CIPP / US outline Flashcards
<p>Where, how, and for what length of time is the data stored?</p>
<p>Limited retention reduces the risk from a data breach - data that has been removed from the system can no longer be breached</p>
<p>How sensitive is the information?</p>
<p>- Confidential, proprietary - property of the organization
- Sensitive, restricted - available to select few
- Public - generally available</p>
<p>Should the information be encrypted?</p>
<p>Generally, no notice is required if the lost PI is sufficiently encrypted or protected by some other effective technical protection</p>
<p>Will the info be transferred to or from other countries, and if so, how will it be transferred?</p>
<p>Organization should familiarize itself with the privacy requirements of both origination and destination countries for transborder data</p>
<p>Who determines the rules that apply to the information?</p>
<p>1) Controller - entity who determines the purposes and means of the processing of personal data
2) Processor - entity that processes personal data on behalf of the controller
3) Business - think HIPAA</p>
<p>How is the info processed, and how will these processes be maintained?</p>
<p>- Steps should be taken to train staff members involved in the processes, and the computers on which the info will be processed should be secured appropriately to minimize the risk of data leak or breach
- Physical transfer of data should also be secured</p>
<p>Is the use of such data dependent upon other systems?</p>
<p>- If the use of personal data depends on the working condition of other systems, then the condition of those systems must also be evaluated and updated if necessary
- An outdated system may call for developing a new method or program for using the relevant data</p>
<p>Classes or categories of privacy</p>
<p>1) Information privacy – established rules that govern the collection and handling of personal information
2) Bodily privacy – a person’s physical being and any invasion thereof, e.g., genetic testing, drug testing or body cavity searches
3) Territorial privacy – placing limits on the ability to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance
4) Communications privacy – protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus</p>
<p>Consent decree</p>
<p>• A judgement entered by consent of the parties
• Typically, the defendant (D) agrees to stop the alleged illegal activity and pay a fine, w/o admitting guilt or wrongdoing
• This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party
• Consent decrees are posted publicly on the FTC’s website, and the details of these decrees provide guidance about what practices the FTC considers inappropriate</p>
<p>Protected health information (PHI)</p>
<p>Any individually identifiable health info that is: transmitted or maintained in any form or medium; held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care, or payment for health care to that individual</p>
<p>Electronic protected health info (ePHI)</p>
<p>Any PHI that is transmitted or maintained in electronic media</p>
<p>Business associate</p>
<p>Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI</p>
<p>Under the Fair Credit Reporting Act, employee investigations are not treated as consumer reports as long as</p>
<p>1) The employer or its agents comply with the procedures set forth in the act
2) No credit info is used
3) A summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation</p>
<p>Under the Fair Credit Reporting Act, medical information</p>
<p>• Limits the use of medical info obtained from CRAs, other than payment info that appears in a coded form and does not identify the medical provider
• If the report is to be used for employment purposes – or in connection with a credit transaction, expect as provided in regulations issued by the banking and credit union regulators – the consumer must provide specific written consent and the medical info must be relevant</p>
<p>Red Flag Rule</p>
<p>• Required agencies that regulate financial entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft
• Eliminates entities that extend credit only “for expenses incidental to a service”
• Authorizes regulations that apply the rule to businesses whose account should be “subject to a reasonably foreseeable risk of identity theft”</p>