CIPP Glossary Part 2 Flashcards
Chapter 7 of the General Data Protection Regulation outlines the remedies available to data subjects and their right to compensation, the liability for damage caused by processing for both controllers and processors, and the penalties available to supervisory authorities for infringement of the law.
Remedies, Liability and Penalties
Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.
Unfair Trade Practices
The minimum level at which privacy should be protected in all new projects, applications and services. This includes the expectations of privacy in the new programs and guidelines for adherence to those standards. The standard is set based on both internal organizational policy and external regulations etc.
Privacy Standard
A formula to calculate the impact of a new project on the privacy of the consumer base that will use the new systems. To evaluate the xxx, one must consider the likelihood of the threat occurring, multiplied by the potential impact if the threat occurs. It may be difficult to quantify, so a comparison between projects may be the best way to understand xxx.
Privacy Risk
It is a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.
Personal Information (PI)
Taking information collected for one purpose and using it for another purpose later on.
Repurposing
Governs the release of customer financial information to federal government authorities.
The act defines both the circumstances under which a financial institution can volunteer information about customers financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government is requesting customers financial information.
Right to Financial Privacy Act of 1978
Technically Directive 2016/680, or the Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Law Enforcement,
this is the EU law governing the handling of personal data by competent law enforcement authorities. Each member state has a law that translates this directive into national law. The directive covers the cross-border and national processing of data by member states’ competent authorities for the purpose of law enforcement.
This includes the prevention, investigation, detection and prosecution of criminal offences, as well as the safeguarding and prevention of threats to public security. It does not cover activities by EU institutions, bodies, offices and agencies, nor activities falling outside the scope of EU law.
Law Enforcement Directive
The degree to which identifiers used to track an individual user can be paired with outside information to identify that individual.
For example, public record can be paired with date of birth, gender and zip code to identify an individual.
Linkability
The individual who is mandated by PIPEDA to enforce the act.
The commissioner has broad power to examine documents, but some documents may be shielded by solicitor-client privilege.
The xxx conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued. This individual is mandated by PIPEDA to enforce PIPEDA.
Aggrieved individuals also have a right to complain to the xxx.
Privacy Commissioner of Canada
A U.S. federal agency that administers the National Labor Relations Act. The xxx conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.
The National Labor Relations Board
A body enacted pursuant to an act under which a professional or occupational group or discipline is organized and that provides for the membership in the regulation of the members of the professional or occupation group or discipline, including the registration, competence, conduct, practice and discipline of its members.
Professional Regulatory Body
A case in which the European Court of Justice (ECJ) ruled that a woman who identified and included information about fellow church volunteers on her website was in breach of the Data Protection Directive 95/46/EC.
The ECJ held that the creation of a personal website was not a personal activity allowing the woman to be exempted from the data protection rules.
Some observers wonder whether Recital 18 of the General Data Protection Regulation, which says the law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity, might affect this precedential ruling.
Recital 18 says personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
Lindqvist Judgement
The principle that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures required to safeguard the rights and freedoms of the data subject.
Storage Limitation
The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding.
Specifically, attorneys are required to xxx documents so that no more than the following information is included in court filings: (1) The last four digits of the Social Security number and taxpayer-identification number; (2) the year of the individual s birth; (3) if the individual is a minor, only the minor s initials, and (4) the last four digits of the financial account number.
Redaction
These events constitute triggers for an organization to conduct a xxx: Conversion of records from paper-based to electronic form; Conversion of information from anonymous to identifiable form;
- System management changes involving significant new uses and/or application of new technologies;
- Significant merging, matching or other manipulation of multiple databases containing PII;
- Application of user-authenticatingtechnology to a system accessed by members of the public;
- Incorporation into existing databases of PII obtained from commercial or public sources;
- Significant new inter-agency exchanges or uses of PII;
- Alteration of a business process resulting in significant new collection, use and/or disclosure of PII;
- Alteration of the character of PII due to the addition of qualitatively new types of PII.
Privacy Impact Assessment (PIA) Triggers
An advertising strategy that leverages information learned from an initial consumer interaction to market to the same consumer multiple times in a digital or physical environment
Remarketing
A formal documentation of a software system or product to be developed that includes both functional and nonfunctional requirements.
These are used so that the individual tasked with creating the system or product is aware of the needs of the individual seeking the creation.
Software Requirements Specification
The 3rd of four phases of the privacy operational life cycle.
It provides privacy management through the monitoring, auditing, and communication aspects of the management framework
Sustain
One of three requirements established by the General Data Protection Regulation for the processing of personal data.
Personal data shall be processed xxx, fairly and in a transparent manner in relation to the data subject.
Data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. The GDPR outlines six bases for the xxx processing of personal data.
Lawfulness
Under the General Data Protection Regulation, a processor may not engage another processor without xxx of the data controller. This authorization may be general or specific. If it is general, the processor is required to give the controller an opportunity to object to the addition or replacement of other processors.
Prior Authorization
The concept that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law.
Limiting Use
A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions.
More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered xxx, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), also known as a content provider (CP) such as Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.
Value-Added Services (VAS)
The set of rules which govern the use of a service and must be agreed to, either implicitly through the use of that service or explicitly, in order to make use of that service.
Terms of Service
Phishing targeted at a specific individual or individuals known to be wealthy.
Whaling
A network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users an access to a central organizational network. xxx typically require remote users of the network to be authenticated and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.
Virtual Private Network (VPN)
The European Parliament, the European Council, the European Commission, the Court of Justice of the European Union, the European Central Bank and the Court of Auditors.
Six Major European Union Institutions, The
A cryptographic key used with a secret key cryptographic algorithm, uniquely associated with one or more entities and which shall not be made public.
The use of the term “xxx” in this context does not imply a classification level, rather the term implies the need to protect the key from disclosure or substitution.
Secret Key
UnderHIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose.
Minimum Necessary Requirement
An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept.
Privacy Champion
A U.S. federal agency that oversees the welfare of the job seekers, wage earners and retirees of the United States by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefits, helping employers find workers, strengthening free collective bargaining and tracking changes in employment, prices and other national economic measurements.
To achieve this mission, the department administers a variety of federal laws including, but not limited to, the Fair Labor Standards Act (FLSA), the Occupational Safety and Health Act (OSHA) and the Employee Retirement Income Security Act (ERISA).
U.S. Department of Labor
A resolution adopted in 2009 by the International Conference of Data Protection and Privacy Commissioners, consisting of 80 data protection authorities from 42 countries around the world.
The resolutions proposes international standards on the protection of privacy with regard to the processing of personal data, to include: lawfulness and fairness; purpose specification; proportionality; data quality; openness; and accountability.
Madrid Resolution
An authentication process that allows the user to enter a single set of credentials to access multiple applications.
Single-Sign-On (SSO)
Analogous to a demand side platform (DSP), an xxx enables publishers to access demand from a wide variety of networks, exchanges, and platforms via one interface.
Supply Side Platform (SSP)
Information collected and maintained by a government entity and available to the general public.
Public Records
“The jurisdictional reach of a law or regulation. In the case of the General Data Protection Regulation, it applies to organizations
established in the EU and to their third-party processors of personal data, wherever they happen to be located, and to those organizations that offer goods or services to, or monitor, individuals in the EU.”
Territorial Scope
Also known as Secret Key Encryption is a form of encryption using a single secret key to both encrypt and decrypt data
Symmetric Key Encryption
Under OMB Memorandum M-05-08, each executive agency should identify the senior official who has agency-wide responsibility for information privacy.
The agency’s chief information officer (CIO) may perform this role, or it may be performed by another senior official at the assistant secretary or equivalent level. Agencies are also advised that the official given this role should have the authority to address information privacy policy issues at a national and agency-wide level. The official has overall responsibility and accountability for ensuring the agency s implementation of information privacy protections, including full compliance with federal laws, regulations and policies relating to information security, such as thePrivacy Act.
Senior Agency Official for Privacy
Among the exception to the Privacy Act of 1974 are:
(1) Performance of regular duties of an agency employee;
(2) FOI A disclosures;
(3) Routine uses as specified in the applicable SORN;
(4) Census Bureau census or survey functions;
(5) Statistical research if not individually identifiable;
(6) Data held by the National Archives;
(7) Law enforcement activity;
(8) Compelling health or safety circumstances;
(9) Congressional committee with appropriate jurisdiction;
(10) GAO duties;
(11) Court order, and
(12) Consumer reporting agencies.
Privacy Act Exceptions
An indicator used to measure the financial gain/loss (or value ) of a project in relation to its cost. Privacy xxx defines metrics to measure the effectiveness of investments to protect investments in assets.
Return on Investment (ROI)
Criminalizes cyber bullying and loosens restraints on police to obtain warrants for telecommunications and internet data, as well as allows police to compel the preservation of electronic evidence.
Protecting Canadians from Online Crime Act
Used to distinguish from sectorial laws (see Sectorial Laws), to mean laws that cover a broad spectrum of organizations or natural persons, rather than simply a certain market sector or population.
Omnibus Laws
An individual s right to request and receive their personal data from a business or other organization.
Right of Access
The following constitute risk assessment factors: Number of breaches; number of outages; unauthorized access; lost assets; software viruses; investigations.
Risk Assessment Factors
An individual s right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.
Rectification
To make (something) more difficult to understand; to hide the true meaning.
Obfuscation
Individual executives within an organization who lead and own the responsibility of privacy activities.
Stakeholders
Under theBank Secrecy Act, the log of transactions a financial institution must retain a record for cash purchases of monetary instruments (e.g., money orders, cashier s checks, travelers checks) ranging from $3,000 to $10,000.
Monetary Instrument Log
The General Data Protection Regulation requires that supervisory authorities assist each other in performing their tasks and provide mutual assistance to one another so as to ensure the consistent application and enforcement (see Consistency Mechanism). In certain cases, supervisory authorities can go forward without mutual assistance if request for assistance is not answered within 30 days or other time periods. The GDPR also requires international mutual assistance with third countries and international organizations in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms.
Mutual Assistance
Fourteen generic information security practice competency areas, including: Digital Security; Digital Forensics; Enterprise Continuity; Incident Management; IT Security and Training Awareness; IT Systems Operation and Maintenance; Network and Telecommunications Security; Personnel Security; Physical and Environmental Security; Procurement; Regulatory and Standards Compliance; Security Risk Management; Strategic Security Management; and System and Application Security.
US-CERT IT Security Essential Body of Knowledge
A special-purpose programming language that allows for the creation of interactive forms which users can insert, alter and delete data they have input, and the system administrators can easily transfer information into usable data banks of user information. Originally developed by IBM, SQL has become an international standard for data collection and use.
Structured Query Language
The movement of personal data from one organization to another.
Transfer
A member state of the European Union, formally created by the Maastricht Treaty in 1992. As of the last addition of member states in 2013, the EU consists of: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The U.K. submitted a notice of withdrawal under Article 50 of the Treaty of Lisbon in 2016 and will leave the European on March 29, 2019, unless the European Council decides to extend the two-year negotiating period by unanimous vote.
Member State
PCLOBis an independent, bipartisan agency within the executive branch established by the Implementing Recommendations of the 9/11 Commission Act, Pub. L. 110-53, signed into law in August 2007. Comprised of four part-time members and a full-time chairman, PCLOBis vested with two fundamental authorities: (1) To review and analyze actions the executive branch takes to protect the Nation from terrorism, ensuring the need for such actions is balanced with the need to protect privacy and civil liberties and (2) To ensure that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the Nation against terrorism.
Privacy and Civil Liberties Oversight Board
Most legislation recognizes thatdata breachnotifications involving thousands of impacteddata subjectscould place an undue financial burden on the organization and therefore allow substitute notification methods. In Connecticut, for example, Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agency if the person maintains one, and (C) notification to major state-wide media, including newspapers, radio and television.
Substitute Notice
Protecting “vital interests” refers to circumstances of life or death in other words, where the processing of personal data contemplated is vital to an individual s survival. For example, under the European General Data Protection Regulation, processing of personal data that necessary in order to protect the vital interests of the data subject or of another natural person is one of the six legal bases for processing personal data. This criterion will be relevant only in rare emergency situations such as health care settings, humanitarian response, and law enforcement.
Vital Interests
Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.
Perimeter Controls
A general term in many organizations for the head of privacy compliance and operations. In the United States federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Department of Homeland Security, or a career professional
Privacy Officer
A unique string of numbers that identifies a computer on the Internet or otherTCP/IP network. The IP address is expressed in four groups of up to three numbers, separated by periods. For example: 123.123.23.2. An address may be “dynamic,” meaning that it is assigned temporarily whenever a device logs on to a network or anInternet service providerand consequently may be different each time a device connects. Alternatively, an address may be “static,” meaning that it is assigned to a particular device and does not change, but remains assigned to one computer or device.
Internet Protocol Address
TheGETand POST HTML method attributes specify how form data is sent to a web page. The POST method is more secure than GET as the GET method appends the form data to theURLallowing passwords and othersensitive informationcollectedin a form to be visible in the browser s address bar.
POST Method
A type of network security that protects data traffic by providingencryptionat the network transfer layer. This form of encryption operates independently of other security measures and is invisible to the ender user as data is only encrypted while in transit.
Network Encryption
Contracting business processes, which may include the processing of personal information, to a third party. The General Data Protection Regulation establishes direct legal obligations applicable to service providers acting as “processors” and places an increased emphasis to the contractual obligations that must be established between organizations and their data processing service providers.
Outsourcing (EU-specific)
The main establishment of a controller in the Union should be the place of its central administration in the European Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the EU in which case that other establishment should be considered to be the main establishment. The main establishment of the processor should be the place of its central administration in the EU or, if it has no central administration in the EU the place where the main processing activities take place in the EU. The member state location of the main establishment determines the controller or processor’s lead supervisory authority
Main Establishment
A case recognized as establishing the “knock-and-announce rule,” an important concept relating to privacy in one’s home and Fourth Amendment search and seizure jurisprudence in the U.S.
Semayne s Case
One of two central concepts of choice. It means an individual s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties. The General Data Protection Regulation’s definition of consent as requiring a “clear affirmative act” makes opt-out unacceptable for the acquisition of consent.
Opt-Out (EU Specific)
The culture and desire of a business that seeks to use information collected by a company in every way possible to improve services and products. This needs to be balanced with privacy considerations.
Information Utility
This memorandum provides agencies with specific implementation guidance for conductingPIAs and developing website privacy policies. It applies to all executive branch agencies and departments, contractors and cross-agency initiatives that use websites or other information technology for interacting with the public. It requires agencies to: conduct PIAs and make them publicly available; postprivacy policieson agency websites; translate privacy policies into a standardized machine-readable format; ensure privacy responsibilities are properly executed for information in identifiable form (IIF) processed by information technology; report annually toOMBonSection 208compliance.
OMB Memorandum M-03-22
Provide management, technical and operational controls to reduce probable damage, loss, modification or unauthorized data access.
Information Security Practices
Concerns in software development that cannot be alleviated with a single design element or function. Privacy is an example of a quality attribute that can be divided up into further quality attributes (think about theFair Information Practices). UsingPrivacy by Designin all software development allows these quality attributes to be accounted for in all system functions as they are being developed.
Quality Attributes
The most expensive and most visible type of web advertising, typically on the homepage of a website and priced so that only big name companies/products use them.
Premium Advertising
A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices.
Privacy Notice
Short lifespan data storage such as a sessioncookiestored on a browser that is purged from the system when the browser is closed
Transient Storage
A superior government s ability to have its law(s) supersede those of an inferior government. For example, the U.S. federal government has mandated that no state government can regulate consumer credit reporting.
Preemption
A computer scripting language used to produce interactive and dynamic web content.
Javascript
A non-localized telecommunications network that can be used to transmit data across large regions.
Wide Area Network
Adata storage device in which information, once written, cannot be modified. This protection offersassurance that the data originally written to the device has not beentampered with. The only way to remove data written to a WORM device is to physically destroy the device.
Write Once Read Many
A trade association representing advertising businesses. The IAB develops industry standards, conducts research, and provides legal support for the online advertising industry.
Interactive Advertising Bureau
A technology that allows telephone calls to be made over aLANor the Internet itself. Skype is a well-known example. VoIP poses the same risk as network-connected PBX systems but also poses the additional risk of data interception when such data travel over an unsecured connection. VoIP functionality should beencryptedwhere possible and equipment monitored with intrusion-detection systems.
Voice Over Internet Protocol
Information or records obtained, with theconsentof the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics or other medical or medically related facilities.
Medical Information
A system of digital certificates, authorities and other registration entities that verifies the authenticity of each party involved in an electronic transaction through the use of cryptography.
Public Key Infrastructure
Phishingtargeted at a particular group of people with a known affiliation to some organization.
Spear Phishing
Data acquired from a source other than directly from the subject of the data.
Third-Party Collection
Requirements of new software systems or products as they are implemented in anAgile Development Model. Usually they consist of a few sentences that describe how a consumer would interact with the system or product and what the ideal functionality would look like. These are used to inform the developers of how a system or product should work while they are designing a given portion of the system.
User Stories
Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology.
Internal Partners
A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide [NIST SP 800-47], an MOU/A defines the responsibilities of two or more organizations in establishing, operating and securing a system interconnection. For the proposed transmission of PII among federal agencies, a memorandum will govern the purpose, methods of transmission, relevant authorities, specific responsibilities of the organizations transmitting and receiving the PII, and risks associated with its transmission.
Memorandum of Understanding/Agreement
According to the General Data Protection Regulation, in exceptional cases where there is an urgent need to protection individuals rights and freedoms, a supervisory authority can bypass the cooperation procedures and consistency mechanism (see Consistency Mechanism) to adopt provisional measures in its country, after which it should notify other regulators who have an interest in the matter, the Commission and the European Data Protection Board. The supervisory authority can apply to the EDPB for an urgent opinion or decision where it feels that final measures are needed, and any regulator can apply for an urgent opinion or decision where it feels that another regulator has failed to take appropriate action in a case of urgency.
Urgency Procedure
The guidelines for privacy breach responses were drafted in 2007 and consist of four steps: (1) Containment of the breach and preliminary assessment; (2) evaluating the associated risks; (3) notifying affected parties; (4) taking adequate steps to prevent future breaches.
Privacy Breach Response (Canadian)
An individual s right to have their personal data deleted by a business or other organization possessing or controlling that data.
Right to Deletion
A layered approach defines three levels of security policies. The top layer is a high-level document containing the controller s policy statement. The next layer is a more detailed document that sets out the controls that will be implemented to achieve the policy statements. The third layer is the most detailed and contains the operating procedures, which explain how the policy statements will be achieved in practice
Layered Security Policy
Data that describes other data. Meta is a prefix meaning an underlying description in information technology usage.
Metadata
Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
Personal Data (EU specific)
The PRA concerns information that is created, collected, disclosed, maintained, used, shared, and disseminated by or for the federal government, regardless of whether it isPII. The primary goal is to calculate and reduce as much as possible the burden of providing information to the government while maintaining the quality of that information. The requirements of the PRA cover collections of information, which may exist in any format, and could include surveys, applications, questionnaires, and reports or any scenario in which 10 or more persons are asked to provide the same information within a 12-month period.
Paperwork Reduction Act
One of the four classes of privacy, along withterritorial privacy,bodily privacy, andcommunications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.
Information Privacy
A subfield of, or building block for, artificial intelligence (see Artificial Intelligence), machine learning is a problem-solving technique that trains a computer to identify new patterns. It implements various algorithms in a problem-solving process that includes data cleansing, feature selection, training, testing, and validation. Companies and government agencies increasingly deploy machine learning algorithms for tasks such as fraud detection, speech recognition, image classification and other pattern-recognition applications.
Machine Learning
Overseeing the intelligence community is the Office of the Director of National Intelligence. The IRTPA established the director of National Intelligence as the head of the intelligence community and the principal advisor to the president and theNational Security Council.
Office of the Director of National Intelligence
A body sanctioned by local, regional or national governments to enforce laws and apprehend those who break them. In Europe, public law enforcement authorities are governed by strict rules of criminal procedure designed to protect the fundamental human right to privacy enshrined in Article 8 of the European Convention on Human Rights (ECHR). In the arena of data protection, law enforcement is governed by the Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purpose of Law Enforcement (Directive 2016/680), which came into force in April 2016 (see Law Enforcement Directive).
Law Enforcement Authority (EU specific)
The right for individuals to correct or amend information about themselves that is inaccurate.
Right To Correct
Buying through automated means, for example, by setting up a campaign in an RTB exchange or other automated system.
Programmatic Buying
Focused on refining and improving privacy processes, this model continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to measure (assess), improve (protect), evaluate (sustain) and support (respond), and then start again.
Privacy Operational Life Cycle
An individual s right to limit or prohibit a business or other organization from processing their personal data.
Right to Restriction
The ISO (International Organization for Standardization) 27001 standard is a code of practice for implementing an information security management system, against which organizations can be certified.
ISO 27001
Colloquial term for Schrems v. Data Protection Commission (Ireland). See “Max Schrems.” After revelations by Edward Snowden of NSA surveillance in the U.S. allegedly involving Facebook s cooperation, Schrems complained to the Irish DPC that Facebook Ireland, the company s European subsidiary, was improperly transferring his data to the U.S. where it could be accessed by the NSA. The data transfers from Facebook Ireland to the U.S. were allowed under the Safe Harbor adequacy decision. However, because Safe Harbor did not limit such U.S. government access for national security purposes, the CJEU (see “CJEU”) struck down the Safe Harbor agreement as inconsistent with the European right to privacy. As a result, adequacy is based on the concept of essential equivalence: There must be an adequate level of protection of personal data essentially equivalent to the protection of personal data in the EU.
Schrems I
Used to distinguish from omnibus laws (see Omnibus Laws), to mean laws that cover a a specific market sector or population, rather than a broad portion of the market or citizenry.
Sectorial Laws
Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language
Transparency
Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.
Online Behavioral Advertising
Where actions by a data subject lead to an unmistakable conclusion that consent has been provided; where consent meets the standard of being a “freely given, specific and informed” indication of an individual s wishes. This is the baseline standard for consent in the General Data Protection Regulation.
Unambiguous Consent
A written court order issued in an administrative, civil or criminal action that requires the person named in the subpoena to appear in court in order to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit. A subpoena may also require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that disclosespersonal information.
Subpoena
The predominant term for Personal Information in the European Union, defined broadly in the General Data Protection Regulation as any information relating to an identified or identifiable natural person.
Personal Data
A form of malware in which bad software masquerades as beneficial software.
Trojan Horse
A synonym for “personal data,” which is any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
Personal Information (EU specific)
The General Data Protection Regulation permits “visualisation” to be used to provide fair processing information to data subjects where appropriate and makes provision for the use of standardized icons to give an easily visible, understandable and meaningful overview of the processing.
Standardized Icons
Anaccess controlsystem by which access to data, by the owner or user, is constrained by the operating system itself.
Mandatory Access Control
An energy system that manages electricity consumption through continuous monitoring, remote computerization and automation. The traditional electric transmission system required physically sending workers into the field to periodically read customer meters and find where problems existed in the grid. Smart grid operators; however, can remotely monitor and control the use of electricity to each home or business
Smart Grid
An important source of standards and best practices for managingelectronic discoverycompliance through data retention policies. Regarding email retention, the Sedona Conference offers four key guidelines:
1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units;
2. such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice;
3. interdisciplinary teams should reach consensus as to policies while looking to industry standards;
technical solutions should meet and parallel the functional requirements of the organization.
Sedona Conference
Section 208 requires agency website privacy policies to include the following information: what information is to be collected through use of the website; why the information is being collected; the intended use by the agency of the information; with whom the information will be shared; what notices or opportunities for consent will be provided; how the information will be secured; the rights of individuals under thePrivacy Actand other privacy laws.
Section 208 of the E-Government Act
E-mails or other communications that are designed to trick a user into believing that he or she should provide a password, account number or other information. The user then typically provides that information to a website controlled by the attacker. Spear phishing is a phishing attack that is tailored to the individual user, such as when an e-mail appears to be from the user s boss, instructing the user to provide information.
Phishing
Data files created on a computer s hard drive by a domain to track user preferences and used by all versions of Adobe Flash Player. They are often calledflashcookies. LSOs differ fromHTTPcookiesin that they are saved to a computer s hard drive rather than the web
Local Shared Objects
Closely intertwined with access, rectification is the right or ability of a data subject to correct erroneous information that is stored about them. Under the General Data Protection Regulation, data subjects have the right to rectification of inaccurate personal data, and controllers must ensure that inaccurate or incomplete data is erased, amended or rectified.
Rectification (EU specific)
Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.
Retention
Data indicating the geographical position of a device, including data relating to the latitude, longitude, or altitude of the device, the direction of travel of the user, or the time the location information was recorded.
Location Data
A machine-readable language that helps to express a website s data management practices in an automated fashion.
Platform for Privacy Preferences
Defined by the U.S. Office of Management and Budget Memorandum M-03-22, [a] statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a web browser.
Privacy Policy in Standardized Machine-Readable Format
Groups of information on individuals that have been altered or suppressed in some way to anonymize the data, protecting individuals from being identified.
Microdata Sets