CIPP-US Glossary Flashcards
1
Q
This term describes a control on an ACL that is used to prevent unauthorized persons from accessing a particular object.
A
Access Control Entry (ACE)
2
Q
Traditionally, this has been an FIPP, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
A
Accountability
3
Q
A transfer of personal data from the EU to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an ___________ _____________ of ______________, which involves taking into account elements including the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred.
A
Adequate Level of Protection
4
Q
A transfer of personal data from the EU to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an ___________ _____________ of ______________, which involves taking into account elements including the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules.
A
Adequate Level of Protection
5
Q
A transfer of personal data from the EU to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an ___________ _____________ of ______________, which involves taking into account elements including the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data.
A
Adequate Level of Protection
6
Q
Under the Fair Credit Reporting Act, the term ___________ _____________ is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion.
A
Adverse Action
7
Q
No _________ ___________ occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient with a copy of the credit report leading to the action.
A
Adverse Action
8
Q
______________________________ is a fair information practice principle included in the OECD Guidelines, APEC Privacy Framework, and Madrid Resolution, and includes the due diligence and reasonable steps an organization undertakes to protect an individual’s personal information and handle the information according to relevant laws and fair use principles.
A
Accountability
9
Q
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
A
American Institute of Certified Public Accountants (AICPA)
10
Q
A U.S. law that bars discrimination against qualified individuals with disabilities.
A
Americans with Disabilities Act
11
Q
________________ includes the organization’s responsibility to maintain accurate data in relation to the purpose for which it is collected and used, as well as its responsibility to respond to record correction requests from data subjects.
A
Accuracy
12
Q
A set of laws that are indications of special classes of personal data. If there exists laws protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.
A
Anti-Discrimination Laws
13
Q
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD FIPPs. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing privacy with business needs.
A
APEC Privacy Principles
14
Q
Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers.
A
Background Screening / Checks
15
Q
The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU GDPR and other frameworks, including APEC’s Cross Border Privacy Rules.
A
Accountability
16
Q
These range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such checks vary by member state and may be negotiated with local work councils.
A
Background Screening / Checks
17
Q
A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.
A
Bank Secrecy Act (BSA)
18
Q
Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling. The General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing.
A
Behavioral Advertising
aka Online Behavioral Advertising (OBA); Behavioral Targeting
19
Q
If cookies are used to store or access information for the purposes of this type of advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
A
Behavioral Advertising
aka Online Behavioral Advertising (OBA); Behavioral Targeting
20
Q
An appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules.
A
Binding Corporate Rules (BCRs)
21
Q
__________ _________ _______ compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had these approved.
A
Binding Corporate Rules (BCRs)
22
Q
Previously, the EU distinguished between Binding Corporate Rules for controllers and __________ _________ ___________ ________ for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both.
A
Binding Safe Processor Rules (BSPRs)
23
Q
What does the acronym AICPA stand for?
A
American Institute of Certified Public Accountants
24
Q
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.
A
Breach Disclosure
25
Use of employees' own personal computing devices for work purposes.
Bring Your Own Device (BYOD)
26
A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.
California Investigative Consumer Reporting Agencies Act (CICRAA)
27
Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.
Case Law
28
The ____________ Privacy Principles is a set of non-binding principles similar to the OECD FIPs.
APEC
29
Originally an acronym for "closed circuit television," this term has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and were truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.
CCTV
30
The acronym APEC stands for _______________ - ______________ _______________ _____________________.
Asian-Pacific Economic Cooperative
31
A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13.
Children's Online Privacy Protection Act (COPPA) of 1998
32
This federal law requires website operators to post a privacy notice on the homepage of their website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Children's Online Privacy Protection Act (COPPA) of 1998
33
In the context of consent, this refers to the idea that consent must be freely given and that data subjects must genuinely have this to decide as to whether to provide personal data or not. If this is not in place, it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
Choice
34
The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a "private cloud" or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). This technology has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.
Cloud Computing
35
A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Collection Limitation
36
Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.
Commercial Electronic Message
37
Under Canada's PIPEDA, this refers to any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.
Commercial Activity
38
Unwritten legal principles that have developed over time based on social customs and expectations.
Common Law
39
One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.
Communications Privacy
40
Laws that govern the collection, use and dissemination of personal information in the public and private sectors.
Comprehensive Laws (aka Omnibus Laws)
41
The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.
Computer Forensics
42
Data should be protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing __________, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security.
Confidentiality
43
The GDPR requires that persons authorized to process the personal data have committed themselves to, or are under an appropriate statutory obligation of, ______________.
Confidentiality
44
An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.
Confirmed Opt-In
| aka Double Opt-In
45
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, this is the individual's way of giving permission for the use or disclosure. It may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.
Consent
46
A requirement that an individual ""signifies"" his or her agreement with a data controller by some active communication between the parties.
Affirmative/Explicit Consent
47
Arises where agreement may reasonably be inferred from the action or inaction of the individual.
Implicit Consent
| aka Implied Consent
48
A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.
Consent Decree
49
Created by the Dodd-Frank Act, this entity is intended to consolidate the oversight of the financial industry.
Consumer Financial Protection Bureau (CFPB)
50
An independent entity within the Federal Reserve which took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators.
Consumer Financial Protection Bureau (CFPB)
51
This entity's enforcement powers include authority to take action against “abusive acts and practices” as specified by the Dodd-Frank Act.
Consumer Financial Protection Bureau (CFPB)
52
Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
Consumer Reporting Agency
53
A small text file stored on a client machine that may later be retrieved by a web server from the machine.
Cookie
54
Allows web servers to keep track of the end user’s browser activities, and connect individual web requests into a session.
Cookie
55
May be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already.
Cookie
56
A small text file stored on a client machine that may be referred to as "first-party" (if it is placed by the website that is visited) or "third-party" (if it is placed by a party other than the visited website).
Cookie
57
A type of cookie that may be deleted when a session ends.
Session Cookie
58
A type of cookie that remains on the client machine for a long period of time after the session ends. This category of cookies is listed as "cookie identifiers" by the GDPR, and is considered an example of personal information.
Persistent Cookie
59
Provisions regarding the use of cookies in the GDPR and the ePrivacy Directive.
Cookie Directive
60
A consumer-initiated security measure which locks an individual’s data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.
Credit Freeze
61
A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.
Customer Access
62
In contrast to employee information, this type of information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.
Customer Information
63
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. This does not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
Data Breach
64
A scheme that provides the basis for managing access to, and protection of, data assets.
Data Classification
65
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the _____________ or the specific criteria for its nomination may be provided for by EU or member state law.
Data Controller
66
A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates.
Data Element
67
In the context of data protection, it is important to understand that ______ _______ in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.
Data Elements
68
An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.
Data Matching
69
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processing
70
A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.
Data Processor
71
A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Data Quality
72
This is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? It is considered appropriate if these criteria are satisfied for a particular application.
Data Quality
73
A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Excludes public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law. However, the processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Data Recipient
74
An identified or identifiable natural person.
Data Subject
75
In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by the Federal Trade Commission at the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.
Deceptive Trade Practices
76
Common law tort that focuses on a false or defamatory statement, defined as a communication tending “so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.”
Defamation
77
The use of log files to identify a website visitor. It is often used for security and system maintenance purposes.
Digital Fingerprinting
78
Log files that generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor’s web browser, operating system and font preferences. In some cases, combining this information can be used to identify a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same.
Digital Fingerprint
79
Used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for these techniques to be used for targeted advertising.
Digital Fingerprinting
80
A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file. If anything is changed in the electronic document after this is attached, it is rendered invalid.
Digital Signature
81
When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.
Direct Marketing
82
A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.
Do Not Track
83
Grants the authority to the FTC to create the National Do-Not-Call Registry in the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations.
Do-Not-Call Implementation Act of 2003
84
Originally consumers would have to re-register their numbers on the DNC Registry every five years for continued prevention, but this act extended registration indefinitely. Violations can be enforced by the FTC, Federal Communications Commission, and State Attorneys General with up to a $16,000 fine per violation.
Do-Not-Call Improvement Act of 2007
85
This act amended the U.S. Do-Not-Call Implementation Act of 2003 to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after five years, but with this act the registrations became permanent.
Do-Not-Call Improvement Act of 2007
86
In 2010 the U.S. Congress passed this act to reorganize and improve financial regulation. Among other reforms it put in place, the act created the Consumer Financial Protection Bureau and granted it rule-making authority over FCRA and GLBA as well as a few other regulations.
Dodd-Frank Wall Street Reform and Consumer Protection Act
87
This act is the collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. The amended act protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers.
Electronic Communications Privacy Act of 1986
88
This act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated the act in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.
Electronic Communications Privacy Act of 1986
89
Prior to trial, information is typically exchanged between parties and their attorneys. This term refers to the requirement for civil litigants to turn over large volumes of a company’s electronic records in litigation.
Electronic Discovery
| aka eDiscovery
90
A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.
Electronic Health Record (EHR)
91
This type of computer record may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers.
Electronic Health Record (EHR)
92
Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location based services.
Electronic Surveillance
93
Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.
Employee Information
94
A type of employment contract that can be terminated by either the employer or the employee at any time for any reason.
Employment at Will
95
An independent U.S. federal agency that enforces laws against workplace discrimination. This agency investigates discrimination complaints based on an individual's race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.
Equal Employment Opportunity Commission
96
An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.
Established Business Relationship (EBR)
97
This directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
EU Data Protection Directive
98
An agreement between the EU and U.S., invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the U.S. (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).
EU-U.S. Safe Harbor Agreement
99
Created in 2016 to replace the invalidated EU-U.S. Safe Harbor agreement, this agreement is an adequacy agreement that allows for the transfer of personal data from the EU to the U.S. for companies participating in the program. Only those companies that fall under the jurisdiction of the U.S. FTC may certify to the agreement's principles and participate, which notably excludes health care, financial services, and non-profit institutions.
EU-U.S. Privacy Shield
100
The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.
European Commission
101
An expansion of the Fair Credit Reporting Act which focuses on consumer access and identity theft prevention. The act mandates that credit reporting agencies allow consumers to obtain a free credit report once every twelve months.
Fair and Accurate Credit Transactions Act of 2003 (FACTA, FACT Act)
102
This act allows consumers to request alerts when a creditor suspects identity theft. The Federal Trade Commission (FTC) has authority to promulgate rules to prevent identity theft. The FTC used the authority to create the Red Flags Rule.
Fair and Accurate Credit Transactions Act of 2003 (FACTA, FACT Act)
103
One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability to access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.
Fair Credit Reporting Act (FCRA)
104
The U.S. agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable. This agency has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act.
Federal Communications Commission (FCC)
105
The U.S.'s primary consumer protection agency, it collects complaints about companies, business practices and identity theft and other laws that it enforces or administers. Importantly, it brings actions under Section 5 of the ____ Act, which prohibits unfair and deceptive trade practices.
Federal Trade Commission (FTC)
106
A corporation that acts as a regulator for brokerage firms and exchange markets. Its primary charge is to make sure that security exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors. Although it is a non-governmental regulator, ultimately it is subject to the regulations of the Securities and Exchange Commission along with the rest of the security exchange industry.
Financial Industry Regulatory Authority (FINRA)
107
After the savings and loans crisis of the 1980s, the U.S Congress passed this law to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a financial institution fails to comply with the information privacy requirements contained in GLBA.
Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA)
108
A U.S. federal law that ensures citizen access to federal government agency records. This only applies to federal executive branch documents. It does not apply to legislative or judicial records. Requests made under this regulation will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of this regulation, which like the federal regulation, also include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.
Freedom of Information Act (FOIA)
109
The attributes of this method specify how form data is sent to a web page. This method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and is thus less secure than the POST method.
GET Method
110
Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, this network is a collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, this network had a membership of 50 countries.
Global Privacy Enforcement Network (GPEN)
111
The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the U.S. and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.
Gramm-Leach-Bliley Act (GLBA)
112
In this act's privacy provisions, it addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions.
Gramm-Leach-Bliley Act (GLBA)
113
This act requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt-out of some sharing of personal financial information.
Gramm-Leach-Bliley Act (GLBA)
114
A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
Health Breach Notification Rule
115
Enacted as part of the American Recovery and Reinvestment Act of 2009, this act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA.
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
116
This act's privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
117
A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. This act required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.
Health Insurance Portability and Accountability Act (HIPAA)
118
A cycle that recognizes that data has different value, and requires different approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction.
Information Life Cycle
119
One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.
Information Privacy
120
The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.
Information Security (IS)
121
Creates the Existing Business Relationship exception to the U.S. Telephone Consumer Protection Act’s ban of fax-based marketing without consent but contains a requirement that all marketing faxes be accompanied by instructions on how to opt out of further unsolicited communications.
Junk Fax Prevention Act of 2005 (JFPA)
122
The authority of a court to hear a particular case. Courts must have this over both the parties to the dispute (personal) and the type of dispute (subject matter). The term is also used to denote the geographical area or subject-matter to which such authority applies.
Jurisdiction
123
Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically rely upon GPS, RFID, Wi-Fi, or similar technologies in which geolocation is used to identify the real-world geographic location of an object, such as a mobile device or an internet-connected computer terminal.-
Location-Based Service
124
Information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics or other medical or medically related facilities.
Medical Information
125
Under HIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose.
Minimum Necessary Requirement
126
An authentication process that requires more than one verification method, such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject.
Multi-Factor Authentication
127
Allows U.S. consumers to place their phone number on a national list, preventing calls from unsolicited telemarketers. This registration is now permanent and can be enforced by the FTC, FCC, and state AGs with up to a $16,000 fine per violation. Cell phones are protected from any unsolicited automatic-dialed calls through other FCC regulations.
National Do-Not-Call Registry (U.S.)
128
A U.S. federal agency that administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.
National Labor Relations Board (NLRB)
129
A category of subpoena. The USA PATRIOT Act expanded the use of them. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies and travel agencies.
National Security Letter (NSL)
130
A condition under which an organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach.
Negligence
131
This is defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information.
Non-Public Personal Information (NPI)
132
First released in 1980, and then updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data.
OECD Guidelines
133
These principles, widely emulated in national privacy laws, include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.
OECD Guidelines
134
Used to distinguish from sectorial laws to mean laws that cover a broad spectrum of organizations or natural persons, rather than simply a certain market sector or population.
Omnibus Laws
135
Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.
Online Behavioral Advertising
136
One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.
Opt-In
137
One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.
Opt-Out
138
An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.
Organization for Economic Cooperation and Development (OECD)
139
Contracting business processes, which may include the processing of personal information, to a third party.
Outsourcing
140
A self-regulatory system that provides an enforceable security standard for payment card data.
PCI Data Security Standard (PCI-DSS)
141
These rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties.
PCI Data Security Standard (PCI-DSS)
142
Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.
Perimeter Controls
143
The predominant term for Personal Information in the European Union, defined broadly in the GDPR as any information relating to an identified or identifiable natural person.
Personal Data
144
A synonym for "personal data." It is a term with particular meaning under the CCPA, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.
Personal Information (PI)
145
A device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty.
Polygraph
| aka Lie Detector
146
This is a method with attributes that specify how form data is sent to a web page. This method is more secure than GET as it does not append the form data to the URL, which would allow passwords and other sensitive information collected in a form to be visible in the browser’s address bar.
POST Method
147
A superior government’s ability to have its law(s) supersede those of an inferior government. For example, the U.S. federal government has mandated that no state government can regulate consumer credit reporting.
Preemption
148
An assessment of an organization’s compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.
Privacy Assessment
149
This type of assessment or audit measures how closely the organization’s privacy practices align with its legal obligations and stated practices and may rely on subjective information such as employee interviews/questionnaires and complaints received, or objective standards, such as information system logs or training and awareness attendance and test scores.
Privacy Assessment
150
These types of assessments may be conducted internally by an audit function or by external third parties. It is also common in some jurisdictions for the privacy/data protection officer to conduct them. The results of the assessment or audit are documented for management sign-off, and analyzed to develop recommendations for improvement and a remediation plan.
Privacy Assessment
151
Resolution of privacy issues and vulnerabilities noted on this type of assessment are monitored to ensure appropriate corrective action is taken on a timely basis. While assessments and audits may be conducted on a regular or scheduled basis, they may also arise ad hoc as the result of a privacy or security event or due to a request from an enforcement authority.
Privacy Assessment
152
Generally regarded as a synonym for Data Protection by Design. However, this term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.
Privacy by Design (PbD)
153
A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. This may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require these.
Privacy Notice
154
A general term in many organizations for the head of privacy compliance and operations. In the U.S. federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Dept of Homeland Security, or a career professional.
Privacy Officer
155
An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.
Privacy Policy
| aka Data Protection Policy
156
Under HIPAA, this rule establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically.
Privacy Rule
157
Under HIPAA, this rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.
Privacy Rule
158
Unless otherwise restricted by law, this term describes the action that can be taken by any individual that is harmed by a violation of the law by filing a lawsuit against the violator.
Private Right of Action
159
Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by HIPAA or its business associate; that identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.
Protected Health Information (PHI)
160
A type of order in which a judge determines what information should not be made public and what conditions apply to who may access the protected information.
Protective Order
161
Information collected and maintained by a government entity and available to the general public.
Public Records
162
A U.S. common law tort that states: “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.” (Restatement (Second) of Torts § 652D)
Publicity Given to Private Life
163
Requires that the parties are prohibited from using or disclosing protected health information for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation.
Qualified Protective Order (QPO)
164
Technologies that use radio waves to identify people or objects carrying encoded microchips.
Radio-Frequency Identification (RFID)
165
This type of testing is sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in specific, narrowly defined jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security.
Random Testing
| aka Substance Testing
166
The action of reattaching identifying characteristics to pseudonymized or de-identified data. Often invoked as a “risk of ___________” or “_____________ risk,” which refers to nullifying the de-identification actions previously applied to data.
Re-identification
167
A determining factor in substance testing where testing is allowed as a condition of continued employment if there is “___________ ___________” of drug or alcohol use based on specific facts as well as rational inferences from those facts; i.e., appearance, behavior, speech, odors.
Reasonable Suspicion
168
An individual’s right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.
Rectification
169
A regulation created by the FTC under the authority of the FACTA of 2003. This regulation requires financial institutions and creditors to implement measures to detect and prevent identity theft. The original FTC rule was circumscribed by the Red Flag Program Clarification Act of 2010, which limited the definition of “creditors” to exclude any creditor “that advances funds on the behalf of a person for expenses incidental to a service.” The act in effect allowed lawyers, some doctors and other service type companies to avoid implementing Red Flag credit measures.
Red Flags Rule
170
The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding.
Redaction
171
Attorneys are required to perform this process so that no more than the following information is included in court filings: (1) The last four digits of the Social Security number and taxpayer-identification number; (2) the year of the individual’s birth; (3) if the individual is a minor, only the minor’s initials, and (4) the last four digits of the financial account number.
Redaction
172
Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.
Retention
173
An individual’s right to request and receive their personal data from a business or other organization.
Right of Access
174
A U.S. law, passed in 2002, regulating the transparency of publicly held companies. In particular, public companies must establish a way for the company to confidentially receive and deal with complaints about actual or potential fraud from misappropriation of assets and/or material misstatements in financial reporting from so-called "whistle-blowers."
Sarbanes-Oxley Act (SOX)
175
Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of this type of program are allowed to display the programs seal on their website.
Seal Program
176
A cryptographic key used with a cryptographic algorithm, uniquely associated with one or more entities and which is not made public. This term is not used to indicate the level of classification for the information, but rather implies the need to protect the mechanism from disclosure or substitution.
Secret Key
| see Federal Information Processing Standards Publication 140-1, Security Requirements for Cryptographic Modules
177
An important source of standards and best practices for managing electronic discovery compliance through data retention policies, implemented through a cross-functional team.
Sedona Conference
178
This source of standards offers four key guidelines for email retention:
1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units;
2. The teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice;
3. Interdisciplinary teams should reach consensus as to policies while looking to industry standards;
4. Technical solutions should meet and parallel the functional requirements of the organization.
Sedona Conference
179
This refers to stakeholder-based models for ensuring privacy. It can refer to any or all of three pieces: legislation, enforcement and adjudication.
Self-Regulation Model
180
In this type of model, legislation refers to question of who defines privacy rules. This typically occurs through the privacy policy of a company or other entity, or by an industry association.
Self-Regulation Model
181
In this type of model, enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities, other government agencies, industry code enforcement or, in some cases, the affected individuals.
Self-Regulation Model
182
In this type of model, adjudication refers to the question of who should decide whether an organization has violated a privacy rule. The decision maker can be an industry association, a government agency or a judicial officer.
Self-Regulation Model
183
The term “________-________” covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who defines the requirements, which organization brings enforcement action and who actually makes the judicial decisions.
Self-Regulation
184
A case recognized as establishing the "knock-and-announce rule," an important concept relating to privacy in one's home and Fourth Amendment search and seizure jurisprudence in the U.S.
Semayne's Case
185
Unsolicited commercial e-mail.
SPAM
186
As defined in Article 9 of the GDPR, this type of personal information that reveals, for example, racial origin, political opinions or religious or other beliefs, as well as personal data that concerns health or sexual life or criminal convictions cannot be processed except under specific circumstances.
Special Categories of Data
187
Contractual Clauses in EU Data Protection Directive are known as __________ _____________ ____________.
Standard Model Clauses
188
This act was enacted as part of Electronic Communications Privacy Act in 1986 in the U.S. It generally prohibits the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.
Stored Communications Act (SCA)
189
A written court order issued in an administrative, civil or criminal action that requires the person named in the order to appear in court to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit.
Subpoena
190
A written court order that may require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that discloses personal information.
Subpoena
191
A screening to identify drug use, which can be used in a variety of settings such as preemployment, reasonable suspicion, routine testing, post-accident testing or randomly.
Substance Testing
192
Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore often allow this type of notification method.
Substitute Notice
193
A type of notice, which in the state of Connecticut "shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agency if the person maintains one, and (C) notification to major state-wide media, including newspapers, radio and television.”
Substitute Notice
194
The first enactment of laws limiting unsolicited and automated telemarketing for both telephone and fax communications. Most notably the act creates a private right of action for those receiving unsolicited faxes, carrying a $500 fine per violation and any damages sustained because of the fax.
Telephone Consumer Protection Act of 1991 (TCPA)
195
This act gives rule-making authority to the Federal Communications Commission, allowing it to make further regulations in the area of automated telemarketing for both telephone and fax communications. Among other provisions, the act prevents faxing without consent from the recipient (this requirement was amended by the Junk Fax Prevention Act of 2005 to not include customers with an existing business relationship) and requires companies to create and honor internal do-not-call registries (in 2003 the National Registry was created by the Federal Trade Commission).
Telephone Consumer Protection Act of 1991 (TCPA)
196
One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into this type of an individual’s privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures.
Territorial Privacy
197
The movement of personal data from one organization to another.
Transfer
198
This term relates to taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language.
Transparency
199
A U.S. federal agency that oversees “the welfare of the job seekers, wage earners and retirees of the U.S. by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefits, helping employers find workers, strengthening free collective bargaining and tracking changes in employment, prices and other national economic measurements.” To achieve this mission, the department administers a variety of federal laws including, but not limited to, the Fair Labor Standards Act (FLSA), the Occupational Safety and Health Act (OSHA) and the Employee Retirement Income Security Act (ERISA).
U.S. Department of Labor (DOL)
200
Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.
Unfair Trade Practices
201
A code of fair information practices that contains five principles:
1. There must be no personal data record keeping systems whose very existence is secret.
2. There must be a way for an individual to find out what information about him (or her) is in a record and how it is used.
3. There must be a way for an individual to prevent information about him (or her) that was obtained for one purpose from being used or made available for other purposes without his (or her) consent.
4. There must be a way for an individual to correct or amend a record of identifiable information about him (or her).
5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.
U.S. Department of Health, Education and Welfare Fair Information Practice Principles (1973)
aka HEW Principles; HEW Report
202
A broad-ranging act designed to counter terrorism that expanded U.S. law enforcement authority to surveillance and capturing communications and records.
USA PATRIOT Act
aka 'The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001'
203
A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions. More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business.
Value-Added Services
204
For mobile phones, technologies like SMS, MMS and GPRS
Value-Added Services
205
Premium-charged mobile phone content, which are supplied either in-house by the mobile network operator themselves or by a third-party service provider, also known as a content provider such as Headline News or Reuters.
Value-Added Services
| related to: Mobile Value-Added Services (MVAS); Value-Added Service Provider (VASP); and Content Provider (CP)
206
These types of technologies typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service center (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.
Value-Added Service Providers
207
Recordings that do not have sound.
Video Surveillance
208
A technology that allows telephone calls to be made over a LAN or the Internet itself. Skype is a well-known example. This technology poses the same risk as network-connected PBX systems but also poses the additional risk of data interception when such data travel over an unsecured connection. Its functionality should be encrypted where possible and equipment monitored with intrusion-detection systems.
Voice Over Internet Protocol (VoIP)
209
Created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is a self-regulating seal program which licenses qualifying certified public accountants.
WebTrust
210
If an illegal or improper activity is taking place within an organization, the process of employees first observing it and reporting it to individuals with more authority or an agency outside of the organization. In setting up procedures to make it possible for an employee to report such activity, per laws in a variety of jurisdictions that protect the rights of the employees, an organization will want to be sure that appropriate privacy safeguards are put in place.
Whistleblowing
211
The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.
Contextual Advertising
212
A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.
Consumerization of Information Technology (COIT)
213
A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.
Personal Information Protection and Electronic Documents Act (PIPEDA)
