Foundations I Flashcards

1
Q

What was “The Right to Privacy”?

A

The Harvard Law Review article written by Samuel Warren and Louis Brandies in 1890 that defined privacy as the “right to be left alone.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the 4 classes of privacy?

A
  1. Information 2. Bodily 3. Territorial 4. Communications
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What was one of the first privacy laws in the UK?

A

The Justices of the Peace Act enacted in 1361

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What country enacted the Access to Public Records Act in 1776?

A

Sweden - The Swedish Parliament

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is the Universal Declaration of Human Rights?

A

Adopted by the General Assembly of the United Nations in 1948.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does Article 12 of the Universal Declaration of Human Rights say?

A

It describes both the territorial and communications notions of privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What document predated the Universal Declaration of Human Rights in 1948?

A

The American Declaration of the Rights and Duties of Man adopted by the Organization of American States. It predated the UDHR by 6 months.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the ECHR?

A

The European Convention for the Protection of Human Rights and Fundamental Freedoms set forth by the Council of Europe in 1950. It acknowledged the goals of the UDHR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What does Article 8 of the ECHR state?

A

This treaty provision limits a public authority’s interference with an individual’s right to privacy, but acknowledges an exception for actions in accordance with the law that are necessary to preserve a democratic society.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How did the Council of Europe respond to concerns that privacy was not protected in light of emerging technology in the late 1960s?

A

Recommendation 509 on Human Rights and Modern and Scientific Technological Developments - establishes a framework of specific principles and standards to prevent unfair collection and processing of personal information. This was later built upon to protect personal data in data banks and set in motion national legislation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What country enacted the first modern data protection law?

A

The German State of Hesse in 1970.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What was the first national privacy law enacted in the US?

A

The Fair Credit Reporting Act in 1970.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How does the EU define “personal data”?

A

“Any and all data that’s related to an identified or identifiable individual.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What term is used in the US to cover information covered by privacy laws?

A

personally identifiable information (PII)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is not included in the definition of “personal information” in Canada?

A

Certain business information is not covered in this country. NOTE: The types of data elements commonly found on a business card are excluded from coverage by the act.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How is “personal information” defined in Japan?

A

information that’s related to living individuals and that can be used to identify specific individuals by name, date of birth or other description.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is Sensitive Personal Information?

A

A subset of personal information that may vary depending on jurisdiction and particular regulations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is Sensitive Personal Information called under the EU Data Protection Directive?

A

Special categories of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the categories of special categories of data?

A

Racial or ethic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is important to note about sensitive categories of data?

A

Such data can be considered sensitive depending on jurisdiction and type and subject to strict rules (e.g. SSNs, biometric data in France, the context of data is important under PIPEDA, etc.).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Do privacy and data protection law apply to non-personal information?

A

Generally no.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

How can data become non-personal?

A

Through removal of the elements used to identify an individual (i.e. de-identified, anonymized, pseudonymized).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the difference between personal and non-personal information?

A

It depends on what is “identifiable” - regulators and courts from jurisdiction to jurisdiction may differ on this.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What other information assets, though not personal information, need to be protected within an organization?

A
  1. Financial Data 2. Operational Data 3. Intellectual Property 4. Information about the organizations products and services
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What does Recital 26 of the EU Data Directive state?

A

“The principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Is retraceably pseudonymized data data about an identifiable individual?

A

Indirectly yes. Article 29 Working Party cautions that such data is subject to protection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Are IP addresses “personal data”

A

In the EU yes, thought a court in Ireland said no. Federal agencies in the US operating under the Privacy Act say no, though the FTC has stated yes in the context of breaches of healthcare information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

How does IPv6 show how technology can shift the line between personal and nonpersonal information?

A

IPv6 uses a new numbering scheme that by default uses information about the specific computer to generate an IPv6 address unlike an old IP address that was assigned anew by the ISP each time they logged on to the Internet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Name 3 sources of personal information

A
  1. Public Records 2. Publicly Available Information 3. Nonpublic information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

What are public records?

A

information collected and maintained by the government and available to the general public.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

What is publicly available information?

A

Information generally available to a wide range of people. Examples include info in telephone books, info in newspapers and on search engines.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

What is nonpublic information

A

Information that is not generally available to the public such as medical records, financial information and adoption records.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Can information be from multiple sources?

A

Yes, it is important to understand the source of the information in order to know how to properly handle the info.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

What is the definition of “processing” in the context of personal information?

A

This term refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation, and use of personal information. It also includes the disclosure by transmission, dissemination, or making available in any other form, linking, alignment, or combination, blocking, erasure or destruction of personal information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

What is a “data subject”?

A

The individual about whom information is being processed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What is a “data controller”?

A

This term refers to the organization that has the authority to decide how and why PI is to be processed. Can be an individual.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

What is a “data processor”

A

An individual or org, often an outsourced entity, that processes data on behalf of the data controller.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Can data processors process outside the scope of the direction of the data controller?

A

No, and all sub-contracting processors must act consistently within the scope of what is permitted for the controller itself.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

What are some elements of personal information?

A

Name, gender, contact info, age, DOB, marital status, other demographic info, languages spoken.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

What are some elements of HR information?

A

Salary, job title, productivity and performance stats, medical and pension benefits, employee evaluations, disabled, veteran, or other relevant status, location info (e.g. through GPS), nationality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Is employee and other HR info treated like PI?

A

Comprehensive data protection laws do treat HR info under the same general rules for PI, but some countries may have specific obligations for HR data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Is PI in the workplace only limited to current employes?

A

No, PI in the HR context can also apply to applicants and former/retired employees, dependents, vendors, contractors, volunteers, beneficiaries. etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

What types of PI might “customer information” include?

A

Purchase history, other interaction history, leads or prospect info, former customers, market research participants, voice recordings, telephone calls, citizens or others who receive SS, health or other benefits from the govt, tax records or other records about individuals held by the government. (in this context “customer info” includes govt info.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Can PI exist outside of the HR and customer context?

A

Yes. Example, companies that gather data about non-customers for a range of business reasons (i.e. to identify members of the press).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

What is the difference between a privacy policy and a privacy notice?

A

A privacy policy is an internal statement that governs how an organization handles personal info. It is directed at the users of PI. A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains, and discloses PI.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

What are two purposes of a privacy notice?

A

(1) consumer education (2) organizational accountability.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

What are some forms of a privacy notice?

A

contracts, application forms, signs, Icons (IABAO Icon), brochures, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

Describe some of the drivers of risk associated with data privacy.

A

Compliance with laws & regulations, prevention of breaches, avoiding enforcement actions, staying up to date with evolving technology, meeting customer expectations. Meeting the demands of outsourcing and off-shoring, extended global enterprise.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

What is one, often neglected, step in the data life cycle where breaches result?

A

Data destruction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

What are the three categories of safeguards?

A

(1) Administrative (2) Technical (3) Physical

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

Describe the principles that track the information life cycle

A

Collection, Use, Disclosure, Storage, Destruction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

What limitations are placed on the collection stage?

A

Personal data should be collected for lawful and fair means, with the consent of the subject where appropriate, limited to identified purposes, proportionate and executed through fair and lawful means.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

Expand on the principle of Use in the information life cycle.

A

Organizations should limit the use of PI to the purposes explained in the notice and to which the subject gave consent either implicitly or explicitly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

What concepts are covered by the principle of limited disclosure?

A

Disclosure should be within the use and notice/consent limits and rights should be maintained even when transfer to other parties occur. Increases in scope should be subject to notice and consent.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

What are the limits on storage and destruction?

A

PI should be retained for only as long as necessary to fulfill the stated purpose. Data not retained should be disposed of in a secure manner or returned.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

What are some common approaches to manage information risk through privacy risk assessments?

A

(1) Privacy Impact Assessments (PIAs) (2) Privacy assessments/audits (3) Privacy by Design

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

What are PIAs?

A

checklists or tools used to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

When should a PIA be completed?

A

Before implementation of the privacy project, product or service and ongoing through it’s deployment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

What attributes should a PIA capture?

A

(1) what info is collected (2) and why (3) intended uses (4) with whom the info is shared (5) consent and choice rights of data subjects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

When should PIAs be used?

A

To assess new systems and significant changes to existing systems, etc. Before, during and after mergers and acquisitions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

What does an effective PIA do?

A

This evaluates the sufficiency of privacy practices and policies with respect to existing legal, regulatory and industry standards and maintains consistency between policy and practice.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

What is a privacy assessment/audit?

A

Reviews of an organizations compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q

When are assessments or audits conducted?

A

On a regular basis or ad hoc as a result of privacy or security events or requests from an enforcement authority.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
64
Q

What is Privacy by Design?

A

This is the concept that organizations should build privacy directly into technology systems and practices at the design phase to ensure privacy from the outset.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
65
Q

Where did Privacy by Design originate?

A

In the mid-90s with the Information and Privacy Commissioner of Ontario.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
66
Q

What are the seven principles of Privacy by Design as set forth by the Privacy Commissioner of Ontario.

A

(1) Proactive not Reactive; Preventative not Remedial (2) Privacy as the Default Setting (3) Privacy Embedded into Design (4) Full Functionality - Positive-Sum, not Zero-Sum (5) End-to-End Security - Full Life Cycle Protection (6) Visibility and Transparency - Keep it Open (7) Respect for User-Privacy - Keep it User-Centric.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
67
Q

Which principles of Privacy by Design have been adopted by the FTC

A

Privacy Embedded into Design and End-to-End Security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
68
Q

What are FIPs?

A

Fair Information Practices - significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to PI since the 1970s. Their definitions have varied over time and there are exceptions to various rules.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
69
Q

List some important codifications of FIPs

A

1973 - US Dept of Health, Education & Welfare Fair Information Practice Principles 1980 - OECD Guidelines Governing the Protection and Privacy of Transborder Data Flowsor Personal Data 1981 - Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (COE Convention). 2004 - APEC agreed to a Privacy Framework. 2009 Madrid Resolution - International Standards on the Protection of Personal Data and Privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
70
Q

What convention was codified in the 1995 EU Data Protection Directive

A

The COE Convention.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
71
Q

What are the FIPs with regards to the Rights of Individuals?

A

(1) Notice (2) Choice and consent (3) Data subject access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
72
Q

What are the differences between the choice concepts of “opt in” and “opt out”

A

Opt-in: means an individual actively affirms that info can be shared with third parties. Opt-out: means that in the absence of action by the individual, information can be shared with third parties.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
73
Q

What are the FIPs related to Controls on the Information?

A

(1) Information Security (2) Information Quality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
74
Q

What are the FIPs related to the Information Life Cycle?

A

(1) Collection (2) Use & Retention (3) Disclosure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
75
Q

What are the FIPs related to Management?

A

(1) Management and Administration (2) Monitoring and Enforcement. Orgs should define, document, communicate and assign accountability for their privacy policies and procedures / Orgs should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
76
Q

From where do the FIPs used widely today come from?

A

The 1973 report by the US Department of Health, Education and Welfare Advisory Committee on Automated Systems. There were 5 listed in the text.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
77
Q

What are the 8 OECD Guidelines (1980)?

A
  1. Collection Limitation Principle 2. Data Quality Principle 3. Purpose Specification Principle 4. Use Limitation Principle 5. Security Safeguards Principles 6. Openness Principle 7. Individual Participation Principle 8. Accountability Principle
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
78
Q

What was one of the main issues underlying the development of the EU Directive?

A

The problem associated with the differences between privacy laws of individual European nations and assuring adequate protection in the context of trans-border data flows.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
79
Q

When was the Directive adopted and when did it go into effect?

A

1995 & 1998

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
80
Q

What are the twin goals of the EU Directive?

A

(1) a unified economic market within the EU, permitting flows of PI among member states. (2) strong overall privacy protection within the EU.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
81
Q

When was a draft regulation proposed to update the EU Directive?

A

2012

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
82
Q

How does the APEC Privacy Framework (2004) differ from the EU Directive?

A

The APEC Framework is non-binding.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
83
Q

How many information privacy principles are part of the APEC Privacy Framework?

A

9 principles that mirror the OECD Guidelines but are more explicit about exceptions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
84
Q

What are the 9 information privacy principles in the APEC Privacy Framework?

A

(1) Preventing Harm (2) Notice (3) Collection Limitation (4) Uses of Personal Information (5) Choice (6) Integrity of Personal Information (7) Security Safeguards (8) Access and Correction (9) Accountability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
85
Q

What are some of the explicit exceptions in the APEC Privacy Framework?

A

With regards to notice, use, choice, and access/correction.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
86
Q

Under what APEC principles is proportionality incorporated?

A

This is not necessarily comprehensive - preventing harm and security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
87
Q

What are the exceptions to the APEC Use Principle?

A

PI should be used only to fulfill the purposes of the collection and compatible purposes except: (1) with consent (2) when necessary to provide a service or product requested by the individual (3) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
88
Q

What are the exceptions to the access and correction APEC principle?

A

Access and the opportunity for correction should be provided except where: (1) burden or expense would be unreasonable or disproportionate to the risks to the individual’s privacy (2) info should not be disclosed due to legal, security, or commercial proprietary reasons (3) info privacy or persons other than the individual would be violated.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
89
Q

When, where and by whom was the Madrid Resolution approved?

A

By the independent data protection and privacy commissioners (not the govts) as the annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain in 2009.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
90
Q

What was the purposes of the Madrid Resolution?

A

There was a dual purpose: to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regards to the processing of personal data and (2) the facilitation of the international flow of personal data needed in a globalized world.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
91
Q

What are the basic principles of the Madrid Resolution?

A

The principle of lawfulness and fairness, purpose specification principle, proportionality principle, data quality, openness, accountability.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
92
Q

What country has required a data protection office (DPO) for many companies since the early 1990s?

A

Germany

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
93
Q

What are some of the functions fulfilled by privacy professionals?

A

governance structure, personal data inventory, data privacy policies, operational policies and procedures, ongoing training and awareness, security controls, contracts, notices, inquires/complaints/disputes, new operational practices, data privacy breaches, data handling practices, tracking of external developments. NOTE - see Figure 1-1 on page 24 of text - Responsible Management Processes for Data Privacy Compliance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
94
Q

What is an important distinction between the OECD and the CoE?

A

The involvement of the US government.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
95
Q

What are sources of privacy protection?

A

Markets, Technology, Legal Controls, Self-Regulation/Co-Regulation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
96
Q

What are the components of self-regulation in the privacy context?

A

Legislation: Who defines privacy rules? Enforcement: Who should initiate an enforcement action? Adjudication: Who should decide whether an organization has violated a privacy rule?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
97
Q

As of Nov. 2011 how many countries had data protection regimes?

A

80 - and over half first enacted their laws after 2000.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
98
Q

Name the major data protection models

A

Comprehensive, sectoral, co-regulatory/self-regulatory, technology-based

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
99
Q

Describe the Comprehensive Model of data protection

A

This model governs the collection, use and dissemination of PI in the public & private spheres. Generally, they have a official or agency that oversees enforcement (DPA).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
100
Q

What are the main reasons for enacting a comprehensive approach to data privacy?

A
  1. Remedy past injuries 2. Ensure consistency with European privacy laws 3. Promote electronic commerce.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
101
Q

What are two common criticisms of the Comprehensive approach to data privacy?

A
  1. The costs of regulation can outweigh benefits - one-size-fits-all doesnt always work and can be expensive. 2. May hinder innovation in data processing.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
102
Q

Name two countries that take a Sectoral approach to data privacy?

A

United States & Japan

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
103
Q

What is the main characteristic of the Sectoral approach to data privacy?

A

PI is protected by enacting laws that address a particular industry sector.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
104
Q

What are the benefits of a Sectoral approach to data privacy?

A

Different sectors have different needs with regards to data privacy. This approach is flexible to meet different industry challenges.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
105
Q

What are some of the criticisms of the Sectoral approach to data privacy?

A

A lack of uniformity can cause gaps and overlaps in coverage and can lead to complexity and burdensome compliance costs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
106
Q

What does the Co-Regulatory Model emphasize?

A

Industry development of enforceable codes or standard for privacy and data protection against the backdrop of legal requirements by the government. This model can exist under both comprehensive and sectoral models.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
107
Q

Names some countries that use a co-regulatory approach to data privacy.

A

Australia and New Zealand - some elements are found in the Netherlands, Ireland and the US (COPPA - code compliance is sufficient to satisfy the statute after codes have been approved by the FTC).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
108
Q

What does the Self-Regulatory approach to data privacy protection emphasize?

A

The creation of codes of practice for the protection of PI by a company, industry or independent body. There may be no generally applicable data protection law that creates a legal framework for this model unlike the co-regulatory model.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
109
Q

What are two examples of self-regulatory models that had a global impact?

A

The Payment Card Industry Data Security Standard & The Groupe Speciale Mobile Association.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
110
Q

Name an early self-regulatory effort.

A

Online Privacy Alliance (OPA). This was a coalition of online companies and trade associations est. in 1998 to encourage the self-regulation of online privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
111
Q

What are “seal programs”?

A

A form of self-regulation that requires participants to abide by certain codes of information practices and submit to monitoring to ensure compliance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
112
Q

Give some examples of seal programs

A

TRUSTe, BBBOnline, Web Trust, EuroPriSe, AMIPCI Trust Mark and TrustSG.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
113
Q

What are some pros and cons of the self-regulatory approach to data privacy?

A

This model can be very flexible and it is thought that industry experts know best how handle the challenges associate with their industry. However, there are concerns over adequacy and enforcement. Are the needs of consumers and other stakeholders taken into account?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
114
Q

What is the Technology-Based model of data privacy protection?

A

This can be considered as an alternative to protections that arise from an org’s administrative compliance with laws or self-reg codes. Think Google or Microsoft using encryption on global web-mail - this makes the protection practices of the local ISP less relevant to protect the content of a communication.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
115
Q

What law did the EU pass in 1995 with regards to data privacy?

A

Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data (the EU Data Protection Directive)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
116
Q

When did the EU Data Protection Directive go into effect?

A

1998

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
117
Q

In what year was a new regulation to revise and replace the Directive proposed?

A

2012

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
118
Q

Who does the EU Directive apply to?

A

Any person who collects or processes data pertaining to individuals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
119
Q

Is the EU Directive a law of exclusion or inclusion?

A

Exclusion - the law prohibits all processing, generally, unless permitted by law.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
120
Q

What are the data protection principles on which the EU Directive is based?

A

legitimate basis for processing, purpose limitation, data quality, proportionality, transparency, security and confidentiality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
121
Q

What are the data subjects rights under the EU Directive?

A

Access, rectification, deletion, and objection

122
Q

Is onward transfer restricted under the EU Directive?

A

Yes

123
Q

Under what circumstances are additional protections afforded under the Directive?

A

Where special categories of data or direct marketing are involved.

124
Q

Are automated individual decisions prohibited under 95/46/EC?

A

YEs

125
Q

What are EU Member states required to do under the Directive?

A

Promulgate a national law.

126
Q

What section of the Directive codified the fair information practices first developed in the US in the 1970s?

A

Section 1, Article 6

127
Q

Section 1, Article 6 states that EU member states shall provide that personal data must be:

A

Processed…. ; Collected for specified…. further processing of data for historical or scientific….. ; adequate, relevant, and…. ; accurate and, where necessary….every reasonable step must be taken to….. ; kept in a form which permits identification of data subjects for no longer….member states shall lay down….

128
Q

What does the Directive regulate?

A

The processing of personal data.

129
Q

How is personal data defined under the Directive?

A

Broadly - data that related to an identified or identifiable individual.

130
Q

Does the EU Directive cover data collected from public sources?

A

Yes

131
Q

What characteristics of data make it likely to be considered personal?

A

Relates to an identifiable individual (whether in personal or family life, or in business or profession), is obviously about the individual, is used to inform or influence actions or decisions affecting an identifiable individual, is linked to an individual so that it provides particular information about the individual.

132
Q

How does the Directive define “processing”

A

Processing covers all operations performed on personal data including collection, storage, handling, use, AND deletion.

133
Q

Are only manual processing activities covered by the Directive?

A

No - automated processing is covered too.

134
Q

Under what circumstances are partial exemptions granted?

A

Processing for certain activities such as journalism and research but only to reconcile privacy rights with free expression and if “appropriate safeguards” are taken.

135
Q

When is processing permitted under the Directive?

A

When the “unambiguous consent” of the data subject is obtained. When processing is necessary for the performance of a contract to which the data subject is a party (applied narrowly). When “necessary for the purposes of the legitimate interests” of the company or a third party or parties to whom data is disclosed.

136
Q

What must be done in order for processing to be permitted for “legitimate interests”

A

A balancing test must be performed in every such case. The business interests must be balanced against the interests for fundamental rights and freedoms of the consumer.

137
Q

What is the dual purpose of the Directive?

A

To enhance the free flow of data among the EU member states while also providing for a high level of data protection.

138
Q

Do European data protection laws impose restrictions on data flows within the EU?

A

No, though registration and notification requirements may still apply.

139
Q

When can data be lawfully transferred outside the EU under the Directive?

A

When a jurisdiction offers an “adequate level of protection” or when another basis for transfer exists.

140
Q

If there is an “adequate level of protection” under the Directive what is allowed?

A

The transfer of data without further approvals or processes.

141
Q

As recently as 2012, what jurisdictions were deemed “adequate” under the Directive?

A

Canada (as long as the recipient of information is subject to PIPEDA), Switzerland, Argentina, Israel, Jersey, the Isle of Man, Guernsey, Faroe Islands, Andorra.

142
Q

What are two other mechanisms that can facilitate data transfer?

A

Model Contracts and Binding Corporate Rules

143
Q

What are Model Contracts?

A

Model Contracts contain standard clauses which are defined by the EU and the Article 29 Working Party to meet the adequacy standards under the Directive.

144
Q

What obligations come with Model Contracts?

A

Data protection commitments and liability requirements. They must be implemented for each business process or personal data flow from an EU country to a country not deemed “adequate.” These helps companies avoid enforcement actions and business interruptions.

145
Q

What are BCRs?

A

Binding Corporate Rules - legally binding internal corporate privacy rules for transferring PI within a corporate group.

146
Q

Who established BCRs?

A

The Article 29 Working Party

147
Q

Who typically users BCRs?

A

Companies that operate in multiple jurisdictions.

148
Q

What must happen before BCRs become effective?

A

They must be approved by the EU data protection authorities in the different states where the corporation operates.

149
Q

What must be designated under the requirements for BCRs?

A

A lead authority as the point of contact.

150
Q

What does the BCR authority do?

A

Handles the procedure for the review of the BCR and coordinates the authorization process in the various member states.

151
Q

How does one choose a lead authority under BCRs?

A

consider the location of the group’s European headquarters, the location of the company within the group that has delegated data protection responsibilities, the location of the company within the group best placed to deal with application and enforce BCRs, the location where most decisions are made in relation to processing, the location where most transfers outside the EU take place.

152
Q

The lead authority for purposes of BCRs is…

A

One of the DPAs from an EU member state….

153
Q

What is the procedure for approval of BCRs?

A

The finalization of the draft BCR usually requires exchanges between the company and the lead DPA, upon satisfaction, the lead DPA forwards them to two other DPAs, they have 1 months to review and comment, then the lead DPA sends the draft BCR to all DPAs in all countries from which the data is transferred.

154
Q

What was the e-Privacy directive originally called?

A

It was called the Telecommunications Directive passed in 1997.

155
Q

What is the formal name of the e-Privacy Directive?

A

The directive on privacy and electronic communications (2002/58/EC).

156
Q

What does the e-Privacy Directive regulate?

A

Online marketing practices - it extends the controls unsolicited direct marketing to all forms of electronic communications.

157
Q

What are some of the key provisions of the e-Privacy directive?

A

NAME?

158
Q

What does the Cookie Directive add to the e-Privacy Directive?

A

The Cookie Directive or 2009/136/EC revises the e-Privacy directive to require member states to pass legislation requiring opt-in mechanisms before cookies are installed. Not met by implementation deadline over controversy of what cookies are covered and how to practically provide for an opt-in mechanism.

159
Q

How was the Article 29 Working Party formed?

A

By the 1998 Data Protection Directive.

160
Q

What is the Article 29 Working Party?

A

a group of data protection authorities that has provided guidance on a range of data protection issues.

161
Q

Who enforces data protection laws?

A

national DPAs of the EU member states as well as the data protection authority of the European Commission itself.

162
Q

How does the treatment of employment data differ in the EU?

A

Privacy concerns tend to predominate security concerns and employee rights are very prominent. Employers often have to jump through more hoops to monitor or background check employees.

163
Q

Does the US have “adequate data protection” according to the EU?

A

No

164
Q

Who developed the “Safe Harbor” framework?

A

The US Department of Commerce in consultation with the European Commission.

165
Q

How does a corporation become “Safe Harbor” certified?

A

They self-certify with the Dept of Commerce that they abide by certain fair information practices and subject themselves to enforcement actions by the FTC and the DOT. The FTC considers it a deceptive trade practice to say that you are SH but fail to abide by the principles.

166
Q

What are the “Safe Harbor” requirements?

A

Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement

167
Q

Is Safe Harbor choice opt-out or opt-in?

A

Both - generally an individual must have the opportunity to opt-out whether their PI will be disclosed outside of the scope of original use. For sensitive info, affirmative or explicit (opt-in) choice must be given if used other than original purpose or authorized purpose.

168
Q

Describe the concept of onward transfer.

A

To disclose information to a 3rd party organizations must apply notice and choice principles. To transfer to a third party that party must subscribe to SH, subject to the Directive, be “adequate” - or at least have a written agreement in place that they provide the same level of protection are required by relevant principles.

169
Q

How is Safe Harbor enforced?

A

There must be independent resources to investigate complaints and disputes and provide for damages. Verification of compliance. obligations to remedy problems arising out of a failure to comply. Sanctions must be severe enough to ensure compliance. And if no letter - not on list and no benefits.

170
Q

What are alternative to Safe Harbor?

A

Model Contracts, Consent (or other exception under the Directive).

171
Q

Is consent enough to authorize data transfer?

A

generally, but it must be freely given and unambiguous. But the details of what constitutes consent differs across EU member states.

172
Q

Is consent valid if there are consequences for it not being given?

A

No, there must be no adverse consequences if consent is withheld or revoked.

173
Q

Is Consent always recognized in the HR context?

A

No, because of the subordinate nature of the employer-employee relationship.

174
Q

What type of model approach does the US have towards privacy protection?

A

A Sectoral Model - it has grown piecemeal over time.

175
Q

What often applies for sectors that are not subject to specific statues?

A

Self-regulation

176
Q

Does the US Constitution provide for an explicit right to privacy?

A

No

177
Q

When did legal attention to privacy first become prominent in the US?

A

1890 with the growth of photography - Brandeis and Warren - right to be left alone. Then 70 years later Proser’s law review article setting forth privacy torts (there are four now).

178
Q

How has privacy developed over time in terms of the Constitution vs. statues

A

Over the years courts have set forth privacy rights based on the Constitution. These are “decisional” in nature - birth control, abortion, sexual activity. NOT “information” privacy. Statues provide the primary source of legal obligation in the information realm.

179
Q

What two approaches to privacy legislation are prominent in the US today?

A

fair information practices and “permissible purpose” approach.

180
Q

What are two key principles in the fair information practices approach to privacy legislation?

A

notice and choice

181
Q

What law exemplifies the fair information practices approach to privacy legislation?

A

Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act)

182
Q

What is the best example of the permissible purpose approach to privacy legislation?

A

The Fair Credit Reporting Act

183
Q

What was announced in 2012 as an update to the Fair Information Practice Principles from the early 1970s?

A

Obama’s Consumer Privacy Bill of Rights - NOTE: This BoR has not been enacted into law.

184
Q

Under Obama, what principles should apply to personal information in modern online commercial settings?

A

Individual control, transparency, respect for context, security, access & accuracy, focused collection, accountability.

185
Q

Name four key private sector privacy laws:

A

(1) Fair Credit Reporting Act (FCRA) (1970) (2) Health Insurance Portability and Accountability Act of 1996 (HIPAA) (3) Gramm-Leach-Bliley Act (GLBA) (1999), & (4) Children’s Online Privacy Protection Act of 1998 (COPPA).

186
Q

What is the basic rule under HIPAA?

A

Patients have to opt-in before their information can be shared with other organizations though there are exceptions for treatment, payment and healthcare operations.

187
Q

What law amended HIPAA in 2009?

A

The HITECH Act

188
Q

What are GLBA’s basic requirements?

A

securely store personal financial information, give notice of policies regarding the sharing of personal financial info, give consumers the ability to opt-out of some sharing of personal financial info.

189
Q

What does COPPA apply to?

A

Operators of commercial websites and online services that are directed to children under the age of 13 AND general audience websites and online services that have actual knowledge that they are collecting PI from children under 13.

190
Q

Describe some of the broad powers of the FTC with regards to privacy

A

The FTC has authority under Section 5 of the FTC Act to bring enforcement actions against “unfair and deceptive” trade practices. Jurisdiction extended broadly to commercial entities with exceptions for the financial services industry and other sectors.

191
Q

What are two key public sector laws?

A

The Privacy Act of 1974 and The Freedom of Information Act (FOIA)

192
Q

What does the Privacy Act of 1974 regulate?

A

The federal government’s use of computerized databases of information about U.S. citizens and permanent, legal residents.

193
Q

When was FOIA enacted?

A

1966

194
Q

What does FOIA apply to?

A

FOIA covers all federal agency records, not just those that contain PI, under the federal executive branch.

195
Q

What does FOIA not apply to?

A

legislative or judicial records and state or local records.

196
Q

What law was enacted to update FOIA?

A

E-FOIA in 1996

197
Q

What types of laws have the states implemented?

A

Data breach laws, identity theft laws, medical privacy.

198
Q

Does the FCRA preempt state law?

A

Yes

199
Q

Does HIPAA preempt state law?

A

no - and stricter privacy protections can be added at the state level.

200
Q

What type of info privacy model does Australia have?

A

A co-regulatory model - Federal Privacy Act - contains 11 information privacy principles that apply to Commonwealth and ACT government agencies (Australian Capital Territory). Amendments have extended the 10 existing National Privacy Principles into the private sector. Note: Privacy Amendment Act 2000.

201
Q

What are the 10 National Privacy Principles in Australia?

A

fair and lawful collection, use and disclosure only with consent, reasonable quality and accuracy, reasonable security, openness, means for access and correction, limits on use of govt issued IDs, reasonable anonymity options must be offered, trans-border flows should be limited, special protection for sensitive data

202
Q

Does Australia encourage self-regulation?

A

yes, ones that reflect the National Privacy Principles

203
Q

What is the standard for the obligations of an organization regarding privacy?

A

“Reasonableness” under the circumstances

204
Q

What type of framework exists in China?

A

The PRC has not enacted a comprehensive privacy or data protection law. Though an individual right to privacy is established in the Constitution of the PRC (Articles 40 and 38).

205
Q

What were the draft guidelines published in China in 2011 and who published them?

A

“Information Security Technology - Guide of Personal Information Protection” published by The General Administration of Quality Supervision inspection and Quarantine and the Standards Administration of the PRC. If passed they would provide for broad privacy rules for the collection, use and handling of PI.

206
Q

What is the general approach of data protection in Europe?

A

To not allow any collection or use of personal data unless permitted by law.

207
Q

What countries are covered by the Directive?

A

27 EU States and 3 EFTA countries

208
Q

What are the 3 EFTA countries?

A

Norway Liechtenstein and Iceland

209
Q

Is Switzerland under the Directive?

A

No - it is an EFTA member but not an EEA member.

210
Q

What is the EEA?

A

The European Economic Area - the 27EU states and the 3 EFTA countries that have signed on to the EEA agreement.

211
Q

What are the 27 EU countries?

A

A, B, B, C, CR, D, E, F, F, G, G, H, I, I, L, L, L, M, N, P, P, R, S, S, S, S, UK

212
Q

What is the law of Andorra

A

The Qualified Law 15/2003

213
Q

What is the law of Armenia?

A

The Law of the Republic of Armenia on Personal Data in force since 2003.

214
Q

What is the law of Azerbaijan?

A

The law of the Republic of Azerbaijan on Information, Information Provisions and Protection of Information (1998)

215
Q

What is the law of Bosnia & Herzegovina?

A

The Law on the Protection of Personal Data

216
Q

What is the law of Belarus?

A

The Law on Information, Informatization, and Protection of Information of November 10, 2008.

217
Q

What is the law of Croatia?

A

The Personal Data Protection Act (2003)

218
Q

What is the law of Kosovo?

A

The Law on the Protection of Personal Data (May 13, 2010).

219
Q

What is the law of Maldova?

A

The Law Nr. 17-XVI of 15.02.2007

220
Q

What is the law of Russia?

A

The Federal Law of 27 July 2006 N 152-FZ on Personal Data.

221
Q

What is the law of Serbia?

A

The Law on Personal Data Protection (published in the Official Gazette of the Republic of Serbia No. 97/08).

222
Q

What is the law of the Ukraine?

A

Law No. 2297-VI on Personal Data Protection (January 1, 2011)

223
Q

What are the Canadian government officials who oversee privacy matters called?

A

information and privacy commissioners or ombudsmen

224
Q

What do Canadian government privacy official not rely on as of 2011?

A

Fines

225
Q

What is the act that limits Canadian government departments and agents ability to collect use and disclose personal data?

A

The Privacy Act of 1983

226
Q

What does PIPEDA stand for?

A

The Personal Information Protection and Electronic Documents Act of 2000 (Canada)

227
Q

What is PIPEDA?

A

Canada’s comprehensive national private sector privacy legislation.

228
Q

When did PIPEDA become fully applicable?

A

2004

229
Q

What are the 2 goals of PIPEDA?

A

(1) to instill trust in electronic commerce and private sector transactions for Canadian citizens and (2) to establish a level playing field where the same marketplace rules apply to all businesses.

230
Q

How is PI defined under PIPEDA?

A

information about an identifiable individual, but does not include business contact information.

231
Q

What type of ‘activity’ is covered by PIPEDA?

A

Commercial Activity

232
Q

What entity is responsible for oversight of PIPEDA?

A

On the national level - the Office of the Information and Privacy Commissioner of Canada located in Ottawa, Ontario.

233
Q

What does PIPEDA require?

A

Organizations to adhere to 10 standards regarding the information that they collect.

234
Q

How does PIPEDA related to provincial privacy legislation?

A

PIPEDA provides for the enactment of provincial privacy legislation and if a provincial law is deemed “substantially similar” to PIPEDA then it general supersedes PIPEDA with regards to intra provincial and provincial govt activities.

235
Q

What Canadian provinces have substantially similar privacy laws that govern the private sector?

A

Alberta, BC and Quebec.

236
Q

What is one law that has been deemed “substantially similar” to PIPEDA?

A

The province of Ontario’s health law, the Personal Health Information Protection Act.

237
Q

What should privacy practitioner be aware of when they encounter healthcare information?

A

That special rules may apply.

238
Q

What are some reasons why strict privacy and data protection laws are necessary for healthcare privacy information?

A
  1. medical information is related to the inner workings of one’s body or mind. 2. most doctors believe that patients will be more open if their info is not revealed. 3. protects employees from unequal treatment.
239
Q

What are some sectors of privacy and data protection law?

A

Healthcare Sector, Financial Sector, Telecommunications Sector, Online Privacy, Public Sector, Human Resources, Smart Grid and Smart Home, Direct Marketing.

240
Q

What Act established a complicated set of privacy and security requirements for all financial institutions?

A

Gramm-Leach-Bliley Act of 1999

241
Q

What is the Japanese law that regulates the use of customers’ personal information in the financial services sector?

A

The Act on the Protection of Personal Information and accompanying guidelines.

242
Q

What are two areas where privacy professionals should remain acutely aware?

A

Confidentiality and disclosure

243
Q

In what areas can financial rules apply?

A

Financial institutions, financial transactions, special local rules for information about credit histories.

244
Q

What are the four categories of modern telecommunications rules?

A
  1. wiretaps and similar tech which gain access to the CONTENT of communication 2. Access on an ongoing basis to TO/FROM information 3. STORED TELECOMMUNICATIONS RECORDS 4. LOCATION INFORMATION
245
Q

When was the Internet developed?

A

1990s

246
Q

What is the concept of technology neutrality?

A

The concept that citizen’s rights should not vary depending on a specific technology.

247
Q

How has the Internet created new challenges to privacy protections?

A
  1. Internet problems do not have easy comparisons to the past. 2. It enables far more detailed collection of information than in the past. 3. its inherently global nature.
248
Q

Does the EU Directive apply to both the private and government sectors?

A

Yes, those there are less strict rules for “first pillar” government organizations, where the police and other government agencies hold personal info, than for data held by private actors.

249
Q

What Act requires the federal government to apply FIPs?

A

The Privacy Act of 1974.

250
Q

How many levels of privacy law does Canada have?

A
  1. Federal 2. Provincial/Territory 3. Municipaility
251
Q

What is an important issue to explore when dealing with an issue in the public sector?

A

Special notice should be taken when a local or national government has access to personal information.

252
Q

What is an important aspect of a “public” record?

A

What is a “public record” varies from country to country. In Sweden salary information is a public record and in the US the owner of real estate is a public record while that info is considered private in many counties.

253
Q

Is HR information considered PI under the EU Directive?

A

Yes

254
Q

What organization in the US provides a general code of conduct in relation to the protection of HR information?

A

The International Association for Human Resources Information Management.

255
Q

In addition to internal procedures, what outside regulation must HR professionals consider with regards to data privacy?

A

HIPAA & the Fair Credit Reporting Act

256
Q

What is the balance in the HR world with regard to personal data?

A

Privacy rights of employees in the workplace vs. legitimate interests of the organization and customers.

257
Q

What does “smart grid” refer to?

A

A new energy system that manages electricity consumption through remote computerization and automation.

258
Q

What is the concept of “Privacy by Design?

A

Building privacy into technology.

259
Q

Which state passed the first consumer protection law regulating the use of consumer energy consumption in 2010?

A

California

260
Q

What has been done in the EU to address smart grid privacy laws?

A

In 2011, the EU adopted “Communication Smart Grids: from Innovation to Deployment” focused on developing technical standards and ensuring data protection for consumers, and in 2011 the EU issued an Article 29 Working Party Opinion that clarifies the legal framework applying to smart meters.

261
Q

What is one aspect of smart grid technology that raises privacy concerns?

A

The fact that it measures energy us continuously rather than at the end of a billing cycle.

262
Q

Smart grid issues set the stage for issues related to what other technology?

A

Smart home

263
Q

How is direct marketing distinguished from other types of marketing?

A

Direct marketing occurs when a seller directly contacts and individual, in contrast to marketing through mass media such as television or radio.

264
Q

What are the two traditional privacy issues related to direct marketing?

A
  1. What information is collected and used by default? 2. what rights do individuals have to change that default?
265
Q

What were the circumstances by which a self-regulatory system developed in the US for direct marketing?

A

In response to magazine subscription lists - the efforts were primarily led by the Direct Marketing Association.

266
Q

What type of system did the Direct Marketing Association establish for consumers receiving mailings?

A

Opt-out

267
Q

What was the wave of direct marketing efforts with regards to privacy protections?

A

Telephone calls to households which led to a company by company opt-out list through self-regulation and government rules.

268
Q

What opt-out regulation developing in 2004 in response to telemarketers?

A

The National Do Not Call Registry.

269
Q

Who enforces Do No Call?

A

FTC

270
Q

Are there any exceptions to Do Not Call?

A

Political activities and non-profit organizations (in an effort to uphold free speech rights).

271
Q

What was the argument underlying Do No Call?

A

How to enable direct marketing vs. protecting privacy

272
Q

What high-profile court case brought the direct marketing debate to light?

A

DoubleClick - they proposed to merge offline content with info collected by cookies set by DoubleClick’s own network.

273
Q

What did the DoubleClick decision also prompt?

A

The development of a self-regulatory code by the Network Advertising Initiative (NAI) that requires online advertisers to provide for opt-out measures for many forms of online targeted advertising (for those that adopt it).

274
Q

What EU Directive affirmed the right of individuals to to place limits on direct marketing?

A

The 2002 Privacy and Electronic Communications Directive (e-Privacy Directive)

275
Q

What is the Cookie Directive?

A

The nickname for the 2009 amendment to the 2002 e-Privacy Directive. Notably, it requires affirmative consent before cookies can be placed on an individual’s computer. As of early 2012, national laws implementing the directive are coming into effect and there are ongoing discussions about how to comply with the Directive while maintaining functionality of sites that use cookies.

276
Q

What is Do Not Track?

A

Do Not Track is a proposal by the FTC which is an update to Do Not Call. The W3C is establishing standards to define Do Not Track. There is another debate surrounding the use of data vs. the collection of data.

277
Q

What is Information Security?

A

The protection of information in order to prevent loss, unauthorized access or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve the information consistent with three key attributes: CIA

278
Q

Define CIA

A

Confidentiality - access to data is limited to authorized parties. Integrity - assurance that data is authentic and complete. Availability - Knowledge that the data is accessible, as needed, by those who are authorized to access it.

279
Q

How is IS achieved?

A

By implementing controls that must be monitored and reviewed.

280
Q

What are the types of security controls?

A

Physical / Administrative / Technical

281
Q

What do security controls do?

A

prevent, detect or correct a security incident

282
Q

How does information security differ from information privacy?

A

IS is the protection of info from unauthorized access, use and disclosure. IP also concerns rules that govern the collection and handling of Personal Information. IS is a necessary component of IP, but IP also involves the data subject’s right to control the data such as rights to notice and choice.

283
Q

What are the 3 main sources from which security requirements are derived?

A

(1) identifying and assessing the security threats to and vulnerabilities of the organization (2) legal, regulatory & contractual obligations (3) an organizations principles, policies & objectives.

284
Q

What are some basic steps to consider when establishing and managing an information security program?

A

(1) define the scope/boundaries of ISMS (2) Define security policy (3) Define the risk assessment approach (4) identify, analyze, evaluate risks (5) identify and evaluate options for handling risks (6) select control objectives and controls for risks (7) obtain management approval or proposed residual risks (8) monitor and review the security program

285
Q

What are some best practices for a good information identification and assessment process?

A

technical schematic of the infrastructure and processes but also insight into how the systems are actually used by individuals. Monitoring is also an important aspect - as assessments are essentially backward looking - monitoring is necessary to gain current or real-time information about a system.

286
Q

Define risk

A

a measure of the extent to which an entity is threatened by a potential circumstance or event. It is typically a function of adverse impacts if the circumstance occurs and likelihood of occurence.

287
Q

Define Threat

A

any circumstance or event with the potential to adversely impact organizational operations or assets.

288
Q

Define Vulnerability

A

a weakness in an info system, system security procedures, internal controls or implementation that could be exploited by a threat source.

289
Q

What is the most common form of monitoring?

A

System logs - they capture a current record of changes to the system and other important events.

290
Q

What should system logs be regularly checked for?

A

Gaps - that may indicate alterations of conceal a breach.

291
Q

Give one industry standard risk assessment formula

A

Risk = threat x vulnerability x expected loss

292
Q

What are some metrics to help evaluate risk?

A

Number of breaches, number of outages, unauthorized access, lost assets, software viruses, investigations

293
Q

Does information have to be stolen or altered for a breach to have occurred?

A

No - a breach occurs when an attacker enters the organization’s system.

294
Q

What is an outage?

A

This occurs when a component of the IS is offline due to an attack.

295
Q

When should an investigation of an attack begin?

A

During the attack and continue after the attack

296
Q

What is ISO?

A

The International Organization for Standardization - consists of over 160 member countries.

297
Q

What are the two main standards for information security?

A

ISO 27001 - IS Management (mandatory requirements & ISO 27002 (originally named ISO 17799 but renamed in 2007 and outlines international best practices for info security techniques and provides optional guidelines for implementing the requirements of ISO 27001.

298
Q

How many controls are within the ISO 27002 framework?

A

133 specific controls organized around 39 control objectives. The 11 security clauses of ISO 27002 each have categories of controls and implementation guidance. EXTRA CREDIT - name the 11 security clauses (pg. 82 of Foundations text)

299
Q

What must be a priority in order to maintain security within an organization?

A

Role and responsibilities must be clearly understood

300
Q

What are 5 things that an org must ensure that employees understand?

A

(1) the value of security and importance of reporting incidents (2) their roles and responsibilities (3) security policies and procedures (4) basic security issues (5) the importance of compliance with legal/regulatory requirements