CIPP Glossary Part 1 Flashcards
1
Q
A computer record of an individual’s medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.
A
Electronic Health Record
2
Q
A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence.
A
Factortame
3
Q
What are the eight Fair Information Practice Principles
A
(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
(3) The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
(4) The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law.
(5) The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
(6) The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
(7) The Individual Participation Principle. An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended;
(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.
4
Q
NAME?
A
Binding Corporate Rules (BCR)
5
Q
Also known as a record of authority, identifiespersonal dataas it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.
A
Data Inventory
6
Q
The now-defunct Data Retention Directive was designed to align the rules on data retention across the EU member states in order to ensure the availability of traffic and location data for serious crime and antiterrorism purposes. The Data Retention Directive is no longer part of EU law, although member states retain competence to adopt their own national data retention laws under Article 15(1) of the ePrivacy Directive (2002/58/EC) provided that those laws comply with the fundamental rights principles that form part of EU law and the CJEU ruling that struck down the Data Retention Directive. Accordingly, EU member states have introduced draft legislative amendments or implemented national data retention laws at an individual country level
A
Data Retention Directive
7
Q
A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that (e)veryone has the right to respect for his private and family life, his home and his correspondence. Article 8 of the Convention limits a public authority s interference with an individual s right to privacy, but acknowledges an exception for actions in accordance with the law and necessary to preserve a democratic society. This created the Council of Europe (see Council of Europe) and the European Court of Human Rights (see European Court of Human Rights).
A
European Convention on Human Rights
8
Q
The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is significantly engaged in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-publicpersonal information, defined broadly to include a consumer s name and address, and consumers interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability toopt-outof some sharing of personal financial information.
A
Gramm-Leach-Bliley Act
9
Q
Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees personal data. These rules must include suitable and specific measures to safeguard the data subject s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.
A
Employee Personal Data
10
Q
The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.
A
Assess
11
Q
A processing operation that is performed without any human intervention. -Profiling- is defined in the General Data Protection Regulation, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to object to such processing.
A
Automated Processing
12
Q
is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law.
A
Court of Justice of the European Union
13
Q
An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).
A
EU-U.S. Safe Harbor Agreement
14
Q
An expansion of theFair Credit Reporting Actwhich focuses on consumer access and identity theft prevention. The act mandates thatcredit reporting agenciesallow consumers to obtain a free credit report once every twelve months. Additionally, it allows consumers to request alerts when a creditor suspects identity theft and gave theFederal Trade Commission(FTC) authority to promulgate rules to prevent identity theft. The FTC used the authority to create theRed Flags Rule.
A
Fair and Accurate Credit Transactions Act of 2003
15
Q
One of two chambers of theCanadian Parliament, along with theSenate. Members of theHouse of Commonsare elected at least every five years.
A
House of Commons
16
Q
Linked graphic or text that is used to connect an end user to other websites, parts of websites or web-enabled services. TheURLof a web location is embedded in theHTMLcode, so that when certain words or images are selected through the web browser, the end user is transported to the destination website or page.
A
Hyperlink
17
Q
What are three Bureau of the FTC
A
Competition, Consumer Protection, and Economics
18
Q
A position within an organization that is responsible for managing risks of privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005
A
Chief Privacy Officer (Agency level) (CPO)
19
Q
A federal law governing the behavior of federal advisory committees, restricting the formation of such committees to those deemed essential, limiting their powers and their length of operation, requiring open meetings and open records and mandating a publicly-accessible government-wide database.
A
Federal Advisory Committee Act, The
20
Q
A federal law requiring agencies found of data mining to submit a yearly report to Congress. The privacy office of that agency must be involved in producing the report. The report will be made public and describe all of the agency s data-mining activity, goals and an assessment of the effectiveness of the data mining activity.
A
Federal Agency Data Mining Reporting Act
21
Q
is responsible for the functions that are critical to the success of the Canadian CA profession. -xxx-, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications
A
Canadian Institute of Chartered Accountants (CICA)
22
Q
A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.
A
Freedom of Information Act, The
23
Q
A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13
A
Childrens Online Privacy Protection Act (COPPA) of 1998
24
Q
Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location based services.
A
Electronic Surveillance
25
FOIA stands for
Freedom of Information Act
26
An entity that enforces the nation's antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.
FTC, Bureau of Competition
27
In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.
Anonymous Information
28
One of the General Data Protection Regulation's explicitly stated data protection principles, personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.
Data Quality (EU specific)
29
A secure network communication method, technically not a protocol in itself, HTTPS is the result of layering theHypertext Transfer Protocol(HTTP) on top of theSSL/TLSprotocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
Hypertext Transfer Protocol Secure
30
The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit -xxx-
Caching
31
Germany's federal data protection act, implementing the General Data Protection Regulation. With the passage of the GDPR, it replaced a previous law with the same name (hence -neu- in common parlance) and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the new version suggests a procedure for national data protection authorities to challenge adequacy decisions of the EU Commission
Bundesdatenschutzgesetz-neu
32
The data protection regulator for the European Union as an entity, ensuring the EU institutions, such as the Parliament, Commission, and Council of the European Union, protect the rights and freedoms of data subjects. The EDPS acts as secretariat to the European Data Protection Board (see European Data Protection Board).
European Data Protection Supervisor
33
Use of employees own personal computing devices for work purposes.
Bring Your Own Device (BYOD)
34
Collects data to meet the nations statistical needs. Because the data that the -xxx- collects is often highly personal in nature, and the -xxx- depends on the trust of the individuals and businesses that supply the data, privacy protection is a high priority
Census Bureau
35
The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.
Contextual Advertising
36
The General Data Protection Regulation requires that consent be a freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject must have a genuine choice, must be able to refuse or withdraw consent without fear of consequence. Where there is a power imbalance, as in an employer-employee relationship, for example, it's likely that consent cannot be freely given.
Freely Given
37
The -xxx' is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a -xxx- often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.
Business Continuity Plan (BCP)
38
In order to ensure the consistent application of the General Data Protection Regulation throughout the European Union, the GDPR establishes a -xxx- that allows member state supervisory authorities to cooperate with one anotherThe mechanism applies particularly where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several member states. When a member state supervisory authority intends to take action, such as approving a code of conduct or certification mechanism, it shall provide a draft to the European Data Protection Board, and the EDPB's members shall render an opinion on that draft, which the supervisory authority shall take into account and then either amend or decide to go forward with the draft in its original form. Should there be significant difference in opinion, the dispute resolution mechanism will be triggered
Consistency Mechanism
39
As technology has advanced, it has become easier to differentiate between users just based on the given instance of the browser they are using. Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements have been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.
Browser Fingerprinting
40
xxxxx laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise
Anti-discrimination Laws
41
In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.
Data Portability
42
xxx is taking user identifications and converting them into an ordered system to track the users activities without directly using personally identifiable information (PII).
xxx can be used to encryptor map data; in the context of privacy, hashing is used in cryptographichash functions and have many information security applications.
Hashing Functions
43
A term often used to refer to a supervisory authority, which is an independent public authority responsible for monitoring the application of the General Data Protection Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the European Union. xxx also oversee other data protection-related laws, such as the ePrivacy Directive and other local member state laws.
Data Protection Authority (DPA) (EU specific)
44
xxx implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect
Establishment
45
In the context of data protection law, xxx can be defined as personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations. While xxx is offered in the General Data Protection Regulation as an example of processing for the legitimate interest of an organization, it also says the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such xxx.
Direct Marketing (EU specific)
46
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
American Institute of Certified Public Accountants
47
Used in Plan-driven Development Models, a xxx is a detailed outline of how a software product or system will work once it is fully operational. This is used to shape how a product or system will be designed and implemented
Concept of Operations
48
An identified or identifiable natural person.
Data Subject
49
An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.
Established Business Relationship
50
In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset.
xxxx criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. .
Authorization
51
Attacks that exploit flaws in the network applications installed on network servers.
Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks
Application-Layer Attacks
52
The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor s web browser, operating system and font preferences.
In some cases, combining this information can be used to xxx a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for xxx techniques to be used for targeted advertising.
Digital Fingerprinting
53
Advertising that is targeted at individuals based on the observation of their behaviour over time.
Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of -xxx- advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Behavioral Advertising
54
Japanese legislation aimed at the financial services sector that established cross-sectional legislative framework for investor protections, enhanced disclosure requirements, provided guidelines for the management of self-regulatory operations by financial exchanges, and implemented strict countermeasures against unfair trading.
Financial Instruments and Exchange Law of Japan
55
A comprehensive set of reform measures, developed by the xxx Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector
Basel III
56
Common law tort focuses on a false or defamatory statement, defined as a communication tending so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.
Defamation
57
This is the main decision-making body of the EU, with a central role in both political and legislative decisions.
The council was established by the treaties of the 1950s, which laid the foundations for the EU, and works with the European Parliament to create EU law.
Council of the European Union (28 Members)
58
A networking language that manages data packets over the Internet.
It defines how messages are formatted and transmitted over a TCP/IP network for websites. Further, it defines what actions Web servers and web browsers take in response to various commands.
Hypertext Transfer Protocol
59
xxx is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.
Convention 108
60
A cryptographic algorithm applied to unencrypted text to disguise its value or to decrypt encrypted text.
Encryption Key
61
The requirement under the General Data Protection Regulation that the European Data Protection Board and each supervisory authority periodically report on their activities.
The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission
Annual Reports
62
The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable.
The xxx has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act
Federal Communications Commission (FCC)
63
Used as a means of assuring compliance with privacy rules and policies in the design of new software systems. xxx take privacy rules and compare them to the system requirements that have been used to design a new software system.
By pairing privacy rules with specific system requirements, necessary technical safeguards can be accounted for, preventing the software from being designed in such a way that would violate privacy policies and regulations.
Completeness Arguments
64
Passed in response to the increased use of the Internet by U.S. federal agencies, the act was designed to ensure the quality of information released by agencies by establishing four major requirements:
(1) Office of Management and Budget (OMB) was to issue guidelines -ensuring and maximizing the quality, objectivity, utility and integrity- of disseminated information;
(2) agencies must issue their own sets of information quality guidelines;
(3) agencies must establish administrative mechanisms for persons to correct erroneous information about themselves;
(4) agencies must annually report to OMB regarding the number, nature and handling of complaints.
Data Quality Act of 2000
65
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Data Controller
66
Unwritten legal principles that have developed over time based on social customs and expectations.
Common Law
67
Organizations may want to verify an applicants ability to function in the working environment as well as assuring the safety and security of existing workers.
xxx range from checking a persons educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.
Background Screening/Checks
68
The executive body of the European Union. Its main function is to implement the EU's decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union.
It is also responsible for making adequacy determinations with regard to data transfers to third-party countries
European Commission
69
After the savings and loans crisis of the 1980s, the U.S Congress passed xxx to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a Financial institution fails to comply with the information privacy requirements contained in GLBA.
Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA )
70
The idea that one should only collect and retain that personal data which is necessary.
Data Minimization Principle
71
Independent public authorities that supervise the application of data protection laws in the EU.
xxx provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own xxx. Under GDPR, xxx have extensive enforcement powers, including the ability to impose fines that total 4% of a company s global annual revenue.
Data Protection Authority (DPA)
72
The practice of customizing an advertisement for a product or service to a specific market based on the geographic location of potential customers.
Geotargeting
73
Entities that collect, aggregate and sell individuals personal data, derivatives and inferences from disparate public or private sources.
Data Brokers
74
An independent U.S. federal agency that enforces laws against workplace discrimination.
The xxx investigates discrimination complaints based on an individual's race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.
Equal Employment Opportunity Commission, The (EEOC)
75
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.
xxx do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
Data Breach
76
A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject
Collection Limitation
77
What is Ciphertext
Encrypted (enciphered) data.
78
The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.
It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts. xxxs are required by the General Data Protection Regulation in some instances, particularly where a new product or service is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Impact Assessment (DPIA)
79
A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
Health Breach Notification Rule
80
xxx outline the basic contours of the measures an organization takes in the processing and handling of personal data.
Key matters the policy should address include: Scope, which explains both to whom the internal policy applies and the type of processing activities it covers; Policy statement; Employee responsibilities; Management responsibilities; Reporting incidents; Policy compliance.
Data Protection Policy (DPP)
81
A content authoring language used to create web pages.
Web browsers use xxx to interpret and render visible and audible content from the web pages. Document tags can be used to format and lay out web page content and to hyperlinkconnect dynamically to other web content. Forms, links, pictures and text may all be added with minimal commands
Hypertext Markup Language (HTML)
82
xxx is the creation of virtual perimeters linked to the geographic position of a mobile device.
In the BYOD context, xxx may be used to restrict access to applications or sensitive information inside of or outside of specific locations. For example, a company may be able to restrict access to potentially risky applications on a personal device when the device is connected to the company s network or, conversely, restrict access to company resources when the device is outside of the company s network.
Geofencing
83
A firewall configuration for securinglocal area networks(LANs).
In a xxx configuration, there are a set of computers that act as a broker for traffic between the LAN and an outside network allowing the majority of computers to run safely behind a firewall. Thus these computers act as a broker similar to a joint security area in a political demilitarized zone.
DMZ (Demilitarized Zone) Network
84
launched in 1949, is a human rights organization with 47 member countries, including the 28 member states of the European Union.
The members have all signed the European Convention on Human rights and are subject to the European Court of Human Rights. The Council's Convention 108 (see Convention 108) was the first legally binding international agreement to protect the human right of privacy and data protection
Council of Europe
85
What are the three V's of Big data?
the three Vs:
volume (the amount of data),
velocity (the speed at which data may now be collected and analyzed), and
variety (the format, structured or unstructured, and type of data, e.g. transaction or behavioral).
86
Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.
xxx must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.
Codes of Conduct
87
When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons
Active Data Collection
88
What 3 entities are excluded from PIPEDA commercial activity definition
1. Non-profit associations
2. unions
3. Private Schools
89
Amending the U.S.Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after five years, but with this act the registrations became permanent.
Do-Not-Call Improvement Act of 2007
90
What are the three principle of CIA?
1. Confidentiality
2. Integrity,
3. Availability.
91
When was the Charter of Rights and Freedoms added to the Canadian Constitution?
1982
92
A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information
Canadian Organization for the Advancement of Computers in Health (COACH)
93
The implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Data Protection by Default
94
A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.
Consumerization of Information Technology (COIT)
95
COPPA required website operator to do the following 7 things
1. To post a privacy notice on the homepage of the website;
2. provide notice about collection practices to parents; 3.obtain verifiable parental consent before collecting personal information from children;
4. give parents a choice as to whether their child's personal information will be disclosed to third parties;
5. provide parents access and the opportunity to delete the child's personal information and
6. opt out of future collection or use of the information, and
7. maintain the confidentiality, security and integrity of personal information collected from children.
96
A form of data encryption that uses two separate but related keys to encrypt data.
The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.
Asymmetric Encryption
97
A consumer-initiated security measure which locks an individuals data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.
Credit Freeze
98
Websites with online ordering capabilities have special privacy advantages and risks. Unlike other web advertisers, xxx websites have direct access to information regarding user purchases and payment information. While creating a great opportunity for targeted advertising, it also puts extra onus on these websites to protect user information.
E-Commerce Websites
99
The order that provides information about the goals, direction, duties and responsibilities with respect to the national intelligence effort and provides basic information on how intelligence activities should be conducted.
The executive order states that agencies within the intelligence community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned, and must be approved by the attorney general.
Executive Order 12333
100
The xxx replaced the EEC, which was created by the Treaty of Rome and first promoted a single economic market across Europe. The xxx currently comprises 28 member states:
European Union
101
A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file.
If anything is changed in the electronic document after the xxx is attached, the signature is rendered invalid.
Digital Signature
102
Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals;
networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.
Electronic Communications Network
103
An element in an access control list (ACL).
Each xxx , monitors, or records access to an object by a specified user.
Access Control Entry
104
An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.
Attribute-Based Access Control
105
Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.
Case Law
106
It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Individual Participation
107
Under Canada's PIPEDA, xxx means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.
Commercial Activity
108
Specific details about how a system should work, what inputs create what outputs, and design elements to be implemented.
For example, A system shall do processing of personal information to create user profiles.
Functional System Requirements
109
An encryption algorithm for security sensitive non-classified material by the U.S. Government.
This algorithm was selected in 2001 to replace the previous algorithm, the Date Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
Advanced Encryption Standard (AES)
110
Originally an acronym for xxx, it has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise.
Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.
closed circuit television (CCTV)
111
Canadian xxx applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.
Canadas Anti-Spam Legislation
112
Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.
xxx must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.
Certification Mechanisms
113
What does COPPA stand for?
Childrens Online Privacy Protection Act
114
A U.S. federal law enacted as part of the E-Government Act of 2002.
The act requires each federal agency to develop, document and implement an agency-wide program to provide information security for the data and data systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.
xxx requires agency program officials, chief information officers and inspectors general to conduct annual reviews of the agency s information security program and report the results to Office of Management and Budget.
Federal Information Security Management Act of 2002, The (FISMA)
115
Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. xxx can exist under both comprehensive and sectoral models.
Co-regulatory Model
116
The provision of information technology services over the Internet.
These services may be provided by a company for its internal users in a -private cloud- or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems).
xxx has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models
Cloud Computing
117
A US government entity that stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.
FTC, Bureau of Consumer Protection
118
What are the 5 phase of the Audit Life Cycle
Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.
119
A network system formed through the connection of two or more corporate intranets. These external networks create inherent security risks, while often also meeting important organizational goals.
Extranet
120
Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.
Centralized governance
121
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, -xxx- is the individual's way of giving permission for the use or disclosure. -xxx-may be affirmative; i.e., opt-in; or implied; i.e., the individual didnt opt out.(1) Affirmative/Explicit -xxx-: A requirement that an individual --signifies-- his or her agreement with a data controller by some active communication between the parties.(2) Implicit -xxx-: Implied -xxx- arises where -xxx- may reasonably be inferred from the action or inaction of the individual.
Consent (aka choice)
122
Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, xxx is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, xxx counted 50 member countries.
Global Privacy Enforcement Network (GPEN)
123
What year was COPPA implemented
1998
124
A U.S. law that bars discrimination against qualified individuals with disabilities.
Americans with Disabilities Act (ADA)
125
As defined in the U.S. Fair Credit Reporting Act: Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes, or (2) employment purposes, or (3) other purposes authorized under section 604. The term does not include any (A) any report containing information solely as to transactions or experiences between the consumer and the person making the report; (B) authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; or (C) report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made and such person makes the disclosures to the consumer required under section 615.
Consumer Report
126
xxx, generally requires multi-member federal agencies; i.e., the FCC and SEC, to hold their meetings in public and to give advance public notice of their meetings. The goal of the xxx is to promote public access to information about the decision-making processes of the federal government and to improve those processes by exposing them to public view.
Government in the Sunshine Act
127
A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.
Business Continuity and Disaster Recovery Plan (BCDR)
128
The process of de-identifying,anonymizing, or otherwise obscuring data so that the structure remains the same but the content is no longer sensitive in order to generate a data set that is useful for training or software testing purposes.
Data Masking
129
Also known as information security triad; three common information security principles from the 1960s,
CIA Triad
| Confidentiality, integrity, availability.
130
A sectoral privacy directive for European Union Member States, which applies to the digital industry. Among other provisions, the xxx requires websites to obtain consumer consent before placing cookies for marketing purposes.
The EU is currently considering reform of the xxx.
ePrivacy Directive
131
The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.
Computer Forensics
132
One of the four classes of privacy, It focuses on a persons physical being and any invasion thereof.
Such an invasion can take the form of genetic testing, drug testing or body cavity searches.
Bodily Privacy
133
The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.
Authentication
134
A set of non-binding principles that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
APEC (Asian-Pacific Economic Cooperation) Privacy Principles
135
Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission.
It also applies to onward transfers from one third country or international organisation to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.
Cross-border Data Transfers (EU specific)
136
When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.
Direct Marketing
137
Article 5 of the General Data Protection Regulation lists the principles as such: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality.
Data Protection Principles
138
They are constitutional rights and thus are considered to be the most valued rights in Canada. The xxx and Freedoms was made part of the Canadian Constitution in 1982.
Charter Rights
139
A U.S. federal law regulating the way that U.S. intelligence agencies conduct foreign intelligence surveillance activities, including wiretaps and the interception of communications.
The act sets forth a judicial approval process required when the government targets U.S. persons located within the United States. FISA allows warrantless surveillance to be conducted without a court order for up to one year, provided the surveillance is for foreign intelligence information, is targeting foreign powers and will not capture the contents of any communication to which a U.S. person is a party. Generally speaking, FISA does not apply to activities directed at persons overseas.
Foreign Intelligence Surveillance Act of 1978, The
140
One of the four classes of privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.
Communications Privacy
141
A computer program or algorithm that replicates itself over a computer network, usually performing malicious actions.
Worm
142
A court case in which the Court of Appeal of the United Kingdom narrowed the definition of personal data under the Data Protection Act of 1998. It established a two-stage test; the information must be biographical in a significant sense and the individual must be the focus of the information.
Durant v. Financial Services Authority
143
A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Data Recipient
144
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The General Data Protection Regulation instituted new rules for notification of supervisory authorities and data subjects following the discovery of a data breach, depending on the risk the breach presents to the rights and freedoms of data subjects
Data Breach (EU specific)
145
The rules and safeguards applying under various laws and regulations to personal data about individuals that organizations collect, store, use and disclose. Data protection is the professional term used in the EU, whereas in the U.S. the concept is generally referred to as information privacy. Importantly, data protection is different from data security, since it extends beyond securing information to devising and implementing policies for its fair use
Data Protection
146
The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata (see Metadata). The ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of -xxx-.
Content Data
147
Consists of three main categories of personal data, as defined in the European Union under the ePrivacy Directive: the content of a communication, traffic data, and location data.
Electronic Communications Data
148
Previously, the EU distinguished between Binding Corporate Rules for controllers and -xxx-. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both
Binding Safe Processor Rules (BSPR)
149
A company that allows advertising clients to buy digital media on several different selling systems, or exchanges, through one interface.
Demand Side Platform (DSP)
150
A company that serves as a broker between a group of publishers and a group of advertisers. Networks traditionally aggregate unsold inventory from publishers in order to offer advertisers a consolidated and generally less expensive pool of impressions, but they can have a wide variety of business models and clients
Ad Network
151
An activity that involves comparingpersonal dataobtained from a variety of sources, includingpersonal informationbanks, for the purpose of making decisions about the individuals to whom the data pertains.
Data Matching
152
The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects
Breach Disclosure (EU specific)
153
Also known asInformation Life Cycle Management(ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure;information security; authenticity and accuracy of one s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.
Data Life Cycle Management
154
The General Data Protection Regulation requires that an organization be able to ensure the ongoing:
1. confidentiality, 2.integrity, 3.availability and 4.resilience of processing systems and services as part of its requirements for appropriate security
155
Part of the consistency mechanism (see Consistency Mechanism) of the General Data Protection Regulation, xxx is required between supervisory authorities when working with controllers or processors handling the personal data of data subjects in multiple member states. This is often referred to as the -one-stop shop,- whereby a lead supervisory authority works with the supervisory authorities of other member states with affected data subjects.
Cooperation
156
In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.
Customer Information
157
The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals privacy and personal data use
EU Data Protection Directive
158
A catch-all term for various technologies and browser settings designed to allow data subjects to indicate their objection to tracking by websites. Years of effort, by the W3C and other organizations, to create an official Do Not Track standard for HTTP headers has of yet led to naught.
Do Not Track (DNT)
159
Shorthand for the case of Google Spain v AEPD and Mario Costeja Gonz lez, where Costeja successfully sued Google Spain, Google Inc. and La Vanguardia newspaper. When the Court of Justice of the EU ruled that Google Spain must remove the links to the article, the -right to be forgotten- (see Right To Be Forgotten) was effectively established in the European Union. The General Data Protection Regulation subsequently more formally granted data subjects the right to deletion in certain circumstances
Costeja
160
A rule, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
Final Health Breach Notification Rule
161
The process of assigning geographic coordinates to non-locational data so that they can be placed as points on a map. For example, geocoding could be used to translate a street address (which describes a location) into precise coordinates that identify the location on a map
Geocoding
162
A corporation that acts as a regulator for brokerage firms and exchange markets. Its primary charge is to make sure that security exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors. Although it is a non-governmental regulator, ultimately it is subject to the regulations of the Securities and Exchange Commission along with the rest of the security exchange industry
Financial Industry Regulatory Authority
163
One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance
Fair Credit Reporting Act, The
164
One of 10 privacy principles ofPIPEDA. Organizations must be able to respond to requests from individuals for access to theirpersonal information.
Individual Access
165
The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018. The aim of the GDPR is to provide one set of data protection rules for all EU member states and the European Economic Area (EEA). The document comprises 173 recitals and 99 articles.
General Data Protection Regulation
166
Created by the Dodd-Frank Act, the -xxx- is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created xxx took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against abusive acts and practicesƒ as specified by the Dodd-Frank Act.
Consumer Financial Protection Bureau (CFPB)
167
List 3 ways Anonymization can occur
Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.
168
The title given in some member states to the supervisory authority
Data Protection Commissioner
169
The successor to the Article 29 Working Party, it consists of the heads of the supervisory authorities of the member states and the European Data Protection Supervisor (see European Data Protection Supervisor), and the Commission is entitled to send a delegate to its meetings. The EDPB s role is to ensure the consistent application of the Regulation and, in addition to supporting cooperation between the regulators and applying the consistency mechanism (see Consistency Mechanism), it shall publish advice, guidance, recommendations and best practices. The supervisory authorities elect a chairperson, with certain powers, from amongst their membership.
European Data Protection Board
170
A scheme that provides the basis for managing access to, and protection of, data assets.
Data Classification
171
Data is -xxx- if it is protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Confidentiality
172
What 4 Situations are typically covered in BCP
Fire, Flood, Natural disasters, and terrorist attacks
173
Adopted either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism (see Consistency Mechanism) and then adopted by the Commission, xxx are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.
Contractual Clauses
174
A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.
The Bank Secrecy Act
175
The only EU institution whose members are directly elected by citizens of individual member states, Parliament has four responsibilities legislative development, supervisory oversight of other institutions, democratic representation and budget development.
European Parliament
176
As-isƒ data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.
Current baseline
177
The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have adequateƒ data protection practices.
Cross-border Data Transfers
178
The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.
Administrative Purpose
179
#NAME?
Artificial Intelligence
180
Section 5(a) of the FTC Act empowers the agency to enforce against unfair or deceptive acts or practices in or affecting commerce. Over the past two decades, the FTC has used this authority extensively to hold businesses to fair and transparent privacy and security standards.
Federal Trade Commission Act, Section 5 of
181
xxx, primarily in the European Union, are bodies that represent employees and have certain rights under local law that affect the use of employee data by employers. Works councils can have a role in deciding whether employees personal data can be processed because they typically have an obligation to safeguard employee rights, which include data protection and privacy rights. They are most likely to be encountered in a data protection setting in Germany.
Works Councils
182
CIO Council mission to improve, what 6 practices
1. Design 2. Acquisitions 3. Development 4. Modernization 5. use 6.Sharing and performance of Federal government information resources
183
The GET and POSTHTMLmethod attributes specify how form data is sent to a web page. The GET method appends the form data to theURLin name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser s address bar, and is thus less secure than the POST method.
GET Method
184
DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.
Active Scanning Tools
185
A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information
BC PIPA (Privacy Information Protection Action)
186
The so-called -xxx- is an amendment made to the European Union's Directive 2002/58, also known as the ePrivacy Directive, that requires organizations to get consent before placing cookies (see Cookies) and other tracking technologies on digital devices. With the passage of the General Data Protection Regulation, this definition of consent has changed and opt-out consent is no longer viable in this area.
Cookie Directive
187
xxx is the IT business strategy of providing employees with company-owned devices. xxx may, nonetheless, implicate BYOD concerns when employees use xxx devices equally for personal use.
Corporate Owned, Personally Enabled (COPE)
188
A framework promulgated by theAmerican Institute of Certified Public Accountants(AICPA) in conjunction with theCanadian Institute of Chartered Accountants(CICA). The ten principles are management, notice,choiceandconsent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.
Generally Accepted Privacy Principles
189
Created in 2016 to replace the invalidated EU-U.S. Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the United States for companies participating in the program. Only those companies that fall under the jurisdiction of the U.S. Federal Trade Commission may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.
EU-US Privacy Shield
190
Under the Fair Credit Reporting Act, the term xxxxxxƒ is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action
Adverse Action
191
A case in which the European Court of Human Rights held that monitoring an applicant's email at work was contrary to Article 8 of the Convention on Human Rights.
Copland v. United Kingdom
192
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processing
193
what are the 10 Principles of Canadian Standards Association (CSA) also listed in PIPEDA
1. Accountability, 2. Identifying Purpose 3. Consent 4. Limiting Collection 5. Limiting Use, Disclosure, and Retention 6. Accuracy 7. Safeguards 8. Openness 9.Individual Access 10. Challenging Compliance
194
A data storage device in which information, once written, cannot be modified. This protection offers assurance that the data originally written to the device has not been tampered with. The only way to remove data written to a xxx device is to physically destroy the device.
Write Once Read Many (WORM)
195
The degree to which a user is identified by anauthenticationsystem. The more unique (identifiable), the easier that user is tracked or targeted. The less identifiable, the easier it is to falsely authorize a non-user.
Identifiability
196
Codes or strings used to represent an individual, device or browser.
Identifiers
197
The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.
Anonymization
198
A continuation of policy directives for theEuropean UnionMember States as set forth in theData Protection Directive. It has been amended by theCookie Directive 2009/136EC, which added a requirement that all websites using tracking cookies obtain user consent unless the cookie is strictly necessary for the delivery of a service requested by the use. This policy recognizes the importance of cookies for the functioning of modern websites while still making users aware of any tracking the user may not want to participate in.
Directive on Privacy and Electronic Communications Act 2002/58EC
199
A system that standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.
Controlled Unclassified Information
200
A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.
California Investigative Consumer Reporting Agencies Act
201
EMM refers to a comprehensive organizational strategy for securing and enabling employee use of mobile devices such as smartphones and tablets. EMMs are used to prevent unauthorized access to applications containing corporate data on mobile devices, usually through the use of password protection,encryptionand remote wiping technology.
Enterprise Mobility Management (EMM)
202
Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.
Accuracy
203
-xxx-, refers to the idea that consent must be freely given and that data subjects must have a genuine -xxx- as to whether to provide personal data or not. If there is no true -xxx- it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
Choice
204
High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.
Audit Life Cycle
205
Enacted as part of theAmerican Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.
Health Information Technology for Economic and Clinical Health Act, The
206
Data is -xxx- if it is accessible when needed by the organization or data subject. The General Data Protection Regulation requires that a business be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Availability
207
A U.S. federal law that, among other things, requires federal agencies to conduct Privacy Impact Assessments on new or substantially revised information technology.
E-Government Act
208
The GDPR establishes direct legal obligations applicable to service providers acting as -processors- (see Processor), whilst giving an increased emphasis to the contractual obligations in place between customers and data processing service providers
Established Service Provider
209
The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law.
Digital Rights Management
210
The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.
Business case
211
Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee
Consumer Reporting Agency
212
The European Council is the collection of heads of states of European Union member states. It provides general political direction for the EU and does not exercise legislative functions.
European Council
213
Grants the authority to theFederal Trade Commissionto create theNational Do-Not-Call Registryin the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations. Originally consumers would have to re-register their numbers with the FTC everyfive years for continued prevention, but theDo-Not-Call Improvement Act of 2007extended registration indefinitely. Violations can be enforced by the FTC,Federal Communications Commission, and state attorneys general with up to a $16,000 fine per violation.
Do-Not-Call Implementation Act of 2003
214
A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data
Adequate Level of Protection
215
A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required theU.S. Department of Health and Human Servicesto promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have toopt inbefore their information can be shared with other organizations although there are important exceptions such as for treatment, payment and healthcare operations.
Health Insurance Portability and Accountability Act, The
216
Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists -xxx- data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.
Biometrics
217
The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
Accountability
218
Personal informationthat is directly given to a social network or other website by a user.
Declared Data
219
The General Data Protection Regulation refers to xxxxxx in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context
Appropriate Safeguards
220
any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee
Credit Reporting Agency (CRA)
221
A small text file stored on a client machine that may later be retrieved by a web server from the machine. xxx allow web servers to keep track of the end users browser activities, and connect individual web requests into a session
Cookie
222
The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canadas PIPEDA
CSA Privacy Principles
223
Laws that govern the collection, use and dissemination of personal information in the public and private sectors
Comprehensive Laws (aka: Omnibus Laws)
224
A Qubquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.
Act Respecting the Protection of Personal Information in the Private Sector
225
Software that is used to add animation and other visual effects to web-based content.
Flash
226
While the title of data protection officer has long been in use, particularly in Germany and France, the General Data Protection Regulation introduced a new legal defintion of a DPO with specific tasks. Certain organizations, particularly those that process personal data as part of their business model or those who process special categories of data as outlined in Article 9, are obligated to designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO has a variety of mandated tasks, including communication with the supervisory authority, conducting DPIAs, and advising the organization on the mandates of the GDPR and how to comply with it.
Data Protection Officer
227
In the context of European Union legislation interacting with member state law, a derogation is a place in an EU-wide regulation where individual member states are left to make their own law or have the option to deviate. A derogation can also simply refer to an exception to a certain basic rule or principle.
Derogation
228
The European Court of Human Rights (ECHR) in Strasbourg, France, upholds privacy and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108. The ECHR applies the Convention and ensures that signatory states respect the rights and guarantees set out in the Convention.
European Court of Human Rights
229
Facilities that store, manage and disseminate data and house a networks most critical systems. Data centers can serve either as a centralized facility for a single organizations data management functions or as a third-party provider for organizations data management needs.
Data Centers
230
Under the Privacy Act, federal agencies using computerized means to match data between electronic federal privacy record systems, or to match data from any federal system with non federal records, are required to create a xxx composed of senior officials and the agencys inspector general. The xxx shall, among other things: review, approve and maintain all matching programs; review all existing matching programs annually to determine compliance with laws, regulations, guidelines and agreements, and; assess the cost and benefits of the agreements.
Data Integrity Board (DIB)
231
The Federal Records Act requires the establishment of standards and procedures to ensure efficient and effective records management. The objectives of the Federal Records Act interact with federal privacy to: Ensure appropriate maintenance of a record that allows access rights to subject of the record; Minimize the collection of PII; Ensure the destruction of PII when there is no longer a business, legal, or historical need for the record.
Federal Records Act
232
Article 17(1) of the GDPR establishes that data subjects have the right to erasure of their personal data if: the data is no longer needed for its original purpose and no new lawful purpose exists; the lawful basis for the processing is the data subject s consent, the data subject withdraws that consent, and no other lawful ground exists; the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing; the data has been processed unlawfully; or erasure is necessary for compliance with EU law or the national law of the relevant member state.
Erasure
233
The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects
Data Breach Notification (EU specific)
234
The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.
Encryption
235
A US government entity that evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers
FTC, Bureau of Economics
236
To address the rise in citizen use of the Internet to access government information and services, some type of identity verification or authentication is needed. As such, agencies are required to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.
E-Authentication
237
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.
Breach Disclosure
238
A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data
Data Elements
239
What are the four classes of Privacy
Information, Bodily, Territorial, and Communication Privacy
240
Requires agencies that match data among agency systems granting financial benefits to publicly disclose that matching and explain its scope
Computer Matching and Privacy Protection Act
241
A program run by the Digital Advertising Alliance to promote awareness and choice in advertising for internet users. Websites with ads from participating DAA members will have an AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon, users may set preferences for behavioral advertising on that website or with DAA members generally across the web.
AdChoices
242
A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity. The term originates in accounting as a reference to the chain of paperwork used to validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce, to track customers activity, or cyber-security, to investigate cybercrimes.
Audit Trail
243
A Canadian term referring to information about an individual that is related to that individuals position, functions and/or performance of his or her job. A term that is undefined by PIPEDA, the privacy commissioner has decided that work product may at times fall under the definition of personal information. Access to such information by the commissioner is addressed on a case-by-case basis. Not to be confused with the American legal term -work product,- which refers to legal materials prepared in anticipation of litigation.
Work Product Information
244
A treaty that consolidates human rights within the EU. The treaty states that everyone has a right to protect their personal data, that data must be processed for legitimate and specified purposes and that compliance is subject to control by an authority
Charter of Fundamental Rights
245
The servers that contain most or all of the visible elements of a web page and that are contacted to provide those elements. In the realm of advertising, a general ad server is contacted after a webpage is requested, that ad server looks up any known information on the user requesting to access the webpage.
Content Delivery Network
246
An employment contract can be terminated by either the employer or the employee at any time for any reason.
Employment at Will
247
Also known as local governance, this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.
Decentralized Governance
248
A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.
Data Processor
249
A graphical representation of the flow of data in an information system thus allowing the visualization of how the system operates to accomplish its purpose. xxx are used both by systems analysts to design information systems and by management to model the flow of data
Data Flow Diagrams
250
FERPA establishes requirements regarding the privacy protection of student educational records. It applies to all academic institutions that receive funds under applicable U.S. Department of Education programs. FERPA gives parents certain rights with respect to their children s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are referred to as eligible students.
Family Educational Rights and Privacy Act
251
When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.
Data Protection by Design
252
An ad trafficking system through which advertisers, publishers, and networks meet and do business via a unified platform. An ad exchange allows advertisers and publishers to use the same technological platform, services, and methods, and -speak the same language- in order to exchange data, set prices, and ultimately serve an ad
Ad Exchange
253
A conceptual outline, blueprint, or diagram that defines the structure and the operation of an organization, normally in the context of developing a strategy for the realization of current and future goals or objectives.
Enterprise Architecture
254
A privacy law in the Canadian province of XXXXX, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information
Alberta PIPA (Personal Information Protection action)
255
In 2010 the U.S. Congress passed the Dodd-Frank Act to reorganize and improve financial regulation. Among other reforms it put in place, the Dodd-Frank Act created theConsumer Financial Protection Bureauand granted it rule-making authority overFCRAandGLBAas well as a few other regulations.
Dodd-Frank Wall Street Reform and Consumer Protection Act
256
Code injected by malicious web users into web pages viewed by other users.
Cross-site Scripting (XSS)
257
The first state-level comprehensive privacy law in the U.S. The -xxx-, which comes into force in 2020, will apply broadly to businesses that collect personal information from -xxx- consumers, imposing extensive transparency and disclosure obligations. It also creates consumers rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their -xxx- rights.
California Consumer Privacy Act (CCPA)
258
An identifier that is one of a kind to a specific user. For example, biometric data or a loginID for a social network.
Globally Unique Identifier (GUID)
259
A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.
Data Quality
260
A data subject providespersonal datato the collector directly, through a form or survey that is sent to the collector upon thedata subjectsubmitting the information
First-Party Collection
261
The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated theFederal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. TheUSA PATRIOT Actand subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.
Electronic Communications Privacy Act of 1986
262
A type of access control that allows an owner of an object, within a given computer-based information system, to grant or deny access.
Discretionary Access Control (DAC)
263
-xxx- is the principal interagency forum on Federal agency practices for IT management. Originally established by Executive Order 13011 (Federal Information Technology) and later codified by the E-Government Act of 2002, the -xxx- mission is to improve practices related to the design, acquisition, development, modernization, use, sharing and performance of Federal Government information resources.
CIO Council
264
Web advertising based on information about an individual such as age, height, weight, geographic location or gender
Demographic Advertising
265
An economic region that includes the European Union (EU) and Iceland, Norway and Liechtenstein which are not official members of the EU but are closely linked by economic relationship. Non-EU countries in the EEA are required to adopt EU legislation regarding the single market.
European Economic Area
266
Under FISMA, U.S. agencies information security programs must be independently evaluated yearly. The independent auditor is selected by the agency's inspector general or the head of the agency. The audit is submitted to the Office of Management and Budget.
Annual Independent Evaluations
267
A non-profit organization that sets standards for consumer privacy, transparency and control in online advertising. Over 100 advertising companies participate in and comply with their standards. The DAA has an agreement with both theCouncil on Better Business Bureausand theDirect Marketing Associationto enforce the self-regulatory standards set down by theDigital Advertising AllianceincludingAdChoices, a programming offering user control overbehavioral advertising.
Digital Advertising Alliance
268
This privacy requirement is one of the fair information practices. In the General Data Protection Regulation, however, consent is specifically one of the legal bases for processing personal data. According to the GDPR, for consent to be valid, it must be: clearly distinguishable from other matters, intelligible, and in clear and plain language; freely given; as easy to withdraw as it was to provide; specific; informed; and unambiguous. Further, it must be a positive, affirmative action (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain special categories of data, as outlined in Article 9, explicit consent is required for processing, a higher standard than unambiguous consent.
Consent (EU specific)
269
Prior to trial, information is typically exchanged between parties and their attorneys. E-discovery requires civil litigants to turn over large volumes of a company s electronic records in litigation.
Electronic Discovery
270
A customers ability to access the personal information collected on them as well as review, correct or delete any incorrect information.
Customer Access
271
The process of adding geographical information to various media in the form ofmetadata, such as latitude and longitude coordinates or city and state details for the location of a photo or social media post.
Geotagging
272
An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.
Confirmed Opt-In (aka. Double Opt-In)
273
Data controllers must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed.
Data Minimization Principle (EU specific)
274
The General Data Protection Regulation requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These -xxxxxxx- might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly
Appropriate Technical and Organizational Measures
275
Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit orprivacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.
Gap Analysis
276
A markup language that facilitates the transport, creation, retrieval and storage of documents. Similar toHTML,XMLuses tags to describe the contents of a web page or file.
Extensible Markup Language (XML)
277
The consolidation and managing of customer information in all forms and from all sources allowable. xxx is a vital component of customer relationship management.
Customer Data Integration (CDI)
278
Term used to describe both the strategy for ensuring end users do not disseminate sensitive information, whether intentionally or unintentionally, to outside ineligible sources and the software products that aid network administrators in controlling what data end users can transfer.
Data Loss Prevention
279
One of three requirements established by the General Data Protection Regulation for the processing of personal data: The first principle of processing personal data is -lawfulness, fairness, and transparency,- which states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. Linked most often with transparency, fairness means data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. Consent notices should not contain unfair terms and supervisory authority powers should similarly be exercised fairly.
Fairness
280
An action that one takes to remove identifying characteristics from data.
De-identification(De-ID)
281
A judgment delivered by the European Court of Human Rights in 1989,in Gaskin v. United Kingdom, held that the restriction of the applicant s access to his personal file was contrary to Article 8 of the Convention, citing a breach of Gaskin's right to respect for his family and private life.
Gaskin v. United Kingdom
282
In the context of the consistency mechanism (see Consistency Mechanism), the European Data Protection Board can issue binding decisions on objections to lead authority decisions, on disputes about which supervisory authority should be the lead authority, and where there has been a failure to request the EDPB s opinion under Article 64 or the opinion is not followed.
Dispute Resolution
283
Executive Order 13392 supplemented (FOIA) by reiterating the requirement for agencies to process requests in a courteous and expeditious manner. In addition, it required agencies to appoint a chief FOIA officer. The Open Government Act of 2007 codified this requirement and expanded on the responsibilities of the chief FOIA officer to include the following: have agency-wide responsibility for efficient and appropriate compliance with FOIA; monitor FOIA implementation throughout the agency; recommend to the head of the agency any necessary adjustments in practices, personnel, policies or funding.
Chief FOIA Officer
284
A concept developed by Helen Nissenbaum, xxx is a way to think about and quantify potential privacy risks in software systems and products. xxx focuses on what consumer expectations are in a given situation and how the product or system differs from that expectation. The more a product or system deviates from those expectations, the more likely a consumer will perceive a privacy harm
Contextual Integrity
285
FISMA codified a federal information security center, which is implemented in theU.S. Computer Emergency Readiness Team(US-CERT). U.S.-CERT is called upon to provide timely technical assistance regarding security incidents; compile and analyze security incident information; inform federal agency information system operators about current and potential threats, and consult withNISTand others regarding information security incidents.
Federal Information Security Incident Center
286
Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. xxx may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.
Cyber liability insurance
287
judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.
Consent Decree
288
A list of access control entries (ACE) that apply to an object.
Each ACE controls or monitors access to an object by a specified user
Access Control List
289
A Latin expression meaning from the beginning, anew or beginning again. In a legal context, a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.
De Novo
290
Personal informationreasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.
Employee Information
291
A process of software system and product design that incorporates new system requirements during the actual creation of the system, as opposed to the Plan-Driven Development Model. Agile development takes a given project and focuses on specific portions to develop one at a time
Agile Development Model
292
The European Court of Human Rights decided in 2009 that Haralambie's Article 8 right to respect for private life and family life had been violated when the applicant sought access to the secret service file on him drawn up in the days of Communist rule in Romania and was made to wait six years. The court awarded 6,000 euros.
Haralambie v. Romania
293
The -xxx- was a European Union organization that functioned as an independent advisory body on data protection and privacy and consisted of the collected data protection authorities of the member states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect.
Article 29 Working Party (WP29)
294
Integral to privacy protection is the obligation on organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.
Identifying Purposes
295
The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices
Federal Trade Commission
296
In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by theFederal Trade Commissionat the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.
Deceptive Trade Practices
297
A non-profit standards organization that developed its own set of privacy principles and broke the OECDs code into ten principles
Canadian Standards Association (CSA)
298
A contract between the owner of the software application and the user. The user agrees to pay for the use of the software and promises to comply with certain restrictions on that use.
End-User License Agreement
299
A term used to describe the large data sets which exponential growth in the amount and availability of data have allowed organizations to collect
Big Data
300
This privacy governance model allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body.
Hybrid Governance
301
The FEA-SPP serves two functions in the integration of privacy and security risk-management practices. First, it clearly articulates that while there is a symbiotic relationship between security and privacy, these practices are not identical; they are distinct practices, but intertwined. Second, the FEA-SPP lays the groundwork for driving agency integration of privacy risk management into the fundamental design of technical systems and technologies.
Federal Enterprise Architecture Security and Privacy Profile
302
Taking Individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so) the data set should: (1) have a large population of individuals, (2) Categorized to create broad sets of individuals, and; (3) not include data that would be unique to a single individual in a data set.
Data Aggregation
303
The provision of access to personal data.
Disclosure
304
Created by the Treaty of Rome, the EEC was a predecessor to the European Union that promoted a single economic market across Europe.
European Economic Community
305
Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.
Five-Step Metric Life Cycle
306
Any service which provides to users thereof the ability to send or receive wire or electronic communications.
Electronic Communications Service
307
The science or practice of hiding information, usually through its transformation. Common cryptographic functions include: encryption, decryption, digital signature and non-repudiation.
Cryptography
308
The materials necessary to encrypt and decrypt a given message, usually consisting of the encryption algorithm and the security key.
Cryptosystem
309
Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.
Commercial Electronic Message (CEM)
