Foundations I. Common Principles and Approaches to Privacy Flashcards
- Historical descriptions, definitions and classes of privacy
- Types and elements of information
- Privacy policies and notices and processing of personal data
- Information risk management and information lifecycle principles
- Modern privacy principles, including FIPs, OECD and APEC, and common themes
What was “The Right to Privacy”?
The Harvard Law Review article written by Samuel Warren and Louis Brandeis in 1890 that defined privacy as the “right to be let alone.”
What are the 4 classes of privacy?
- Information
- Bodily
- Territorial
- Communications
What was one of the first privacy laws in the UK?
The Justices of the Peace Act enacted in 1361
What country enacted the Access to Public Records Act in 1776?
Sweden - The Swedish Parliament
What is the Universal Declaration of Human Rights?
Adopted by the General Assembly of the United Nations in 1948.
What does Article 12 of the Universal Declaration of Human Rights say?
It describes both the territorial and communications notions of privacy.
What document predated the Universal Declaration of Human Rights in 1948?
The American Declaration of the Rights and Duties of Man adopted by the Organization of American States. It predated the UDHR by 6 months.
What is the ECHR?
The European Convention for the Protection of Human Rights and Fundamental Freedoms set forth by the Council of Europe in 1950. It acknowledged the goals of the UDHR.
What does Article 8 of the ECHR state?
This treaty provision limits a public authority’s interference with an individual’s right to privacy, but acknowledges an exception for actions in accordance with the law that are necessary to preserve a democratic society.
How did the Council of Europe respond to concerns that privacy was not protected in light of emerging technology in the late 1960s?
Recommendation 509 on Human Rights and Modern and Scientific Technological Developments - establishes a framework of specific principles and standards to prevent unfair collection and processing of personal information. This was later built upon to protect personal data in data banks and set in motion national legislation.
What country enacted the first modern data protection law?
The German State of Hesse in 1970.
What was the first national privacy law enacted in the US?
The Fair Credit Reporting Act in 1970.
How does the EU define “personal data”?
“Any and all data that’s related to an identified or identifiable individual.”
What term is used in the US to cover information covered by privacy laws?
personally identifiable information (PII)
What is not included in the definition of “personal information” in Canada?
Certain business information is not covered in this country. NOTE: The types of data elements commonly found on a business card are excluded from coverage by the act.
How is “personal information” defined in Japan?
information that’s related to living individuals and that can be used to identify specific individuals by name, date of birth or other description.
What is Sensitive Personal Information?
A subset of personal information that may vary depending on jurisdiction and particular regulations.
What is Sensitive Personal Information called under the EU Data Protection Directive?
Special categories of data.
What are the categories of special categories of data?
Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life information.
What is important to note about sensitive categories of data?
Such data can be considered sensitive depending on jurisdiction and type and subject to strict rules (e.g. SSNs, biometric data in France, the context of data is important under PIPEDA, etc.).
Do privacy and data protection law apply to non-personal information?
Generally no.
How can data become non-personal?
Through removal of the elements used to identify an individual (i.e. de-identified, anonymized, pseudonymized).
What is the difference between personal and non-personal information?
It depends on what is “identifiable” - regulators and courts from jurisdiction to jurisdiction may differ on this.
What other information assets, though not personal information, need to be protected within an organization?
- Financial Data
- Operational Data
- Intellectual Property
- Information about the organization's products and services
What does Recital 26 of the EU Data Directive state?
“The principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.”
Is retraceably pseudonymized data considered data about an identifiable individual?
Indirectly yes.
Article 29 Working Party cautions that such data is subject to protection.
Are IP addresses “personal data”?
In the EU yes, though a court in Ireland said no. Federal agencies in the US operating under the Privacy Act say no, though the FTC has stated yes in the context of breaches of healthcare information.
How does IPv6 show how technology can shift the line between personal and nonpersonal information?
IPv6 uses a new numbering scheme that, by default, uses information about the specific computer to generate the IPv6 address, unlike an old IP address that was assigned anew by the ISP each time the user logged on to the Internet.
Name 3 sources of personal information.
- Public Records
- Publicly Available Information
- Nonpublic information
What are public records?
Information collected and maintained by the government and available to the general public.
What is publicly available information?
Information generally available to a wide range of people. Examples include info in telephone books, info in newspapers and on search engines.
What is nonpublic information?
Information that is not generally available to the public such as medical records, financial information and adoption records.
Can information be from multiple sources?
Yes, it is important to understand the source of the information in order to know how to properly handle the info.
What is the definition of “processing” in the context of personal information?
This term refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation, and use of personal information. It also includes the disclosure by transmission, dissemination, or making available in any other form, linking, alignment, or combination, blocking, erasure or destruction of personal information.
What is a “data subject”?
The individual about whom information is being processed.
What is a “data controller”?
This term refers to the organization that has the authority to decide how and why PI is to be processed. Can be an individual.
What is a “data processor”?
An individual or org, often an outsourced entity, that processes data on behalf of the data controller.
Can data processors process outside the scope of the direction of the data controller?
No, and all sub-contracting processors must act consistently within the scope of what is permitted for the controller itself.
What are some elements of personal information?
Name, gender, contact info, age, DOB, marital status, other demographic info, languages spoken.
What are some elements of HR information?
Salary, job title, productivity and performance stats, medical and pension benefits, employee evaluations, disabled, veteran, or other relevant status, location info (e.g. through GPS), nationality.
Is employee and other HR info treated like PI?
Comprehensive data protection laws do treat HR info under the same general rules for PI, but some countries may have specific obligations for HR data.
Is PI in the workplace limited only to current employees?
No, PI in the HR context can also apply to applicants and former/retired employees, dependents, vendors, contractors, volunteers, beneficiaries, etc.
What types of PI might “customer information” include?
Purchase history, other interaction history, leads or prospect info, former customers, market research participants, voice recordings, telephone calls, citizens or others who receive SS, health or other benefits from the govt, tax records or other records about individuals held by the government (in this context “customer info” includes govt info).
Can PI exist outside of the HR and customer context?
Yes. For example, companies that gather data about non-customers for a range of business reasons (e.g. to identify members of the press).
What is the difference between a privacy policy and a privacy notice?
A privacy policy is an internal statement that governs how an organization handles personal info. It is directed at the users of PI. A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains, and discloses PI.
What are two purposes of a privacy notice?
(1) consumer education
(2) organizational accountability.
What are some forms of a privacy notice?
contracts, application forms, signs, Icons (IABAO Icon), brochures, etc.
Describe some of the drivers of risk associated with data privacy.
Compliance with laws & regulations, prevention of breaches, avoiding enforcement actions, staying up to date with evolving technology, meeting customer expectations, meeting the demands of outsourcing and off-shoring, and the extended global enterprise.
What is one, often neglected, step in the data life cycle where breaches result?
Data destruction
What are the three categories of safeguards?
(1) Administrative
(2) Technical
(3) Physical
Describe the principles that track the information life cycle
Collection, Use, Disclosure, Storage, Destruction
What limitations are placed on the collection stage?
Personal data should be collected by lawful and fair means, with the consent of the subject where appropriate, limited to identified purposes, proportionate, and executed through fair and lawful means.
Expand on the principle of Use in the information life cycle.
Organizations should limit the use of PI to the purposes explained in the notice and to which the subject gave consent either implicitly or explicitly.
What concepts are covered by the principle of limited disclosure?
Disclosure should be within the use and notice/consent limits, and rights should be maintained even when transfers to other parties occur. Increases in scope should be subject to notice and consent.
What are the limits on storage and destruction?
PI should be retained for only as long as necessary to fulfill the stated purpose. Data not retained should be disposed of in a secure manner or returned.
What are some common approaches to manage information risk through privacy risk assessments?
(1) Privacy Impact Assessments (PIAs)
(2) Privacy assessments/audits
(3) Privacy by Design
What are PIAs?
Checklists or tools used to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind.
When should a PIA be completed?
Before implementation of the privacy project, product or service and ongoing through its deployment.
What attributes should a PIA capture?
(1) what info is collected (2) and why (3) intended uses (4) with whom the info is shared (5) consent and choice rights of data subjects.
When should PIAs be used?
To assess new systems and significant changes to existing systems, etc. Before, during and after mergers and acquisitions.
What does an effective PIA do?
This evaluates the sufficiency of privacy practices and policies with respect to existing legal, regulatory and industry standards and maintains consistency between policy and practice.
What is a privacy assessment/audit?
Reviews of an organization's compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.
When are assessments or audits conducted?
On a regular basis or ad hoc as a result of privacy or security events or requests from an enforcement authority.
What is Privacy by Design?
This is the concept that organizations should build privacy directly into technology systems and practices at the design phase to ensure privacy from the outset.
Where did Privacy by Design originate?
In the mid-90s with the Information and Privacy Commissioner of Ontario.
What are the seven principles of Privacy by Design as set forth by the Privacy Commissioner of Ontario?
(1) Proactive not Reactive; Preventative not Remedial
(2) Privacy as the Default Setting
(3) Privacy Embedded into Design
(4) Full Functionality - Positive-Sum, not Zero-Sum
(5) End-to-End Security - Full Life Cycle Protection
(6) Visibility and Transparency - Keep it Open
(7) Respect for User Privacy - Keep it User-Centric
Which principles of Privacy by Design have been adopted by the FTC?
Privacy Embedded into Design and End-to-End Security.
What are FIPs?
Fair Information Practices - significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to PI since the 1970s. Their definitions have varied over time and there are exceptions to various rules.
List some important codifications of FIPs.
- 1973 - US Dept of Health, Education & Welfare Fair Information Practice Principles
- 1980 - OECD Guidelines Governing the Protection and Privacy of Transborder Data Flows of Personal Data
- 1981 - Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (COE Convention)
- 2004 - APEC agreed to a Privacy Framework
- 2009 - Madrid Resolution - International Standards on the Protection of Personal Data and Privacy
What convention was codified in the 1995 EU Data Protection Directive?
The COE Convention.
What are the FIPs with regards to the Rights of Individuals?
(1) Notice (2) Choice and consent (3) Data subject access.
What are the differences between the choice concepts of “opt in” and “opt out”?
Opt-in: means an individual actively affirms that info can be shared with third parties. Opt-out: means that in the absence of action by the individual, information can be shared with third parties.
What are the FIPs related to Controls on the Information?
(1) Information Security (2) Information Quality
What are the FIPs related to the Information Life Cycle?
(1) Collection (2) Use & Retention (3) Disclosure
What are the FIPs related to Management?
(1) Management and Administration (2) Monitoring and Enforcement. Orgs should define, document, communicate and assign accountability for their privacy policies and procedures / Orgs should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.
Where do the FIPs widely used today come from?
The 1973 report by the US Department of Health, Education and Welfare Advisory Committee on Automated Systems. There were 5 listed in the text.
What are the 8 OECD Guidelines (1980)?
1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle
What was one of the main issues underlying the development of the EU Directive?
The problem associated with the differences between privacy laws of individual European nations and assuring adequate protection in the context of trans-border data flows.
When was the Directive adopted and when did it go into effect?
1995 & 1998
What are the twin goals of the EU Directive?
(1) a unified economic market within the EU, permitting flows of PI among member states. (2) strong overall privacy protection within the EU.
When was a draft regulation proposed to update the EU Directive?
2012
How does the APEC Privacy Framework (2004) differ from the EU Directive?
The APEC Framework is non-binding.
How many information privacy principles are part of the APEC Privacy Framework?
9 principles that mirror the OECD Guidelines but are more explicit about exceptions.
What are the 9 information privacy principles in the APEC Privacy Framework?
(1) Preventing Harm
(2) Notice
(3) Collection Limitation
(4) Uses of Personal Information
(5) Choice
(6) Integrity of Personal Information
(7) Security Safeguards
(8) Access and Correction
(9) Accountability
What are some of the explicit exceptions in the APEC Privacy Framework?
With regards to notice, use, choice, and access/correction.
Under what APEC principles is proportionality incorporated?
This is not necessarily comprehensive - preventing harm and security.
What are the exceptions to the APEC Use Principle?
PI should be used only to fulfill the purposes of the collection and compatible purposes except:
(1) with consent
(2) when necessary to provide a service or product requested by the individual
(3) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
What are the exceptions to the access and correction APEC principle?
Access and the opportunity for correction should be provided except where: (1) the burden or expense would be unreasonable or disproportionate to the risks to the individual's privacy (2) the info should not be disclosed due to legal, security, or commercial proprietary reasons (3) the information privacy of persons other than the individual would be violated.
When, where and by whom was the Madrid Resolution approved?
By the independent data protection and privacy commissioners (not the govts) at the annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain in 2009.
What were the purposes of the Madrid Resolution?
There was a dual purpose: to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regards to the processing of personal data and (2) the facilitation of the international flow of personal data needed in a globalized world.
What are the basic principles of the Madrid Resolution?
The principle of lawfulness and fairness, purpose specification principle, proportionality principle, data quality, openness, accountability.
What country has required a data protection officer (DPO) for many companies since the early 1990s?
Germany
What are some of the functions fulfilled by privacy professionals?
Governance structure, personal data inventory, data privacy policies, operational policies and procedures, ongoing training and awareness, security controls, contracts, notices, inquiries/complaints/disputes, new operational practices, data privacy breaches, data handling practices, tracking of external developments. NOTE - see Figure 1-1 on page 24 of text - Responsible Management Processes for Data Privacy Compliance.
What is an important distinction between the OECD and the CoE?
The involvement of the US government.
What are sources of privacy protection?
Markets, Technology, Legal Controls, Self-Regulation/Co-Regulation
What are the components of self-regulation in the privacy context?
Legislation: Who defines privacy rules?
Enforcement: Who should initiate an enforcement action?
Adjudication: Who should decide whether an organization has violated a privacy rule?
As of Nov. 2011 how many countries had data protection regimes?
80 - and over half first enacted their laws after 2000.
Name the major data protection models.
Comprehensive, sectoral, co-regulatory/self-regulatory, technology-based
Describe the Comprehensive Model of data protection.
This model governs the collection, use and dissemination of PI in the public & private spheres. Generally, these regimes have an official or agency that oversees enforcement (DPA).
What are the main reasons for enacting a comprehensive approach to data privacy?
1. Remedy past injuries
2. Ensure consistency with European privacy laws
3. Promote electronic commerce
What are two common criticisms of the Comprehensive approach to data privacy?
1. The costs of regulation can outweigh the benefits - one-size-fits-all doesn't always work and can be expensive.
2. May hinder innovation in data processing.
Name two countries that take a Sectoral approach to data privacy.
United States & Japan
What is the main characteristic of the Sectoral approach to data privacy?
PI is protected by enacting laws that address a particular industry sector.
What are the benefits of a Sectoral approach to data privacy?
Different sectors have different needs with regards to data privacy. This approach is flexible to meet different industry challenges.
What are some of the criticisms of the Sectoral approach to data privacy?
A lack of uniformity can cause gaps and overlaps in coverage and can lead to complexity and burdensome compliance costs.
What does the Co-Regulatory Model emphasize?
Industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. This model can exist under both comprehensive and sectoral models.
Name some countries that use a co-regulatory approach to data privacy.
Australia and New Zealand - some elements are found in the Netherlands, Ireland and the US (COPPA - code compliance is sufficient to satisfy the statute after codes have been approved by the FTC).
What does the Self-Regulatory approach to data privacy protection emphasize?
The creation of codes of practice for the protection of PI by a company, industry or independent body. There may be no generally applicable data protection law that creates a legal framework for this model unlike the co-regulatory model.
What are two examples of self-regulatory models that had a global impact?
The Payment Card Industry Data Security Standard & The Groupe Speciale Mobile Association.
Name an early self-regulatory effort.
Online Privacy Alliance (OPA). This was a coalition of online companies and trade associations est. in 1998 to encourage the self-regulation of online privacy.
What are “seal programs”?
A form of self-regulation that requires participants to abide by certain codes of information practices and submit to monitoring to ensure compliance.
Give some examples of seal programs.
TRUSTe, BBBOnline, Web Trust, EuroPriSe, AMIPCI Trust Mark and TrustSG.
What are some pros and cons of the self-regulatory approach to data privacy?
This model can be very flexible, and it is thought that industry experts know best how to handle the challenges associated with their industry. However, there are concerns over adequacy and enforcement. Are the needs of consumers and other stakeholders taken into account?
What is the Technology-Based model of data privacy protection?
This can be considered as an alternative to protections that arise from an org’s administrative compliance with laws or self-reg codes. Think Google or Microsoft using encryption on global web-mail - this makes the protection practices of the local ISP less relevant to protect the content of a communication.
What law did the EU pass in 1995 with regards to data privacy?
Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data (the EU Data Protection Directive)
When did the EU Data Protection Directive go into effect?
1998
In what year was a new regulation to revise and replace the Directive proposed?
2012
Who does the EU Directive apply to?
Any person who collects or processes data pertaining to individuals.
Is the EU Directive a law of exclusion or inclusion?
Exclusion - the law prohibits all processing, generally, unless permitted by law.
What are the data protection principles on which the EU Directive is based?
Legitimate basis for processing, purpose limitation, data quality, proportionality, transparency, security and confidentiality.