Glossary Flashcards
Accountability
The implementation of appropriate technical and organizational measures to demonstrate that handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks.
Accountability is a fair information practices principle that due diligence and reasonable steps will be taken to ensure personal information will be protected and handled consistently with the law and other fair use principles.
Act Respecting the Protection of Personal Information in the Private Sector
A QC privacy law that is similar to PIPEDA
Came into force in 1994 and espouses three principles:
1. Every person who establishes a file on another person must have a serious and legitimate reason for doing so;
2. The person establishing the file may not deny the individual concerned access to the information contained in the file;
3. The person must also respect certain rules relating to collection, storage, use and communication of information
Adequate Level of Protection
A transfer of PI from the EU to a 3rd country or international org may take place where the European Commission has decided that the 3rd party ensures an adequate level of protection, taking into account the following:
A. The rule of law, respect for Human Rights and fundamental freedoms, general and sectoral regulations, data protection rules and security measures, effective and enforceable data subject rights and effective redress for data subjects
B. The existence of independent supervisory authorities with responsibility for ensuring compliance with data protection rules; and
C. The international commitments the 3rd party/nation has entered into in relation to the protection of data
Administrative Purpose
The use of personal information about an individual in Canada in a decision-making process that directly affects that individual
Adverse Action
Under the Fair Credit Reporting Act, “adverse action” means all business, credit and employment actions affecting consumers that can be considered to have a negative impact.
Examples: denying or cancelling credit or insurance, denying employment or promotion.
No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
Adverse action requires the decision-maker to provide the recipient with a copy of the credit report
Alberta PIPA
Privacy law in Alberta, similar to PIPEDA, that came into force in 1994
Unlike PIPEDA, this act clearly applies to employee information
American Institute of Certified Public Accountants
US professional org (AICPA); co-creator of the WebTrust Seal program
APEC Privacy Principles
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation that mirror the OECD Fair Information Privacy Practices.
They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs
Authentication
The process by which an entity determines whether another entity is who it claims to be
Background Screening/Checks
Orgs may want to verify an applicant’s ability to function in the working environment as well as assuring the safety/security of existing workers
Checks range from checking educational background to checking on past criminal activity
Employee consent requirements vary by jurisdiction
BC PIPA
Privacy law in BC, similar to PIPEDA, came into force in 2004.
Unlike PIPEDA, clearly applies to employee information
Behavioral Advertising
Advertising targeted at individuals based on observations of their behaviour over time.
Most often done via automated processing of personal data. GDPR requires that people be able to opt-out of any automated processing, be informed of the logic involved in any automatic personal data processing, and be informed of the consequences of such processing.
If cookies are used to store or access info for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent after having been provided with clear and comprehensive information
Bodily Privacy
One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy.
Focuses on person’s physical being and any invasion thereof.
Such an invasion can take the form of genetic testing, drug testing or body cavity searches
Breach Disclosure / Breach Notification
The requirement that an org notify regulators and/or victims of incidents affecting the confidentiality and security of personal data.
Requirements vary by jurisdiction.
A transparency mechanism that highlights operational failures, which helps mitigate damage and aids in understanding of causes of failure.
Canada’s Anti-Spam Legislation
CASL applies to all forms of electronic messaging. Requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with.
Typically, consent from recipient must be obtained before a CEM is sent (although there are exceptions)
Canadian Institute of Chartered Accountants
CICA, pursuant to the 2006 Protocol, is entrusted with providing strategic leadership, standard setting and communications for the Canadian CA profession.
Canadian Organization for the Advancement of Computers in Health
COACH is a health informatics association whose mission is to promote health technology systems and the effective use of health information
In 2013 published the Guidelines for Protection of Health Information
In 2017 became “Digital Health Canada”
Canadian Standards Association
Non-profit org that developed its own set of privacy principles and broke OECD’s code into ten principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
These 10 principles would go on to be mentioned in PIPEDA
CCTV
Shorthand for any video surveillance system. Today, most are hosted via TCP/IP networks and can be accessed remotely, eliciting new and different privacy concerns.
Charter Rights
Rights created by the Canadian Charter of Rights and Freedoms. Privacy rights are located in s. 7, life, liberty and security of the person.
Children’s Online Privacy Protection Act (COPPA) of 1998
US federal law applying to websites directed at children under the age of 13, as well as to general audience websites that have knowledge they are collecting info from children.
Requires a privacy notice, notice to parents about collection practices, obtaining consent before collecting personal information, a choice about whether info will be shared with 3rd parties, parental access to the child’s personal info and the opportunity to delete it, and the ability to opt-out
Choice
In the context of consent, refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice, consent is unlikely to be deemed valid under the GDPR
Collection Limitation
A fair information practices principle, means there should be limits to collection of personal data.
Any data should be obtained by lawful and fair means, with the knowledge and consent of the data subject (where appropriate)
Commercial Activity
Under PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct that is of a commercial character.
This includes the selling, bartering, or leasing of donor, membership or other fundraising lists.
Non-profit associations, unions and private schools are likely to not be considered “commercial activity”
Commercial Electronic Message
Any form of electronic messaging, including e-mail, SMS text, and messages sent via social network where it would be reasonable to conclude its purpose is to encourage participation in a commercial activity.
Acronym: CEM.
Communications Privacy
One of the four classes of privacy (information, bodily and territorial are the others).
Includes protection of the means of correspondence, postal mail, telephone conversations, e-mail and other forms of communicative behavior and apparatus
Comprehensive Laws
Laws that govern the collection, use and dissemination of personal information in the public and private sectors
Computer Forensics
The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.
Confidentiality
Data is “confidential” if it is protected against unauthorised or unlawful processing.
GDPR requires an org be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for additional security.
GDPR requires that persons authorized to process personal data have committed themselves to confidentiality
Consent
One of the fair information practices.
Individuals must be able to prevent the collection of their PI, unless disclosure is required by law. Consent is the individual’s way of giving permission for use or disclosure.
Consent may be affirmative (opt-in) or implied (did not opt-out)
Convention 108
Legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information
Cookie
A small text file stored on a client machine that may be retrieved by a web server. Cookies allow servers to track user’s browser activities.
May be “first party” if they are placed by website that is visited, or “third party” if they are placed by a party other than the website.
GDPR lists “persistent cookies” that aren’t deleted when a session ends as an example of personal information.
GDPR and ePrivacy Directive regulate the use of cookies
CSA Privacy Principles
The 10 privacy principles of the Canadian Standards Association, based on the OECD guidelines and the basis of PIPEDA.
- Accountability
- Identifying purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Customer Access
Customer ability to access personal information collected on them as well as review, correct or delete any incorrect info
Customer Information
In contrast to employee information, customer info includes data relating to the clients of private-sector orgs, patients within the healthcare sector and general public (in the context of public-sector agencies that provide services)
Data Breach
The unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a data collector.
Breaches do not include good faith acquisitions of PI by an employee or agent of the data collector for a legitimate purpose, provided the PI isn’t used for a purpose unrelated to the business or subject to further unauthorized disclosure
Data Controller
The person/public authority/agency which determines the purposes and means of processing personal data.
Data Elements
A unit of data that cannot be broken down further or has a distinct meaning.
Examples: date of birth, numerical identifier, location coordinates.
Data elements in isolation may not be personal data, but, when combined, become personally identifiable and therefore are personal data
Data Processing
Any operation performed on personal data, such as collection, recording, organizing, structuring, storage, retrieval, etc.
Data Processor
Any person (other than employee of the data controller) which processes personal data on behalf of the controller. An org can be a processor and controller at the same time.
Data Protection Authority
Independent public authorities that supervise the application of data protection laws (particularly in the EU).
DPAs provide advice and field complaints from individuals alleging violations of the GDPR.
DPAs can impose fines that total 4% of a company’s global annual revenue.
Data Quality
A fair information practices principle - personal data should be relevant to the purposes for which it is used, and should be accurate, complete, and kept up-to-date.
Four criteria:
1. Does it meet the business needs?
2. Is it accurate?
3. Is it complete?
4. Is it recent?
Data Recipient
A person to whom personal data is disclosed.
Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients; processing of data by those public authorities shall be in compliance with applicable rules according to the purposes of the processing.
Data Subject
An identified or identifiable natural person
De Novo
Latin meaning “from the beginning” - a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.
In Canada, the Federal Court will hear privacy complaints de novo (not basing their decision on OPC findings)
Direct marketing
When the seller directly contacts an individual, in contrast to marketing through mass media like
Do Not Track
Proposed regulatory policy, similar to existing Do Not Call Registry in the US, which would allow users to opt-out of web-usage tracking
AKA DNT
Electronic Communications Network (ECN)
Transmission systems and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks.
In discussions surrounding update of the ePrivacy Directive, “over the top” providers like app-based messaging services are beginning to be considered as part of the ECN
Electronic Communications Service (ECS)
Any service which provides to users the ability to send or receive wire/electronic communications
Electronic Health Record
Computer record of individual’s medical file that may be shared across multiple healthcare settings.
EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, etc.
Accessibility and standardization can facilitate large-scale data collection for researchers
Employee Information
Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating an employment/volunteer relationship.
Does not include personal information about the individual that is unrelated to that relationship.
Employee Personal Data
Article 88 of the GDPR recognises that member states may provide for more specific rules around processing employees’ personal data.
Rules must include suitable and specific measures to safeguard subject’s human dignity, legitimate interests and fundamental rights, with regard to transparency of processing, transfer of personal data within an undertaking
Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data
Encryption
The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge (i.e. the use of decryption keys).
Encryption mentioned in GDPR as a potential way to mitigate risk. Certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed
EU Data Protection Directive
Replaced by the General Data Protection Regulation in 2018. The directive was adopted in 1995, became effective in 1998, and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
European Commission
The executive body of the EU. Main function is to implement the EU’s decisions and policies, along with other functions.
Responsible for making adequacy determinations with regard to data transfers to third-party countries
The Fair Credit Reporting Act
FCRA - enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability to access and correct their information, and limit the use of consumer reports to permissible purposes
Federal Trade Commission
US Primary consumer protection agency; the FTC collects complaints about companies, business practices and identity theft.
Section 5 of the FTC Act prohibits unfair and deceptive trade practices.
Generally Accepted Privacy Principles (GAPP)
Framework promulgated by the AICPA and CICA. Ten principles are:
1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use and retention
6. Access
7. Disclosure to third parties
8. Security for privacy
9. Quality
10. Monitoring and enforcement
GET Method
GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs, allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and it is thus less secure than the POST method
Global Privacy Enforcement Network
Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws.
Collection of Data Protection Authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and support of joint enforcement initiatives and awareness campaigns
As of 2018, GPEN counted 50 member countries
House of Commons
One of two chambers of the Canadian Parliament, along with the Senate. Members of the HoC are elected at least every five years
Identifying Purposes
Orgs are obligated to identify and document the purposes for the collection of any personal information at or before the time of collection.
Individual Access
One of 10 privacy principles in PIPEDA. Orgs must be able to respond to requests from individuals for access to their personal information
Individual Participation
It is a fair information practices principle that an individual should have the right:
a) to obtain confirmation of whether a data controller has data relating to them;
b) to have data relating to them communicated to them within a reasonable time frame;
c) to be given reasons if a request made under a/b above is denied; and to be able to challenge a denial; and
d) to challenge data relating to them, and have data erased, rectified, completed or amended
Information Banks
Repositories of personal information kept by the Canadian Government to comply with the Privacy Act
Information Life Cycle
Data has different value, and requires different approaches, as it moves through an org from collection to deletion.
Collection -> Processing -> Use -> Disclosure -> Retention -> Destruction
Information Privacy
One of four classes of privacy (territorial, bodily, communications are the others). The claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others
Information Security
The protection of information for the purposes of preventing loss, unauthorized access and/or misuse.
Also the process of assessing threats and risks to information
Model Code for the Protection of Personal Information
A set of privacy principles developed by the Canadian Standards Association, that parallel the OECD’s Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data with 10 principles:
1. Accountability
2. Identifying Purpose
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Multi-Factor Authentication
An authentication process that requires more than one verification method (see authentication) such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number
OECD Guidelines
First released in 1980, then updated in 2013, these guidelines represent the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries.
The principles include:
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
Omnibus Laws
Distinguished from sectoral laws, omnibus laws are those that cover a broad spectrum of orgs, rather than simply a certain market sector or population
Online Behavioral Advertising
Websites that engage in tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking
Online Privacy Alliance
A coalition composed of numerous online companies and trade associations specifically established to encourage the self-regulation of online privacy. The OPA introduced the Online Privacy Guidelines.
Openness
A fair information practices principle. There should be a general policy of openness about developments, practices and policies with respect to person data.
Should have means to establish the existence and nature of personal data, the main purposes of their use, as well as the identity and usual residence of the data controller. Closely linked with transparency
Opt-In
A central concept of choice - it means an individual makes an active affirmative indication of choice (e.g. checking a box signaling a desire to share his or her information with peers)
Opt-Out
Another central concept of choice. It means an individual’s lack of action implies a choice has been made (e.g. unless an individual checks a box, their information will be shared with third parties)
Organization for Economic Cooperation and Development (OECD)
International Org that promotes policies designed to achieve the highest sustainable economic growth, employment and rising standard of living in both member and non-member countries
Outsourcing
Contracting business processes, which may include the processing of personal information, to third parties
Perimeter Controls
Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside
Associated Terms: Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Internet Protocol Security (IPsec), Secure Sockets Layer (SSL)
Personal Data
The predominant term for personal information in the EU, defined broadly in the GDPR as any information relating to an identified or identifiable natural person
Personal Information
A synonym for “personal data” - a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer
Personal Information Protection and Electronic Documents Act - Goals
- Instill trust in electronic commerce and private sector transactions for citizens
- Establish a level playing field where the same marketplace rules apply to all businesses
POST Method
POST HTML method is more secure than GET Method (GET Method appends the form data to the URL, so passwords and other sensitive info may be visible in the browser’s address bar)
The Privacy Act (Canadian)
Enacted in 1983, the Act sets out how institutions of the federal government must deal with personal information of individuals. It has been revised by many minor amendments, but remains substantially unaltered
Privacy Breach
A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial legislation
Privacy Breach Response
Drafted in 2007. Four steps:
1. Containment of the breach and preliminary assessment
2. Evaluating the associated risks
3. Notifying affected parties
4. Taking adequate steps to prevent future breaches
Privacy by Design
Synonym for Data Protection by Design - outlined in a framework from the mid-1990s by Privacy Commissioner of Ontario
Privacy by Design - The 7 Principles
- Proactive not Reactive - Preventative not Remedial
- Privacy as the Default Setting
- Privacy embedded into Design
- Full Functionality - Positive-sum, not Zero Sum
- End-to-End security - Full Lifecycle protection
- Visibility and Transparency - Keep it Open
- Respect for User Privacy - Keep it User-Centric
Privacy Commissioner of Canada
Individual mandated by PIPEDA to enforce the act. The commissioner has broad power to examine documents, but some docs may be shielded by solicitor-client privilege.
Commissioner conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued.
Aggrieved individuals have a right to complain to the commissioner
Privacy Impact Assessments
Canadian government requires all gov’t institutions subject to the Privacy Act to conduct these assessments.
Purpose of PIA is to evaluate whether program/services that involve the collection, use, or disclosure of personal information are in compliance with statutory obligations
Privacy Notice
A statement made to a data subject that describes how an org collects, uses, retains and discloses personal information.
AKA privacy statement, fair processing statement, or privacy policy.
Many global privacy laws require privacy notices.
Privacy of the person
Protects bodily integrity, and in particular the right not to have our bodies touched or explored to disclose objects or matters we wish to conceal
Privacy Officer
General term in many orgs for the head of privacy compliance and operations.
In US federal gov’t, term for official responsible for privacy and confidentiality efforts within a department.
Privacy Policy
A statement that governs an org’s handling of personal info.
Directed at those members of the org who might handle or make decisions relating to personal information.
AKA Data protection policy.
Professional Regulatory Body
Body enacted pursuant to an act under which a professional group is organized.
Provides regulation of the members of the profession
Public Records
Information collected and maintained by a government entity and available to the general public
Radio-Frequency Identification (RFID)
Tech that uses radio waves to identify people or objects carrying encoded microchips
Re-identification
Reattaching identifying characteristics to pseudonymized or de-identified data.
Often invoked as a “risk of re-identification” which would nullify the de-identification actions previously applied to data.
Rectification
Individual right to have personal data corrected or amended by a business or other org if it is inaccurate - associated with principle of Access
Retention
Concept that orgs should retain personal information only as long as necessary to fulfill the stated purpose
Right of Access
Individual’s right to request and receive their personal data from an org
Right to Correct
Right for individuals to correct or amend information about themselves that is inaccurate
Seal Programs
Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance.
Companies that abide by the terms of the seal program are allowed to display the program’s seal on their website
Sectoral Laws/Model
Laws that exist only in areas where the legislative body has found a particular need
Semayne’s Case
Case recognized as establishing the “knock and announce rule”, an important concept relating to privacy in one’s home and Fourth Amendment search and seizure jurisprudence in the US
Senate (Canadian)
One of two chambers of Canadian Parliament - Senators are appointed by governor in council based on recommendations of the Prime Minister
Sensitive Personal Information
Data which is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information. Data may be considered more or less sensitive depending on context or jurisdiction.
Recently the FTC classified TV-viewing data as “sensitive”
SPAM
Unsolicited commercial e-mail
Technology-based Model
Utilizes technological security measures to protect individuals’ personal data.
Commonplace for companies to use tech to protect data; consumers are also able to buy tech which establishes privacy protections for their own online activity
Territorial Privacy
One of four classes of privacy (information privacy, bodily privacy, and communications are the others).
Concerned with placing limitations on the ability of one to intrude into another individual’s environment. That environment may be the home, workplace or a public space, and environmental considerations can extend internationally.
Typical invasions of this privacy may be video surveillance, ID checks and use of similar tech and procedures.
Transfer
Movement of personal data from one org to another
Transparency
Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible, and easily accessible form, using clear and plain language
Universal Declaration of Human Rights
Also called the Human Rights Declaration, the declaration recognized the universal values and traditions of inherent dignity, freedom, justice and peace. Adopted in 1948.
Declared “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”.
Article 12 of the Declaration describes both territorial and communications notions of privacy
Value-Added Services
Telecom term for non-core services.
More broadly used in service sector to refer to services available at little or no cost that promote businesses.
For mobile phones, SMS, MMS, and GPRS are usually considered value-add, but distinction may be made between standard (peer-to-peer) content and premium-charged content
Mobile Value-Added Services (MVAS), sometimes called VAS, are supplied in-house by the mobile network operator or by a third party service provider (VASP, AKA Content Provider or CP).
VASPs typically connect to the operator using protocols like the short message peer-to-peer protocol (SMPP), either directly to the short message service center (SMSC) or to a messaging gateway, which gives better control of content
Video Surveillance Guidelines
Guidelines discouraging video as an initial security option with the following constraints:
1. Video should be taken only in the absence of less intrusive alternatives;
2. The use should be disclosed to the public;
3. Individuals should have access to their personal information;
4. Video surveillance should be subject to independent audit;
5. Fair information practices should be respected
Work Product Information
Canadian term referring to information about an individual that is related to that person’s position, functions, and/or performance of his or her job.
Not defined in PIPEDA - OPC has decided that work product may at times fall under the definition of personal information; access to such information addressed on a case-by-case basis