Glossary Flashcards

1
Q

Accountability

A

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

2
Q

Active Scanning Tools

A

DLP network, storage, scanning and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and to block e-mail or file transfers based on the data category and definitions.

3
Q

American Institute of Certified Public Accountants

A

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust

4
Q

Anonymization

A

The process in which individually identifiable data is altered in such a way that it can no longer be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization: it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that none of these processes guarantees that data is no longer identifiable, and they have to be performed in a way that does not harm the usability of the data.
Associated term(s): Anonymous Data, De-Identification, Microdata Sets, Re-identification

5
Q

APEC Privacy Principles

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on the OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

6
Q

Assess

A

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.
Associated term(s): Privacy Operational Life Cycle; Protect; Sustain; Respond

7
Q

Audit Life Cycle

A

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

8
Q

Behavioral Advertising

A

Advertising that is targeted at individuals based on the observation of their behaviour over time. It is most often done via automated processing of personal data, or profiling; the General Data Protection Regulation requires that data subjects be able to opt out of any automated processing, be informed of the logic involved in any automatic personal data processing and, at least when it is based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Acronym(s): OBA
Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising

9
Q

Binding Corporate Rules

A

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.
Acronym(s): BCR

10
Q

Bureau of Competition

A

The United States’ Federal Trade Commission’s Bureau of Competition enforces the nation’s antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.
Associated term(s): Bureau of Consumer Protection; Bureau of Economics

11
Q

Bureau of Consumer Protection

A

The United States’ Federal Trade Commission’s Bureau of Consumer Protection stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.
Associated term(s): Bureau of Competition; Bureau of Economics

12
Q

Bureau of Economics

A

The United States’ Federal Trade Commission’s Bureau of Economics helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers.
Associated term(s): Bureau of Competition; Bureau of Consumer Protection

13
Q

Business case

A

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

14
Q

Business Continuity and Disaster Recovery Plan

A

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.
Acronym(s): BCDR

15
Q

Business Continuity Plan

A

The business continuity plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a BCP often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.
Acronym(s): BCP

16
Q

Canadian Institute of Chartered Accountants

A

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership and co-ordination of common critical functions: strategic planning, protection of the public and ethics, education and qualification, standard setting and communications.
Acronym(s): CICA

17
Q

Centralized governance

A

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.

18
Q

Children’s Online Privacy Protection Act (COPPA) of 1998

A

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Acronym(s): COPPA

19
Q

Choice

A

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
Associated term(s): Consent

20
Q

CIA Triad

A

Also known as information security triad; three common information security principles from the 1960s: Confidentiality, integrity, availability.
Associated term(s): Information Security Triad

21
Q

Collection Limitation

A

A fair information practices principle stating that there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

22
Q

Consent

A

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has a choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative (i.e., opt-in) or implied (i.e., the individual didn’t opt out).
(1) Affirmative/Explicit Consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Associated term(s): Choice

23
Q

Consumer Reporting Agency

A

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
Acronym(s): CRAs
Associated term(s): Credit Reporting Agency

24
Q

Current baseline

A

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

25
Q

Cyber liability insurance

A

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. Cyber liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

26
Q

Data Breach

A

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
Associated term(s): Breach, Privacy Breach (Canadian)

27
Q

Data Controller

A

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Associated term(s): Data Processor

28
Q

Data Inventory

A

Also known as a record of authority, a data inventory identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

29
Q

Data Life Cycle Management

A

Also known as Information Life Cycle Management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.
Acronym(s): DLM; ILM
Associated term(s): Information Life Cycle Management

30
Q

Data Minimization Principle

A

The idea that one should only collect and retain that personal data which is necessary.
Link to text of law: Directive 95/46/EC
Link to text of law: Regulation EC (No) 45/2001

31
Q

Data Protection Authority

A

Independent public authorities that supervise the application of data protection laws in the EU. DPAs provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own DPA. Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines that total 4% of a company’s global annual revenue.
Acronym(s): DPA

32
Q

Data Protection Impact Assessment

A

The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide. It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimise the risk of those impacts. DPIAs are required by the General Data Protection Regulation in some instances, particularly where a new product or service is likely to result in a high risk to the rights and freedoms of natural persons.
Acronym(s): DPIA
Associated term(s): Privacy Impact Assessments (PIAs)

33
Q

Data Quality

A

A fair information practices principle stating that personal data should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs? Is it accurate? Is it complete? Is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

34
Q

Decentralized Governance

A

Also known as “local governance,” this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.
Associated term(s): Local Governance

35
Q

Direct Marketing

A

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

36
Q

Do Not Track

A

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.
Acronym(s): DNT

37
Q

Electronic Communications Privacy Act of 1986

A

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.
Link to text of law: Electronic Communications Privacy Act of 1986
Acronym(s): ECPA
Associated law(s): Stored Communications Act, Stored Wire Electronic Communications Act, USA PATRIOT Act

38
Q

EU Data Protection Directive

A

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
Associated term(s): Data Protection Directive

39
Q

Five-Step Metric Life Cycle

A

See Metrics

40
Q

Gap Analysis

A

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.

41
Q

Generally Accepted Privacy Principles

A

A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.
Acronym(s): GAPP

42
Q

Gramm-Leach-Bliley Act

A

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt-out of some sharing of personal financial information.
Link to text of law: Gramm-Leach-Bliley Act
Acronym(s): GLBA

43
Q

Health Insurance Portability and Accountability Act, The

A

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.
Link to text of law: The Health Insurance Portability and Accountability Act
Acronym(s): HIPAA
Related terms: HITECH, The Privacy Rule, The Security Rule

44
Q

Hybrid Governance

A

This privacy governance model allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body.

45
Q

Individual Participation

A

A fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Associated term(s): FIPs

46
Q

Information Life Cycle

A

The information life cycle recognizes that data has different value, and requires different approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: collection, processing, use, disclosure, retention, and destruction.

47
Q

Information Life Cycle Management

A

Also known as data life cycle management (DLM) or data governance, ILM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. ILM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.
Acronym(s): DLM, ILM
Associated term(s): Data Life Cycle Management

48
Q

Information Security Practices

A

Provide management, technical and operational controls to reduce probable damage, loss, modification or unauthorized data access.

49
Q

Information Security Triad

A

Also known as “the C-I-A triad”; consists of three common information security principles: Confidentiality, integrity, and availability.
Associated term(s): C-I-A Triad

50
Q

Internal Partners

A

Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology.

51
Q

Jurisdiction

A

The authority of a court to hear a particular case. Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject-matter to which such authority applies.

52
Q

Local Governance

A

Also known as “decentralized governance,” this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.
Associated term(s): Decentralized Governance

53
Q

Metric Life Cycle

A

The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of a 5-step process: (1) Identification of the intended audience; (2) Definition of data sources; (3) Selection of privacy metrics; (4) Collection and refinement of systems/application collection points; and (5) Analysis of the data/metrics to provide value to the organization and provide a feedback quality mechanism.