Glossary Flashcards
Accountability
The implementation of appropriate technical and organizational measures to demonstrate that handling of personal data is performed in accordance with relevant law - an idea codified in the EU General Data Protection Regulation and other frameworks.
Accountability is a fair information practices principle that due diligence and reasonable steps will be taken to ensure personal information will be protected and handled consistently with the law and other fair use principles.
Act Respecting the Protection of Personal Information in the Private Sector
A QC privacy law that is similar to PIPEDA
Came into force in 1994 and espouses three principles:
1. Every person who establishes a file on another person must have a serious and legit reason for doing so;
2. The person establishing the file may not deny the individual concerned access to the information contained in the file;
3. The person must also respect certain rules relating to collection, storage, use and communication of information
Adequate Level of Protection
A transfer of PI from the EU to a 3rd country or international org may take place where the European Commission has decided that the 3rd party ensures an adequate level of protection by taking into account the following:
A. The rule of law, respect for Human Rights and fundamental freedoms, general and sectoral regulations, data protection rules and security measures, effective and enforceable data subject rights and effective redress for data subjects
B. The existence of independent supervisory authorities with responsibility for ensuring compliance with data protection rules; and
C. The international commitments the 3rd party/nation has entered into in relation to the protection of data
Administrative Purpose
The use of personal information about an individual in Canada in a decision-making process that directly affects that individual
Adverse Action
Under the Fair Credit Reporting Act, “adverse action” means all business, credit and employment actions affecting consumers that can be considered to have a negative impact.
Examples: denying or cancelling credit or insurance, denying employment or promotion.
No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
Adverse action requires decision-maker to provide the recipient with a copy of the credit report
Alberta PIPA
Privacy law in Alberta, similar to PIPEDA, that came into force in 1994
Unlike PIPEDA, this act clearly applies to employee information
American Institute of Certified Public Accountants
US professional org (AICPA), co-creator of the WebTrust Seal program
APEC Privacy Principles
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation that mirror the OECD Fair Information Privacy Practices.
They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs
Authentication
The process by which an entity determines whether another entity is who it claims to be
Background Screening/Checks
Orgs may want to verify an applicant’s ability to function in the working environment as well as assuring the safety/security of existing workers
Checks range from checking educational background to checking on past criminal activity
Employee consent requirements vary by jurisdiction
BC PIPA
Privacy law in BC, similar to PIPEDA, came into force in 2004.
Unlike PIPEDA, clearly applies to employee information
Behavioral Advertising
Advertising targeted at individuals based on observations of their behaviour over time.
Most often done via automated processing of personal data. GDPR requires that people be able to opt out of any automated processing, be informed of the logic involved in any automatic personal data processing, and be informed of the consequences of such processing.
If cookies are used to store or access info for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent after having been provided with clear and comprehensive information
Bodily Privacy
One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy.
Focuses on person’s physical being and any invasion thereof.
Such an invasion can take the form of genetic testing, drug testing or body cavity searches
Breach Disclosure / Breach Notification
The requirement that an org notify regulators and/or victims of incidents affecting the confidentiality and security of personal data.
Requirements vary by jurisdiction.
A transparency mechanism that highlights operational failures, which helps mitigate damage and aids in understanding of causes of failure.
Canada’s Anti-Spam Legislation
CASL applies to all forms of electronic messaging. Requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with.
Typically, consent from recipient must be obtained before a CEM is sent (although there are exceptions)
Canadian Institute of Chartered Accountants
CICA, pursuant to the 2006 Protocol, is entrusted with providing strategic leadership, standard setting and communications for the Canadian CA profession.
Canadian Organization for the Advancement of Computers in Health
COACH is a health informatics association whose mission is to promote health technology systems and the effective use of health information
In 2013 published the Guidelines for Protection of Health Information
In 2017 became “Digital Health Canada”
Canadian Standards Association
Non-profit org that developed its own set of privacy principles and broke OECD’s code into ten principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
These 10 principles would go on to be mentioned in PIPEDA
CCTV
Shorthand for any video surveillance system. Today, most are hosted via TCP/IP networks and can be accessed remotely, eliciting new and different privacy concerns.
Charter Rights
Rights created by the Canadian Charter of Rights and Freedoms. Privacy rights located in s. 7, life, liberty and security of the person.
Children’s Online Privacy Protection Act (COPPA) of 1998
US federal law applying to websites directed at children under the age of 13, as well as to general audience websites that have knowledge they are collecting info from children.
Requires a privacy notice, notice to parents about collection practices, obtaining consent before collecting personal information, giving a choice about whether info will be shared with 3rd parties, and providing parents access and the opportunity to delete the child’s personal info and the ability to opt out
Choice
In the context of consent, refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not - if not true choice, unlikely consent will be deemed valid under the GDPR
Collection Limitation
A fair information practices principle, means there should be limits to collection of personal data.
Any data should be obtained by lawful and fair means, with the knowledge and consent of the data subject (where appropriate)
Commercial Activity
Under PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct that is of a commercial character.
This includes the selling, bartering, or leasing of donor, membership or other fundraising lists.
Non-profit associations, unions and private schools are likely to not be considered “commercial activity”
Commercial Electronic Message
Any form of electronic messaging, including e-mail, SMS text, and messages sent via social network where it would be reasonable to conclude its purpose is to encourage participation in a commercial activity.
Acronym: CEM.
Communications Privacy
One of the four classes of privacy (information, bodily and territorial are the others).
Includes protection of the means of correspondence, postal mail, telephone conversations, e-mail and other forms of communicative behavior and apparatus
Comprehensive Laws
Laws that govern the collection, use and dissemination of personal information in the public and private sectors
Computer Forensics
The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.
Confidentiality
Data is “confidential” if it is protected against unauthorised or unlawful processing.
GDPR requires an org be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for additional security.
GDPR requires that persons authorized to process personal data have committed themselves to confidentiality
Consent
One of the fair information practices.
Individuals must be able to prevent the collection of their PI, unless disclosure is required by law. Consent is the individual’s way of giving permission for use or disclosure.
Consent may be affirmative (opt-in) or implied (did not opt-out)
Convention 108
Legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information
Cookie
A small text file stored on a client machine that may be retrieved by a web server. Cookies allow servers to track user’s browser activities.
May be “first party” if they are placed by website that is visited, or “third party” if they are placed by a party other than the website.
GDPR lists “persistent cookies” that aren’t deleted when a session ends as an example of personal information.
GDPR and ePrivacy Directive regulate the use of cookies
CSA Privacy Principles
The 10 privacy principles of the Canadian Standards Association, based on the OECD guidelines and the basis of PIPEDA.
- Accountability
- Identifying purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Customer Access
Customer ability to access personal information collected on them as well as review, correct or delete any incorrect info
Customer Information
In contrast to employee information, customer info includes data relating to the clients of private-sector orgs, patients within the healthcare sector and general public (in the context of public-sector agencies that provide services)
Data Breach
The unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a data collector.
Breaches do not include good faith acquisitions of PI by an employee or agent of data collector for a legit purpose, provided PI isn’t used for purpose unrelated to business or subject to further unauthorized disclosure
Data Controller
The person/public authority/agency which determines the purposes and means of processing personal data.
Data Elements
A unit of data that cannot be broken down further or has a distinct meaning.
Examples: date of birth, numerical identifier, location coordinates.
Data elements in isolation may not be personal data, but, when combined, become personally identifiable and therefore are personal data
Data Processing
Any operation performed on personal data, such as collection, recording, organizing, structuring, storage, retrieval, etc.
Data Processor
Any person (other than employee of the data controller) which processes personal data on behalf of the controller. An org can be a processor and controller at the same time.
Data Protection Authority
Independent public authorities that supervise the application of data protection laws (particularly in the EU).
DPAs provide advice and field complaints from individuals alleging violations of the GDPR.
DPAs can impose fines that total 4% of a company’s global annual revenue.
Data Quality
A fair information practices principle - personal data should be relevant to the purposes for which it is used, and should be accurate, complete, and kept up-to-date.
Four criteria:
1. Does it meet the business needs?
2. Is it accurate?
3. Is it complete?
4. Is it recent?
Data Recipient
A person to whom personal data is disclosed.
Public authorities that receive personal data in a framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients; processing of data by those public authorities shall be in compliance with applicable rules according to the purposes of the processing.
Data Subject
An identified or identifiable natural person
De Novo
Latin meaning “from the beginning” - a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.
In Canada, the Federal Court will hear privacy complaints de novo (not basing their decision on OPC findings)
Direct marketing
When the seller directly contacts an individual, in contrast to marketing through mass media like