Foundational Principles Flashcards

1
Q

Helen Nissenbaum’s Contextual Integrity

A

Norm-based: an information flow is appropriate when it conforms to the informational norms of the context in which it occurs.

Norms are domain-specific, e.g. the norms governing banking information differ from the norms governing medical information.

Norms are context-specific, e.g. an individual may have their own reasons and expectations for controlling access to their information in a particular situation.

2
Q

Ryan Calo’s Harm Dimensions

A

Objective harms - measurable and observable, e.g. a person’s information has actually been used against them and a direct, concrete harm exists.

Subjective harms - the perception or expectation of harm, e.g. the belief that one is being observed. Subjective harms can carry the same impact as objective harms: an individual who perceives a threat takes the same protective (and often costly) steps as one who has actually been harmed.

In short, the perception of harm is just as likely to have a significantly negative impact as an experienced objective harm.

3
Q

Security is traditionally defined as….

A

(1) Confidentiality - ensures that information is accessible only to authorized individuals
(2) Integrity - ensures that information has not been modified or destroyed without authorization, whether accidentally or maliciously
(3) Availability - ensures that information, and the systems that hold it, are accessible when needed

4
Q

FIPs

A

Fair Information Practices - first articulated by the US Department of Health, Education, and Welfare (HEW) Advisory Committee on Automated Personal Data Systems, convened in 1972 (its report, Records, Computers and the Rights of Citizens, was published in 1973)

5
Q

FIPPs

A

The Fair Information Practice Principles - published by the US Federal Trade Commission (FTC) and used as guidance for businesses in the US

6
Q

NIST

A

NISTIR 8062 - An Introduction to Privacy Engineering and Risk Management in Federal Systems - published by the US National Institute of Standards and Technology (NIST)

7
Q

OECD

A

The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) - published by the Organization for Economic Cooperation and Development (OECD)

8
Q

APEC

A

The Privacy Framework - published by the Asia-Pacific Economic Cooperation (APEC)

9
Q

OECD Guidelines

A

(1) Collection Limitation Principle - collection of personal data should be limited, obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject
(2) Data Quality Principle - data should be relevant to the purposes for which it is used and, to the extent necessary for those purposes, accurate, complete and kept up to date
(3) Purpose Specification Principle - purposes are specified no later than at the time of collection; subsequent use is limited to those purposes or to compatible ones, and any change of purpose is specified
(4) Use Limitation Principle - data is not disclosed, made available or used for purposes other than those specified except (a) with the consent of the data subject or (b) by the authority of law
(5) Security Safeguards Principle - data is protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification or disclosure
(6) Openness Principle - a general policy of openness about developments, practices and policies concerning personal data, and about the identity and location of the data controller
(7) Individual Participation Principle - an individual has the right (a) to obtain confirmation of whether the data controller holds data about them; (b) to have that data communicated to them within a reasonable time, at a reasonable charge, in a reasonable manner and in an intelligible form; (c) to be given reasons if a request is denied and to challenge the denial; (d) to challenge the data and, if the challenge succeeds, to have it erased, rectified, completed or amended
(8) Accountability Principle - the data controller is accountable for complying with measures that give effect to the principles above

10
Q

Data Life Cycle

A

Consent / Notice - Collection - Disclosure

Consent / Notice - Processing - Retention - Destruction

11
Q

Data Collection Types

A

(1) First-party collection - the data subject provides data directly to the collector
(2) Surveillance - the collector observes the subject’s data streams without interfering with the subject’s behavior
(3) Repurposing - data already collected is assigned to a different use than the one it was collected for
(4) Third-party collection - data is transferred from the original collector to a third party, for whom it constitutes a new collection

12
Q

Explicit Consent of Data Collection

A

The individual is required to take an express action to communicate consent.

EX: ticking a checkbox, clicking a button beneath a privacy notice, replying to an automatically generated confirmation email

13
Q

Passive or Implied Consent of Data Collection

A

The individual takes no express action; consent is inferred from continued use of the service after notice has been made available.

EX: inclusion of a conspicuous link to a privacy notice describing the collection activities

14
Q

Data Life Cycle: Maximize-Information-Utility

A

Views data as the basis for monetization and new revenue and seeks to collect and retain as much data as possible.

Information is broadly collected and shared; retention persists up to the physical limits of the organization’s storage devices.

15
Q

Data Life Cycle: Minimize-privacy-risk

A

Views data as potentially toxic, carrying inherent risks that can result in significant, irreversible privacy harms; collection is limited to what the purpose requires, sharing is restricted, and data is destroyed once it is no longer needed.

16
Q

Defect, Fault, Error, Failure, and Harm

A

(1) Defect - a flaw in the requirements, design or implementation that can lead to a fault (e.g. a line of source code that does not correctly check that an access attempt is authorized)
(2) Fault - an incorrect step, process or data definition in a computer program; a defect becomes a fault when the flawed code is actually executed (e.g. the defective check runs and produces an error)
(3) Error - the difference between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition (e.g. the access decision computed is "allow" where the correct decision is "deny")
(4) Failure - the inability of a system or component to perform its required functions within specified performance requirements; the externally observable consequence of an error (e.g. an unauthorized third party actually obtains the data)
(5) Harm - actual or potential damage to an individual’s personal privacy resulting from a failure
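The chain above can be seen in running code. The following is an added example, not from the flashcards, using the card’s own scenario of an authorization check that was left out. The record store, the user names, the DefectiveAuthz class and the outer_check parameter are all assumed here for illustration; the point is that a fault does not always produce an error, and an error does not always produce a failure when a second control masks it.

```python
# Added example (not from the flashcards): defect -> fault -> error -> failure
# for a missing authorization check.  All names and data below are constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Record:
    owner: str
    body: str


# Constructed sample data: a single record owned by "alice".
RECORDS = {"rec-1": Record(owner="alice", body="lab results")}


def correct_authz(user: str, rec: Record) -> bool:
    """The specified behaviour: only the owner may read the record."""
    return user == rec.owner


class DefectiveAuthz:
    """DEFECT: the owner comparison was left out, so every caller is allowed.
    The defect sits in the source; it becomes a FAULT only when __call__ runs."""

    def __init__(self) -> None:
        self.executions = 0

    def __call__(self, user: str, rec: Record) -> bool:
        self.executions += 1  # the incorrect step is being executed
        return True


def read_record(user: str, record_id: str,
                authz: Callable[[str, Record], bool],
                outer_check: bool = False) -> Optional[str]:
    """Data-access path that delegates its decision to `authz`.
    `outer_check` models an independent control at the API boundary (defence in
    depth); when present it can stop an ERROR from turning into a FAILURE."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return None
    if not authz(user, rec):
        return None
    if outer_check and not correct_authz(user, rec):
        return None
    return rec.body


def trace_chain(user: str, record_id: str, defective: bool,
                outer_check: bool = False) -> dict:
    """Run one access attempt and report which stages of the chain occurred."""
    rec = RECORDS[record_id]
    authz = DefectiveAuthz() if defective else correct_authz
    expected = correct_authz(user, rec)           # specified decision
    computed = authz(user, rec)                   # decision the code produced
    fault = defective and authz.executions > 0    # flawed step was executed
    error = computed != expected                  # internal state is wrong
    delivered = read_record(user, record_id, authz, outer_check)
    failure = delivered is not None and not expected  # observable by the outsider
    return {"fault": fault, "error": error, "failure": failure}


if __name__ == "__main__":
    # Owner reading their own record: fault without error (the wrong step ran,
    # but by luck produced the right answer).
    print("alice/defective  ", trace_chain("alice", "rec-1", defective=True))
    # Outsider: fault, error and failure (unauthorized third-party access).
    print("bob/defective    ", trace_chain("bob", "rec-1", defective=True))
    # Same error, but an outer control masks it: no failure.
    print("bob/defective+out", trace_chain("bob", "rec-1", True, outer_check=True))
    # Correct code: nothing in the chain occurs.
    print("bob/correct      ", trace_chain("bob", "rec-1", defective=False))
```

The alice case is the one practitioners most often miss: the defective code ran (a fault) yet nothing went wrong, which is exactly why a defect can sit undetected in production until an unauthorized caller triggers the error.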

17
Q

Solove’s Four Categories of Privacy Harms

A

(1) Information collection
(2) Information processing
(3) Information dissemination
(4) Invasion

18
Q

Formulation of Risk

A

Risk is the potential adverse impact of an event combined with the likelihood that the event will occur.

Risk = likelihood of an adverse event (x) impact of that event

19
Q

Risk: Compliance Model

A

Risks are delineated as the failure to do what is required or to avoid what is prohibited by an applicable law, regulation or standard.

e.g. GDPR, HIPAA

20
Q

Risk: FIPPs

A

Adopted by the FTC and the US Department of Homeland Security; risks are framed as departures from the principles.

Most FIPPs principles are relative to the stated purpose of the system, so the purpose must be fixed before the principles can be applied.

21
Q

Risk: Calo’s Subjective/Objective Dichotomy

A

Harms fall into two categories: (1) subjective and (2) objective.

Any privacy threat that is perceivable by individuals corresponds to a subjective privacy harm, whether or not an objective harm ever materializes.

22
Q

Risk: Solove’s Taxonomy - Information Collection

A

(1) Surveillance - observing and capturing an individual’s activities (e.g. tracking users’ link clicks and pages visited)
(2) Interrogation - actively questioning an individual or probing for information (e.g. requiring an individual to enter their phone number to register)

23
Q

Risk: Solove’s Taxonomy - Information Processing

A

(1) Aggregation - combining pieces of information to produce a whole greater than its parts (e.g. a retailer sees purchases of large tote bags, unscented lotion and prenatal vitamins and infers that the customer is pregnant)
(2) Identification - linking information to a specific individual (e.g. cookies that tie browsing histories to a person)
(3) Insecurity - failing to protect an individual’s information (e.g. a website fails to encrypt its communications)
(4) Secondary Use - using information, without consent, for purposes unrelated to the purpose of collection (e.g. a retailer uses an email address collected for a purchase receipt for marketing)
(5) Exclusion - denying an individual knowledge of, or participation in, what is done with their information (e.g. a marketing firm uses purchase data to advertise under a different company name, so the individual cannot tell who holds their data)

24
Q

Risk: Solove’s Taxonomy - Information Dissemination

A

(1) Breach of Confidentiality - breaking a promise to keep information confidential (e.g. release of PII by a party entrusted with it)
(2) Disclosure - revealing truthful information that negatively affects how others view the individual (e.g. publishing the member list of a lifestyle group)
(3) Distortion - spreading false or inaccurate information (e.g. a mistake in an employment verification record)
(4) Exposure - revealing information that is normally concealed, including private physical details about our bodies
(5) Increased Accessibility - making information more easily attainable than before (e.g. a children’s entertainment service allows adults to register and interact with child users)
(6) Blackmail - threatening to disclose information unless the individual complies with a demand
(7) Appropriation - using someone’s identity for another person’s purposes

25
Q

Risk: Solove’s Taxonomy - Intrusion and Decisional Interference

A

(1) Intrusion - acts that disturb an individual’s solitude or tranquility (e.g. unsolicited mobile alerts)
(2) Decisional Interference - others inserting themselves into a decision-making process that affects a person’s personal affairs (e.g. a website suppresses negative reviews, biasing the decisions of its users)

26
Q

Helen Nissenbaum’s Contextual Integrity

A

Maintaining personal information in alignment with the informational norms that apply to a particular context. A flow is described by who sends the information, who receives it, whom it is about, what type of information it is, and the transmission principle (e.g. confidentiality, consent) under which it moves.

An analyst must first establish the existing informational norms of the context and then determine how the system’s actual flows disrupt those norms.
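The two analysis steps can be mechanized once the norms are written down. The following is an added example, not from the flashcards: each norm and each observed flow is a tuple of Nissenbaum’s parameters, and a flow that matches no norm is flagged together with the parameters on which it departs from the nearest norm. The clinic context, the norms and the flows are constructed for illustration and are not drawn from any real policy; the names Flow, NORMS, SYSTEM_FLOWS and assess are assumptions of this example.

```python
# Added example (not from the flashcards): a minimal contextual-integrity check.
# Norms, flows and all identifiers below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Nissenbaum's parameters of an information flow.
FIELDS = ("context", "sender", "recipient", "info_type", "principle")


@dataclass(frozen=True)
class Flow:
    context: str
    sender: str
    recipient: str
    info_type: str
    principle: str  # transmission principle, e.g. "confidentiality", "consent"

    def as_tuple(self) -> Tuple[str, ...]:
        return tuple(getattr(self, f) for f in FIELDS)


# Step 1: establish the informational norms of the context.  "*" matches any value.
NORMS = [
    Flow("clinic", "patient",   "physician",  "diagnosis",    "confidentiality"),
    Flow("clinic", "physician", "pharmacist", "prescription", "confidentiality"),
    Flow("clinic", "physician", "insurer",    "diagnosis",    "consent"),
]


def mismatches(norm: Flow, flow: Flow) -> List[str]:
    """Names of the parameters on which `flow` departs from `norm`."""
    return [f for f, n, v in zip(FIELDS, norm.as_tuple(), flow.as_tuple())
            if n != "*" and n != v]


def conforms(flow: Flow, norms: List[Flow]) -> bool:
    """A flow is appropriate when at least one norm matches it on every parameter."""
    return any(not mismatches(n, flow) for n in norms)


def explain(flow: Flow, norms: List[Flow]) -> List[str]:
    """Parameters that differ from the nearest norm (fewest mismatches);
    empty for a conforming flow."""
    return min((mismatches(n, flow) for n in norms), key=len)


def assess(flows: List[Flow], norms: List[Flow]) -> Dict[str, list]:
    """Step 2: determine how the system's actual flows disrupt the norms."""
    result: Dict[str, list] = {"conforming": [], "violations": []}
    for fl in flows:
        if conforms(fl, norms):
            result["conforming"].append(fl)
        else:
            result["violations"].append((fl, explain(fl, norms)))
    return result


# Constructed flows taken from a hypothetical system design.
SYSTEM_FLOWS = [
    Flow("clinic", "patient",   "physician",  "diagnosis", "confidentiality"),
    Flow("clinic", "physician", "insurer",    "diagnosis", "consent"),
    Flow("clinic", "physician", "insurer",    "diagnosis", "none"),   # consent missing
    Flow("clinic", "physician", "advertiser", "diagnosis", "none"),   # recipient outside context
]

if __name__ == "__main__":
    report = assess(SYSTEM_FLOWS, NORMS)
    for fl, why in report["violations"]:
        print(f"VIOLATION {fl.sender} -> {fl.recipient} ({fl.info_type}, {fl.principle}): "
              f"departs from nearest norm on {why}")
```

The explanation is what makes the output actionable: the third flow has an acceptable recipient but the wrong transmission principle (consent was dropped), while the fourth introduces a recipient the context has no norm for at all, which is a different kind of design change to argue about.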

27
Q

NIST Privacy Risk Model

A

Embedded in the Privacy Risk Assessment Methodology (PRAM); the model comprises vulnerabilities (problematic data actions), adverse effects (problems for individuals), and the relative likelihoods and impacts of those events.

28
Q

NIST Privacy Risk Model - Problematic Data Actions

A

(1) Appropriation - PI is used in ways beyond what is expected or authorized by the individual
(2) Distortion - the use or dissemination of inaccurate or misleading PI
(3) Induced disclosure - individuals are pressured to provide PI
(4) Insecurity - lapses in data security
(5) Surveillance - PI is tracked or monitored out of proportion to the system’s objectives
(6) Unanticipated revelation - unexpected exposure of facets of an individual as a result of processing
(7) Unwarranted restriction - imposition of unjustified constraints on individuals regarding access to the system and to its information about them

29
Q

NIST Privacy Risk Model - Problems for Individuals

A

(1) Loss of Autonomy - self-imposed restrictions on behavior
(2) Exclusion - denies individuals knowledge about their PI or the ability to act on it
(3) Loss of Liberty - improperly raises the possibility of arrest or detainment
(4) Physical Harm - direct bodily harm to an individual
(5) Stigmatization - links information to an identity so as to stigmatize the person associated with that identity
(6) Power Imbalance - enables abusive or unfair treatment of an individual
(7) Loss of Trust - results from violations of implicit or explicit expectations or agreements about the treatment of PI
(8) Economic Loss - direct or indirect financial loss

30
Q

Privacy Risk Management Framework and 7 Steps

A

A process for applying a risk model to a specific information system in order to identify and address risks.

(1) Characterization
(2) Threat identification
(3) Vulnerability and event identification
(4) Risk assessment
(5) Risk response determination
(6) Risk control implementation
(7) Monitoring and reviewing

31
Q

Privacy Risk Management Framework - Characterization

A

Identifying the purpose of the system, then how PI flows through and is processed on the system, then the technologies in place to support the system

32
Q

Privacy Risk Management Framework - Risk Response Determination

A

(1) Accept the risk - if the risk is low, it may be reasonable and necessary to accept it
(2) Transfer the risk - if another entity can manage the risk better, transfer it (e.g. outsourcing to a payroll service)
(3) Mitigate the risk - the best option when the developer can implement privacy controls that reduce the risk (e.g. daily backups)
(4) Avoid the risk - eliminate the risk by changing the system design or the business process

33
Q

Privacy Risk Management Framework - Risk Control Implementation

A

(1) Administrative Controls - business practices and policies
(2) Technical Controls - govern software processes and data
(3) Physical Controls - govern physical access to hard copies of data and to the systems that process and store electronic copies

34
Q

Documenting Requirements

A

SRS - software requirement specification

(1) Functional requirements - describe a specific function of the intended information system (e.g. "the system shall encrypt credit card numbers")
(2) Nonfunctional requirements - describe a constraint or property of the system that an engineer can trace to functional requirements or design elements (e.g. "the system shall not disclose PI without consent")

35
Q

Trace Matrices

A

A trace link from a requirement to a privacy law means the requirement implements (satisfies) the law.

A trace link from a requirement to a design element means the requirement is implemented by that design element.

Each link includes a rationale describing why it holds, including any exception relied on (e.g. "X provides an exception for any disclosure that is required by law or regulation").
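A trace matrix is most useful when it is queried for gaps rather than just read. The following is an added example, not from the flashcards: laws, requirements and design elements are held as small tables, links carry the rationale the card describes, and a gaps() function reports obligations with no requirement, requirements with no legal basis, and requirements with no implementing design element. The identifiers (LAW-1, REQ-7, DES-3 and so on), the requirement texts and the rationales are assumed for illustration and are not taken from any real SRS or statute.

```python
# Added example (not from the flashcards): a trace matrix with gap detection.
# All identifiers, requirement texts and rationales are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TraceLink:
    source: str     # the artifact that implements ...
    target: str     # ... this artifact (requirement -> law, design -> requirement)
    rationale: str  # why the link holds, including any exception it relies on


LAWS = {
    "LAW-1": "PI shall not be disclosed without consent, except as required by law",
    "LAW-2": "PI shall be protected by reasonable security safeguards",
}
REQUIREMENTS = {
    "REQ-7": "The system shall obtain consent before disclosing PI to a third party",
    "REQ-8": "The system shall record every disclosure of PI",
    "REQ-9": "The system shall encrypt credit card numbers at rest",
}
DESIGN = {
    "DES-3": "ConsentGate: consults ConsentStore before the export API responds",
    "DES-4": "DisclosureLog: append-only audit table written by the export API",
}
LINKS = [
    TraceLink("REQ-7", "LAW-1", "REQ-7 implements LAW-1; LAW-1's exception for "
              "disclosures required by law is handled by REQ-7's legal-hold bypass"),
    TraceLink("REQ-8", "LAW-1", "Disclosure records let the controller show consent "
              "was present for each disclosure"),
    TraceLink("DES-3", "REQ-7", "REQ-7 is implemented by DES-3"),
    TraceLink("DES-4", "REQ-8", "REQ-8 is implemented by DES-4"),
]


def implements(links: List[TraceLink], source: str) -> List[str]:
    """Targets that `source` is linked to (what it implements)."""
    return [l.target for l in links if l.source == source]


def implemented_by(links: List[TraceLink], target: str) -> List[str]:
    """Sources linked to `target` (what implements it)."""
    return [l.source for l in links if l.target == target]


def gaps(laws: Dict[str, str], reqs: Dict[str, str], design: Dict[str, str],
         links: List[TraceLink]) -> Dict[str, List[str]]:
    """Traceability gaps an analyst must resolve before sign-off."""
    known = set(laws) | set(reqs) | set(design)
    return {
        "laws_without_requirement": sorted(
            l for l in laws if not implemented_by(links, l)),
        "requirements_without_legal_basis": sorted(
            r for r in reqs if not any(t in laws for t in implements(links, r))),
        "requirements_without_design": sorted(
            r for r in reqs if not any(s in design for s in implemented_by(links, r))),
        "design_without_requirement": sorted(
            d for d in design if not implements(links, d)),
        "dangling_links": sorted(
            f"{l.source}->{l.target}" for l in links
            if l.source not in known or l.target not in known),
    }


def render_matrix(laws: Dict[str, str], reqs: Dict[str, str],
                  links: List[TraceLink]) -> str:
    """Requirement x law grid: 'X' where a requirement implements a law."""
    cols = sorted(laws)
    out = [f"{'':<8}" + "".join(f"{c:>8}" for c in cols)]
    for r in sorted(reqs):
        marks = ["X" if c in implements(links, r) else "." for c in cols]
        out.append(f"{r:<8}" + "".join(f"{m:>8}" for m in marks))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_matrix(LAWS, REQUIREMENTS, LINKS))
    for kind, items in gaps(LAWS, REQUIREMENTS, DESIGN, LINKS).items():
        if items:
            print(f"{kind}: {items}")
```

In the constructed data, LAW-2 has no requirement tracing to it and REQ-9 has neither a legal basis nor a design element, so the analyst must either add the missing links with a rationale (REQ-9 may well be the safeguard LAW-2 calls for) or add the missing requirement and design work; the matrix makes that decision explicit instead of leaving it to memory.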