Cycle
Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.
A network system formed through the connection of two or more corporate intranets. These external networks create inherent security risks, while often also meeting important organizational goals.
Extranet
Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.
Centralized governance
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, -xxx- is the individual’s way of giving permission for the use or disclosure. -xxx-may be affirmative; i.e., opt-in; or implied; i.e., the individual didnt opt out.(1) Affirmative/Explicit -xxx-: A requirement that an individual –signifies– his or her agreement with a data controller by some active communication between the parties.(2) Implicit -xxx-: Implied -xxx- arises where -xxx- may reasonably be inferred from the action or inaction of the individual.
Consent (aka choice)
Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, xxx is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, xxx counted 50 member countries.
Global Privacy Enforcement Network (GPEN)
What year was COPPA implemented
1998