Foundations I. Common Principles and Approaches to Privacy Flashcards
• Historical descriptions, definitions and classes of privacy • Types and elements of information • Privacy policies and notices and processing of personal data • Information risk management and information lifecycle principles • Modern privacy principles, including FIPs, OECD and APEC, and common themes
What was “The Right to Privacy”?
The 1890 Harvard Law Review article by Samuel Warren and Louis Brandeis that defined privacy as the “right to be let alone.”
What are the 4 classes of privacy?
- Information
- Bodily
- Territorial
- Communications
What was one of the earliest privacy-related laws in England (now part of the UK)?
The Justices of the Peace Act, enacted in 1361.
What country enacted the Access to Public Records Act in 1776?
Sweden - The Swedish Parliament
What is the Universal Declaration of Human Rights?
Adopted by the General Assembly of the United Nations in 1948.
What does Article 12 of the Universal Declaration of Human Rights say?
It describes both the territorial and communications notions of privacy.
What document predated the Universal Declaration of Human Rights in 1948?
The American Declaration of the Rights and Duties of Man, adopted by the Organization of American States earlier in 1948, some months before the UDHR.
What is the ECHR?
The European Convention for the Protection of Human Rights and Fundamental Freedoms set forth by the Council of Europe in 1950. It acknowledged the goals of the UDHR.
What does Article 8 of the ECHR state?
This treaty provision guarantees respect for private and family life, home and correspondence, and limits a public authority’s interference with that right to what is in accordance with the law and necessary in a democratic society for listed aims (such as national security, public safety and the prevention of crime).
How did the Council of Europe respond to concerns that privacy was not protected in light of emerging technology in the late 1960s?
Recommendation 509 (1968) on Human Rights and Modern Scientific and Technological Developments, which led to a framework of specific principles and standards to prevent unfair collection and processing of personal information. This was later built upon to protect personal data held in data banks and set national legislation in motion.
What country enacted the first modern data protection law?
The German State of Hesse in 1970.
What was the first national privacy law enacted in the US?
The Fair Credit Reporting Act in 1970.
How does the EU define “personal data”?
“Any information relating to an identified or identifiable natural person” (Directive 95/46/EC, Article 2(a)).
What term is used in the US to cover information covered by privacy laws?
personally identifiable information (PII)
What is not included in the definition of “personal information” in Canada?
Certain business information is not covered in this country. NOTE: The types of data elements commonly found on a business card are excluded from coverage by the act.
How is “personal information” defined in Japan?
information that’s related to living individuals and that can be used to identify specific individuals by name, date of birth or other description.
What is Sensitive Personal Information?
A subset of personal information that may vary depending on jurisdiction and particular regulations.
What is Sensitive Personal Information called under the EU Data Protection Directive?
Special categories of data.
What are the categories of special categories of data?
Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, and data concerning sex life.
What is important to note about sensitive categories of data?
Such data can be considered sensitive depending on jurisdiction and type and subject to strict rules (e.g. SSNs, biometric data in France, the context of data is important under PIPEDA, etc.).
Do privacy and data protection law apply to non-personal information?
Generally no.
How can data become non-personal?
Through removal of the elements that identify an individual (e.g. de-identified or anonymized data). Pseudonymized data, where identifiers are replaced by tokens but the original can be recovered with a key or lookup table, is generally still treated as personal data.
What is the difference between personal and non-personal information?
It depends on what is “identifiable” - regulators and courts from jurisdiction to jurisdiction may differ on this.
What other information assets, though not personal information, need to be protected within an organization?
- Financial Data
- Operational Data
- Intellectual Property
- Information about the organizations products and services
What does Recital 26 of the EU Data Directive state?
“The principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.”
Is retraceably pseudonymized data still data about an identifiable individual?
Indirectly, yes: whoever holds the key or lookup table can re-identify the person.
The Article 29 Working Party cautions that such data remains subject to protection.
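The distinction the two cards above draw, between removing identifiers outright and replacing them with retraceable tokens, is easy to get wrong in practice: an unkeyed hash of an identifier is often called "anonymisation" but can be reversed by enumerating the identifier space, while a keyed pseudonym stays linkable across datasets and reversible by the key holder. The following is an added example, not code from the source text or from any regulator; the records, field names and keys are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Sequence, Tuple

# Constructed sample records; these are not real people.
RECORDS = [
    {"customer_id": "1000001", "email": "alice@example.com", "postcode": "SW1A", "spend": 420},
    {"customer_id": "1000002", "email": "bob@example.com", "postcode": "EH1", "spend": 55},
]
# Fields that directly identify a person (assumed for this example).
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("customer_id", "email")


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier: frequently mislabelled 'anonymisation'."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def brute_force_naive(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Reverse an unkeyed hash by enumerating a small identifier space.

    Anyone can do this; no secret is needed, so the data was never non-personal.
    """
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), digest):
            return candidate
    return None


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 64 bits of hex).

    Deterministic, so the same person gets the same token in every dataset
    (records stay linkable), but only the key holder can recompute it.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: Dict, key: bytes, fields: Sequence[str] = DIRECT_IDENTIFIERS) -> Dict:
    """Replace direct identifiers with keyed tokens; other fields are kept as-is."""
    out = dict(record)
    for field in fields:
        out[field] = pseudonym(str(record[field]), key)
    return out


def retrace(token: str, key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What the key holder (e.g. the controller) can do: map a token back to an identifier."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym(candidate, key), token):
            return candidate
    return None


def anonymize(record: Dict, fields: Sequence[str] = DIRECT_IDENTIFIERS) -> Dict:
    """Drop direct identifiers entirely; nothing retained maps back to the person."""
    return {k: v for k, v in record.items() if k not in fields}
```

Two things the code makes concrete. First, `brute_force_naive` recovers a customer number from its SHA-256 in a handful of guesses, so unkeyed hashing of low-entropy identifiers does not take the data outside the law. Second, `retrace` succeeds only with the correct key, which is why pseudonymised data is treated as personal data in the hands of whoever holds that key and why the key should be stored and access-controlled separately from the tokenised records. Note that `anonymize` only removes direct identifiers; a combination of the remaining fields (postcode plus spend) may still single out an individual, which is the "what counts as identifiable" question the cards that follow raise.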
Are IP addresses “personal data”
In the EU, generally yes, though a court in Ireland held otherwise. US federal agencies operating under the Privacy Act have said no, while the FTC has treated them as personal information in the context of breaches of health care information.
How does IPv6 show how technology can shift the line between personal and nonpersonal information?
Under IPv6 stateless address autoconfiguration a host can, by default, build the low 64 bits of its address (the interface identifier) from its own hardware (MAC) address using the modified EUI-64 scheme, so the same host-specific identifier follows the machine from network to network. This differs from the older practice of an ISP assigning an IPv4 address anew each time a user connected. IPv6 privacy extensions (RFC 4941), which generate random temporary interface identifiers, exist precisely to remove that persistent identifier.
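To show how the address scheme described above turns a network address into a device identifier, here is an added example (not code from the source text): it derives a modified EUI-64 interface identifier from a MAC address, builds the autoconfigured address on two different /64 prefixes, recovers the MAC from such an address, and contrasts this with a randomised RFC 4941-style interface identifier. The MAC address and prefixes are constructed for the example.

```python
import ipaddress
import secrets
from typing import Optional

# Constructed sample MAC address and documentation prefixes (not a real network).
SAMPLE_MAC = "00:11:22:33:44:55"
HOME_PREFIX = "2001:db8::/64"
OFFICE_PREFIX = "2001:db8:cafe::/64"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    The 48-bit MAC is split in two, 0xFFFE is inserted in the middle, and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfigured address: /64 network prefix + EUI-64 interface ID."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(network.network_address) | iid)


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """Temporary address with a random interface ID, in the style of RFC 4941."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the u/l bit: marks the ID as not globally unique
    return ipaddress.IPv6Address(int(network.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address; None if the 0xFFFE marker is absent."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def same_interface(addr_a: str, addr_b: str) -> bool:
    """True when two addresses, possibly on different networks, share an interface ID."""
    mask = (1 << 64) - 1
    return (int(ipaddress.IPv6Address(addr_a)) & mask) == (int(ipaddress.IPv6Address(addr_b)) & mask)
```

The point for the personal/non-personal line: `same_interface` links the home and office addresses of one laptop even though the network halves differ, and `mac_from_address` turns the address into a hardware serial, so an EUI-64-derived IPv6 address is a stable identifier for the device (and usually its user). A randomised interface identifier as in `privacy_address` breaks both linkages, which is why modern operating systems enable privacy extensions by default.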
Name 3 sources of personal information
- Public Records
- Publicly Available Information
- Nonpublic information
What are public records?
information collected and maintained by the government and available to the general public.
What is publicly available information?
Information generally available to a wide range of people. Examples include info in telephone books, info in newspapers and on search engines.
What is nonpublic information
Information that is not generally available to the public such as medical records, financial information and adoption records.
Can information be from multiple sources?
Yes, it is important to understand the source of the information in order to know how to properly handle the info.
What is the definition of “processing” in the context of personal information?
This term refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation, and use of personal information. It also includes the disclosure by transmission, dissemination, or making available in any other form, linking, alignment, or combination, blocking, erasure or destruction of personal information.
What is a “data subject”?
The individual about whom information is being processed.
What is a “data controller”?
This term refers to the organization that has the authority to decide how and why PI is to be processed. Can be an individual.
What is a “data processor”
An individual or org, often an outsourced entity, that processes data on behalf of the data controller.
Can data processors process outside the scope of the direction of the data controller?
No, and all sub-contracting processors must act consistently within the scope of what is permitted for the controller itself.
What are some elements of personal information?
Name, gender, contact info, age, DOB, marital status, other demographic info, languages spoken.
What are some elements of HR information?
Salary, job title, productivity and performance stats, medical and pension benefits, employee evaluations, disabled, veteran, or other relevant status, location info (e.g. through GPS), nationality.
Is employee and other HR info treated like PI?
Comprehensive data protection laws do treat HR info under the same general rules for PI, but some countries may have specific obligations for HR data.
Is PI in the workplace only limited to current employes?
No, PI in the HR context can also apply to applicants and former/retired employees, dependents, vendors, contractors, volunteers, beneficiaries. etc.
What types of PI might “customer information” include?
Purchase history, other interaction history, leads or prospect information, former customers, market research participants, voice recordings and telephone calls; in the government context, citizens or others who receive Social Security, health or other benefits, and tax or other records about individuals held by the government (“customer information” here includes government-held information).
Can PI exist outside of the HR and customer context?
Yes. Example, companies that gather data about non-customers for a range of business reasons (i.e. to identify members of the press).
What is the difference between a privacy policy and a privacy notice?
A privacy policy is an internal statement that governs how an organization handles personal info. It is directed at the users of PI. A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains, and discloses PI.
What are two purposes of a privacy notice?
(1) consumer education
(2) organizational accountability.
What are some forms of a privacy notice?
contracts, application forms, signs, Icons (IABAO Icon), brochures, etc.
Describe some of the drivers of risk associated with data privacy.
Compliance with laws & regulations, prevention of breaches, avoiding enforcement actions, staying up to date with evolving technology, meeting customer expectations. Meeting the demands of outsourcing and off-shoring, extended global enterprise.
What is one, often neglected, step in the data life cycle where breaches result?
Data destruction
What are the three categories of safeguards?
(1) Administrative
(2) Technical
(3) Physical
Describe the principles that track the information life cycle
Collection, Use, Disclosure, Storage, Destruction
What limitations are placed on the collection stage?
Personal data should be collected by lawful and fair means, with the knowledge or consent of the data subject where appropriate, limited to identified purposes, and proportionate to those purposes.
Expand on the principle of Use in the information life cycle.
Organizations should limit the use of PI to the purposes explained in the notice and to which the subject gave consent either implicitly or explicitly.
What concepts are covered by the principle of limited disclosure?
Disclosure should be within the use and notice/consent limits and rights should be maintained even when transfer to other parties occur. Increases in scope should be subject to notice and consent.
What are the limits on storage and destruction?
PI should be retained only as long as necessary to fulfill the stated purpose. Data no longer needed should be securely destroyed or returned.
What are some common approaches to manage information risk through privacy risk assessments?
(1) Privacy Impact Assessments (PIAs) (2) Privacy assessments/audits (3) Privacy by Design
What are PIAs?
checklists or tools used to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind.
When should a PIA be completed?
Before implementation of the privacy project, product or service, and on an ongoing basis throughout its deployment.
What attributes should a PIA capture?
(1) what info is collected (2) and why (3) intended uses (4) with whom the info is shared (5) consent and choice rights of data subjects.
When should PIAs be used?
To assess new systems and significant changes to existing systems, etc. Before, during and after mergers and acquisitions.
What does an effective PIA do?
This evaluates the sufficiency of privacy practices and policies with respect to existing legal, regulatory and industry standards and maintains consistency between policy and practice.
What is a privacy assessment/audit?
Reviews of an organization’s compliance with its privacy policies and procedures, applicable laws and regulations, service-level agreements, standards adopted by the entity, and other contracts.
When are assessments or audits conducted?
On a regular basis or ad hoc as a result of privacy or security events or requests from an enforcement authority.
What is Privacy by Design?
This is the concept that organizations should build privacy directly into technology systems and practices at the design phase to ensure privacy from the outset.
Where did Privacy by Design originate?
In the mid-90s with the Information and Privacy Commissioner of Ontario.
What are the seven principles of Privacy by Design as set forth by the Privacy Commissioner of Ontario.
(1) Proactive not Reactive; Preventative not Remedial (2) Privacy as the Default Setting (3) Privacy Embedded into Design (4) Full Functionality - Positive-Sum, not Zero-Sum (5) End-to-End Security - Full Life Cycle Protection (6) Visibility and Transparency - Keep it Open (7) Respect for User-Privacy - Keep it User-Centric.
Which principles of Privacy by Design have been adopted by the FTC
Privacy Embedded into Design and End-to-End Security.
What are FIPs?
Fair Information Practices - significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to PI since the 1970s. Their definitions have varied over time and there are exceptions to various rules.
List some important codifications of FIPs
- 1973 - US Department of Health, Education and Welfare Fair Information Practice Principles
- 1980 - OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- 1981 - Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (COE Convention, Convention 108)
- 2004 - APEC Privacy Framework
- 2009 - Madrid Resolution: International Standards on the Protection of Personal Data and Privacy
What convention was codified in the 1995 EU Data Protection Directive
The COE Convention.
What are the FIPs with regards to the Rights of Individuals?
(1) Notice (2) Choice and consent (3) Data subject access.
What are the differences between the choice concepts of “opt in” and “opt out”
Opt-in: means an individual actively affirms that info can be shared with third parties. Opt-out: means that in the absence of action by the individual, information can be shared with third parties.
What are the FIPs related to Controls on the Information?
(1) Information Security (2) Information Quality
What are the FIPs related to the Information Life Cycle?
(1) Collection (2) Use & Retention (3) Disclosure
What are the FIPs related to Management?
(1) Management and Administration (2) Monitoring and Enforcement. Orgs should define, document, communicate and assign accountability for their privacy policies and procedures / Orgs should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.
From where do the FIPs used widely today come from?
The 1973 report of the US Department of Health, Education and Welfare Advisory Committee on Automated Personal Data Systems, which listed five principles.
What are the 8 OECD Guidelines (1980)?
(1) Collection Limitation Principle
(2) Data Quality Principle
(3) Purpose Specification Principle
(4) Use Limitation Principle
(5) Security Safeguards Principle
(6) Openness Principle
(7) Individual Participation Principle
(8) Accountability Principle
What was one of the main issues underlying the development of the EU Directive?
The problem associated with the differences between privacy laws of individual European nations and assuring adequate protection in the context of trans-border data flows.
When was the Directive adopted and when did it go into effect?
1995 & 1998
What are the twin goals of the EU Directive?
(1) a unified economic market within the EU, permitting flows of PI among member states. (2) strong overall privacy protection within the EU.
When was a draft regulation proposed to update the EU Directive?
2012
How does the APEC Privacy Framework (2004) differ from the EU Directive?
The APEC Framework is non-binding.
How many information privacy principles are part of the APEC Privacy Framework?
9 principles that mirror the OECD Guidelines but are more explicit about exceptions.
What are the 9 information privacy principles in the APEC Privacy Framework?
(1) Preventing Harm
(2) Notice
(3) Collection Limitation
(4) Uses of Personal Information
(5) Choice
(6) Integrity of Personal Information
(7) Security Safeguards
(8) Access and Correction
(9) Accountability
What are some of the explicit exceptions in the APEC Privacy Framework?
With regards to notice, use, choice, and access/correction.
Under what APEC principles is proportionality incorporated?
This is not necessarily comprehensive - preventing harm and security.
What are the exceptions to the APEC Use Principle?
PI should be used only to fulfill the purposes of the collection and compatible purposes except:
(1) with consent
(2) when necessary to provide a service or product requested by the individual
(3) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
What are the exceptions to the access and correction APEC principle?
Access and the opportunity for correction should be provided except where: (1) burden or expense would be unreasonable or disproportionate to the risks to the individual’s privacy (2) info should not be disclosed due to legal, security, or commercial proprietary reasons (3) info privacy or persons other than the individual would be violated.
When, where and by whom was the Madrid Resolution approved?
By the independent data protection and privacy commissioners (not the governments) at the annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain, in 2009.
What was the purposes of the Madrid Resolution?
There was a dual purpose: to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regards to the processing of personal data and (2) the facilitation of the international flow of personal data needed in a globalized world.
What are the basic principles of the Madrid Resolution?
The principle of lawfulness and fairness, purpose specification principle, proportionality principle, data quality, openness, accountability.
What country has required a data protection office (DPO) for many companies since the early 1990s?
Germany
What are some of the functions fulfilled by privacy professionals?
Governance structure, personal data inventory, data privacy policies, operational policies and procedures, ongoing training and awareness, security controls, contracts, notices, inquiries/complaints/disputes, new operational practices, data privacy breaches, data handling practices, tracking of external developments. NOTE - see Figure 1-1 on page 24 of the text, Responsible Management Processes for Data Privacy Compliance.
What is an important distinction between the OECD and the CoE?
The involvement of the US government: the United States is a member of the OECD but not of the Council of Europe.
What are sources of privacy protection?
Markets, Technology, Legal Controls, Self-Regulation/Co-Regulation
What are the components of self-regulation in the privacy context?
Legislation: Who defines privacy rules? Enforcement: Who should initiate an enforcement action? Adjudication: Who should decide whether an organization has violated a privacy rule?
As of Nov. 2011 how many countries had data protection regimes?
80 - and over half first enacted their laws after 2000.
Name the major data protection models
Comprehensive, sectoral, co-regulatory/self-regulatory, technology-based
Describe the Comprehensive Model of data protection
This model governs the collection, use and dissemination of PI in both the public and private spheres. Generally there is an official or agency, a data protection authority (DPA), that oversees enforcement.
What are the main reasons for enacting a comprehensive approach to data privacy?
(1) Remedy past injuries (2) Ensure consistency with European privacy laws (3) Promote electronic commerce.
What are two common criticisms of the Comprehensive approach to data privacy?
(1) The costs of regulation can outweigh the benefits: one-size-fits-all does not always work and can be expensive. (2) It may hinder innovation in data processing.
Name two countries that take a Sectoral approach to data privacy?
United States & Japan
What is the main characteristic of the Sectoral approach to data privacy?
PI is protected by enacting laws that address a particular industry sector.
What are the benefits of a Sectoral approach to data privacy?
Different sectors have different needs with regards to data privacy. This approach is flexible to meet different industry challenges.
What are some of the criticisms of the Sectoral approach to data privacy?
A lack of uniformity can cause gaps and overlaps in coverage and can lead to complexity and burdensome compliance costs.
What does the Co-Regulatory Model emphasize?
Industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements set by the government. This model can exist under both comprehensive and sectoral models.
Names some countries that use a co-regulatory approach to data privacy.
Australia and New Zealand - some elements are found in the Netherlands, Ireland and the US (COPPA - code compliance is sufficient to satisfy the statute after codes have been approved by the FTC).
What does the Self-Regulatory approach to data privacy protection emphasize?
The creation of codes of practice for the protection of PI by a company, industry or independent body. There may be no generally applicable data protection law that creates a legal framework for this model unlike the co-regulatory model.
What are two examples of self-regulatory models that had a global impact?
The Payment Card Industry Data Security Standard & The Groupe Speciale Mobile Association.
Name an early self-regulatory effort.
Online Privacy Alliance (OPA). This was a coalition of online companies and trade associations est. in 1998 to encourage the self-regulation of online privacy.
What are “seal programs”?
A form of self-regulation that requires participants to abide by certain codes of information practices and submit to monitoring to ensure compliance.
Give some examples of seal programs
TRUSTe, BBBOnline, Web Trust, EuroPriSe, AMIPCI Trust Mark and TrustSG.
What are some pros and cons of the self-regulatory approach to data privacy?
This model can be very flexible, and it is thought that industry experts know best how to handle the challenges associated with their industry. However, there are concerns over adequacy and enforcement: are the needs of consumers and other stakeholders taken into account?
What is the Technology-Based model of data privacy protection?
This can be considered as an alternative to protections that arise from an org’s administrative compliance with laws or self-reg codes. Think Google or Microsoft using encryption on global web-mail - this makes the protection practices of the local ISP less relevant to protect the content of a communication.
What law did the EU pass in 1995 with regards to data privacy?
Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data (the EU Data Protection Directive)
When did the EU Data Protection Directive go into effect?
1998
In what year was a new regulation to revise and replace the Directive proposed?
2012
Who does the EU Directive apply to?
Any person who collects or processes data pertaining to individuals.
Is the EU Directive a law of exclusion or inclusion?
Exclusion - the law prohibits all processing, generally, unless permitted by law.
What are the data protection principles on which the EU Directive is based?
legitimate basis for processing, purpose limitation, data quality, proportionality, transparency, security and confidentiality.
What are the data subjects rights under the EU Directive?
Access, rectification, deletion, and objection
Is onward transfer restricted under the EU Directive?
Yes
Under what circumstances are additional protections afforded under the Directive?
Where special categories of data or direct marketing are involved.
Are automated individual decisions prohibited under 95/46/EC?
Generally, yes (Article 15): a person has the right not to be subject to a decision that produces legal or similarly significant effects and is based solely on automated processing, subject to exceptions such as decisions taken in the course of entering into or performing a contract with suitable safeguards, or decisions authorized by law.
What are EU Member states required to do under the Directive?
Promulgate a national law.
What section of the Directive codified the fair information practices first developed in the US in the 1970s?
Section 1, Article 6
Section 1, Article 6 states that EU member states shall provide that personal data must be:
Processed…. ; Collected for specified…. further processing of data for historical or scientific….. ; adequate, relevant, and…. ; accurate and, where necessary….every reasonable step must be taken to….. ; kept in a form which permits identification of data subjects for no longer….member states shall lay down….
What does the Directive regulate?
The processing of personal data.
How is personal data defined under the Directive?
Broadly: data that relates to an identified or identifiable individual.
Does the EU Directive cover data collected from public sources?
Yes
What characteristics of data make it likely to be considered personal?
Relates to an identifiable individual (whether in personal or family life, or in business or profession), is obviously about the individual, is used to inform or influence actions or decisions affecting an identifiable individual, is linked to an individual so that it provides particular information about the individual.
How does the Directive define “processing”
Processing covers all operations performed on personal data including collection, storage, handling, use, AND deletion.
Are only manual processing activities covered by the Directive?
No - automated processing is covered too.
Under what circumstances are partial exemptions granted?
Processing for certain activities such as journalism and research but only to reconcile privacy rights with free expression and if “appropriate safeguards” are taken.
When is processing permitted under the Directive?
When the “unambiguous consent” of the data subject is obtained. When processing is necessary for the performance of a contract to which the data subject is a party (applied narrowly). When “necessary for the purposes of the legitimate interests” of the company or a third party or parties to whom data is disclosed.
What must be done in order for processing to be permitted for “legitimate interests”
A balancing test must be performed in every such case. The business interests must be balanced against the interests for fundamental rights and freedoms of the consumer.
What is the dual purpose of the Directive?
To enhance the free flow of data among the EU member states while also providing for a high level of data protection.
Do European data protection laws impose restrictions on data flows within the EU?
No, though registration and notification requirements may still apply.
When can data be lawfully transferred outside the EU under the Directive?
When a jurisdiction offers an “adequate level of protection” or when another basis for transfer exists.
If there is an “adequate level of protection” under the Directive what is allowed?
The transfer of data without further approvals or processes.
As recently as 2012, what jurisdictions were deemed “adequate” under the Directive?
Canada (as long as the recipient of information is subject to PIPEDA), Switzerland, Argentina, Israel, Jersey, the Isle of Man, Guernsey, Faroe Islands, Andorra.
What are two other mechanisms that can facilitate data transfer?
Model Contracts and Binding Corporate Rules
What are Model Contracts?
Model Contracts contain standard contractual clauses adopted by the European Commission, with input from the Article 29 Working Party, that meet the adequacy standard under the Directive.
What obligations come with Model Contracts?
Data protection commitments and liability requirements. They must be implemented for each business process or personal data flow from an EU country to a country not deemed “adequate.” These help companies avoid enforcement actions and business interruptions.
What are BCRs?
Binding Corporate Rules - legally binding internal corporate privacy rules for transferring PI within a corporate group.
Who established BCRs?
The Article 29 Working Party
Who typically uses BCRs?
Companies that operate in multiple jurisdictions.
What must happen before BCRs become effective?
They must be approved by the EU data protection authorities in the different states where the corporation operates.
What must be designated under the requirements for BCRs?
A lead authority as the point of contact.
What does the BCR authority do?
Handles the procedure for the review of the BCR and coordinates the authorization process in the various member states.
How does one choose a lead authority under BCRs?
consider the location of the group’s European headquarters, the location of the company within the group that has delegated data protection responsibilities, the location of the company within the group best placed to deal with application and enforce BCRs, the location where most decisions are made in relation to processing, the location where most transfers outside the EU take place.
The lead authority for purposes of BCRs is…
One of the DPAs from an EU member state….
What is the procedure for approval of BCRs?
The finalization of the draft BCR usually requires exchanges between the company and the lead DPA. Once satisfied, the lead DPA forwards the draft to two other DPAs, which have one month to review and comment; the lead DPA then sends the draft BCR to the DPAs of all countries from which the data is transferred.
What was the e-Privacy directive originally called?
It was called the Telecommunications Directive passed in 1997.
What is the formal name of the e-Privacy Directive?
The directive on privacy and electronic communications (2002/58/EC).
What does the e-Privacy Directive regulate?
Online marketing practices, among other things: it extends the controls on unsolicited direct marketing to all forms of electronic communications.
What are some of the key provisions of the e-Privacy directive?
NAME?
What does the Cookie Directive add to the e-Privacy Directive?
The Cookie Directive (2009/136/EC) amended the e-Privacy Directive to require member states to pass legislation requiring consent (an opt-in mechanism) before cookies are stored on a user’s device. Many member states missed the implementation deadline amid controversy over which cookies are covered and how to provide an opt-in mechanism in practice.
How was the Article 29 Working Party formed?
By Article 29 of the 1995 Data Protection Directive (95/46/EC), from which it takes its name.
What is the Article 29 Working Party?
a group of data protection authorities that has provided guidance on a range of data protection issues.
Who enforces data protection laws?
The national DPAs of the EU member states; the European Data Protection Supervisor (EDPS) supervises processing by the EU institutions themselves.
How does the treatment of employment data differ in the EU?
Privacy concerns tend to predominate over security concerns, and employee rights are very prominent. Employers often have to clear more hurdles to monitor employees or run background checks.
Does the US have “adequate data protection” according to the EU?
No
Who developed the “Safe Harbor” framework?
The US Department of Commerce in consultation with the European Commission.
How does a corporation become “Safe Harbor” certified?
They self-certify to the Department of Commerce that they abide by the Safe Harbor fair information practices and subject themselves to enforcement by the FTC or the Department of Transportation. The FTC considers it a deceptive trade practice to claim Safe Harbor membership but fail to abide by the principles.
What are the “Safe Harbor” requirements?
Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement
Is Safe Harbor choice opt-out or opt-in?
Both. Generally an individual must have the opportunity to opt out of having their PI disclosed to a third party or used for a purpose other than the original one. For sensitive information, affirmative or explicit (opt-in) choice must be given before use for a purpose other than the original or an authorized purpose.
Describe the concept of onward transfer.
To disclose information to a third party, organizations must apply the notice and choice principles. The third party must itself subscribe to Safe Harbor, be subject to the Directive, be covered by an adequacy finding, or at least have a written agreement in place requiring the same level of protection as the relevant principles.
How is Safe Harbor enforced?
There must be independent resources to investigate complaints and disputes and provide for damages; verification of compliance; obligations to remedy problems arising out of a failure to comply; and sanctions severe enough to ensure compliance. And if there is no letter, the organization is not on the list and gets no benefits.
What are the alternatives to Safe Harbor?
Model Contracts, Consent (or other exception under the Directive).
Is consent enough to authorize data transfer?
Generally yes, but it must be freely given and unambiguous. The details of what constitutes consent differ across EU member states.
Is consent valid if there are consequences for it not being given?
No, there must be no adverse consequences if consent is withheld or revoked.
Is Consent always recognized in the HR context?
No, because of the subordinate nature of the employer-employee relationship.
What type of model approach does the US have towards privacy protection?
A Sectoral Model - it has grown piecemeal over time.
What often applies for sectors that are not subject to specific statutes?
Self-regulation
Does the US Constitution provide for an explicit right to privacy?
No
When did legal attention to privacy first become prominent in the US?
1890 with the growth of photography - Brandeis and Warren - right to be left alone. Then, 70 years later, Prosser’s law review article setting forth the privacy torts (there are four now).
How has privacy developed over time in terms of the Constitution vs. statutes?
Over the years courts have set forth privacy rights based on the Constitution. These are “decisional” in nature - birth control, abortion, sexual activity. NOT “information” privacy. Statutes provide the primary source of legal obligation in the information realm.
What two approaches to privacy legislation are prominent in the US today?
fair information practices and “permissible purpose” approach.
What are two key principles in the fair information practices approach to privacy legislation?
notice and choice
What law exemplifies the fair information practices approach to privacy legislation?
Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act)
What is the best example of the permissible purpose approach to privacy legislation?
The Fair Credit Reporting Act
What was announced in 2012 as an update to the Fair Information Practice Principles from the early 1970s?
Obama’s Consumer Privacy Bill of Rights - NOTE: This BoR has not been enacted into law.
Under Obama, what principles should apply to personal information in modern online commercial settings?
Individual control, transparency, respect for context, security, access & accuracy, focused collection, accountability.
Name four key private sector privacy laws:
(1) Fair Credit Reporting Act (FCRA) (1970) (2) Health Insurance Portability and Accountability Act of 1996 (HIPAA) (3) Gramm-Leach-Bliley Act (GLBA) (1999), & (4) Children’s Online Privacy Protection Act of 1998 (COPPA).
What is the basic rule under HIPAA?
Patients have to opt in before their information can be shared with other organizations, though there are exceptions for treatment, payment and healthcare operations.
What law amended HIPAA in 2009?
The HITECH Act
What are GLBA’s basic requirements?
Securely store personal financial information, give notice of policies regarding the sharing of personal financial info, and give consumers the ability to opt out of some sharing of personal financial info.
What does COPPA apply to?
Operators of commercial websites and online services that are directed to children under the age of 13 AND general audience websites and online services that have actual knowledge that they are collecting PI from children under 13.
Describe some of the broad powers of the FTC with regards to privacy
The FTC has authority under Section 5 of the FTC Act to bring enforcement actions against “unfair and deceptive” trade practices. Its jurisdiction extends broadly to commercial entities, with exceptions for the financial services industry and other sectors.
What are two key public sector laws?
The Privacy Act of 1974 and The Freedom of Information Act (FOIA)
What does the Privacy Act of 1974 regulate?
The federal government’s use of computerized databases of information about U.S. citizens and permanent legal residents.
When was FOIA enacted?
1966
What does FOIA apply to?
FOIA covers all federal agency records under the federal executive branch, not just those that contain PI.
What does FOIA not apply to?
Legislative or judicial records and state or local records.
What law was enacted to update FOIA?
E-FOIA in 1996
What types of laws have the states implemented?
Data breach laws, identity theft laws, medical privacy.
Does the FCRA preempt state law?
Yes
Does HIPAA preempt state law?
No - and stricter privacy protections can be added at the state level.
What type of info privacy model does Australia have?
A co-regulatory model. The Federal Privacy Act contains 11 information privacy principles that apply to Commonwealth and ACT (Australian Capital Territory) government agencies. Amendments have extended the 10 existing National Privacy Principles into the private sector. Note: Privacy Amendment Act 2000.
What are the 10 National Privacy Principles in Australia?
Fair and lawful collection; use and disclosure only with consent; reasonable quality and accuracy; reasonable security; openness; means for access and correction; limits on use of government-issued IDs; reasonable anonymity options must be offered; trans-border flows should be limited; special protection for sensitive data.
Does Australia encourage self-regulation?
Yes, codes that reflect the National Privacy Principles.
What is the standard for the obligations of an organization regarding privacy?
“Reasonableness” under the circumstances
What type of framework exists in China?
The PRC has not enacted a comprehensive privacy or data protection law, though an individual right to privacy is established in the Constitution of the PRC (Articles 40 and 38).
What were the draft guidelines published in China in 2011 and who published them?
“Information Security Technology - Guide of Personal Information Protection”, published by the General Administration of Quality Supervision, Inspection and Quarantine and the Standards Administration of the PRC. If passed, they would provide broad privacy rules for the collection, use and handling of PI.
What is the general approach of data protection in Europe?
To not allow any collection or use of personal data unless permitted by law.
What countries are covered by the Directive?
27 EU States and 3 EFTA countries
What are the 3 EFTA countries?
Norway, Liechtenstein and Iceland
Is Switzerland under the Directive?
No - it is an EFTA member but not an EEA member.
What is the EEA?
The European Economic Area - the 27 EU states and the 3 EFTA countries that have signed on to the EEA agreement.
What are the 27 EU countries?
A, B, B, C, CR, D, E, F, F, G, G, H, I, I, L, L, L, M, N, P, P, R, S, S, S, S, UK
What is the law of Andorra?
The Qualified Law 15/2003
What is the law of Armenia?
The Law of the Republic of Armenia on Personal Data in force since 2003.
What is the law of Azerbaijan?
The law of the Republic of Azerbaijan on Information, Information Provisions and Protection of Information (1998)
What is the law of Bosnia & Herzegovina?
The Law on the Protection of Personal Data
What is the law of Belarus?
The Law on Information, Informatization, and Protection of Information of November 10, 2008.
What is the law of Croatia?
The Personal Data Protection Act (2003)
What is the law of Kosovo?
The Law on the Protection of Personal Data (May 13, 2010).
What is the law of Moldova?
The Law Nr. 17-XVI of 15.02.2007
What is the law of Russia?
The Federal Law of 27 July 2006 N 152-FZ on Personal Data.
What is the law of Serbia?
The Law on Personal Data Protection (published in the Official Gazette of the Republic of Serbia No. 97/08).
What is the law of Ukraine?
Law No. 2297-VI on Personal Data Protection (January 1, 2011)
What are the Canadian government officials who oversee privacy matters called?
information and privacy commissioners or ombudsmen
What do Canadian government privacy officials not rely on as of 2011?
Fines
What is the act that limits the ability of Canadian government departments and agencies to collect, use and disclose personal data?
The Privacy Act of 1983
What does PIPEDA stand for?
The Personal Information Protection and Electronic Documents Act of 2000 (Canada)
What is PIPEDA?
Canada’s comprehensive national private sector privacy legislation.
When did PIPEDA become fully applicable?
2004
What are the 2 goals of PIPEDA?
(1) to instill trust in electronic commerce and private sector transactions for Canadian citizens and (2) to establish a level playing field where the same marketplace rules apply to all businesses.
How is PI defined under PIPEDA?
Information about an identifiable individual, but it does not include business contact information.
What type of ‘activity’ is covered by PIPEDA?
Commercial Activity
What entity is responsible for oversight of PIPEDA?
On the national level - the Office of the Information and Privacy Commissioner of Canada located in Ottawa, Ontario.
What does PIPEDA require?
Organizations to adhere to 10 standards regarding the information that they collect.
How does PIPEDA relate to provincial privacy legislation?
PIPEDA provides for the enactment of provincial privacy legislation, and if a provincial law is deemed “substantially similar” to PIPEDA then it generally supersedes PIPEDA with regard to intra-provincial and provincial government activities.
What Canadian provinces have substantially similar privacy laws that govern the private sector?
Alberta, BC and Quebec.
What is one law that has been deemed “substantially similar” to PIPEDA?
The province of Ontario’s health law, the Personal Health Information Protection Act.
What should privacy practitioners be aware of when they encounter healthcare information?
That special rules may apply.
What are some reasons why strict privacy and data protection laws are necessary for healthcare privacy information?
(1) Medical information is related to the inner workings of one’s body or mind. (2) Most doctors believe that patients will be more open if their info is not revealed. (3) It protects employees from unequal treatment.
What are some sectors of privacy and data protection law?
Healthcare Sector, Financial Sector, Telecommunications Sector, Online Privacy, Public Sector, Human Resources, Smart Grid and Smart Home, Direct Marketing.
What Act established a complicated set of privacy and security requirements for all financial institutions?
Gramm-Leach-Bliley Act of 1999
What is the Japanese law that regulates the use of customers’ personal information in the financial services sector?
The Act on the Protection of Personal Information and accompanying guidelines.
What are two areas where privacy professionals should remain acutely aware?
Confidentiality and disclosure
In what areas can financial rules apply?
Financial institutions, financial transactions, special local rules for information about credit histories.
What are the four categories of modern telecommunications rules?
(1) Wiretaps and similar technology which gain access to the CONTENT of communication (2) access on an ongoing basis to TO/FROM information (3) STORED TELECOMMUNICATIONS RECORDS (4) LOCATION INFORMATION
When was the Internet developed?
1990s
What is the concept of technology neutrality?
The concept that citizen’s rights should not vary depending on a specific technology.
How has the Internet created new challenges to privacy protections?
(1) Internet problems do not have easy comparisons to the past. (2) It enables far more detailed collection of information than in the past. (3) Its inherently global nature.
Does the EU Directive apply to both the private and government sectors?
Yes, though there are less strict rules for “first pillar” government organizations, where the police and other government agencies hold personal info, than for data held by private actors.
What Act requires the federal government to apply FIPs?
The Privacy Act of 1974.
How many levels of privacy law does Canada have?
(1) Federal (2) Provincial/Territory (3) Municipality
What is an important issue to explore when dealing with an issue in the public sector?
Special notice should be taken when a local or national government has access to personal information.
What is an important aspect of a “public” record?
What counts as a “public record” varies from country to country. In Sweden salary information is a public record, and in the US the owner of real estate is a public record, while that info is considered private in many countries.
Is HR information considered PI under the EU Directive?
Yes
What organization in the US provides a general code of conduct in relation to the protection of HR information?
The International Association for Human Resources Information Management.
In addition to internal procedures, what outside regulation must HR professionals consider with regards to data privacy?
HIPAA & the Fair Credit Reporting Act
What is the balance in the HR world with regard to personal data?
Privacy rights of employees in the workplace vs. legitimate interests of the organization and customers.
What does “smart grid” refer to?
A new energy system that manages electricity consumption through remote computerization and automation.
What is the concept of “Privacy by Design”?
Building privacy into technology.
Which state passed the first consumer protection law regulating the use of consumer energy consumption in 2010?
California
What has been done in the EU to address smart grid privacy?
In 2011, the EU adopted “Communication Smart Grids: from Innovation to Deployment”, focused on developing technical standards and ensuring data protection for consumers, and in 2011 the EU issued an Article 29 Working Party Opinion that clarifies the legal framework applying to smart meters.
What is one aspect of smart grid technology that raises privacy concerns?
The fact that it measures energy use continuously rather than at the end of a billing cycle.
Smart grid issues set the stage for issues related to what other technology?
Smart home
How is direct marketing distinguished from other types of marketing?
Direct marketing occurs when a seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.
What are the two traditional privacy issues related to direct marketing?
(1) What information is collected and used by default? (2) What rights do individuals have to change that default?
What were the circumstances by which a self-regulatory system developed in the US for direct marketing?
In response to magazine subscription lists - the efforts were primarily led by the Direct Marketing Association.
What type of system did the Direct Marketing Association establish for consumers receiving mailings?
Opt-out
What was the next wave of direct marketing efforts with regard to privacy protections?
Telephone calls to households which led to a company by company opt-out list through self-regulation and government rules.
What opt-out regulation developed in 2004 in response to telemarketers?
The National Do Not Call Registry.
Who enforces Do Not Call?
FTC
Are there any exceptions to Do Not Call?
Political activities and non-profit organizations (in an effort to uphold free speech rights).
What was the argument underlying Do Not Call?
How to enable direct marketing vs. protecting privacy
What high-profile court case brought the direct marketing debate to light?
DoubleClick - they proposed to merge offline content with info collected by cookies set by DoubleClick’s own network.
What did the DoubleClick decision also prompt?
The development of a self-regulatory code by the Network Advertising Initiative (NAI) that requires online advertisers to provide for opt-out measures for many forms of online targeted advertising (for those that adopt it).
What EU Directive affirmed the right of individuals to place limits on direct marketing?
The 2002 Privacy and Electronic Communications Directive (e-Privacy Directive)
What is the Cookie Directive?
The nickname for the 2009 amendment to the 2002 e-Privacy Directive. Notably, it requires affirmative consent before cookies can be placed on an individual’s computer. As of early 2012, national laws implementing the directive are coming into effect and there are ongoing discussions about how to comply with the Directive while maintaining functionality of sites that use cookies.
What is Do Not Track?
Do Not Track is a proposal by the FTC which is an update to Do Not Call. The W3C is establishing standards to define Do Not Track. There is another debate surrounding the use of data vs. the collection of data.
What is Information Security?
The protection of information in order to prevent loss, unauthorized access or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve the information consistent with three key attributes: CIA
Define CIA
Confidentiality - access to data is limited to authorized parties. Integrity - assurance that data is authentic and complete. Availability - Knowledge that the data is accessible, as needed, by those who are authorized to access it.
How is IS achieved?
By implementing controls that must be monitored and reviewed.
What are the types of security controls?
Physical / Administrative / Technical
What do security controls do?
prevent, detect or correct a security incident
How does information security differ from information privacy?
IS is the protection of info from unauthorized access, use and disclosure. IP also concerns rules that govern the collection and handling of Personal Information. IS is a necessary component of IP, but IP also involves the data subject’s right to control the data such as rights to notice and choice.
What are the 3 main sources from which security requirements are derived?
(1) identifying and assessing the security threats to and vulnerabilities of the organization (2) legal, regulatory & contractual obligations (3) an organization’s principles, policies & objectives.
What are some basic steps to consider when establishing and managing an information security program?
(1) define the scope/boundaries of the ISMS (2) define the security policy (3) define the risk assessment approach (4) identify, analyze and evaluate risks (5) identify and evaluate options for handling risks (6) select control objectives and controls for risks (7) obtain management approval of proposed residual risks (8) monitor and review the security program
What are some best practices for a good information identification and assessment process?
A technical schematic of the infrastructure and processes, but also insight into how the systems are actually used by individuals. Monitoring is also an important aspect: since assessments are essentially backward-looking, monitoring is necessary to gain current or real-time information about a system.
Define risk
A measure of the extent to which an entity is threatened by a potential circumstance or event. It is typically a function of the adverse impacts if the circumstance occurs and the likelihood of occurrence.
Define Threat
Any circumstance or event with the potential to adversely impact organizational operations or assets.
Define Vulnerability
A weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
What is the most common form of monitoring?
System logs - they capture a current record of changes to the system and other important events.
What should system logs be regularly checked for?
Gaps - which may indicate alterations made to conceal a breach.
Give one industry standard risk assessment formula
Risk = threat x vulnerability x expected loss
What are some metrics to help evaluate risk?
Number of breaches, number of outages, unauthorized access, lost assets, software viruses, investigations
Does information have to be stolen or altered for a breach to have occurred?
No - a breach occurs when an attacker enters the organization’s system.
What is an outage?
This occurs when a component of the IS is offline due to an attack.
When should an investigation of an attack begin?
During the attack and continue after the attack
What is ISO?
The International Organization for Standardization - consists of over 160 member countries.
What are the two main standards for information security?
ISO 27001 - IS management (mandatory requirements) and ISO 27002 (originally named ISO 17799 but renamed in 2007), which outlines international best practices for information security techniques and provides optional guidelines for implementing the requirements of ISO 27001.
How many controls are within the ISO 27002 framework?
133 specific controls organized around 39 control objectives. The 11 security clauses of ISO 27002 each have categories of controls and implementation guidance. EXTRA CREDIT - name the 11 security clauses (pg. 82 of Foundations text)
What must be a priority in order to maintain security within an organization?
Roles and responsibilities must be clearly understood.
What are 5 things that an org must ensure that employees understand?
(1) the value of security and importance of reporting incidents (2) their roles and responsibilities (3) security policies and procedures (4) basic security issues (5) the importance of compliance with legal/regulatory requirements