Foundations I. Common Principles and Approaches to Privacy Flashcards

• Historical descriptions, definitions and classes of privacy
• Types and elements of information
• Privacy policies and notices and processing of personal data
• Information risk management and information lifecycle principles
• Modern privacy principles, including FIPs, OECD and APEC, and common themes

1
Q

What was “The Right to Privacy”?

A

The Harvard Law Review article written by Samuel Warren and Louis Brandeis in 1890 that defined privacy as the “right to be left alone.”

2
Q

What are the 4 classes of privacy?

A
  1. Information
  2. Bodily
  3. Territorial
  4. Communications
3
Q

What was one of the first privacy laws in the UK?

A

The Justices of the Peace Act enacted in 1361

4
Q

What country enacted the Access to Public Records Act in 1776?

A

Sweden - The Swedish Parliament

5
Q

What is the Universal Declaration of Human Rights?

A

Adopted by the General Assembly of the United Nations in 1948.

6
Q

What does Article 12 of the Universal Declaration of Human Rights say?

A

It describes both the territorial and communications notions of privacy.

7
Q

What document predated the Universal Declaration of Human Rights in 1948?

A

The American Declaration of the Rights and Duties of Man adopted by the Organization of American States. It predated the UDHR by 6 months.

8
Q

What is the ECHR?

A

The European Convention for the Protection of Human Rights and Fundamental Freedoms set forth by the Council of Europe in 1950. It acknowledged the goals of the UDHR.

9
Q

What does Article 8 of the ECHR state?

A

This treaty provision limits a public authority’s interference with an individual’s right to privacy, but acknowledges an exception for actions in accordance with the law that are necessary to preserve a democratic society.

10
Q

How did the Council of Europe respond to concerns that privacy was not protected in light of emerging technology in the late 1960s?

A

Recommendation 509 on Human Rights and Modern and Scientific Technological Developments - establishes a framework of specific principles and standards to prevent unfair collection and processing of personal information. This was later built upon to protect personal data in data banks and set in motion national legislation.

11
Q

What country enacted the first modern data protection law?

A

The German State of Hesse in 1970.

12
Q

What was the first national privacy law enacted in the US?

A

The Fair Credit Reporting Act in 1970.

13
Q

How does the EU define “personal data”?

A

“Any and all data that’s related to an identified or identifiable individual.”

14
Q

What term is used in the US to cover information covered by privacy laws?

A

personally identifiable information (PII)

15
Q

What is not included in the definition of “personal information” in Canada?

A

Certain business information is not covered in this country. NOTE: The types of data elements commonly found on a business card are excluded from coverage by the act.

16
Q

How is “personal information” defined in Japan?

A

information that’s related to living individuals and that can be used to identify specific individuals by name, date of birth or other description.

17
Q

What is Sensitive Personal Information?

A

A subset of personal information that may vary depending on jurisdiction and particular regulations.

18
Q

What is Sensitive Personal Information called under the EU Data Protection Directive?

A

Special categories of data.

19
Q

What are the categories of special categories of data?

A

Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life information.

20
Q

What is important to note about sensitive categories of data?

A

Such data can be considered sensitive depending on jurisdiction and type and subject to strict rules (e.g. SSNs, biometric data in France, the context of data is important under PIPEDA, etc.).

21
Q

Do privacy and data protection law apply to non-personal information?

A

Generally no.

22
Q

How can data become non-personal?

A

Through removal of the elements used to identify an individual (i.e. de-identified, anonymized, pseudonymized).

23
Q

What is the difference between personal and non-personal information?

A

It depends on what is “identifiable” - regulators and courts from jurisdiction to jurisdiction may differ on this.

24
Q

What other information assets, though not personal information, need to be protected within an organization?

A
  1. Financial Data
  2. Operational Data
  3. Intellectual Property
  4. Information about the organization's products and services
25
What does Recital 26 of the EU Data Directive state?
"The principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable."
26
Is retraceably pseudonymized data data about an identifiable individual?
Indirectly yes. Article 29 Working Party cautions that such data is subject to protection.
27
Are IP addresses "personal data"?
In the EU yes, though a court in Ireland said no. Federal agencies in the US operating under the Privacy Act say no, though the FTC has stated yes in the context of breaches of healthcare information.
28
How does IPv6 show how technology can shift the line between personal and nonpersonal information?
IPv6 uses a new numbering scheme that by default uses information about the specific computer to generate an IPv6 address, unlike an old IP address that was assigned anew by the ISP each time the user logged on to the Internet.
29
Name 3 sources of personal information
1. Public Records 2. Publicly Available Information 3. Nonpublic information
30
What are public records?
information collected and maintained by the government and available to the general public.
31
What is publicly available information?
Information generally available to a wide range of people. Examples include info in telephone books, info in newspapers and on search engines.
32
What is nonpublic information?
Information that is not generally available to the public such as medical records, financial information and adoption records.
33
Can information be from multiple sources?
Yes, it is important to understand the source of the information in order to know how to properly handle the info.
34
What is the definition of "processing" in the context of personal information?
This term refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation, and use of personal information. It also includes the disclosure by transmission, dissemination, or making available in any other form, linking, alignment, or combination, blocking, erasure or destruction of personal information.
35
What is a "data subject"?
The individual about whom information is being processed.
36
What is a "data controller"?
This term refers to the organization that has the authority to decide how and why PI is to be processed. Can be an individual.
37
What is a "data processor"?
An individual or org, often an outsourced entity, that processes data on behalf of the data controller.
38
Can data processors process outside the scope of the direction of the data controller?
No, and all sub-contracting processors must act consistently within the scope of what is permitted for the controller itself.
39
What are some elements of personal information?
Name, gender, contact info, age, DOB, marital status, other demographic info, languages spoken.
40
What are some elements of HR information?
Salary, job title, productivity and performance stats, medical and pension benefits, employee evaluations, disabled, veteran, or other relevant status, location info (e.g. through GPS), nationality.
41
Is employee and other HR info treated like PI?
Comprehensive data protection laws do treat HR info under the same general rules for PI, but some countries may have specific obligations for HR data.
42
Is PI in the workplace only limited to current employees?
No, PI in the HR context can also apply to applicants and former/retired employees, dependents, vendors, contractors, volunteers, beneficiaries. etc.
43
What types of PI might "customer information" include?
Purchase history, other interaction history, leads or prospect info, former customers, market research participants, voice recordings, telephone calls, citizens or others who receive SS, health or other benefits from the govt, tax records or other records about individuals held by the government. (In this context "customer info" includes govt info.)
44
Can PI exist outside of the HR and customer context?
Yes. For example, companies that gather data about non-customers for a range of business reasons (i.e. to identify members of the press).
45
What is the difference between a privacy policy and a privacy notice?
A privacy policy is an internal statement that governs how an organization handles personal info. It is directed at the users of PI. A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains, and discloses PI.
46
What are two purposes of a privacy notice?
(1) consumer education | (2) organizational accountability.
47
What are some forms of a privacy notice?
contracts, application forms, signs, Icons (IABAO Icon), brochures, etc.
48
Describe some of the drivers of risk associated with data privacy.
Compliance with laws & regulations, prevention of breaches, avoiding enforcement actions, staying up to date with evolving technology, meeting customer expectations. Meeting the demands of outsourcing and off-shoring, extended global enterprise.
49
What is one, often neglected, step in the data life cycle where breaches result?
Data destruction
50
What are the three categories of safeguards?
(1) Administrative (2) Technical (3) Physical
51
Describe the principles that track the information life cycle
Collection, Use, Disclosure, Storage, Destruction
52
What limitations are placed on the collection stage?
Personal data should be collected by lawful and fair means, with the consent of the subject where appropriate, limited to identified purposes, proportionate and executed through fair and lawful means.
53
Expand on the principle of Use in the information life cycle.
Organizations should limit the use of PI to the purposes explained in the notice and to which the subject gave consent either implicitly or explicitly.
54
What concepts are covered by the principle of limited disclosure?
Disclosure should be within the use and notice/consent limits, and rights should be maintained even when transfers to other parties occur. Increases in scope should be subject to notice and consent.
55
What are the limits on storage and destruction?
PI should be retained for only as long as necessary to fulfill the stated purpose. Data not retained should be disposed of in a secure manner or returned.
56
What are some common approaches to manage information risk through privacy risk assessments?
(1) Privacy Impact Assessments (PIAs) (2) Privacy assessments/audits (3) Privacy by Design
57
What are PIAs?
checklists or tools used to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind.
58
When should a PIA be completed?
Before implementation of the privacy project, product or service and ongoing through its deployment.
59
What attributes should a PIA capture?
(1) what info is collected (2) and why (3) intended uses (4) with whom the info is shared (5) consent and choice rights of data subjects.
60
When should PIAs be used?
To assess new systems and significant changes to existing systems, etc. Before, during and after mergers and acquisitions.
61
What does an effective PIA do?
This evaluates the sufficiency of privacy practices and policies with respect to existing legal, regulatory and industry standards and maintains consistency between policy and practice.
62
What is a privacy assessment/audit?
Reviews of an organization's compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.
63
When are assessments or audits conducted?
On a regular basis or ad hoc as a result of privacy or security events or requests from an enforcement authority.
64
What is Privacy by Design?
This is the concept that organizations should build privacy directly into technology systems and practices at the design phase to ensure privacy from the outset.
65
Where did Privacy by Design originate?
In the mid-90s with the Information and Privacy Commissioner of Ontario.
66
What are the seven principles of Privacy by Design as set forth by the Privacy Commissioner of Ontario?
(1) Proactive not Reactive; Preventative not Remedial (2) Privacy as the Default Setting (3) Privacy Embedded into Design (4) Full Functionality - Positive-Sum, not Zero-Sum (5) End-to-End Security - Full Life Cycle Protection (6) Visibility and Transparency - Keep it Open (7) Respect for User-Privacy - Keep it User-Centric.
67
Which principles of Privacy by Design have been adopted by the FTC?
Privacy Embedded into Design and End-to-End Security.
68
What are FIPs?
Fair Information Practices - significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to PI since the 1970s. Their definitions have varied over time and there are exceptions to various rules.
69
List some important codifications of FIPs
1973 - US Dept of Health, Education & Welfare Fair Information Practice Principles
1980 - OECD Guidelines Governing the Protection and Privacy of Transborder Data Flows of Personal Data
1981 - Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (COE Convention)
2004 - APEC agreed to a Privacy Framework
2009 - Madrid Resolution - International Standards on the Protection of Personal Data and Privacy
70
What convention was codified in the 1995 EU Data Protection Directive?
The COE Convention.
71
What are the FIPs with regards to the Rights of Individuals?
(1) Notice (2) Choice and consent (3) Data subject access.
72
What are the differences between the choice concepts of "opt in" and "opt out"?
Opt-in: means an individual actively affirms that info can be shared with third parties. Opt-out: means that in the absence of action by the individual, information can be shared with third parties.
73
What are the FIPs related to Controls on the Information?
(1) Information Security (2) Information Quality
74
What are the FIPs related to the Information Life Cycle?
(1) Collection (2) Use & Retention (3) Disclosure
75
What are the FIPs related to Management?
(1) Management and Administration (2) Monitoring and Enforcement. Orgs should define, document, communicate and assign accountability for their privacy policies and procedures / Orgs should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.
76
Where do the FIPs used widely today come from?
The 1973 report by the US Department of Health, Education and Welfare Advisory Committee on Automated Systems. There were 5 listed in the text.
77
What are the 8 OECD Guidelines (1980)?
1. Collection Limitation Principle 2. Data Quality Principle 3. Purpose Specification Principle 4. Use Limitation Principle 5. Security Safeguards Principle 6. Openness Principle 7. Individual Participation Principle 8. Accountability Principle
78
What was one of the main issues underlying the development of the EU Directive?
The problem associated with the differences between privacy laws of individual European nations and assuring adequate protection in the context of trans-border data flows.
79
When was the Directive adopted and when did it go into effect?
1995 & 1998
80
What are the twin goals of the EU Directive?
(1) a unified economic market within the EU, permitting flows of PI among member states. (2) strong overall privacy protection within the EU.
81
When was a draft regulation proposed to update the EU Directive?
2012
82
How does the APEC Privacy Framework (2004) differ from the EU Directive?
The APEC Framework is non-binding.
83
How many information privacy principles are part of the APEC Privacy Framework?
9 principles that mirror the OECD Guidelines but are more explicit about exceptions.
84
What are the 9 information privacy principles in the APEC Privacy Framework?
(1) Preventing Harm (2) Notice (3) Collection Limitation (4) Uses of Personal Information (5) Choice (6) Integrity of Personal Information (7) Security Safeguards (8) Access and Correction (9) Accountability
85
What are some of the explicit exceptions in the APEC Privacy Framework?
With regards to notice, use, choice, and access/correction.
86
Under what APEC principles is proportionality incorporated?
This is not necessarily comprehensive - preventing harm and security.
87
What are the exceptions to the APEC Use Principle?
PI should be used only to fulfill the purposes of the collection and compatible purposes except: (1) with consent (2) when necessary to provide a service or product requested by the individual (3) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
88
What are the exceptions to the access and correction APEC principle?
Access and the opportunity for correction should be provided except where: (1) burden or expense would be unreasonable or disproportionate to the risks to the individual's privacy (2) info should not be disclosed due to legal, security, or commercial proprietary reasons (3) info privacy or persons other than the individual would be violated.
89
When, where and by whom was the Madrid Resolution approved?
By the independent data protection and privacy commissioners (not the govts) at the annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain in 2009.
90
What was the purpose of the Madrid Resolution?
There was a dual purpose: to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regards to the processing of personal data and (2) the facilitation of the international flow of personal data needed in a globalized world.
91
What are the basic principles of the Madrid Resolution?
The principle of lawfulness and fairness, purpose specification principle, proportionality principle, data quality, openness, accountability.
92
What country has required a data protection office (DPO) for many companies since the early 1990s?
Germany
93
What are some of the functions fulfilled by privacy professionals?
governance structure, personal data inventory, data privacy policies, operational policies and procedures, ongoing training and awareness, security controls, contracts, notices, inquiries/complaints/disputes, new operational practices, data privacy breaches, data handling practices, tracking of external developments. NOTE - see Figure 1-1 on page 24 of text - Responsible Management Processes for Data Privacy Compliance.
94
What is an important distinction between the OECD and the CoE?
The involvement of the US government.
95
What are sources of privacy protection?
Markets, Technology, Legal Controls, Self-Regulation/Co-Regulation
96
What are the components of self-regulation in the privacy context?
Legislation: Who defines privacy rules? Enforcement: Who should initiate an enforcement action? Adjudication: Who should decide whether an organization has violated a privacy rule?
97
As of Nov. 2011 how many countries had data protection regimes?
80 - and over half first enacted their laws after 2000.
98
Name the major data protection models
Comprehensive, sectoral, co-regulatory/self-regulatory, technology-based
99
Describe the Comprehensive Model of data protection
This model governs the collection, use and dissemination of PI in the public & private spheres. Generally, they have an official or agency that oversees enforcement (DPA).
100
What are the main reasons for enacting a comprehensive approach to data privacy?
1. Remedy past injuries 2. Ensure consistency with European privacy laws 3. Promote electronic commerce.
101
What are two common criticisms of the Comprehensive approach to data privacy?
1. The costs of regulation can outweigh benefits - one-size-fits-all doesn't always work and can be expensive. 2. May hinder innovation in data processing.
102
Name two countries that take a Sectoral approach to data privacy?
United States & Japan
103
What is the main characteristic of the Sectoral approach to data privacy?
PI is protected by enacting laws that address a particular industry sector.
104
What are the benefits of a Sectoral approach to data privacy?
Different sectors have different needs with regards to data privacy. This approach is flexible to meet different industry challenges.
105
What are some of the criticisms of the Sectoral approach to data privacy?
A lack of uniformity can cause gaps and overlaps in coverage and can lead to complexity and burdensome compliance costs.
106
What does the Co-Regulatory Model emphasize?
Industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. This model can exist under both comprehensive and sectoral models.
107
Name some countries that use a co-regulatory approach to data privacy.
Australia and New Zealand - some elements are found in the Netherlands, Ireland and the US (COPPA - code compliance is sufficient to satisfy the statute after codes have been approved by the FTC).
108
What does the Self-Regulatory approach to data privacy protection emphasize?
The creation of codes of practice for the protection of PI by a company, industry or independent body. There may be no generally applicable data protection law that creates a legal framework for this model unlike the co-regulatory model.
109
What are two examples of self-regulatory models that had a global impact?
The Payment Card Industry Data Security Standard & The Groupe Speciale Mobile Association.
110
Name an early self-regulatory effort.
Online Privacy Alliance (OPA). This was a coalition of online companies and trade associations est. in 1998 to encourage the self-regulation of online privacy.
111
What are "seal programs"?
A form of self-regulation that requires participants to abide by certain codes of information practices and submit to monitoring to ensure compliance.
112
Give some examples of seal programs
TRUSTe, BBBOnline, Web Trust, EuroPriSe, AMIPCI Trust Mark and TrustSG.
113
What are some pros and cons of the self-regulatory approach to data privacy?
This model can be very flexible and it is thought that industry experts know best how to handle the challenges associated with their industry. However, there are concerns over adequacy and enforcement. Are the needs of consumers and other stakeholders taken into account?
114
What is the Technology-Based model of data privacy protection?
This can be considered as an alternative to protections that arise from an org's administrative compliance with laws or self-reg codes. Think Google or Microsoft using encryption on global web-mail - this makes the protection practices of the local ISP less relevant to protect the content of a communication.
115
What law did the EU pass in 1995 with regards to data privacy?
Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data (the EU Data Protection Directive)
116
When did the EU Data Protection Directive go into effect?
1998
117
In what year was a new regulation to revise and replace the Directive proposed?
2012
118
Who does the EU Directive apply to?
Any person who collects or processes data pertaining to individuals.
119
Is the EU Directive a law of exclusion or inclusion?
Exclusion - the law prohibits all processing, generally, unless permitted by law.
120
What are the data protection principles on which the EU Directive is based?
legitimate basis for processing, purpose limitation, data quality, proportionality, transparency, security and confidentiality.
121
What are the data subjects' rights under the EU Directive?
Access, rectification, deletion, and objection
122
Is onward transfer restricted under the EU Directive?
Yes
123
Under what circumstances are additional protections afforded under the Directive?
Where special categories of data or direct marketing are involved.
124
Are automated individual decisions prohibited under 95/46/EC?
Yes
125
What are EU Member states required to do under the Directive?
Promulgate a national law.
126
What section of the Directive codified the fair information practices first developed in the US in the 1970s?
Section 1, Article 6
127
Section 1, Article 6 states that EU member states shall provide that personal data must be:
Processed.... ; Collected for specified.... further processing of data for historical or scientific..... ; adequate, relevant, and.... ; accurate and, where necessary....every reasonable step must be taken to..... ; kept in a form which permits identification of data subjects for no longer....member states shall lay down....
128
What does the Directive regulate?
The processing of personal data.
129
How is personal data defined under the Directive?
Broadly - data that relates to an identified or identifiable individual.
130
Does the EU Directive cover data collected from public sources?
Yes
131
What characteristics of data make it likely to be considered personal?
Relates to an identifiable individual (whether in personal or family life, or in business or profession), is obviously about the individual, is used to inform or influence actions or decisions affecting an identifiable individual, is linked to an individual so that it provides particular information about the individual.
132
How does the Directive define "processing"?
Processing covers all operations performed on personal data including collection, storage, handling, use, AND deletion.
133
Are only manual processing activities covered by the Directive?
No - automated processing is covered too.
134
Under what circumstances are partial exemptions granted?
Processing for certain activities such as journalism and research but only to reconcile privacy rights with free expression and if "appropriate safeguards" are taken.
135
When is processing permitted under the Directive?
When the "unambiguous consent" of the data subject is obtained. When processing is necessary for the performance of a contract to which the data subject is a party (applied narrowly). When "necessary for the purposes of the legitimate interests" of the company or a third party or parties to whom data is disclosed.
136
What must be done in order for processing to be permitted for "legitimate interests"?
A balancing test must be performed in every such case. The business interests must be balanced against the interests in the fundamental rights and freedoms of the consumer.
137
What is the dual purpose of the Directive?
To enhance the free flow of data among the EU member states while also providing for a high level of data protection.
138
Do European data protection laws impose restrictions on data flows within the EU?
No, though registration and notification requirements may still apply.
139
When can data be lawfully transferred outside the EU under the Directive?
When a jurisdiction offers an "adequate level of protection" or when another basis for transfer exists.
140
If there is an "adequate level of protection" under the Directive what is allowed?
The transfer of data without further approvals or processes.
141
As recently as 2012, what jurisdictions were deemed "adequate" under the Directive?
Canada (as long as the recipient of information is subject to PIPEDA), Switzerland, Argentina, Israel, Jersey, the Isle of Man, Guernsey, Faroe Islands, Andorra.
142
What are two other mechanisms that can facilitate data transfer?
Model Contracts and Binding Corporate Rules
143
What are Model Contracts?
Model Contracts contain standard clauses which are defined by the EU and the Article 29 Working Party to meet the adequacy standards under the Directive.
144
What obligations come with Model Contracts?
Data protection commitments and liability requirements. They must be implemented for each business process or personal data flow from an EU country to a country not deemed "adequate." These help companies avoid enforcement actions and business interruptions.
145
What are BCRs?
Binding Corporate Rules - legally binding internal corporate privacy rules for transferring PI within a corporate group.
146
Who established BCRs?
The Article 29 Working Party
147
Who typically uses BCRs?
Companies that operate in multiple jurisdictions.
148
What must happen before BCRs become effective?
They must be approved by the EU data protection authorities in the different states where the corporation operates.
149
What must be designated under the requirements for BCRs?
A lead authority as the point of contact.
150
What does the BCR authority do?
Handles the procedure for the review of the BCR and coordinates the authorization process in the various member states.
151
How does one choose a lead authority under BCRs?
consider the location of the group's European headquarters, the location of the company within the group that has delegated data protection responsibilities, the location of the company within the group best placed to deal with application and enforce BCRs, the location where most decisions are made in relation to processing, the location where most transfers outside the EU take place.
152
The lead authority for purposes of BCRs is...
One of the DPAs from an EU member state....
153
What is the procedure for approval of BCRs?
The finalization of the draft BCR usually requires exchanges between the company and the lead DPA. Upon satisfaction, the lead DPA forwards them to two other DPAs, which have one month to review and comment. The lead DPA then sends the draft BCR to all DPAs in all countries from which the data is transferred.
154
What was the e-Privacy directive originally called?
It was called the Telecommunications Directive passed in 1997.
155
What is the formal name of the e-Privacy Directive?
The directive on privacy and electronic communications (2002/58/EC).
156
What does the e-Privacy Directive regulate?
Online marketing practices - it extends the controls on unsolicited direct marketing to all forms of electronic communications.
157
What are some of the key provisions of the e-Privacy directive?
158
What does the Cookie Directive add to the e-Privacy Directive?
The Cookie Directive, or 2009/136/EC, revises the e-Privacy Directive to require member states to pass legislation requiring opt-in mechanisms before cookies are installed. The implementation deadline was not met, owing to controversy over which cookies are covered and how to provide an opt-in mechanism in practice.
159
How was the Article 29 Working Party formed?
By the 1998 Data Protection Directive.
160
What is the Article 29 Working Party?
A group of data protection authorities that has provided guidance on a range of data protection issues.
161
Who enforces data protection laws?
The national DPAs of the EU member states as well as the data protection authority of the European Commission itself.
162
How does the treatment of employment data differ in the EU?
Privacy concerns tend to predominate over security concerns, and employee rights are very prominent. Employers often have to jump through more hoops to monitor or background check employees.
163
Does the US have "adequate data protection" according to the EU?
No
164
Who developed the "Safe Harbor" framework?
The US Department of Commerce in consultation with the European Commission.
165
How does a corporation become "Safe Harbor" certified?
They self-certify with the Dept of Commerce that they abide by certain fair information practices and subject themselves to enforcement actions by the FTC and the DOT. The FTC considers it a deceptive trade practice to claim to be SH certified but fail to abide by the principles.
166
What are the "Safe Harbor" requirements?
Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement
167
Is Safe Harbor choice opt-out or opt-in?
Both - generally an individual must have the opportunity to opt out of disclosure of their PI outside the scope of the original use. For sensitive info, affirmative or explicit (opt-in) choice must be given if the info is used for anything other than the original or an authorized purpose.
168
Describe the concept of onward transfer.
To disclose information to a third party, organizations must apply the notice and choice principles. To transfer to a third party, that party must subscribe to SH, be subject to the Directive, be "adequate", or at least have a written agreement in place that it provides the same level of protection as required by the relevant principles.
169
How is Safe Harbor enforced?
There must be independent recourse mechanisms to investigate complaints and disputes and provide for damages, verification of compliance, and obligations to remedy problems arising out of a failure to comply. Sanctions must be severe enough to ensure compliance. And if no letter is filed, the organization is not on the list and receives no benefits.
170
What are alternatives to Safe Harbor?
Model Contracts, Consent (or other exception under the Directive).
171
Is consent enough to authorize data transfer?
Generally, but it must be freely given and unambiguous. The details of what constitutes consent differ across EU member states.
172
Is consent valid if there are consequences for it not being given?
No, there must be no adverse consequences if consent is withheld or revoked.
173
Is Consent always recognized in the HR context?
No, because of the subordinate nature of the employer-employee relationship.
174
What type of model approach does the US have towards privacy protection?
A Sectoral Model - it has grown piecemeal over time.
175
What often applies for sectors that are not subject to specific statutes?
Self-regulation
176
Does the US Constitution provide for an explicit right to privacy?
No
177
When did legal attention to privacy first become prominent in the US?
1890, with the growth of photography - Brandeis and Warren - the right to be left alone. Then, 70 years later, Prosser's law review article set forth the privacy torts (there are four now).
178
How has privacy developed over time in terms of the Constitution vs. statutes?
Over the years courts have set forth privacy rights based on the Constitution. These are "decisional" in nature - birth control, abortion, sexual activity - NOT "information" privacy. Statutes provide the primary source of legal obligation in the information realm.
179
What two approaches to privacy legislation are prominent in the US today?
The fair information practices approach and the "permissible purpose" approach.
180
What are two key principles in the fair information practices approach to privacy legislation?
Notice and choice
181
What law exemplifies the fair information practices approach to privacy legislation?
Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act)
182
What is the best example of the permissible purpose approach to privacy legislation?
The Fair Credit Reporting Act
183
What was announced in 2012 as an update to the Fair Information Practice Principles from the early 1970s?
Obama's Consumer Privacy Bill of Rights - NOTE: This BoR has not been enacted into law.
184
Under Obama, what principles should apply to personal information in modern online commercial settings?
Individual control, transparency, respect for context, security, access & accuracy, focused collection, accountability.
185
Name four key private sector privacy laws:
(1) Fair Credit Reporting Act (FCRA) (1970) (2) Health Insurance Portability and Accountability Act of 1996 (HIPAA) (3) Gramm-Leach-Bliley Act (GLBA) (1999), & (4) Children's Online Privacy Protection Act of 1998 (COPPA).
186
What is the basic rule under HIPAA?
Patients have to opt-in before their information can be shared with other organizations though there are exceptions for treatment, payment and healthcare operations.
187
What law amended HIPAA in 2009?
The HITECH Act
188
What are GLBA's basic requirements?
Securely store personal financial information, give notice of policies regarding the sharing of personal financial info, and give consumers the ability to opt out of some sharing of personal financial info.
189
What does COPPA apply to?
Operators of commercial websites and online services that are directed to children under the age of 13 AND general audience websites and online services that have actual knowledge that they are collecting PI from children under 13.
190
Describe some of the broad powers of the FTC with regards to privacy
The FTC has authority under Section 5 of the FTC Act to bring enforcement actions against "unfair and deceptive" trade practices. Its jurisdiction extends broadly to commercial entities, with exceptions for the financial services industry and other sectors.
191
What are two key public sector laws?
The Privacy Act of 1974 and The Freedom of Information Act (FOIA)
192
What does the Privacy Act of 1974 regulate?
The federal government's use of computerized databases of information about U.S. citizens and permanent, legal residents.
193
When was FOIA enacted?
1966
194
What does FOIA apply to?
FOIA covers all federal agency records, not just those that contain PI, under the federal executive branch.
195
What does FOIA not apply to?
Legislative or judicial records and state or local records.
196
What law was enacted to update FOIA?
E-FOIA in 1996
197
What types of laws have the states implemented?
Data breach laws, identity theft laws, medical privacy.
198
Does the FCRA preempt state law?
Yes
199
Does HIPAA preempt state law?
No - and stricter privacy protections can be added at the state level.
200
What type of info privacy model does Australia have?
A co-regulatory model - Federal Privacy Act - contains 11 information privacy principles that apply to Commonwealth and ACT government agencies (Australian Capital Territory). Amendments have extended the 10 existing National Privacy Principles into the private sector. Note: Privacy Amendment Act 2000.
201
What are the 10 National Privacy Principles in Australia?
Fair and lawful collection, use and disclosure only with consent, reasonable quality and accuracy, reasonable security, openness, means for access and correction, limits on use of govt issued IDs, reasonable anonymity options must be offered, trans-border flows should be limited, and special protection for sensitive data.
202
Does Australia encourage self-regulation?
Yes, codes that reflect the National Privacy Principles.
203
What is the standard for the obligations of an organization regarding privacy?
"Reasonableness" under the circumstances
204
What type of framework exists in China?
The PRC has not enacted a comprehensive privacy or data protection law, though an individual right to privacy is established in the Constitution of the PRC (Articles 40 and 38).
205
What were the draft guidelines published in China in 2011 and who published them?
"Information Security Technology - Guide of Personal Information Protection", published by the General Administration of Quality Supervision, Inspection and Quarantine and the Standards Administration of the PRC. If passed, they would provide broad privacy rules for the collection, use and handling of PI.
206
What is the general approach of data protection in Europe?
To not allow any collection or use of personal data unless permitted by law.
207
What countries are covered by the Directive?
27 EU States and 3 EFTA countries
208
What are the 3 EFTA countries?
Norway, Liechtenstein and Iceland
209
Is Switzerland under the Directive?
No - it is an EFTA member but not an EEA member.
210
What is the EEA?
The European Economic Area - the 27 EU states and the 3 EFTA countries that have signed on to the EEA agreement.
211
What are the 27 EU countries?
A, B, B, C, CR, D, E, F, F, G, G, H, I, I, L, L, L, M, N, P, P, R, S, S, S, S, UK
212
What is the law of Andorra?
The Qualified Law 15/2003
213
What is the law of Armenia?
The Law of the Republic of Armenia on Personal Data in force since 2003.
214
What is the law of Azerbaijan?
The law of the Republic of Azerbaijan on Information, Information Provisions and Protection of Information (1998)
215
What is the law of Bosnia & Herzegovina?
The Law on the Protection of Personal Data
216
What is the law of Belarus?
The Law on Information, Informatization, and Protection of Information of November 10, 2008.
217
What is the law of Croatia?
The Personal Data Protection Act (2003)
218
What is the law of Kosovo?
The Law on the Protection of Personal Data (May 13, 2010).
219
What is the law of Moldova?
The Law Nr. 17-XVI of 15.02.2007
220
What is the law of Russia?
The Federal Law of 27 July 2006 N 152-FZ on Personal Data.
221
What is the law of Serbia?
The Law on Personal Data Protection (published in the Official Gazette of the Republic of Serbia No. 97/08).
222
What is the law of Ukraine?
Law No. 2297-VI on Personal Data Protection (January 1, 2011)
223
What are the Canadian government officials who oversee privacy matters called?
Information and privacy commissioners or ombudsmen
224
What do Canadian government privacy officials not rely on as of 2011?
Fines
225
What is the act that limits Canadian government departments' and agents' ability to collect, use and disclose personal data?
The Privacy Act of 1983
226
What does PIPEDA stand for?
The Personal Information Protection and Electronic Documents Act of 2000 (Canada)
227
What is PIPEDA?
Canada's comprehensive national private sector privacy legislation.
228
When did PIPEDA become fully applicable?
2004
229
What are the 2 goals of PIPEDA?
(1) to instill trust in electronic commerce and private sector transactions for Canadian citizens and (2) to establish a level playing field where the same marketplace rules apply to all businesses.
230
How is PI defined under PIPEDA?
Information about an identifiable individual, but it does not include business contact information.
231
What type of 'activity' is covered by PIPEDA?
Commercial Activity
232
What entity is responsible for oversight of PIPEDA?
On the national level - the Office of the Information and Privacy Commissioner of Canada located in Ottawa, Ontario.
233
What does PIPEDA require?
Organizations to adhere to 10 standards regarding the information that they collect.
234
How does PIPEDA relate to provincial privacy legislation?
PIPEDA provides for the enactment of provincial privacy legislation, and if a provincial law is deemed "substantially similar" to PIPEDA then it generally supersedes PIPEDA with regard to intra-provincial and provincial govt activities.
235
What Canadian provinces have substantially similar privacy laws that govern the private sector?
Alberta, BC and Quebec.
236
What is one law that has been deemed "substantially similar" to PIPEDA?
The province of Ontario's health law, the Personal Health Information Protection Act.
237
What should privacy practitioners be aware of when they encounter healthcare information?
That special rules may apply.
238
What are some reasons why strict privacy and data protection laws are necessary for healthcare privacy information?
1. Medical information is related to the inner workings of one's body or mind. 2. Most doctors believe that patients will be more open if their info is not revealed. 3. It protects employees from unequal treatment.
239
What are some sectors of privacy and data protection law?
Healthcare Sector, Financial Sector, Telecommunications Sector, Online Privacy, Public Sector, Human Resources, Smart Grid and Smart Home, Direct Marketing.
240
What Act established a complicated set of privacy and security requirements for all financial institutions?
Gramm-Leach-Bliley Act of 1999
241
What is the Japanese law that regulates the use of customers' personal information in the financial services sector?
The Act on the Protection of Personal Information and accompanying guidelines.
242
What are two areas where privacy professionals should remain acutely aware?
Confidentiality and disclosure
243
In what areas can financial rules apply?
Financial institutions, financial transactions, special local rules for information about credit histories.
244
What are the four categories of modern telecommunications rules?
1. Wiretaps and similar technology that gain access to the CONTENT of communications 2. Access on an ongoing basis to TO/FROM information 3. STORED TELECOMMUNICATIONS RECORDS 4. LOCATION INFORMATION
245
When was the Internet developed?
1990s
246
What is the concept of technology neutrality?
The concept that citizens' rights should not vary depending on a specific technology.
247
How has the Internet created new challenges to privacy protections?
1. Internet problems do not have easy comparisons to the past. 2. It enables far more detailed collection of information than in the past. 3. Its inherently global nature.
248
Does the EU Directive apply to both the private and government sectors?
Yes, though there are less strict rules for "first pillar" government organizations, where the police and other government agencies hold personal info, than for data held by private actors.
249
What Act requires the federal government to apply FIPs?
The Privacy Act of 1974.
250
How many levels of privacy law does Canada have?
1. Federal 2. Provincial/Territory 3. Municipality
251
What is an important issue to explore when dealing with an issue in the public sector?
Special notice should be taken when a local or national government has access to personal information.
252
What is an important aspect of a "public" record?
What is a "public record" varies from country to country. In Sweden, salary information is a public record, and in the US the owner of real estate is a public record, while that info is considered private in many countries.
253
Is HR information considered PI under the EU Directive?
Yes
254
What organization in the US provides a general code of conduct in relation to the protection of HR information?
The International Association for Human Resources Information Management.
255
In addition to internal procedures, what outside regulation must HR professionals consider with regards to data privacy?
HIPAA & the Fair Credit Reporting Act
256
What is the balance in the HR world with regard to personal data?
Privacy rights of employees in the workplace vs. legitimate interests of the organization and customers.
257
What does "smart grid" refer to?
A new energy system that manages electricity consumption through remote computerization and automation.
258
What is the concept of "Privacy by Design"?
Building privacy into technology.
259
Which state passed the first consumer protection law regulating the use of consumer energy consumption in 2010?
California
260
What has been done in the EU to address smart grid privacy laws?
In 2011, the EU adopted "Communication Smart Grids: from Innovation to Deployment" focused on developing technical standards and ensuring data protection for consumers, and in 2011 the EU issued an Article 29 Working Party Opinion that clarifies the legal framework applying to smart meters.
261
What is one aspect of smart grid technology that raises privacy concerns?
The fact that it measures energy use continuously rather than at the end of a billing cycle.
262
Smart grid issues set the stage for issues related to what other technology?
Smart home
263
How is direct marketing distinguished from other types of marketing?
Direct marketing occurs when a seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.
264
What are the two traditional privacy issues related to direct marketing?
1. What information is collected and used by default? 2. What rights do individuals have to change that default?
265
What were the circumstances by which a self-regulatory system developed in the US for direct marketing?
In response to magazine subscription lists - the efforts were primarily led by the Direct Marketing Association.
266
What type of system did the Direct Marketing Association establish for consumers receiving mailings?
Opt-out
267
What was the next wave of direct marketing efforts with regard to privacy protections?
Telephone calls to households which led to a company by company opt-out list through self-regulation and government rules.
268
What opt-out regulation was developed in 2004 in response to telemarketers?
The National Do Not Call Registry.
269
Who enforces Do Not Call?
FTC
270
Are there any exceptions to Do Not Call?
Political activities and non-profit organizations (in an effort to uphold free speech rights).
271
What was the argument underlying Do Not Call?
How to enable direct marketing vs. protecting privacy
272
What high-profile court case brought the direct marketing debate to light?
DoubleClick - they proposed to merge offline content with info collected by cookies set by DoubleClick's own network.
273
What did the DoubleClick decision also prompt?
The development of a self-regulatory code by the Network Advertising Initiative (NAI) that requires online advertisers to provide for opt-out measures for many forms of online targeted advertising (for those that adopt it).
274
What EU Directive affirmed the right of individuals to place limits on direct marketing?
The 2002 Privacy and Electronic Communications Directive (e-Privacy Directive)
275
What is the Cookie Directive?
The nickname for the 2009 amendment to the 2002 e-Privacy Directive. Notably, it requires affirmative consent before cookies can be placed on an individual's computer. As of early 2012, national laws implementing the directive are coming into effect and there are ongoing discussions about how to comply with the Directive while maintaining functionality of sites that use cookies.
276
What is Do Not Track?
Do Not Track is a proposal by the FTC that is an update to Do Not Call. The W3C is establishing standards to define Do Not Track. There is a further debate surrounding the use of data vs. the collection of data.
277
What is Information Security?
The protection of information in order to prevent loss, unauthorized access or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve the information consistent with three key attributes: CIA
278
Define CIA
Confidentiality - access to data is limited to authorized parties. Integrity - assurance that data is authentic and complete. Availability - Knowledge that the data is accessible, as needed, by those who are authorized to access it.
279
How is IS achieved?
By implementing controls that must be monitored and reviewed.
280
What are the types of security controls?
Physical / Administrative / Technical
281
What do security controls do?
Prevent, detect or correct a security incident
282
How does information security differ from information privacy?
IS is the protection of info from unauthorized access, use and disclosure. IP also concerns rules that govern the collection and handling of Personal Information. IS is a necessary component of IP, but IP also involves the data subject's right to control the data such as rights to notice and choice.
283
What are the 3 main sources from which security requirements are derived?
(1) identifying and assessing the security threats to and vulnerabilities of the organization (2) legal, regulatory & contractual obligations (3) an organization's principles, policies & objectives.
284
What are some basic steps to consider when establishing and managing an information security program?
(1) define the scope/boundaries of the ISMS (2) define the security policy (3) define the risk assessment approach (4) identify, analyze and evaluate risks (5) identify and evaluate options for handling risks (6) select control objectives and controls for the risks (7) obtain management approval of proposed residual risks (8) monitor and review the security program
285
What are some best practices for a good information identification and assessment process?
A technical schematic of the infrastructure and processes, but also insight into how the systems are actually used by individuals. Monitoring is also an important aspect - as assessments are essentially backward looking, monitoring is necessary to gain current or real-time information about a system.
286
Define risk
A measure of the extent to which an entity is threatened by a potential circumstance or event. It is typically a function of the adverse impacts if the circumstance occurs and the likelihood of occurrence.
287
Define Threat
Any circumstance or event with the potential to adversely impact organizational operations or assets.
288
Define Vulnerability
A weakness in an info system, system security procedures, internal controls or implementation that could be exploited by a threat source.
289
What is the most common form of monitoring?
System logs - they capture a current record of changes to the system and other important events.
290
What should system logs be regularly checked for?
Gaps - which may indicate alterations made to conceal a breach.
291
Give one industry standard risk assessment formula
Risk = threat x vulnerability x expected loss
292
What are some metrics to help evaluate risk?
Number of breaches, number of outages, unauthorized access, lost assets, software viruses, investigations
293
Does information have to be stolen or altered for a breach to have occurred?
No - a breach occurs when an attacker enters the organization's system.
294
What is an outage?
This occurs when a component of the IS is offline due to an attack.
295
When should an investigation of an attack begin?
During the attack and continue after the attack
296
What is ISO?
The International Organization for Standardization - consists of over 160 member countries.
297
What are the two main standards for information security?
ISO 27001 - IS Management (mandatory requirements) & ISO 27002 (originally named ISO 17799 but renamed in 2007; it outlines international best practices for info security techniques and provides optional guidelines for implementing the requirements of ISO 27001).
298
How many controls are within the ISO 27002 framework?
133 specific controls organized around 39 control objectives. The 11 security clauses of ISO 27002 each have categories of controls and implementation guidance. EXTRA CREDIT - name the 11 security clauses (pg. 82 of Foundations text)
299
What must be a priority in order to maintain security within an organization?
Roles and responsibilities must be clearly understood
300
What are 5 things that an org must ensure that employees understand?
(1) the value of security and importance of reporting incidents (2) their roles and responsibilities (3) security policies and procedures (4) basic security issues (5) the importance of compliance with legal/regulatory requirements