Glossary

Question 1

Accountability

Answer 1

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Question 2

Active Scanning Tools

Answer 2

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.

Question 3

American Institute of Certified Public Accountants

Answer 3

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust

Question 4

Anonymization

Answer 4

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.
Associated law(s):Anonymous Data, De-Identification, Mircodata Sets, Re-identification

Question 5

APEC Privacy Principles

Answer 5

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Question 6

Assess

Answer 6

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.
Associated term(s): Privacy Operational Life Cycle; Protect; Sustain; Respond

Question 7

Audit Life Cycle

Answer 7

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Question 8

Behavioral Advertising

Answer 8

Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Acronym(s): OBA
Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising

Question 9

Binding Corporate Rules

Answer 9

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.
Acronym(s): BCR

Question 10

Bureau of Competition

Answer 10

The United States’ Federal Trade Commission’s Bureau of Competition enforces the nation’s antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.
Associated term(s): Bureau of Consumer Protection; Bureau of Economics

Question 11

Bureau of Consumer Protection

Answer 11

The United States’ Federal Trade Commission’s Bureau of Consumer Protection stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.
Associated term(s): Bureau of Competition; Bureau of Economics

Question 12

Bureau of Economics

Answer 12

The United States’ Federal Trade Commission’s Bureau of Economics helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers.
Associated term(s): Bureau of Competition; Bureau of Consumer Protection

Question 13

Business case

Answer 13

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

Question 14

Business Continuity and Disaster Recovery Plan

Answer 14

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.
Acronym(s): BCDR

Question 15

Business Continuity Plan

Answer 15

The business continuity plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a BCP often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.
Acronym(s): BCP

Question 16

Canadian Institute of Chartered Accountants

Answer 16

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications
Acronym(s): CICA

Question 17

Centralized governance

Answer 17

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.

Question 18

Children’s Online Privacy Protection Act (COPPA) of 1998

Answer 18

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Acronym(s): COPPA

Question 19

Choice

Answer 19

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
Associated term(s): Consent

Question 20

CIA Triad

Answer 20

Also known as information security triad; three common information security principles from the 1960s: Confidentiality, integrity, availability.
Associated term(s): Information Security Triad

Question 21

Collection Limitation

Answer 21

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Question 22

Consent

Answer 22

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.
(1) Affirmative/Explicit Consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Associated term(s): Choice

Question 23

Consumer Reporting Agency

Answer 23

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
Acronym(s): CRAs
Associated term(s): Credit Reporting Agency

Question 24

Current baseline

Answer 24

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

Question 25

Cyber liability insurance

Answer 25

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. Cyber liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

Question 26

Data Breach

Answer 26

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
Associated term(s): Breach, Privacy Breach (Canadian)

Question 27

Data Controller

Answer 27

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Associated term(s): Data Processor

Question 28

Data Inventory

Answer 28

Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

Question 29

Data Life Cycle Management

Answer 29

Also known as Information Life Cycle Management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.
Acronym(s): DLM; ILM
Associated term(s): Information Life Cycle Management

Question 30

Data Minimization Principle

Answer 30

The idea that one should only collect and retain that personal data which is necessary.
Link to text of law: Directive 95/46/EC
Link to text of law: Regulation EC (No) 45/2001

Question 31

Data Protection Authority

Answer 31

Independent public authorities that supervise the application of data protection laws in the EU. DPAs provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own DPA. Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines that total 4% of a company’s global annual revenue.
Acronym(s): DPA

Question 32

Data Protection Impact Assessment

Answer 32

The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide. It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimise the risk of those impacts. DPIAs are required by the General Data Protection Regulation in some instances, particularly where a new product or service is likely to result in a high risk to the rights and freedoms of natural persons.
Acronym (s): DPIA
Associated term(s): Privacy Impact Assessments (PIAs)

Question 33

Data Quality

Answer 33

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Question 34

Decentralized Governance

Answer 34

Also known as “local governance,” this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.
Associated term(s): Local Governance

Question 35

Direct Marketing

Answer 35

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Question 36

Do Not Track

Answer 36

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.
Acronym(s): DNT

Question 37

Electronic Communications Privacy Act of 1986

Answer 37

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.
Link to text of law: Electronic Communications Privacy Act of 1986
Acronym(s): ECPA
Associated law(s): Stored Communications Act, Stored Wire Electronic Communications Act, USA Patriot Act

Question 38

EU Data Protection Directive

Answer 38

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
Associated term(s): Data Protection Directive

Question 39

Five-Step Metric Life Cycle

Answer 39

See Metrics

Question 40

Gap Analysis

Answer 40

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.

Question 41

Generally Accepted Privacy Principles

Answer 41

A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.
Acronym(s): GAPP

Question 42

Gramm-Leach-Bliley Act

Answer 42

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt-out of some sharing of personal financial information.
Link to text of law: Gramm-Leach-Bliley Act
Acronym(s): GLBA

Question 43

Health Insurance Portability and Accountability Act, The

Answer 43

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.
Link to text of law: The Health Insurance Portability and Accountability Act
Acronym(s): HIPAA
Related terms: HITECH, The Privacy Rule, The Security Rule

Question 44

Hybrid Governance

Answer 44

This privacy governance model allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body.

Question 45

Individual Participation

Answer 45

It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Associated term(s): FIPs

Question 46

Information Life Cycle

Answer 46

The information life cycle recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction.

Question 47

Information Life Cycle Management

Answer 47

Also known as data life cycle management (DLM) or data governance, ILM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. ILM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.
Acronym(s): DLM, ILM
Associated term(s): Data Life Cycle Management

Question 48

Information Security Practices

Answer 48

Provide management, technical and operational controls to reduce probable damage, loss, modification or unauthorized data access.

Question 49

Information Security Triad

Answer 49

Also known as “the C-I-A triad”; consists of three common information security principles: Confidentiality, integrity, and availability.
Associated law(s): C-I-A Triad

Question 50

Internal Partners

Answer 50

Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology.

Question 51

Jurisdiction

Answer 51

The authority of a court to hear a particular case. Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject-matter to which such authority applies.

Question 52

Local Governance

Answer 52

Also known as “decentralized governance,” this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.
Associated term(s): Decentralized Governance

Question 53

Metric Life Cycle

Answer 53

The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of a 5-step process: (1) Identification of the intended audience; (2) Definition of data sources; (3) Selection of privacy metrics; (4) Collection and refinement of systems/application collection points; and (5) Analysis of the data/metrics to provide value to the organization and provide a feedback quality mechanism.