Glossary Flashcards

1
Q

Accountability

A

The implementation of appropriate technical and organizational measures to demonstrate that handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks.

Accountability is a fair information practices principle that due diligence and reasonable steps will be taken to ensure personal information will be protected and handled consistently with the law and other fair use principles.

2
Q

Act Respecting the Protection of Personal Information in the Private Sector

A

A Quebec (QC) privacy law that is similar to PIPEDA.
Came into force in 1994 and espouses three principles:
1. Every person who establishes a file on another person must have a serious and legitimate reason for doing so;
2. The person establishing the file may not deny the individual concerned access to the information contained in the file;
3. The person must also respect certain rules relating to the collection, storage, use and communication of information

3
Q

Adequate Level of Protection

A

A transfer of PI from the EU to a 3rd country or international org may take place where the European Commission has decided that the 3rd party ensures an adequate level of protection, taking into account the following:
A. The rule of law, respect for Human Rights and fundamental freedoms, general and sectoral regulations, data protection rules and security measures, effective and enforceable data subject rights and effective redress for data subjects
B. The existence of independent supervisory authorities with responsibility for ensuring compliance with data protection rules; and
C. The international commitments the 3rd party/nation has entered into in relation to the protection of data

4
Q

Administrative Purpose

A

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual

5
Q

Adverse Action

A

Under the Fair Credit Reporting Act, “adverse action” means all business, credit and employment actions affecting consumers that can be considered to have a negative impact.

Examples: denying or cancelling credit or insurance, denying employment or promotion.

No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.

Adverse action requires the decision-maker to provide the recipient with a copy of the credit report

6
Q

Alberta PIPA

A

Privacy law in Alberta, similar to PIPEDA, that came into force in 1994

Unlike PIPEDA, this act clearly applies to employee information

7
Q

American Institute of Certified Public Accountants

A

US professional organization (AICPA), co-creator of the WebTrust Seal program

8
Q

APEC Privacy Principles

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD Fair Information Privacy Practices.

They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs

9
Q

Authentication

A

The process by which an entity determines whether another entity is who it claims to be

10
Q

Background Screening/Checks

A

Orgs may want to verify an applicant’s ability to function in the working environment as well as to assure the safety/security of existing workers

Checks range from checking educational background to checking on past criminal activity

Employee consent requirements vary by jurisdiction

11
Q

BC PIPA

A

Privacy law in BC, similar to PIPEDA, that came into force in 2004.

Unlike PIPEDA, it clearly applies to employee information

12
Q

Behavioral Advertising

A

Advertising targeted at individuals based on observations of their behaviour over time.

Most often done via automated processing of personal data. GDPR requires that people be able to opt-out of any automated processing, be informed of the logic involved in any automatic personal data processing, and be informed of the consequences of such processing.

If cookies are used to store or access info for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent after having been provided with clear and comprehensive information

13
Q

Bodily Privacy

A

One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy.

Focuses on a person’s physical being and any invasion thereof.

Such an invasion can take the form of genetic testing, drug testing or body cavity searches

14
Q

Breach Disclosure / Breach Notification

A

The requirement that an org notify regulators and/or victims of incidents affecting the confidentiality and security of personal data.

Requirements vary by jurisdiction.

A transparency mechanism that highlights operational failures, which helps mitigate damage and aids in understanding of causes of failure.

15
Q

Canada’s Anti-Spam Legislation

A

CASL applies to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribe requirements must be complied with.

Typically, consent from the recipient must be obtained before a CEM is sent (although there are exceptions)

16
Q

Canadian Institute of Chartered Accountants

A

CICA, pursuant to the 2006 Protocol, is entrusted with providing strategic leadership, standard setting and communications for the Canadian CA profession.

17
Q

Canadian Organization for the Advancement of Computers in Health

A

COACH is a health informatics association whose mission is to promote health technology systems and the effective use of health information

In 2013 it published the Guidelines for Protection of Health Information

In 2017 became “Digital Health Canada”

18
Q

Canadian Standards Association

A

Non-profit org that developed its own set of privacy principles and broke OECD’s code into ten principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

These 10 principles would go on to be mentioned in PIPEDA

19
Q

CCTV

A

Shorthand for any video surveillance system. Today, most are hosted via TCP/IP networks and can be accessed remotely, eliciting new and different privacy concerns.

20
Q

Charter Rights

A

Rights created by the Canadian Charter of Rights and Freedoms. Privacy rights are located in s. 7 (life, liberty and security of the person).

21
Q

Children’s Online Privacy Protection Act (COPPA) of 1998

A

US federal law applying to websites directed at children under the age of 13, as well as to general audience websites that have knowledge they are collecting info from children.

Requires a privacy notice, notice to parents about collection practices, parental consent before collecting personal information, a choice about whether info will be shared with 3rd parties, parental access to and the opportunity to delete the child’s personal info, and the ability to opt-out

22
Q

Choice

A

In the context of consent, refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not - if there is no true choice, consent is unlikely to be deemed valid under the GDPR

23
Q

Collection Limitation

A

A fair information practices principle which means there should be limits to the collection of personal data.

Any data should be obtained by lawful and fair means, with the knowledge and consent of the data subject (where appropriate)

24
Q

Commercial Activity

A

Under PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct that is of a commercial character.

This includes the selling, bartering, or leasing of donor, membership or other fundraising lists.

Non-profit associations, unions and private schools are likely not to be considered engaged in “commercial activity”

25
Q

Commercial Electronic Message

A

Any form of electronic messaging, including e-mail, SMS text, and messages sent via social network where it would be reasonable to conclude its purpose is to encourage participation in a commercial activity.

Acronym: CEM.

26
Q

Communications Privacy

A

One of the four classes of privacy (information, bodily and territorial are the others).

Includes protection of the means of correspondence, postal mail, telephone conversations, e-mail and other forms of communicative behavior and apparatus

27
Q

Comprehensive Laws

A

Laws that govern the collection, use and dissemination of personal information in the public and private sectors

28
Q

Computer Forensics

A

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

29
Q

Confidentiality

A

Data is “confidential” if it is protected against unauthorised or unlawful processing.

GDPR requires that an org be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its security requirements.

GDPR requires that persons authorized to process personal data have committed themselves to confidentiality

30
Q

Consent

A

One of the fair information practices.

Individuals must be able to prevent the collection of their PI, unless disclosure is required by law. Consent is the individual’s way of giving permission for use or disclosure.

Consent may be affirmative (opt-in) or implied (did not opt-out)

31
Q

Convention 108

A

Legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down, ensuring fundamental human rights with regard to the processing of personal information

32
Q

Cookie

A

A small text file stored on a client machine that may be retrieved by a web server. Cookies allow servers to track a user’s browser activities.

May be “first party” if placed by the website that is visited, or “third party” if placed by a party other than the website.

GDPR lists “persistent cookies” that aren’t deleted when a session ends as an example of personal information.

GDPR and ePrivacy Directive regulate the use of cookies

33
Q

CSA Privacy Principles

A

The 10 privacy principles of the Canadian Standards Association, based on the OECD guidelines and the basis of PIPEDA.

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

34
Q

Customer Access

A

Customer ability to access personal information collected on them as well as review, correct or delete any incorrect info

35
Q

Customer Information

A

In contrast to employee information, customer info includes data relating to the clients of private-sector orgs, patients within the healthcare sector and the general public (in the context of public-sector agencies that provide services)

36
Q

Data Breach

A

The unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a data collector.

Breaches do not include good-faith acquisitions of PI by an employee or agent of the data collector for a legitimate purpose, provided the PI isn’t used for a purpose unrelated to the business or subject to further unauthorized disclosure

37
Q

Data Controller

A

The person/public authority/agency which determines the purposes and means of processing personal data.

38
Q

Data Elements

A

A unit of data that cannot be broken down further or has a distinct meaning.

Examples: date of birth, numerical identifier, location coordinates.

Data elements in isolation may not be personal data, but, when combined, become personally identifiable and therefore are personal data

39
Q

Data Processing

A

Any operation performed on personal data, such as collection, recording, organizing, structuring, storage, retrieval, etc.

40
Q

Data Processor

A

Any person (other than an employee of the data controller) who processes personal data on behalf of the controller. An org can be a processor and a controller at the same time.

41
Q

Data Protection Authority

A

Independent public authorities that supervise the application of data protection laws (particularly in the EU).

DPAs provide advice and field complaints from individuals alleging violations of the GDPR.

DPAs can impose fines that total 4% of a company’s global annual revenue.

42
Q

Data Quality

A

A fair information practices principle - personal data should be relevant to the purposes for which it is used, and should be accurate, complete, and kept up-to-date.

Four criteria:
1. Does it meet the business needs?
2. Is it accurate?
3. Is it complete?
4. Is it recent?

43
Q

Data Recipient

A

A person to whom personal data is disclosed.

Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients; processing of data by those public authorities shall be in compliance with the applicable rules according to the purposes of the processing.

44
Q

Data Subject

A

An identified or identifiable natural person

45
Q

De Novo

A

Latin meaning “from the beginning” - a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.

In Canada, the Federal Court will hear privacy complaints de novo (not basing its decision on OPC findings)

46
Q

Direct marketing

A

When the seller directly contacts an individual, in contrast to marketing through mass media like

47
Q

Do Not Track

A

Proposed regulatory policy, similar to the existing Do Not Call Registry in the US, which would allow users to opt-out of web-usage tracking

AKA DNT

48
Q

Electronic Communications Network (ECN)

A

Transmission systems and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks.

In discussions surrounding the update of the ePrivacy Directive, “over the top” providers like app-based messaging services are beginning to be considered part of the ECN

49
Q

Electronic Communications Service (ECS)

A

Any service which provides to users the ability to send or receive wire/electronic communications

50
Q

Electronic Health Record

A

Computer record of an individual’s medical file that may be shared across multiple healthcare settings.

EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, etc.

Accessibility and standardization can facilitate large-scale data collection for researchers

51
Q

Employee Information

A

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating an employment/volunteer relationship.

Does not include personal information about the individual that is unrelated to that relationship.

52
Q

Employee Personal Data

A

Article 88 of the GDPR recognises that member states may provide for more specific rules around processing employees’ personal data.

Rules must include suitable and specific measures to safeguard the subject’s human dignity, legitimate interests and fundamental rights, with regard to transparency of processing and transfer of personal data within an undertaking

Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data

53
Q

Encryption

A

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge (i.e. the use of decryption keys).

Encryption is mentioned in the GDPR as a potential way to mitigate risk. Certain breach notification requirements may be mitigated by the use of encryption, as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed

54
Q

EU Data Protection Directive

A

Replaced by the General Data Protection Regulation in 2018. The directive was adopted in 1995, became effective in 1998, and was the first EU-wide legislation that protected individuals’ privacy and personal data use.

55
Q

European Commission

A

The executive body of the EU. Its main function is to implement the EU’s decisions and policies, along with other functions.

Responsible for making adequacy determinations with regard to data transfers to third-party countries

56
Q

The Fair Credit Reporting Act

A

FCRA - enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability to access and correct their information, and limit the use of consumer reports to permissible purposes

57
Q

Federal Trade Commission

A

US primary consumer protection agency; the FTC collects complaints about companies, business practices and identity theft.

Section 5 of the FTC Act prohibits unfair and deceptive trade practices.

58
Q

Generally Accepted Privacy Principles (GAPP)

A

Framework promulgated by the AICPA and CICA. Ten principles are:
1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use and retention
6. Access
7. Disclosure to third parties
8. Security for privacy
9. Quality
10. Monitoring and enforcement

59
Q

GET Method

A

GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs, allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and it is thus less secure than the POST method

60
Q

Global Privacy Enforcement Network

A

Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws.

A collection of Data Protection Authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, the development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns

As of 2018, GPEN counted 50 member countries

61
Q

House of Commons

A

One of two chambers of the Canadian Parliament, along with the Senate. Members of the HoC are elected at least every five years

62
Q

Identifying Purposes

A

Orgs are obligated to identify and document the purposes for the collection of any personal information at or before the time of collection.

63
Q

Individual Access

A

One of 10 privacy principles in PIPEDA. Orgs must be able to respond to requests from individuals for access to their personal information

64
Q

Individual Participation

A

It is a fair information practices principle that an individual should have the right:
a) to obtain confirmation of whether a data controller has data relating to them;
b) to have data relating to them communicated to them within a reasonable time frame;
c) to be given reasons if a request made under a/b above is denied; and to be able to challenge a denial; and
d) to challenge data relating to them, and have data erased, rectified, completed or amended

65
Q

Information Banks

A

Repositories of personal information kept by the Canadian Government to comply with the Privacy Act

66
Q

Information Life Cycle

A

Data has different value, and requires different approaches, as it moves through an org from collection to deletion.

Collection -> Processing -> Use -> Disclosure -> Retention -> Destruction

67
Q

Information Privacy

A

One of four classes of privacy (territorial, bodily, communications are the others). The claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others

68
Q

Information Security

A

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse.

Also the process of assessing threats and risks to information

69
Q

Model Code for the Protection of Personal Information

A

A set of privacy principles developed by the Canadian Standards Association, that parallel the OECD’s Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data with 10 principles:
1. Accountability
2. Identifying Purpose
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

70
Q

Multi-Factor Authentication

A

An authentication process that requires more than one verification method (see authentication) such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number

71
Q

OECD Guidelines

A

First released in 1980, then updated in 2013, these guidelines represent the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries.

The principles include:
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability

72
Q

Omnibus Laws

A

Distinguished from sectoral laws, omnibus laws are those that cover a broad spectrum of orgs, rather than simply a certain market sector or population

73
Q

Online Behavioral Advertising

A

Websites that engage in tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking

74
Q

Online Privacy Alliance

A

A coalition composed of numerous online companies and trade associations specifically established to encourage the self-regulation of online privacy. The OPA introduced the Online Privacy Guidelines.

75
Q

Openness

A

A fair information practices principle. There should be a general policy of openness about developments, practices and policies with respect to personal data.

There should be means to establish the existence and nature of personal data, the main purposes of its use, as well as the identity and usual residence of the data controller. Closely linked with transparency

76
Q

Opt-In

A

A central concept of choice - it means an individual makes an active affirmative indication of choice (e.g. checking a box signaling a desire to share his or her information with peers)

77
Q

Opt-Out

A

Another central concept of choice. It means an individual’s lack of action implies a choice has been made (e.g. unless an individual checks a box, their information will be shared with third parties)

78
Q

Organization for Economic Cooperation and Development (OECD)

A

International Org that promotes policies designed to achieve the highest sustainable economic growth, employment and rising standard of living in both member and non-member countries

79
Q

Outsourcing

A

Contracting business processes, which may include the processing of personal information, to third parties

80
Q

Perimeter Controls

A

Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside

Associated Terms: Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Internet Protocol Security (IPSEC), Secure Sockets Layer (SSL)

81
Q

Personal Data

A

The predominant term for personal information in the EU, defined broadly in the GDPR as any information relating to an identified or identifiable natural person

82
Q

Personal Information

A

A synonym for “personal data” - a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer

83
Q

Personal Information Protection and Electronic Documents Act - Goals

A

  1. Instill trust in electronic commerce and private sector transactions for citizens
  2. Establish a level playing field where the same marketplace rules apply to all businesses

84
Q

POST Method

A

The POST HTML method is more secure than the GET method (the GET method appends the form data to the URL, so passwords and other sensitive info may be visible in the browser’s address bar)

85
Q

The Privacy Act (Canadian)

A

Enacted in 1983, the Act sets out how institutions of the federal government must deal with personal information of individuals. It has been revised by many minor amendments, but remains substantially unaltered

86
Q

Privacy Breach

A

A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial legislation

87
Q

Privacy Breach Response

A

Drafted in 2007. Four steps:
1. Containment of the breach and preliminary assessment
2. Evaluating the associated risks
3. Notifying affected parties
4. Taking adequate steps to prevent future breaches

88
Q

Privacy by Design

A

Synonym for Data Protection by Design - outlined in a framework from the mid-1990s by Privacy Commissioner of Ontario

89
Q

Privacy by Design - The 7 Principles

A

  1. Proactive not Reactive - Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy embedded into Design
  4. Full Functionality - Positive-sum, not Zero Sum
  5. End-to-End security - Full Lifecycle protection
  6. Visibility and Transparency - Keep it Open
  7. Respect for User Privacy - Keep it User-Centric

90
Q

Privacy Commissioner of Canada

A

Individual mandated by PIPEDA to enforce the act. The commissioner has broad power to examine documents, but some docs may be shielded by solicitor-client privilege.

The commissioner conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued.

Aggrieved individuals have a right to complain to the commissioner

91
Q

Privacy Impact Assessments

A

The Canadian government requires all gov’t institutions subject to the Privacy Act to conduct these assessments.

The purpose of a PIA is to evaluate whether programs/services that involve the collection, use, or disclosure of personal information are in compliance with statutory obligations

92
Q

Privacy Notice

A

A statement made to a data subject that describes how an org collects, uses, retains and discloses personal information.

AKA privacy statement, fair processing statement, or privacy policy.

Many global privacy laws require privacy notices.

93
Q

Privacy of the person

A

Protects bodily integrity, and in particular the right not to have our bodies touched or explored to disclose objects or matters we wish to conceal

94
Q

Privacy Officer

A

General term in many orgs for the head of privacy compliance and operations.

In the US federal gov’t, the term for the official responsible for privacy and confidentiality efforts within a department.

95
Q

Privacy Policy

A

A statement that governs an org’s handling of personal info.

Directed at those members of the org who might handle or make decisions relating to personal information.

AKA Data protection policy.

96
Q

Professional Regulatory Body

A

Body established pursuant to an act under which a professional group is organized.

Provides regulation of the members of the profession

97
Q

Public Records

A

Information collected and maintained by a government entity and available to the general public

98
Q

Radio-Frequency Identification (RFID)

A

Tech that uses radio waves to identify people or objects carrying encoded microchips

99
Q

Re-identification

A

Reattaching identifying characteristics to pseudonymized or de-identified data.

Often invoked as a “risk of re-identification” which would nullify the de-identification actions previously applied to data.

100
Q

Rectification

A

Individual right to have personal data corrected or amended by a business or other org if it is inaccurate - associated with principle of Access

101
Q

Retention

A

Concept that orgs should retain personal information only as long as necessary to fulfill the stated purpose

102
Q

Right of Access

A

Individual’s right to request and receive their personal data from an org

103
Q

Right to Correct

A

Right for individuals to correct or amend information about themselves that is inaccurate

104
Q

Seal Programs

A

Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance.

Companies that abide by the terms of the seal program are allowed to display the program’s seal on their website

105
Q

Sectoral Laws/Model

A

Laws that exist only in areas where the legislative body has found a particular need

106
Q

Semayne’s Case

A

Case recognized as establishing the “knock and announce rule”, an important concept relating to privacy in one’s home and 4th amendment search and seizure jurisprudence in the US

107
Q

Senate (Canadian)

A

One of two chambers of the Canadian Parliament - Senators are appointed by the Governor in Council based on recommendations of the Prime Minister

108
Q

Sensitive Personal Information

A

Data which is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information. Data may be considered more or less sensitive depending on context or jurisdiction.

Recently the FTC classified TV-viewing data as “sensitive”

109
Q

SPAM

A

Unsolicited commercial e-mail

110
Q

Technology-based Model

A

Utilizes technological security measures to protect individuals’ personal data.

It is commonplace for companies to use tech to protect data, but consumers are also able to buy tech which establishes privacy protections for their own online activity

111
Q

Territorial Privacy

A

One of four classes of privacy (information privacy, bodily privacy, and communications are the others).

Concerned with placing limitations on the ability of one person to intrude into another individual’s environment. That environment may be the home, workplace or a public space, and environmental considerations can extend internationally.

Typical invasions of this privacy may be video surveillance, ID checks and use of similar tech and procedures.

112
Q

Transfer

A

Movement of personal data from one org to another

113
Q

Transparency

A

Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible, and easily accessible form, using clear and plain language

114
Q

Universal Declaration of Human Rights

A

Also called the Human Rights Declaration, the declaration recognized the universal values and traditions of inherent dignity, freedom, justice and peace. Adopted in 1948.

Declared “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”.

Article 12 of the Declaration describes both territorial and communications notions of privacy

115
Q

Value-Added Services

A

Telecom term for non-core services.

More broadly used in the service sector to refer to services available at little or no cost that promote businesses.

For mobile phones, SMS, MMS, and GPRS are usually considered value-add, but a distinction may be made between standard (peer-to-peer) content and premium-charged content

Mobile Value-Added Services (MVAS), sometimes called VAs, are supplied in-house by the mobile network operator or by a third-party service provider (VASP, AKA Content Provider or CP).

VASPs typically connect to the operator using protocols like the short message peer-to-peer protocol (SMPP), either directly to the short message service center (SMSC) or to a messaging gateway with better control of content

116
Q

Video Surveillance Guidelines

A

Guidelines discouraging video as an initial security option with the following constraints:
1. Video should be taken only in the absence of less intrusive alternatives;
2. The use should be disclosed to the public;
3. Individuals should have access to their personal information;
4. Video surveillance should be subject to independent audit;
5. Fair information practices should be respected

117
Q

Work Product Information

A

Canadian term referring to information about an individual that is related to that person’s position, functions, and/or performance of his or her job.

Not defined in PIPEDA - the OPC has decided that work product may at times fall under the definition of personal information; access to such information is addressed on a case-by-case basis