CIPP Glossary Part 1 Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

A computer record of an individual’s medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.

A

Electronic Health Record

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence.

A

Factortame

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the eight Fair Information Practice Principles

A

(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
(3) The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
(4) The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law.
(5) The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
(6) The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
(7) The Individual Participation Principle. An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended;
(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

NAME?

A

Binding Corporate Rules (BCR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Also known as a record of authority, identifiespersonal dataas it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

A

Data Inventory

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The now-defunct Data Retention Directive was designed to align the rules on data retention across the EU member states in order to ensure the availability of traffic and location data for serious crime and antiterrorism purposes. The Data Retention Directive is no longer part of EU law, although member states retain competence to adopt their own national data retention laws under Article 15(1) of the ePrivacy Directive (2002/58/EC) provided that those laws comply with the fundamental rights principles that form part of EU law and the CJEU ruling that struck down the Data Retention Directive. Accordingly, EU member states have introduced draft legislative amendments or implemented national data retention laws at an individual country level

A

Data Retention Directive

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that (e)veryone has the right to respect for his private and family life, his home and his correspondence. Article 8 of the Convention limits a public authority s interference with an individual s right to privacy, but acknowledges an exception for actions in accordance with the law and necessary to preserve a democratic society. This created the Council of Europe (see Council of Europe) and the European Court of Human Rights (see European Court of Human Rights).

A

European Convention on Human Rights

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is significantly engaged in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-publicpersonal information, defined broadly to include a consumer s name and address, and consumers interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability toopt-outof some sharing of personal financial information.

A

Gramm-Leach-Bliley Act

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees personal data. These rules must include suitable and specific measures to safeguard the data subject s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.

A

Employee Personal Data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

A

Assess

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A processing operation that is performed without any human intervention. -Profiling- is defined in the General Data Protection Regulation, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to object to such processing.

A

Automated Processing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law.

A

Court of Justice of the European Union

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).

A

EU-U.S. Safe Harbor Agreement

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

An expansion of theFair Credit Reporting Actwhich focuses on consumer access and identity theft prevention. The act mandates thatcredit reporting agenciesallow consumers to obtain a free credit report once every twelve months. Additionally, it allows consumers to request alerts when a creditor suspects identity theft and gave theFederal Trade Commission(FTC) authority to promulgate rules to prevent identity theft. The FTC used the authority to create theRed Flags Rule.

A

Fair and Accurate Credit Transactions Act of 2003

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

One of two chambers of theCanadian Parliament, along with theSenate. Members of theHouse of Commonsare elected at least every five years.

A

House of Commons

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Linked graphic or text that is used to connect an end user to other websites, parts of websites or web-enabled services. TheURLof a web location is embedded in theHTMLcode, so that when certain words or images are selected through the web browser, the end user is transported to the destination website or page.

A

Hyperlink

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are three Bureau of the FTC

A

Competition, Consumer Protection, and Economics

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A position within an organization that is responsible for managing risks of privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005

A

Chief Privacy Officer (Agency level) (CPO)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

A federal law governing the behavior of federal advisory committees, restricting the formation of such committees to those deemed essential, limiting their powers and their length of operation, requiring open meetings and open records and mandating a publicly-accessible government-wide database.

A

Federal Advisory Committee Act, The

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

A federal law requiring agencies found of data mining to submit a yearly report to Congress. The privacy office of that agency must be involved in producing the report. The report will be made public and describe all of the agency s data-mining activity, goals and an assessment of the effectiveness of the data mining activity.

A

Federal Agency Data Mining Reporting Act

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

is responsible for the functions that are critical to the success of the Canadian CA profession. -xxx-, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications

A

Canadian Institute of Chartered Accountants (CICA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.

A

Freedom of Information Act, The

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13

A

Childrens Online Privacy Protection Act (COPPA) of 1998

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location based services.

A

Electronic Surveillance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

FOIA stands for

A

Freedom of Information Act

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

An entity that enforces the nation’s antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.

A

FTC, Bureau of Competition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

A

Anonymous Information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

One of the General Data Protection Regulation’s explicitly stated data protection principles, personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.

A

Data Quality (EU specific)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

A secure network communication method, technically not a protocol in itself, HTTPS is the result of layering theHypertext Transfer Protocol(HTTP) on top of theSSL/TLSprotocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.

A

Hypertext Transfer Protocol Secure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit -xxx-

A

Caching

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Germany’s federal data protection act, implementing the General Data Protection Regulation. With the passage of the GDPR, it replaced a previous law with the same name (hence -neu- in common parlance) and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the new version suggests a procedure for national data protection authorities to challenge adequacy decisions of the EU Commission

A

Bundesdatenschutzgesetz-neu

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

The data protection regulator for the European Union as an entity, ensuring the EU institutions, such as the Parliament, Commission, and Council of the European Union, protect the rights and freedoms of data subjects. The EDPS acts as secretariat to the European Data Protection Board (see European Data Protection Board).

A

European Data Protection Supervisor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Use of employees own personal computing devices for work purposes.

A

Bring Your Own Device (BYOD)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Collects data to meet the nations statistical needs. Because the data that the -xxx- collects is often highly personal in nature, and the -xxx- depends on the trust of the individuals and businesses that supply the data, privacy protection is a high priority

A

Census Bureau

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.

A

Contextual Advertising

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

The General Data Protection Regulation requires that consent be a freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject must have a genuine choice, must be able to refuse or withdraw consent without fear of consequence. Where there is a power imbalance, as in an employer-employee relationship, for example, it’s likely that consent cannot be freely given.

A

Freely Given

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

The -xxx’ is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a -xxx- often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.

A

Business Continuity Plan (BCP)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

In order to ensure the consistent application of the General Data Protection Regulation throughout the European Union, the GDPR establishes a -xxx- that allows member state supervisory authorities to cooperate with one anotherThe mechanism applies particularly where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several member states. When a member state supervisory authority intends to take action, such as approving a code of conduct or certification mechanism, it shall provide a draft to the European Data Protection Board, and the EDPB’s members shall render an opinion on that draft, which the supervisory authority shall take into account and then either amend or decide to go forward with the draft in its original form. Should there be significant difference in opinion, the dispute resolution mechanism will be triggered

A

Consistency Mechanism

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

As technology has advanced, it has become easier to differentiate between users just based on the given instance of the browser they are using. Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements have been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.

A

Browser Fingerprinting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

xxxxx laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise

A

Anti-discrimination Laws

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.

A

Data Portability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

xxx is taking user identifications and converting them into an ordered system to track the users activities without directly using personally identifiable information (PII).

xxx can be used to encryptor map data; in the context of privacy, hashing is used in cryptographichash functions and have many information security applications.

A

Hashing Functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

A term often used to refer to a supervisory authority, which is an independent public authority responsible for monitoring the application of the General Data Protection Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the European Union. xxx also oversee other data protection-related laws, such as the ePrivacy Directive and other local member state laws.

A

Data Protection Authority (DPA) (EU specific)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

xxx implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect

A

Establishment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

In the context of data protection law, xxx can be defined as personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations. While xxx is offered in the General Data Protection Regulation as an example of processing for the legitimate interest of an organization, it also says the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such xxx.

A

Direct Marketing (EU specific)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

A

American Institute of Certified Public Accountants

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

Used in Plan-driven Development Models, a xxx is a detailed outline of how a software product or system will work once it is fully operational. This is used to shape how a product or system will be designed and implemented

A

Concept of Operations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

An identified or identifiable natural person.

A

Data Subject

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.

A

Established Business Relationship

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset.

xxxx criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. .

A

Authorization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

Attacks that exploit flaws in the network applications installed on network servers.

Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks

A

Application-Layer Attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor s web browser, operating system and font preferences.

In some cases, combining this information can be used to xxx a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for xxx techniques to be used for targeted advertising.

A

Digital Fingerprinting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

Advertising that is targeted at individuals based on the observation of their behaviour over time.

Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of -xxx- advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

A

Behavioral Advertising

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

Japanese legislation aimed at the financial services sector that established cross-sectional legislative framework for investor protections, enhanced disclosure requirements, provided guidelines for the management of self-regulatory operations by financial exchanges, and implemented strict countermeasures against unfair trading.

A

Financial Instruments and Exchange Law of Japan

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

A comprehensive set of reform measures, developed by the xxx Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector

A

Basel III

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

Common law tort focuses on a false or defamatory statement, defined as a communication tending so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

A

Defamation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

This is the main decision-making body of the EU, with a central role in both political and legislative decisions.

The council was established by the treaties of the 1950s, which laid the foundations for the EU, and works with the European Parliament to create EU law.

A

Council of the European Union (28 Members)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

A networking language that manages data packets over the Internet.

It defines how messages are formatted and transmitted over a TCP/IP network for websites. Further, it defines what actions Web servers and web browsers take in response to various commands.

A

Hypertext Transfer Protocol

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

xxx is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.

A

Convention 108

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

A cryptographic algorithm applied to unencrypted text to disguise its value or to decrypt encrypted text.

A

Encryption Key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

The requirement under the General Data Protection Regulation that the European Data Protection Board and each supervisory authority periodically report on their activities.

The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission

A

Annual Reports

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable.

The xxx has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act

A

Federal Communications Commission (FCC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q

Used as a means of assuring compliance with privacy rules and policies in the design of new software systems. xxx take privacy rules and compare them to the system requirements that have been used to design a new software system.

By pairing privacy rules with specific system requirements, necessary technical safeguards can be accounted for, preventing the software from being designed in such a way that would violate privacy policies and regulations.

A

Completeness Arguments

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
64
Q

Passed in response to the increased use of the Internet by U.S. federal agencies, the act was designed to ensure the quality of information released by agencies by establishing four major requirements:

(1) Office of Management and Budget (OMB) was to issue guidelines -ensuring and maximizing the quality, objectivity, utility and integrity- of disseminated information;
(2) agencies must issue their own sets of information quality guidelines;
(3) agencies must establish administrative mechanisms for persons to correct erroneous information about themselves;
(4) agencies must annually report to OMB regarding the number, nature and handling of complaints.

A

Data Quality Act of 2000

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
65
Q

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

A

Data Controller

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
66
Q

Unwritten legal principles that have developed over time based on social customs and expectations.

A

Common Law

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
67
Q

Organizations may want to verify an applicants ability to function in the working environment as well as assuring the safety and security of existing workers.

xxx range from checking a persons educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.

A

Background Screening/Checks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
68
Q

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union.

It is also responsible for making adequacy determinations with regard to data transfers to third-party countries

A

European Commission

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
69
Q

After the savings and loans crisis of the 1980s, the U.S Congress passed xxx to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a Financial institution fails to comply with the information privacy requirements contained in GLBA.

A

Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA )

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
70
Q

The idea that one should only collect and retain that personal data which is necessary.

A

Data Minimization Principle

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
71
Q

Independent public authorities that supervise the application of data protection laws in the EU.

xxx provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own xxx. Under GDPR, xxx have extensive enforcement powers, including the ability to impose fines that total 4% of a company s global annual revenue.

A

Data Protection Authority (DPA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
72
Q

The practice of customizing an advertisement for a product or service to a specific market based on the geographic location of potential customers.

A

Geotargeting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
73
Q

Entities that collect, aggregate and sell individuals personal data, derivatives and inferences from disparate public or private sources.

A

Data Brokers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
74
Q

An independent U.S. federal agency that enforces laws against workplace discrimination.

The xxx investigates discrimination complaints based on an individual’s race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.

A

Equal Employment Opportunity Commission, The (EEOC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
75
Q

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

xxx do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

A

Data Breach

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
76
Q

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

A

Collection Limitation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
77
Q

What is Ciphertext

A

Encrypted (enciphered) data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
78
Q

The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.

It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts. xxxs are required by the General Data Protection Regulation in some instances, particularly where a new product or service is likely to result in a high risk to the rights and freedoms of natural persons.

A

Data Protection Impact Assessment (DPIA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
79
Q

A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

A

Health Breach Notification Rule

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
80
Q

xxx outline the basic contours of the measures an organization takes in the processing and handling of personal data.

Key matters the policy should address include: Scope, which explains both to whom the internal policy applies and the type of processing activities it covers; Policy statement; Employee responsibilities; Management responsibilities; Reporting incidents; Policy compliance.

A

Data Protection Policy (DPP)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
81
Q

A content authoring language used to create web pages.

Web browsers use xxx to interpret and render visible and audible content from the web pages. Document tags can be used to format and lay out web page content and to hyperlinkconnect dynamically to other web content. Forms, links, pictures and text may all be added with minimal commands

A

Hypertext Markup Language (HTML)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
82
Q

xxx is the creation of virtual perimeters linked to the geographic position of a mobile device.

In the BYOD context, xxx may be used to restrict access to applications or sensitive information inside of or outside of specific locations. For example, a company may be able to restrict access to potentially risky applications on a personal device when the device is connected to the company s network or, conversely, restrict access to company resources when the device is outside of the company s network.

A

Geofencing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
83
Q

A firewall configuration for securinglocal area networks(LANs).

In a xxx configuration, there are a set of computers that act as a broker for traffic between the LAN and an outside network allowing the majority of computers to run safely behind a firewall. Thus these computers act as a broker similar to a joint security area in a political demilitarized zone.

A

DMZ (Demilitarized Zone) Network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
84
Q

launched in 1949, is a human rights organization with 47 member countries, including the 28 member states of the European Union.

The members have all signed the European Convention on Human rights and are subject to the European Court of Human Rights. The Council’s Convention 108 (see Convention 108) was the first legally binding international agreement to protect the human right of privacy and data protection

A

Council of Europe

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
85
Q

What are the three V’s of Big data?

A

the three Vs:
volume (the amount of data),
velocity (the speed at which data may now be collected and analyzed), and
variety (the format, structured or unstructured, and type of data, e.g. transaction or behavioral).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
86
Q

Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.

xxx must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

A

Codes of Conduct

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
87
Q

When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons

A

Active Data Collection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
88
Q

What 3 entities are excluded from PIPEDA commercial activity definition

A
  1. Non-profit associations
  2. unions
  3. Private Schools
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
89
Q

Amending the U.S.Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after five years, but with this act the registrations became permanent.

A

Do-Not-Call Improvement Act of 2007

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
90
Q

What are the three principle of CIA?

A
  1. Confidentiality
  2. Integrity,
  3. Availability.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
91
Q

When was the Charter of Rights and Freedoms added to the Canadian Constitution?

A

1982

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
92
Q

A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information

A

Canadian Organization for the Advancement of Computers in Health (COACH)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
93
Q

The implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

A

Data Protection by Default

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
94
Q

A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.

A

Consumerization of Information Technology (COIT)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
95
Q

COPPA required website operator to do the following 7 things

A
  1. To post a privacy notice on the homepage of the website;
  2. provide notice about collection practices to parents; 3.obtain verifiable parental consent before collecting personal information from children;
  3. give parents a choice as to whether their child’s personal information will be disclosed to third parties;
  4. provide parents access and the opportunity to delete the child’s personal information and
  5. opt out of future collection or use of the information, and
  6. maintain the confidentiality, security and integrity of personal information collected from children.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
96
Q

A form of data encryption that uses two separate but related keys to encrypt data.

The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.

A

Asymmetric Encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
97
Q

A consumer-initiated security measure which locks an individuals data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.

A

Credit Freeze

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
98
Q

Websites with online ordering capabilities have special privacy advantages and risks. Unlike other web advertisers, xxx websites have direct access to information regarding user purchases and payment information. While creating a great opportunity for targeted advertising, it also puts extra onus on these websites to protect user information.

A

E-Commerce Websites

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
99
Q

The order that provides information about the goals, direction, duties and responsibilities with respect to the national intelligence effort and provides basic information on how intelligence activities should be conducted.

The executive order states that agencies within the intelligence community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned, and must be approved by the attorney general.

A

Executive Order 12333

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
100
Q

The xxx replaced the EEC, which was created by the Treaty of Rome and first promoted a single economic market across Europe. The xxx currently comprises 28 member states:

A

European Union

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
101
Q

A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file.

If anything is changed in the electronic document after the xxx is attached, the signature is rendered invalid.

A

Digital Signature

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
102
Q

Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals;

networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.

A

Electronic Communications Network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
103
Q

An element in an access control list (ACL).

Each xxx , monitors, or records access to an object by a specified user.

A

Access Control Entry

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
104
Q

An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.

A

Attribute-Based Access Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
105
Q

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

A

Case Law

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
106
Q

It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.

A

Individual Participation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
107
Q

Under Canada’s PIPEDA, xxx means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

A

Commercial Activity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
108
Q

Specific details about how a system should work, what inputs create what outputs, and design elements to be implemented.

For example, A system shall do processing of personal information to create user profiles.

A

Functional System Requirements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
109
Q

An encryption algorithm for security sensitive non-classified material by the U.S. Government.

This algorithm was selected in 2001 to replace the previous algorithm, the Date Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.

A

Advanced Encryption Standard (AES)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
110
Q

Originally an acronym for xxx, it has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise.

Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

A

closed circuit television (CCTV)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
111
Q

Canadian xxx applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.

A

Canadas Anti-Spam Legislation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
112
Q

Introduced by the General Data Protection Regulation, xxx are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses.

xxx must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

A

Certification Mechanisms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
113
Q

What does COPPA stand for?

A

Childrens Online Privacy Protection Act

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
114
Q

A U.S. federal law enacted as part of the E-Government Act of 2002.

The act requires each federal agency to develop, document and implement an agency-wide program to provide information security for the data and data systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.

xxx requires agency program officials, chief information officers and inspectors general to conduct annual reviews of the agency s information security program and report the results to Office of Management and Budget.

A

Federal Information Security Management Act of 2002, The (FISMA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
115
Q

Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. xxx can exist under both comprehensive and sectoral models.

A

Co-regulatory Model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
116
Q

The provision of information technology services over the Internet.

These services may be provided by a company for its internal users in a -private cloud- or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems).
xxx has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models

A

Cloud Computing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
117
Q

A US government entity that stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.

A

FTC, Bureau of Consumer Protection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
118
Q

What are the 5 phase of the Audit Life Cycle

A

Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
119
Q

A network system formed through the connection of two or more corporate intranets. These external networks create inherent security risks, while often also meeting important organizational goals.

A

Extranet

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
120
Q

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.

A

Centralized governance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
121
Q

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, -xxx- is the individual’s way of giving permission for the use or disclosure. -xxx-may be affirmative; i.e., opt-in; or implied; i.e., the individual didnt opt out.(1) Affirmative/Explicit -xxx-: A requirement that an individual –signifies– his or her agreement with a data controller by some active communication between the parties.(2) Implicit -xxx-: Implied -xxx- arises where -xxx- may reasonably be inferred from the action or inaction of the individual.

A

Consent (aka choice)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
122
Q

Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, xxx is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, xxx counted 50 member countries.

A

Global Privacy Enforcement Network (GPEN)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
123
Q

What year was COPPA implemented

A

1998

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
124
Q

A U.S. law that bars discrimination against qualified individuals with disabilities.

A

Americans with Disabilities Act (ADA)

125
Q

As defined in the U.S. Fair Credit Reporting Act: Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes, or (2) employment purposes, or (3) other purposes authorized under section 604. The term does not include any (A) any report containing information solely as to transactions or experiences between the consumer and the person making the report; (B) authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; or (C) report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made and such person makes the disclosures to the consumer required under section 615.

A

Consumer Report

126
Q

xxx, generally requires multi-member federal agencies; i.e., the FCC and SEC, to hold their meetings in public and to give advance public notice of their meetings. The goal of the xxx is to promote public access to information about the decision-making processes of the federal government and to improve those processes by exposing them to public view.

A

Government in the Sunshine Act

127
Q

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.

A

Business Continuity and Disaster Recovery Plan (BCDR)

128
Q

The process of de-identifying,anonymizing, or otherwise obscuring data so that the structure remains the same but the content is no longer sensitive in order to generate a data set that is useful for training or software testing purposes.

A

Data Masking

129
Q

Also known as information security triad; three common information security principles from the 1960s,

A

CIA Triad

Confidentiality, integrity, availability.

130
Q

A sectoral privacy directive for European Union Member States, which applies to the digital industry. Among other provisions, the xxx requires websites to obtain consumer consent before placing cookies for marketing purposes.
The EU is currently considering reform of the xxx.

A

ePrivacy Directive

131
Q

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

A

Computer Forensics

132
Q

One of the four classes of privacy, It focuses on a persons physical being and any invasion thereof.

Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

A

Bodily Privacy

133
Q

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.

A

Authentication

134
Q

A set of non-binding principles that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

A

APEC (Asian-Pacific Economic Cooperation) Privacy Principles

135
Q

Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission.

It also applies to onward transfers from one third country or international organisation to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.

A

Cross-border Data Transfers (EU specific)

136
Q

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

A

Direct Marketing

137
Q

Article 5 of the General Data Protection Regulation lists the principles as such: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality.

A

Data Protection Principles

138
Q

They are constitutional rights and thus are considered to be the most valued rights in Canada. The xxx and Freedoms was made part of the Canadian Constitution in 1982.

A

Charter Rights

139
Q

A U.S. federal law regulating the way that U.S. intelligence agencies conduct foreign intelligence surveillance activities, including wiretaps and the interception of communications.

The act sets forth a judicial approval process required when the government targets U.S. persons located within the United States. FISA allows warrantless surveillance to be conducted without a court order for up to one year, provided the surveillance is for foreign intelligence information, is targeting foreign powers and will not capture the contents of any communication to which a U.S. person is a party. Generally speaking, FISA does not apply to activities directed at persons overseas.

A

Foreign Intelligence Surveillance Act of 1978, The

140
Q

One of the four classes of privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

A

Communications Privacy

141
Q

A computer program or algorithm that replicates itself over a computer network, usually performing malicious actions.

A

Worm

142
Q

A court case in which the Court of Appeal of the United Kingdom narrowed the definition of personal data under the Data Protection Act of 1998. It established a two-stage test; the information must be biographical in a significant sense and the individual must be the focus of the information.

A

Durant v. Financial Services Authority

143
Q

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

A

Data Recipient

144
Q

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The General Data Protection Regulation instituted new rules for notification of supervisory authorities and data subjects following the discovery of a data breach, depending on the risk the breach presents to the rights and freedoms of data subjects

A

Data Breach (EU specific)

145
Q

The rules and safeguards applying under various laws and regulations to personal data about individuals that organizations collect, store, use and disclose. Data protection is the professional term used in the EU, whereas in the U.S. the concept is generally referred to as information privacy. Importantly, data protection is different from data security, since it extends beyond securing information to devising and implementing policies for its fair use

A

Data Protection

146
Q

The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata (see Metadata). The ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of -xxx-.

A

Content Data

147
Q

Consists of three main categories of personal data, as defined in the European Union under the ePrivacy Directive: the content of a communication, traffic data, and location data.

A

Electronic Communications Data

148
Q

Previously, the EU distinguished between Binding Corporate Rules for controllers and -xxx-. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both

A

Binding Safe Processor Rules (BSPR)

149
Q

A company that allows advertising clients to buy digital media on several different selling systems, or exchanges, through one interface.

A

Demand Side Platform (DSP)

150
Q

A company that serves as a broker between a group of publishers and a group of advertisers. Networks traditionally aggregate unsold inventory from publishers in order to offer advertisers a consolidated and generally less expensive pool of impressions, but they can have a wide variety of business models and clients

A

Ad Network

151
Q

An activity that involves comparingpersonal dataobtained from a variety of sources, includingpersonal informationbanks, for the purpose of making decisions about the individuals to whom the data pertains.

A

Data Matching

152
Q

The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects

A

Breach Disclosure (EU specific)

153
Q

Also known asInformation Life Cycle Management(ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure;information security; authenticity and accuracy of one s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

A

Data Life Cycle Management

154
Q

The General Data Protection Regulation requires that an organization be able to ensure the ongoing:

A
  1. confidentiality, 2.integrity, 3.availability and 4.resilience of processing systems and services as part of its requirements for appropriate security
155
Q

Part of the consistency mechanism (see Consistency Mechanism) of the General Data Protection Regulation, xxx is required between supervisory authorities when working with controllers or processors handling the personal data of data subjects in multiple member states. This is often referred to as the -one-stop shop,- whereby a lead supervisory authority works with the supervisory authorities of other member states with affected data subjects.

A

Cooperation

156
Q

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

A

Customer Information

157
Q

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals privacy and personal data use

A

EU Data Protection Directive

158
Q

A catch-all term for various technologies and browser settings designed to allow data subjects to indicate their objection to tracking by websites. Years of effort, by the W3C and other organizations, to create an official Do Not Track standard for HTTP headers has of yet led to naught.

A

Do Not Track (DNT)

159
Q

Shorthand for the case of Google Spain v AEPD and Mario Costeja Gonz ­lez, where Costeja successfully sued Google Spain, Google Inc. and La Vanguardia newspaper. When the Court of Justice of the EU ruled that Google Spain must remove the links to the article, the -right to be forgotten- (see Right To Be Forgotten) was effectively established in the European Union. The General Data Protection Regulation subsequently more formally granted data subjects the right to deletion in certain circumstances

A

Costeja

160
Q

A rule, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

A

Final Health Breach Notification Rule

161
Q

The process of assigning geographic coordinates to non-locational data so that they can be placed as points on a map. For example, geocoding could be used to translate a street address (which describes a location) into precise coordinates that identify the location on a map

A

Geocoding

162
Q

A corporation that acts as a regulator for brokerage firms and exchange markets. Its primary charge is to make sure that security exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors. Although it is a non-governmental regulator, ultimately it is subject to the regulations of the Securities and Exchange Commission along with the rest of the security exchange industry

A

Financial Industry Regulatory Authority

163
Q

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance

A

Fair Credit Reporting Act, The

164
Q

One of 10 privacy principles ofPIPEDA. Organizations must be able to respond to requests from individuals for access to theirpersonal information.

A

Individual Access

165
Q

The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018. The aim of the GDPR is to provide one set of data protection rules for all EU member states and the European Economic Area (EEA). The document comprises 173 recitals and 99 articles.

A

General Data Protection Regulation

166
Q

Created by the Dodd-Frank Act, the -xxx- is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created xxx took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against abusive acts and practicesƒ  as specified by the Dodd-Frank Act.

A

Consumer Financial Protection Bureau (CFPB)

167
Q

List 3 ways Anonymization can occur

A

Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.

168
Q

The title given in some member states to the supervisory authority

A

Data Protection Commissioner

169
Q

The successor to the Article 29 Working Party, it consists of the heads of the supervisory authorities of the member states and the European Data Protection Supervisor (see European Data Protection Supervisor), and the Commission is entitled to send a delegate to its meetings. The EDPB s role is to ensure the consistent application of the Regulation and, in addition to supporting cooperation between the regulators and applying the consistency mechanism (see Consistency Mechanism), it shall publish advice, guidance, recommendations and best practices. The supervisory authorities elect a chairperson, with certain powers, from amongst their membership.

A

European Data Protection Board

170
Q

A scheme that provides the basis for managing access to, and protection of, data assets.

A

Data Classification

171
Q

Data is -xxx- if it is protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

A

Confidentiality

172
Q

What 4 Situations are typically covered in BCP

A

Fire, Flood, Natural disasters, and terrorist attacks

173
Q

Adopted either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism (see Consistency Mechanism) and then adopted by the Commission, xxx are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

A

Contractual Clauses

174
Q

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.

A

The Bank Secrecy Act

175
Q

The only EU institution whose members are directly elected by citizens of individual member states, Parliament has four responsibilities legislative development, supervisory oversight of other institutions, democratic representation and budget development.

A

European Parliament

176
Q

As-isƒ  data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

A

Current baseline

177
Q

The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have adequateƒ  data protection practices.

A

Cross-border Data Transfers

178
Q

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.

A

Administrative Purpose

179
Q

NAME?

A

Artificial Intelligence

180
Q

Section 5(a) of the FTC Act empowers the agency to enforce against unfair or deceptive acts or practices in or affecting commerce. Over the past two decades, the FTC has used this authority extensively to hold businesses to fair and transparent privacy and security standards.

A

Federal Trade Commission Act, Section 5 of

181
Q

xxx, primarily in the European Union, are bodies that represent employees and have certain rights under local law that affect the use of employee data by employers. Works councils can have a role in deciding whether employees personal data can be processed because they typically have an obligation to safeguard employee rights, which include data protection and privacy rights. They are most likely to be encountered in a data protection setting in Germany.

A

Works Councils

182
Q

CIO Council mission to improve, what 6 practices

A
  1. Design 2. Acquisitions 3. Development 4. Modernization 5. use 6.Sharing and performance of Federal government information resources
183
Q

The GET and POSTHTMLmethod attributes specify how form data is sent to a web page. The GET method appends the form data to theURLin name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser s address bar, and is thus less secure than the POST method.

A

GET Method

184
Q

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.

A

Active Scanning Tools

185
Q

A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information

A

BC PIPA (Privacy Information Protection Action)

186
Q

The so-called -xxx- is an amendment made to the European Union’s Directive 2002/58, also known as the ePrivacy Directive, that requires organizations to get consent before placing cookies (see Cookies) and other tracking technologies on digital devices. With the passage of the General Data Protection Regulation, this definition of consent has changed and opt-out consent is no longer viable in this area.

A

Cookie Directive

187
Q

xxx is the IT business strategy of providing employees with company-owned devices. xxx may, nonetheless, implicate BYOD concerns when employees use xxx devices equally for personal use.

A

Corporate Owned, Personally Enabled (COPE)

188
Q

A framework promulgated by theAmerican Institute of Certified Public Accountants(AICPA) in conjunction with theCanadian Institute of Chartered Accountants(CICA). The ten principles are management, notice,choiceandconsent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.

A

Generally Accepted Privacy Principles

189
Q

Created in 2016 to replace the invalidated EU-U.S. Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the United States for companies participating in the program. Only those companies that fall under the jurisdiction of the U.S. Federal Trade Commission may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.

A

EU-US Privacy Shield

190
Q

Under the Fair Credit Reporting Act, the term xxxxxxƒ  is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action

A

Adverse Action

191
Q

A case in which the European Court of Human Rights held that monitoring an applicant’s email at work was contrary to Article 8 of the Convention on Human Rights.

A

Copland v. United Kingdom

192
Q

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

A

Data Processing

193
Q

what are the 10 Principles of Canadian Standards Association (CSA) also listed in PIPEDA

A
  1. Accountability, 2. Identifying Purpose 3. Consent 4. Limiting Collection 5. Limiting Use, Disclosure, and Retention 6. Accuracy 7. Safeguards 8. Openness 9.Individual Access 10. Challenging Compliance
194
Q

A data storage device in which information, once written, cannot be modified. This protection offers assurance that the data originally written to the device has not been tampered with. The only way to remove data written to a xxx device is to physically destroy the device.

A

Write Once Read Many (WORM)

195
Q

The degree to which a user is identified by anauthenticationsystem. The more unique (identifiable), the easier that user is tracked or targeted. The less identifiable, the easier it is to falsely authorize a non-user.

A

Identifiability

196
Q

Codes or strings used to represent an individual, device or browser.

A

Identifiers

197
Q

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.

A

Anonymization

198
Q

A continuation of policy directives for theEuropean UnionMember States as set forth in theData Protection Directive. It has been amended by theCookie Directive 2009/136EC, which added a requirement that all websites using tracking cookies obtain user consent unless the cookie is strictly necessary for the delivery of a service requested by the use. This policy recognizes the importance of cookies for the functioning of modern websites while still making users aware of any tracking the user may not want to participate in.

A

Directive on Privacy and Electronic Communications Act 2002/58EC

199
Q

A system that standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.

A

Controlled Unclassified Information

200
Q

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.

A

California Investigative Consumer Reporting Agencies Act

201
Q

EMM refers to a comprehensive organizational strategy for securing and enabling employee use of mobile devices such as smartphones and tablets. EMMs are used to prevent unauthorized access to applications containing corporate data on mobile devices, usually through the use of password protection,encryptionand remote wiping technology.

A

Enterprise Mobility Management (EMM)

202
Q

Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

A

Accuracy

203
Q

-xxx-, refers to the idea that consent must be freely given and that data subjects must have a genuine -xxx- as to whether to provide personal data or not. If there is no true -xxx- it is unlikely the consent will be deemed valid under the General Data Protection Regulation.

A

Choice

204
Q

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

A

Audit Life Cycle

205
Q

Enacted as part of theAmerican Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

A

Health Information Technology for Economic and Clinical Health Act, The

206
Q

Data is -xxx- if it is accessible when needed by the organization or data subject. The General Data Protection Regulation requires that a business be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

A

Availability

207
Q

A U.S. federal law that, among other things, requires federal agencies to conduct Privacy Impact Assessments on new or substantially revised information technology.

A

E-Government Act

208
Q

The GDPR establishes direct legal obligations applicable to service providers acting as -processors- (see Processor), whilst giving an increased emphasis to the contractual obligations in place between customers and data processing service providers

A

Established Service Provider

209
Q

The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law.

A

Digital Rights Management

210
Q

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

A

Business case

211
Q

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

A

Consumer Reporting Agency

212
Q

The European Council is the collection of heads of states of European Union member states. It provides general political direction for the EU and does not exercise legislative functions.

A

European Council

213
Q

Grants the authority to theFederal Trade Commissionto create theNational Do-Not-Call Registryin the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations. Originally consumers would have to re-register their numbers with the FTC everyfive years for continued prevention, but theDo-Not-Call Improvement Act of 2007extended registration indefinitely. Violations can be enforced by the FTC,Federal Communications Commission, and state attorneys general with up to a $16,000 fine per violation.

A

Do-Not-Call Implementation Act of 2003

214
Q

A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data

A

Adequate Level of Protection

215
Q

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required theU.S. Department of Health and Human Servicesto promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have toopt inbefore their information can be shared with other organizations although there are important exceptions such as for treatment, payment and healthcare operations.

A

Health Insurance Portability and Accountability Act, The

216
Q

Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists -xxx- data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

A

Biometrics

217
Q

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

A

Accountability

218
Q

Personal informationthat is directly given to a social network or other website by a user.

A

Declared Data

219
Q

The General Data Protection Regulation refers to xxxxxx in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context

A

Appropriate Safeguards

220
Q

any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee

A

Credit Reporting Agency (CRA)

221
Q

A small text file stored on a client machine that may later be retrieved by a web server from the machine. xxx allow web servers to keep track of the end users browser activities, and connect individual web requests into a session

A

Cookie

222
Q

The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canadas PIPEDA

A

CSA Privacy Principles

223
Q

Laws that govern the collection, use and dissemination of personal information in the public and private sectors

A

Comprehensive Laws (aka: Omnibus Laws)

224
Q

A Qubquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.

A

Act Respecting the Protection of Personal Information in the Private Sector

225
Q

Software that is used to add animation and other visual effects to web-based content.

A

Flash

226
Q

While the title of data protection officer has long been in use, particularly in Germany and France, the General Data Protection Regulation introduced a new legal defintion of a DPO with specific tasks. Certain organizations, particularly those that process personal data as part of their business model or those who process special categories of data as outlined in Article 9, are obligated to designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO has a variety of mandated tasks, including communication with the supervisory authority, conducting DPIAs, and advising the organization on the mandates of the GDPR and how to comply with it.

A

Data Protection Officer

227
Q

In the context of European Union legislation interacting with member state law, a derogation is a place in an EU-wide regulation where individual member states are left to make their own law or have the option to deviate. A derogation can also simply refer to an exception to a certain basic rule or principle.

A

Derogation

228
Q

The European Court of Human Rights (ECHR) in Strasbourg, France, upholds privacy and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108. The ECHR applies the Convention and ensures that signatory states respect the rights and guarantees set out in the Convention.

A

European Court of Human Rights

229
Q

Facilities that store, manage and disseminate data and house a networks most critical systems. Data centers can serve either as a centralized facility for a single organizations data management functions or as a third-party provider for organizations data management needs.

A

Data Centers

230
Q

Under the Privacy Act, federal agencies using computerized means to match data between electronic federal privacy record systems, or to match data from any federal system with non federal records, are required to create a xxx composed of senior officials and the agencys inspector general. The xxx shall, among other things: review, approve and maintain all matching programs; review all existing matching programs annually to determine compliance with laws, regulations, guidelines and agreements, and; assess the cost and benefits of the agreements.

A

Data Integrity Board (DIB)

231
Q

The Federal Records Act requires the establishment of standards and procedures to ensure efficient and effective records management. The objectives of the Federal Records Act interact with federal privacy to: Ensure appropriate maintenance of a record that allows access rights to subject of the record; Minimize the collection of PII; Ensure the destruction of PII when there is no longer a business, legal, or historical need for the record.

A

Federal Records Act

232
Q

Article 17(1) of the GDPR establishes that data subjects have the right to erasure of their personal data if: the data is no longer needed for its original purpose and no new lawful purpose exists; the lawful basis for the processing is the data subject s consent, the data subject withdraws that consent, and no other lawful ground exists; the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing; the data has been processed unlawfully; or erasure is necessary for compliance with EU law or the national law of the relevant member state.

A

Erasure

233
Q

The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects

A

Data Breach Notification (EU specific)

234
Q

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.

A

Encryption

235
Q

A US government entity that evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers

A

FTC, Bureau of Economics

236
Q

To address the rise in citizen use of the Internet to access government information and services, some type of identity verification or authentication is needed. As such, agencies are required to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.

A

E-Authentication

237
Q

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.

A

Breach Disclosure

238
Q

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data

A

Data Elements

239
Q

What are the four classes of Privacy

A

Information, Bodily, Territorial, and Communication Privacy

240
Q

Requires agencies that match data among agency systems granting financial benefits to publicly disclose that matching and explain its scope

A

Computer Matching and Privacy Protection Act

241
Q

A program run by the Digital Advertising Alliance to promote awareness and choice in advertising for internet users. Websites with ads from participating DAA members will have an AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon, users may set preferences for behavioral advertising on that website or with DAA members generally across the web.

A

AdChoices

242
Q

A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity. The term originates in accounting as a reference to the chain of paperwork used to validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce, to track customers activity, or cyber-security, to investigate cybercrimes.

A

Audit Trail

243
Q

A Canadian term referring to information about an individual that is related to that individuals position, functions and/or performance of his or her job. A term that is undefined by PIPEDA, the privacy commissioner has decided that work product may at times fall under the definition of personal information. Access to such information by the commissioner is addressed on a case-by-case basis. Not to be confused with the American legal term -work product,- which refers to legal materials prepared in anticipation of litigation.

A

Work Product Information

244
Q

A treaty that consolidates human rights within the EU. The treaty states that everyone has a right to protect their personal data, that data must be processed for legitimate and specified purposes and that compliance is subject to control by an authority

A

Charter of Fundamental Rights

245
Q

The servers that contain most or all of the visible elements of a web page and that are contacted to provide those elements. In the realm of advertising, a general ad server is contacted after a webpage is requested, that ad server looks up any known information on the user requesting to access the webpage.

A

Content Delivery Network

246
Q

An employment contract can be terminated by either the employer or the employee at any time for any reason.

A

Employment at Will

247
Q

Also known as local governance, this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.

A

Decentralized Governance

248
Q

A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

A

Data Processor

249
Q

A graphical representation of the flow of data in an information system thus allowing the visualization of how the system operates to accomplish its purpose. xxx are used both by systems analysts to design information systems and by management to model the flow of data

A

Data Flow Diagrams

250
Q

FERPA establishes requirements regarding the privacy protection of student educational records. It applies to all academic institutions that receive funds under applicable U.S. Department of Education programs. FERPA gives parents certain rights with respect to their children s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are referred to as eligible students.

A

Family Educational Rights and Privacy Act

251
Q

When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

A

Data Protection by Design

252
Q

An ad trafficking system through which advertisers, publishers, and networks meet and do business via a unified platform. An ad exchange allows advertisers and publishers to use the same technological platform, services, and methods, and -speak the same language- in order to exchange data, set prices, and ultimately serve an ad

A

Ad Exchange

253
Q

A conceptual outline, blueprint, or diagram that defines the structure and the operation of an organization, normally in the context of developing a strategy for the realization of current and future goals or objectives.

A

Enterprise Architecture

254
Q

A privacy law in the Canadian province of XXXXX, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information

A

Alberta PIPA (Personal Information Protection action)

255
Q

In 2010 the U.S. Congress passed the Dodd-Frank Act to reorganize and improve financial regulation. Among other reforms it put in place, the Dodd-Frank Act created theConsumer Financial Protection Bureauand granted it rule-making authority overFCRAandGLBAas well as a few other regulations.

A

Dodd-Frank Wall Street Reform and Consumer Protection Act

256
Q

Code injected by malicious web users into web pages viewed by other users.

A

Cross-site Scripting (XSS)

257
Q

The first state-level comprehensive privacy law in the U.S. The -xxx-, which comes into force in 2020, will apply broadly to businesses that collect personal information from -xxx- consumers, imposing extensive transparency and disclosure obligations. It also creates consumers rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their -xxx- rights.

A

California Consumer Privacy Act (CCPA)

258
Q

An identifier that is one of a kind to a specific user. For example, biometric data or a loginID for a social network.

A

Globally Unique Identifier (GUID)

259
Q

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs ; Is it accurate ; Is it complete , and is it recent Data is of an appropriate quality if these criteria are satisfied for a particular application.

A

Data Quality

260
Q

A data subject providespersonal datato the collector directly, through a form or survey that is sent to the collector upon thedata subjectsubmitting the information

A

First-Party Collection

261
Q

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated theFederal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. TheUSA PATRIOT Actand subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

A

Electronic Communications Privacy Act of 1986

262
Q

A type of access control that allows an owner of an object, within a given computer-based information system, to grant or deny access.

A

Discretionary Access Control (DAC)

263
Q

-xxx- is the principal interagency forum on Federal agency practices for IT management. Originally established by Executive Order 13011 (Federal Information Technology) and later codified by the E-Government Act of 2002, the -xxx- mission is to improve practices related to the design, acquisition, development, modernization, use, sharing and performance of Federal Government information resources.

A

CIO Council

264
Q

Web advertising based on information about an individual such as age, height, weight, geographic location or gender

A

Demographic Advertising

265
Q

An economic region that includes the European Union (EU) and Iceland, Norway and Liechtenstein which are not official members of the EU but are closely linked by economic relationship. Non-EU countries in the EEA are required to adopt EU legislation regarding the single market.

A

European Economic Area

266
Q

Under FISMA, U.S. agencies information security programs must be independently evaluated yearly. The independent auditor is selected by the agency’s inspector general or the head of the agency. The audit is submitted to the Office of Management and Budget.

A

Annual Independent Evaluations

267
Q

A non-profit organization that sets standards for consumer privacy, transparency and control in online advertising. Over 100 advertising companies participate in and comply with their standards. The DAA has an agreement with both theCouncil on Better Business Bureausand theDirect Marketing Associationto enforce the self-regulatory standards set down by theDigital Advertising AllianceincludingAdChoices, a programming offering user control overbehavioral advertising.

A

Digital Advertising Alliance

268
Q

This privacy requirement is one of the fair information practices. In the General Data Protection Regulation, however, consent is specifically one of the legal bases for processing personal data. According to the GDPR, for consent to be valid, it must be: clearly distinguishable from other matters, intelligible, and in clear and plain language; freely given; as easy to withdraw as it was to provide; specific; informed; and unambiguous. Further, it must be a positive, affirmative action (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain special categories of data, as outlined in Article 9, explicit consent is required for processing, a higher standard than unambiguous consent.

A

Consent (EU specific)

269
Q

Prior to trial, information is typically exchanged between parties and their attorneys. E-discovery requires civil litigants to turn over large volumes of a company s electronic records in litigation.

A

Electronic Discovery

270
Q

A customers ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

A

Customer Access

271
Q

The process of adding geographical information to various media in the form ofmetadata, such as latitude and longitude coordinates or city and state details for the location of a photo or social media post.

A

Geotagging

272
Q

An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.

A

Confirmed Opt-In (aka. Double Opt-In)

273
Q

Data controllers must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed.

A

Data Minimization Principle (EU specific)

274
Q

The General Data Protection Regulation requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These -xxxxxxx- might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly

A

Appropriate Technical and Organizational Measures

275
Q

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit orprivacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.

A

Gap Analysis

276
Q

A markup language that facilitates the transport, creation, retrieval and storage of documents. Similar toHTML,XMLuses tags to describe the contents of a web page or file.

A

Extensible Markup Language (XML)

277
Q

The consolidation and managing of customer information in all forms and from all sources allowable. xxx is a vital component of customer relationship management.

A

Customer Data Integration (CDI)

278
Q

Term used to describe both the strategy for ensuring end users do not disseminate sensitive information, whether intentionally or unintentionally, to outside ineligible sources and the software products that aid network administrators in controlling what data end users can transfer.

A

Data Loss Prevention

279
Q

One of three requirements established by the General Data Protection Regulation for the processing of personal data: The first principle of processing personal data is -lawfulness, fairness, and transparency,- which states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. Linked most often with transparency, fairness means data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. Consent notices should not contain unfair terms and supervisory authority powers should similarly be exercised fairly.

A

Fairness

280
Q

An action that one takes to remove identifying characteristics from data.

A

De-identification(De-ID)

281
Q

A judgment delivered by the European Court of Human Rights in 1989,in Gaskin v. United Kingdom, held that the restriction of the applicant s access to his personal file was contrary to Article 8 of the Convention, citing a breach of Gaskin’s right to respect for his family and private life.

A

Gaskin v. United Kingdom

282
Q

In the context of the consistency mechanism (see Consistency Mechanism), the European Data Protection Board can issue binding decisions on objections to lead authority decisions, on disputes about which supervisory authority should be the lead authority, and where there has been a failure to request the EDPB s opinion under Article 64 or the opinion is not followed.

A

Dispute Resolution

283
Q

Executive Order 13392 supplemented (FOIA) by reiterating the requirement for agencies to process requests in a courteous and expeditious manner. In addition, it required agencies to appoint a chief FOIA officer. The Open Government Act of 2007 codified this requirement and expanded on the responsibilities of the chief FOIA officer to include the following: have agency-wide responsibility for efficient and appropriate compliance with FOIA; monitor FOIA implementation throughout the agency; recommend to the head of the agency any necessary adjustments in practices, personnel, policies or funding.

A

Chief FOIA Officer

284
Q

A concept developed by Helen Nissenbaum, xxx is a way to think about and quantify potential privacy risks in software systems and products. xxx focuses on what consumer expectations are in a given situation and how the product or system differs from that expectation. The more a product or system deviates from those expectations, the more likely a consumer will perceive a privacy harm

A

Contextual Integrity

285
Q

FISMA codified a federal information security center, which is implemented in theU.S. Computer Emergency Readiness Team(US-CERT). U.S.-CERT is called upon to provide timely technical assistance regarding security incidents; compile and analyze security incident information; inform federal agency information system operators about current and potential threats, and consult withNISTand others regarding information security incidents.

A

Federal Information Security Incident Center

286
Q

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. xxx may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

A

Cyber liability insurance

287
Q

judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.

A

Consent Decree

288
Q

A list of access control entries (ACE) that apply to an object.

Each ACE controls or monitors access to an object by a specified user

A

Access Control List

289
Q

A Latin expression meaning from the beginning, anew or beginning again. In a legal context, a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.

A

De Novo

290
Q

Personal informationreasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.

A

Employee Information

291
Q

A process of software system and product design that incorporates new system requirements during the actual creation of the system, as opposed to the Plan-Driven Development Model. Agile development takes a given project and focuses on specific portions to develop one at a time

A

Agile Development Model

292
Q

The European Court of Human Rights decided in 2009 that Haralambie’s Article 8 right to respect for private life and family life had been violated when the applicant sought access to the secret service file on him drawn up in the days of Communist rule in Romania and was made to wait six years. The court awarded 6,000 euros.

A

Haralambie v. Romania

293
Q

The -xxx- was a European Union organization that functioned as an independent advisory body on data protection and privacy and consisted of the collected data protection authorities of the member states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect.

A

Article 29 Working Party (WP29)

294
Q

Integral to privacy protection is the obligation on organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.

A

Identifying Purposes

295
Q

The United States’ primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices

A

Federal Trade Commission

296
Q

In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by theFederal Trade Commissionat the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.

A

Deceptive Trade Practices

297
Q

A non-profit standards organization that developed its own set of privacy principles and broke the OECDs code into ten principles

A

Canadian Standards Association (CSA)

298
Q

A contract between the owner of the software application and the user. The user agrees to pay for the use of the software and promises to comply with certain restrictions on that use.

A

End-User License Agreement

299
Q

A term used to describe the large data sets which exponential growth in the amount and availability of data have allowed organizations to collect

A

Big Data

300
Q

This privacy governance model allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body.

A

Hybrid Governance

301
Q

The FEA-SPP serves two functions in the integration of privacy and security risk-management practices. First, it clearly articulates that while there is a symbiotic relationship between security and privacy, these practices are not identical; they are distinct practices, but intertwined. Second, the FEA-SPP lays the groundwork for driving agency integration of privacy risk management into the fundamental design of technical systems and technologies.

A

Federal Enterprise Architecture Security and Privacy Profile

302
Q

Taking Individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so) the data set should: (1) have a large population of individuals, (2) Categorized to create broad sets of individuals, and; (3) not include data that would be unique to a single individual in a data set.

A

Data Aggregation

303
Q

The provision of access to personal data.

A

Disclosure

304
Q

Created by the Treaty of Rome, the EEC was a predecessor to the European Union that promoted a single economic market across Europe.

A

European Economic Community

305
Q

Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.

A

Five-Step Metric Life Cycle

306
Q

Any service which provides to users thereof the ability to send or receive wire or electronic communications.

A

Electronic Communications Service

307
Q

The science or practice of hiding information, usually through its transformation. Common cryptographic functions include: encryption, decryption, digital signature and non-repudiation.

A

Cryptography

308
Q

The materials necessary to encrypt and decrypt a given message, usually consisting of the encryption algorithm and the security key.

A

Cryptosystem

309
Q

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

A

Commercial Electronic Message (CEM)