Glossary Flashcards
Abstract
Limit the amount of detail in which personal information is processed.
Access Control Entry
An element in an access control list (ACL). Each ACE controls, monitors, or records access to an object by a specified user. - Acronym(s): ACE - Associated term(s): Access Control List (ACL)
Access Control List
A list of access control entries (ACE) that apply to an object. Each ACE controls or monitors access to an object by a specified user. In a discretionary access control list (DACL), the ACL controls access; in a system access control list (SACL) the ACL monitors access in a security event log which can comprise part of an audit trail. - Acronym(s): ACL - Associated term(s): Access Control Entry (ACE)
Accountability
The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
Active Data Collection
When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons. - Associated term(s) - Passive Data Collection, First-party Collection, Surveillance Collection, Repurposing, Third-party Collection
AdChoices
A program run by the Digital Advertising Alliance to promote awareness and choice in advertising for internet users. Websites with ads from participating DAA members will have an AdChoices icon near advertisements or at the bottom of their pages. By clicking on the AdChoices icon, users may set preferences for behavioral advertising on that website or with DAA members generally across the web. - Associated term(s) - Digital Advertising Alliance
Adequate Level of Protection
A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements - (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred - (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules - (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data. - Associated term(s) - Adequacy
Advanced Encryption Standard
An encryption algorithm for security-sensitive non-classified material by the U.S. Government. This algorithm was selected in 2001 to replace the previous algorithm, the Data Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (Rijndael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. - Acronym(s) - AES - Associated term(s) - Authentication, Encryption
Adverse Action
Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action. - Associated law(s) - FCRA
Agile Development Model
A process of software system and product design that incorporates new system requirements during the actual creation of the system, as opposed to the Plan-Driven Development Model. Agile development takes a given project and focuses on specific portions to develop one at a time. An example of Agile development is the Scrum Model. - Associated term(s) - Plan-Driven Development Model, User Stories, SRS
Algorithms
Mathematical applications applied to a block of data.
Anonymization
The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data. - Associated law(s) - Anonymous Data, De-Identification, Microdata Sets, Re-identification
Anonymous Information
In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR. - Associated term(s) - Pseudonymous Data, De-Identification, Re-Identification
Anthropomorphism
Attributing human characteristics or behaviors to non-human objects.
Anti-discrimination Laws
Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.
Application or field encryption
Ability to encrypt specific fields of data - specifically sensitive data such as credit cards numbers or health-related information.
Application-Layer Attacks
Attacks that exploit flaws in the network applications installed on network servers. Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks.
Appropriation
Using someone’s identity for another person’s purposes.
Asymmetric Encryption
A form of data encryption that uses two separate but related keys to encrypt data. The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key - decryption of the data encrypted by the private key requires the public key. - Associated term(s) - Symmetric Encryption, Encryption
Attribute-Based Access Control
An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access. - Acronym(s) - ABAC - Associated term(s) - User-based Access Control
Audit Trail
A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity. The term originates in accounting as a reference to the chain of paperwork used to validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce, to track customers’ activity, or cyber-security, to investigate cybercrimes.
Authentication
The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. - Associated term(s) - Authorization
Authorization
In the context of information security, it is the process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset. Authorization criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. When effective, authentication validates that the entity requesting access is who or what it claims to be. - Associated term(s) - Authentication
Automated decision making
The process of making a decision without human involvement.
Basel III
A comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector.
Behavioral Advertising
Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information. - Acronym(s) - OBA - Associated term(s) - Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising
Big Data
A term used to describe the large data sets which exponential growth in the amount and availability of data have allowed organizations to collect. Big data has been articulated as “the three V’s” - volume (the amount of data), velocity (the speed at which data may now be collected and analyzed), and variety (the format, structured or unstructured, and type of data, e.g. transactional or behavioral). - Associated term(s) - Metadata
Biometrics
Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists biometric data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances. - Associated term(s) - Personal Information
Blackmail
The threat to disclose an individual’s information against his or her will.
Breach Disclosure
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure. - Associated law(s) - FCRA, GLBA, HIPAA, various U.S. state laws - Associated term(s) - Breach notification
Breach of confidentiality
Revealing an individual’s personal information, despite a promise not to do so.
Bring Your Own Device
Use of employees’ own personal computing devices for work purposes. - Acronym(s) - BYOD - Associated term(s) - Consumerization of information technology (COIT)
Browser Fingerprinting
As technology has advanced, it has become easier to differentiate between users just based on the given instance of the browser they are using. Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements has been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.
Caching
The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit caching.
California Online Privacy Protection Act
Requires that all websites catering to California citizens provide a privacy statement to visitors and an easy-to-find link to it on their web pages. Websites that carry personal data on children less than 18 years of age must permit those children to delete data collected about them. Websites also must inform visitors of the type of Do Not Track mechanisms they support or if they do not support any at all. - Link to text of law - California Online Privacy Protection Act - Acronym(s) - CalOPPA - Associated term(s) - Do Not Track
CCTV
Originally an acronym for “closed circuit television,” CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and were truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns. - Associated term(s) - Video Surveillance
Chat bots
Computerized intelligence that simulates human interactions and may be used to handle basic customer requests and interactions.
Children’s Online Privacy Protection Act (COPPA) of 1998
A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators - to post a privacy notice on the homepage of the website - provide notice about collection practices to parents - obtain verifiable parental consent before collecting personal information from children - give parents a choice as to whether their child’s personal information will be disclosed to third parties - provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children. - Acronym(s) - COPPA - Link to text of law - 15 U.S.C. §§ 6501-6508
Choice
In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation. - Associated term(s) - Consent
Ciphertext
Encrypted (enciphered) data. - Associated term(s) - NIST SP 800-21
Cloud Computing
The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a “private cloud” or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.
Code audits
Provide analysis of source code that detects defects, security breaches or violations within a technology ecosystem.
Code reviews
Generally an in-person meeting organized by the developers who authored the code. The review may consist of a reader, moderator and privacy specialist.
Collection Limitation
A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Communications Privacy
One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.
Completeness Arguments
Used as a means of assuring compliance with privacy rules and policies in the design of new software systems. Completeness arguments take privacy rules and compare them to the system requirements that have been used to design a new software system. By pairing privacy rules with specific system requirements, necessary technical safeguards can be accounted for, preventing the software from being designed in such a way that would violate privacy policies and regulations. - Associated term(s) - SRS, User Stories, Plan-driven Development Model, Agile Development Model
Computer Forensics
The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.
Concept of Operations
Used in Plan-driven Development Models, a Concept of Operations is a detailed outline of how a software product or system will work once it is fully operational. This is used to shape how a product or system will be designed and implemented. - Acronym - CONOPS - Associated term(s) - Plan-driven Development Model, SRS
Confidentiality
Data is “confidential” if it is protected against unauthorised or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Consent
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative - i.e., opt-in - or implied - i.e., the individual didn’t opt out. - (1) Affirmative/Explicit Consent - A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties. - (2) Implicit Consent - Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Content Delivery Network
The servers that contain most or all of the visible elements of a web page and that are contacted to provide those elements. In the realm of advertising, a general ad server is contacted after a webpage is requested; that ad server looks up any known information on the user requesting to access the webpage.
Context aware computing
When a technological device adapts itself to the environment. This includes characteristics such as location, video, audio and brightness.
Context of authority
Control over the access to resources on a network is based on the context in which the employee is connected to the network.
Contextual Advertising
The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user. - Associated term(s) - Behavioral Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising.
Contextual Integrity
A concept developed by Helen Nissenbaum, contextual integrity is a way to think about and quantify potential privacy risks in software systems and products. Contextual Integrity focuses on what consumer expectations are in a given situation and how the product or system differs from that expectation. The more a product or system deviates from those expectations, the more likely a consumer will perceive a privacy harm. - Associated term(s) - Privacy Risk
Cookie
A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as “first-party” (if they are placed by the website that is visited) or “third-party” (if they are placed by a party other than the visited website). Additionally, they may be referred to as “session cookies” if they are deleted when a session ends, or “persistent cookies” if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called “cookie identifiers,” as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive (see Cookie Directive). - Associated term(s) - First-Party Cookie, Persistent Cookie, Third-Party Cookie, Tracking Cookie, Web Cookie
Coupling
The interdependence between objects within a technology ecosystem, which controls the flow of information within a design. Tightening the coupling allows objects to depend on the inner workings of other objects. Loosening the coupling reduces an object’s dependency on other objects. Loosening isolates information processing to a select group of approved classes and reduces the chance of unintentionally re-purposing data.
Cross-site Scripting
Code injected by malicious web users into web pages viewed by other users. - Acronym(s) - XSS
Cryptography
The science or practice of hiding information, usually through its transformation. Common cryptographic functions include - encryption, decryption, digital signature and non-repudiation. - Associated term(s) - Digital signature, encryption, non-repudiation, PKI
Cryptosystem
The materials necessary to encrypt and decrypt a given message, usually consisting of the encryption algorithm and the security key. - Associated term(s) - Encryption
Customer Access
A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.
Customer Data Integration
The consolidation and managing of customer information in all forms and from all sources allowable. CDI is a vital component of customer relationship management. - Acronyms - CDI - Associated term(s) - Customer Relationship Management
Customer Information
In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.
Cyberbullying
Exposing a person’s private details or re-characterizing the person beyond the person’s control via technology.
Dark patterns
Recurring solutions that are used to manipulate individuals into giving up personal information.
Data Aggregation
Taking individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so) the data set should - (1) have a large population of individuals, (2) be categorized to create broad sets of individuals, and - (3) not include data that would be unique to a single individual in a data set. - Associated term(s) - De-identification, Re-identification, Pseudonymous Data, Anonymous Information, Identifiability, Identifiers.
Data Breach
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure. - Associated term(s) - Breach, Privacy Breach (Canadian)
Data Centers
Facilities that store, manage and disseminate data and house a network’s most critical systems. Data centers can serve either as a centralized facility for a single organization’s data management functions or as a third-party provider for organizations’ data management needs.
Data Controller
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law. - Associated term(s) - Data Processor
Data Elements
A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.
Data Flow Diagrams
A graphical representation of the flow of data in an information system thus allowing the visualization of how the system operates to accomplish its purpose. DFDs are used both by systems analysts to design information systems and by management to model the flow of data within organizations. - Acronym(s) - DFD
Data Loss Prevention
Term used to describe both the strategy for ensuring end users do not disseminate sensitive information, whether intentionally or unintentionally, to outside ineligible sources and the software products that aid network administrators in controlling what data end users can transfer. - Acronym - DLP
Data Masking
The process of de-identifying, anonymizing, or otherwise obscuring data so that the structure remains the same but the content is no longer sensitive in order to generate a data set that is useful for training or software testing purposes. - Associated term(s) - Obfuscation
Data Matching
An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.
Data Minimization Principle
The idea that one should only collect and retain that personal data which is necessary. - Link to text of law - Directive 95/46/EC - Link to text of law - Regulation EC (No) 45/2001
Data Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. - Associated term(s) - Data Processor, Processing, Processor
Data Processor
A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing. - Associated term(s) - Data Controller, Processor
Data Protection Authority
Independent public authorities that supervise the application of data protection laws in the EU. DPAs provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own DPA. Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines that total 4% of a company’s global annual revenue. - Acronym(s) - DPA
Data Quality
A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria - Does it meet the business needs? - Is it accurate? - Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.
Data Recipient
A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Data schema
Used to separate customer information. Data schema formulates all the constraints to be applied on the data, defines its entities and relationships among them.
Data Subject
An identified or identifiable natural person.
Declared Data
Personal information that is directly given to a social network or other website by a user. - Associated term(s) - Consent
Deep learning
A subset of artificial intelligence and machine learning. It learns by performing a task repeatedly and adding layers of data to improve the outcome.
Demographic Advertising
Web advertising based on information about an individual such as age, height, weight, geographic location or gender. - Associated term(s) - Behavioral Advertising, Contextual Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising.
Design patterns
Describes shared solutions to recurring problems. Design patterns serve to improve program code maintenance by providing developers with a common mental module when approaching a recurring problem.
Design Thinking Process
Used in combination with value-sensitive design. The design thinking process has five phases - empathize, define, ideate, prototype and test.
Differential identifiability
Setting parameters that limit the confidence that any particular individual has contributed to an aggregated value.
Digital Advertising Alliance
A non-profit organization that sets standards for consumer privacy, transparency and control in online advertising. Over 100 advertising companies participate in and comply with their standards. The DAA has an agreement with both the Council on Better Business Bureaus and the Direct Marketing Association to enforce the self-regulatory standards set down by the Digital Advertising Alliance including AdChoices, a program offering user control over behavioral advertising. - Acronym - DAA - Associated term(s) - AdChoices
Digital Fingerprinting
The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include - the IP address of the visitor - a time stamp - the URL of the requested page or file - a referrer URL, and the visitor’s web browser, operating system and font preferences. In some cases, combining this information can be used to “fingerprint” a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies, however, have questioned what would constitute sufficient notice and consent for digital fingerprinting techniques to be used for targeted advertising. - Associated term(s) - Biometric Data, Authentication, Authorization
Digital Rights Management
The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law. - Acronym(s) - DRM
Digital Signature
A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file. If anything is changed in the electronic document after the digital signature is attached, the signature is rendered invalid. - Associated term(s) - Authentication, Encryption
Directive on Privacy and Electronic Communications Act 2002/58EC
A continuation of policy directives for the European Union Member States as set forth in the Data Protection Directive. It has been amended by the Cookie Directive 2009/136EC, which added a requirement that all websites using tracking cookies obtain user consent unless the cookie is “strictly necessary for the delivery of a service requested by the user.” This policy recognizes the importance of cookies for the functioning of modern websites while still making users aware of any tracking the user may not want to participate in. - Link to text of law - Directive on Privacy and Electronic Communications Act 2002/58EC - Acronyms - ePrivacy Directive, Cookie Directive - Associated term(s) - Data Protection Directive
Disassociability
Minimization of connections between data and individuals to the extent compatible with system operational requirements.
Discretionary Access Control
A type of access control that allows an owner of an object, within a given computer-based information system, to grant or deny access. - Acronym(s) - DAC - Associated term(s) - Mandatory Access Control
Distortion
Spreading false and inaccurate information about an individual.
DMZ (Demilitarized Zone) Network
A firewall configuration for securing local area networks (LANs). In a DMZ configuration, a set of computers acts as a broker for traffic between the LAN and an outside network, allowing the majority of computers to run safely behind a firewall. Thus these computers act as a broker similar to a joint security area in a political demilitarized zone.
Do Not Track
A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking. - Acronym(s) - DNT
E-Commerce Websites
Websites with online ordering capabilities have special privacy advantages and risks. Unlike other web advertisers, E-Commerce websites have direct access to information regarding user purchases and payment information. While creating a great opportunity for targeted advertising, it also puts extra onus on these websites to protect user information.
Electronic Communications Data
Consists of three main categories of personal data, as defined in the European Union under the ePrivacy Directive: the content of a communication, traffic data, and location data.
Electronic Communications Network
Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting; and cable television networks, irrespective of the type of information conveyed. In the discussions surrounding the update of the ePrivacy Directive to the ePrivacy Regulation, so-called “over the top” providers, like app-based messaging services, are beginning to be considered as part of the electronic communications network. - Acronym(s) - ECN
Electronic Communications Service
Any service which provides to users thereof the ability to send or receive wire or electronic communications. - Acronym(s) - ECS
Electronic Surveillance
Monitoring through electronic means, i.e., video surveillance, intercepting communications, stored communications or location-based services. - Associated law(s) - Electronic Communications Privacy Act, Stored Communications Act, Wiretap Act
Encryption
The process of obscuring information, often through the use of a cryptographic scheme, in order to make the information unreadable without special knowledge, i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.
Encryption Key
A cryptographic algorithm applied to unencrypted text to disguise its value or used to decrypt encrypted text.
End-User License Agreement
A contract between the owner of the software application and the user. The user agrees to pay for the use of the software and promises to comply with certain restrictions on that use. - Acronym(s) - EULA - Associated term(s) - Terms of Service
Enterprise Architecture
A conceptual outline, blueprint, or diagram that defines the structure and the operation of an organization, normally in the context of developing a strategy for the realization of current and future goals or objectives. - Acronym(s) - EA - Associated term(s) - IT Architecture
EU Data Protection Directive
The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use. - Associated term(s) - Data Protection Directive
Exclusion
Denies an individual knowledge of and/or participation in what is being done with their information.
Exposure
The revelation of information that we normally conceal from most others, including private physical details about our bodies.
Extensible Markup Language
A markup language that facilitates the transport, creation, retrieval and storage of documents. Similar to HTML, XML uses tags to describe the contents of a web page or file. XML describes content of a web page in terms of the data that is being produced, potentially creating automatic processing of data in ways that may require attention for privacy issues, unlike HTML, which describes the content of a web page in terms of how it should be displayed. - Acronym(s) - XML
Extranet
A network system formed through the connection of two or more corporate intranets. These external networks create inherent security risks, while often also meeting important organizational goals. An extranet opens a backdoor into the internal network and provides a third party with a level of trust. While these risks cannot be eliminated, they can be assessed, managed and mitigated. The foundation of this management is a thorough and detailed e-business contract that specifies who may access data, what data will be accessed and what security controls the partner has in place. It should also detail how shared devices will be managed, procedures for cooperating with technical staff in the event of problems and escalation procedures for resolving difficult technical problems.