Glossary

Question 1

Accountability

Answer 1

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Question 2

Act Respecting the Protection of Personal Information in the Private Sector

Answer 2

A Québéquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.

Question 3

Adequate Level of Protection

Answer 3

A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.
Associated term(s): Adequacy

Question 4

Administrative Purpose

Answer 4

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.

Question 5

Adverse Action

Answer 5

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.
Associated law(s): FCRA

Question 6

Alberta PIPA

Answer 6

A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.
Link to text of law: Alberta PIPA
Associated law(s): PIPEDA

Question 7

American Institute of Certified Public Accountants

Answer 7

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust

Question 8

APEC Privacy Principles

Answer 8

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Question 9

Authentication

Answer 9

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.
Associated term(s): Authorization

Question 10

Background Screening/Checks

Answer 10

Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.

Question 11

BC PIPA

Answer 11

A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.
Link to text of law: BC PIPA
Associated law(s): PIPEDA

Question 12

Behavioral Advertising

Answer 12

Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Acronym(s): OBA
Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising

Question 13

Bodily Privacy

Answer 13

One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

Question 14

Breach Disclosure

Answer 14

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.
Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws
Associated term(s): Breach notification

Question 15

Canada’s Anti-Spam Legislation

Answer 15

Canadian anti-SPAM legislation applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.
Link to text of law: Canada’s Anti-Spam Legislation
Acronym(s): CASL

Question 16

Canadian Institute of Chartered Accountants

Answer 16

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications
Acronym(s): CICA

Question 17

Canadian Organization for the Advancement of Computers in Health

Answer 17

A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information.
Acronym(s): COACH

Question 18

Canadian Standards Association

Answer 18

A non-profit standards organization that developed its own set of privacy principles and broke the OECD’s code into ten principles: (1) Accountability; (2) Identifying purposes; (3) Consent; (4) Limiting Collection; (5) Limiting Use, Disclosure, and Retention; (6) Accuracy; (7) Safeguards; (8) Openness; (9) Individual Access; (10) Challenging Compliance. These ten principles would go on to be listed in PIPEDA.
Acronym(s): CSA
Associated term(s): CSA Privacy Principles

Question 19

CCTV

Answer 19

Originally an acronym for "closed circuit television," CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.
Associated term(s): Video Surveillance

Question 20

Charter Rights

Answer 20

Rights created by the Canadian Charter of Rights and Freedoms. They are constitutional rights and thus are considered to be the most valued rights in Canada. The Charter of Rights and Freedoms was made part of the Canadian Constitution in 1982.
Link to text of law: Canadian Charter of Rights and Freedoms

Question 21

Children’s Online Privacy Protection Act (COPPA) of 1998

Answer 21

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Acronym(s): COPPA
Link to text of law: 15 U.S.C. §§ 6501-6508

Question 22

Choice

Answer 22

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
Associated term(s): Consent

Question 23

Collection Limitation

Answer 23

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Question 24

Commercial Activity

Answer 24

Under Canada’s PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

Question 25

Commercial Electronic Message

Answer 25

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.
Acronym(s): CEM

Question 26

Communications Privacy

Answer 26

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

Question 27

Comprehensive Laws

Answer 27

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.
Associated term(s): Omnibus Laws

Question 28

Computer Forensics

Answer 28

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

Question 29

Confidentiality

Answer 29

Data is “confidential” if it is protected against unauthorised or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Question 30

Consent

Answer 30

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.
(1) Affirmative/Explicit Consent: A requirement that an individual ““signifies”” his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Associated term(s): Choice

Question 31

Convention 108

Answer 31

Convention 108 is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.
Link to text of law: The Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data

Question 32

Cookie

Answer 32

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called "cookie identifiers," as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive (see Cookie Directive).
Associated term(s): First-Party Cookie, Persistent Cookie, Third-Party Cookie, Tracking Cookie, Web Cookie

Question 33

CSA Privacy Principles

Answer 33

The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canada’s PIPEDA.
Associated term(s): Canadian Standards Association
Associated law(s): PIPEDA

Question 34

Customer Access

Answer 34

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

Question 35

Customer Information

Answer 35

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

Question 36

Data Breach

Answer 36

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
Associated term(s): Breach, Privacy Breach (Canadian)

Question 37

Data Controller

Answer 37

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Associated term(s): Data Processor

Question 38

Data Elements

Answer 38

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

Question 39

Data Processing

Answer 39

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Associated term(s): Data Processor, Processing, Processor

Question 40

Data Processor

Answer 40

A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.
Associated term(s): Data Controller, Processor

Question 41

Data Protection Authority

Answer 41

Independent public authorities that supervise the application of data protection laws in the EU. DPAs provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own DPA. Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines that total 4% of a company’s global annual revenue.
Acronym(s): DPA

Question 42

Data Quality

Answer 42

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Question 43

Data Recipient

Answer 43

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Question 44

Data Subject

Answer 44

An identified or identifiable natural person.

Question 45

De Novo

Answer 45

A Latin expression meaning “from the beginning,” “anew” or “beginning again.” In a legal context, a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.

Question 46

Direct Marketing

Answer 46

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Question 47

Do Not Track

Answer 47

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.
Acronym(s): DNT

Question 48

Electronic Communications Network

Answer 48

Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed. In the discussions surrounding the update of the ePrivacy Directive to the ePrivacy Regulation, so-called “over the top” providers, like app-based messaging services, are beginning to be considered as part of the electronic communications network.
Acronym(s): ECN

Question 49

Electronic Communications Service

Answer 49

Any service which provides to users thereof the ability to send or receive wire or electronic communications.
Acronym(s): ECS

Question 50

Electronic Health Record

Answer 50

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers.
Acronym(s): EHR
Associated law(s): HIPAA, HITECH

Question 51

Employee Information

Answer 51

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.

Question 52

Employee Personal Data

Answer 52

Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees’ personal data. These rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.

Question 53

Encryption

Answer 53

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.

Question 54

EU Data Protection Directive

Answer 54

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
Associated term(s): Data Protection Directive

Question 55

European Commission

Answer 55

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.

Question 56

Fair Credit Reporting Act, The

Answer 56

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.
Link to text of law: The Fair Credit Reporting Act
Acronym(s): FCRA
Associated law(s): Fair and Accurate Credit Transactions Act of 2003 (FACTA)

Question 57

Federal Trade Commission

Answer 57

The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.
Acronym(s): FTC
Associated law(s): FTC Act

Question 58

Generally Accepted Privacy Principles

Answer 58

A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.
Acronym(s): GAPP

Question 59

GET Method

Answer 59

The GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and is thus less secure than the POST method.
Associated term(s): POST Method

Question 60

Global Privacy Enforcement Network

Answer 60

Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, GPEN is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, GPEN counted 50 member countries.
Acronym(s): GPEN

Question 61

House of Commons

Answer 61

One of two chambers of the Canadian Parliament, along with the Senate. Members of the House of Commons are elected at least every five years.

Question 62

Identifying Purposes

Answer 62

Integral to privacy protection is the obligation on organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.

Question 63

Individual Access

Answer 63

One of 10 privacy principles of PIPEDA. Organizations must be able to respond to requests from individuals for access to their personal information.
Associated law(s): PIPEDA

Question 64

Individual Participation

Answer 64

It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Associated term(s): FIPs

Question 65

Information Banks

Answer 65

Repositories of personal information that are kept by the Canadian government to comply with the Privacy Act.
Associated law(s): The Canadian Privacy Act

Question 66

Information Life Cycle

Answer 66

The information life cycle recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction.

Question 67

Information Privacy

Answer 67

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Question 68

Information Security

Answer 68

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.
Acronym(s): IS

Question 69

Model Code for the Protection of Personal Information

Answer 69

A set of privacy principles developed by the Canadian Standards Association, that parallel the OECD’s Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data and espouse 10 principles: Accountability, Identifying Purpose, Consent, Limiting Collection, Limiting Use, Disclosure, & Retention, Accuracy, Safeguards, Openness, Individual Access and Challenging Compliance.
Link to text of: OECD’s Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data

Question 70

Multi-Factor Authentication

Answer 70

An authentication process that requires more than one verification method (see Authentication), such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject.
Associated term(s): Two-Factor Authentication; Two-Step Authentication

Question 71

OECD Guidelines

Answer 71

First released in 1980, and then updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data. The principles, widely emulated in national privacy laws, include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability (see entries for each principle under their own listing elsewhere in the glossary).
Link to text of: OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data

Question 72

Omnibus Laws

Answer 72

Used to distinguish from sectorial laws (see Sectorial Laws), to mean laws that cover a broad spectrum of organizations or natural persons, rather than simply a certain market sector or population.

Question 73

Online Behavioral Advertising

Answer 73

Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.

Question 74

Online Privacy Alliance

Answer 74

A coalition composed of numerous online companies and trade associations specifically established to encourage the self-regulation of online privacy. The OPA introduced the Online Privacy Guidelines.
Link to: Online Privacy Alliance
Link to: Online Privacy Guidelines
Acronym(s): OPA
Associated term(s): Self-regulation

Question 75

Openness

Answer 75

A fair information practices principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. Closely linked with transparency.

Question 76

Opt-In

Answer 76

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.
Associated term(s): Choice; Consent; Opt-Out

Question 77

Opt-Out

Answer 77

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.
Associated term(s): Choice; Consent; Opt-In

Question 78

Organization for Economic Cooperation and Development

Answer 78

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.
Link to: Organization for Economic Cooperation and Development
Acronym(s): OECD

Question 79

Outsourcing

Answer 79

Contracting business processes, which may include the processing of personal information, to a third party.

Question 80

Perimeter Controls

Answer 80

Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.
Associated term(s): Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Internet Protocol Security (IPSEC), Secure Sockets Layer (SSL)

Question 81

Personal Data

Answer 81

The predominant term for Personal Information in the European Union, defined broadly in the General Data Protection Regulation as any information relating to an identified or identifiable natural person.
Associated term(s): Personal Information; Personally Identifying Information; Personally Identifiable Information

Question 82

Personal Information

Answer 82

A synonym for "personal data." It is a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.
Acronym(s): PI
Associated term(s): Personal Data; Personally Identifying Information; Personally Identifiable Information

Question 83

Personal Information Protection and Electronic Documents Act

Answer 83

A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.
Link to text of law: Personal Information Protection and Electronic Documents Act
Acronym(s): PIPEDA

Question 84

POST Method

Answer 84

The GET and POST HTML method attributes specify how form data is sent to a web page. The POST method is more secure than GET as the GET method appends the form data to the URL allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar.
Associated term(s): GET Method

Question 85

Privacy Act, The (Canadian)

Answer 85

Enacted in 1983, the Act sets out rules for how institutions of the federal government must deal with personal information of individuals. It has been revised by many minor amendments, but remains substantially unaltered.
Link to text of law: The Canadian Privacy Act

Question 86

Privacy Breach (Canadian)

Answer 86

A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial privacy legislation.
Associated term(s): Data Breach, Privacy Breach Response (Canadian)

Question 87

Privacy Breach Response (Canadian)

Answer 87

The guidelines for privacy breach responses were drafted in 2007 and consist of four steps: (1) Containment of the breach and preliminary assessment; (2) evaluating the associated risks; (3) notifying affected parties; (4) taking adequate steps to prevent future breaches.
Associated term(s): Data Breach, Privacy Breach (Canadian)

Question 88

Privacy by Design

Answer 88

Generally regarded as a synonym for Data Protection by Design (see Data Protection by Design). However, Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.
Acronym(s): PbD

Question 89

Privacy Commissioner of Canada

Answer 89

The individual who is mandated by PIPEDA to enforce the act. The commissioner has broad power to examine documents, but some documents may be shielded by solicitor-client privilege. The commissioner conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued. This individual is mandated by PIPEDA to enforce PIPEDA. Aggrieved individuals also have a right to complain to the commissioner.
Link to: Privacy Commissioner of Canada
Associated law(s): PIPEDA

Question 90

Privacy Impact Assessments (Canadian)

Answer 90

The Canadian government requires all government institutions subject to the Privacy Act to conduct these assessments. The purpose behind a PIA is to evaluate whether program and service delivery initiatives that involve the collection, use or disclosure of personal information are in compliance with statutory obligations.
Acronym(s): PIAs

Question 91

Privacy Notice

Answer 91

A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices.

Question 92

Privacy of the Person

Answer 92

Protects bodily integrity, and in particular the right not to have our bodies touched or explored to disclose objects or matters we wish to conceal.

Question 93

Privacy Officer

Answer 93

A general term in many organizations for the head of privacy compliance and operations. In the United States federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Department of Homeland Security, or a career professional.

Question 94

Privacy Policy

Answer 94

An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

Question 95

Professional Regulatory Body

Answer 95

A body enacted pursuant to an act under which a professional or occupational group or discipline is organized and that provides for the membership in the regulation of the members of the professional or occupation group or discipline, including the registration, competence, conduct, practice and discipline of its members.

Question 96

Public Records

Answer 96

Information collected and maintained by a government entity and available to the general public.

Question 97

Radio-Frequency Identification

Answer 97

Technologies that use radio waves to identify people or objects carrying encoded microchips.
Acronym(s): RFID

Question 98

Re-identification

Answer 98

The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization) . Often invoked as a “risk of re-identification” or “re-identification risk,” which refers to nullifying the de-identification actions previously applied to data (see De-identification).
Associated term(s): De-identification; Anonymization; Anonymous Data, Pseudonymous Data

Question 99

Rectification

Answer 99

An individual’s right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.
Associated term(s): Access
Associated law(s): EU Data Protection Directive; FCRA

Question 100

Retention

Answer 100

Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.

Question 101

Right of Access

Answer 101

An individual’s right to request and receive their personal data from a business or other organization.

Question 102

Right To Correct

Answer 102

The right for individuals to correct or amend information about themselves that is inaccurate.

Question 103

Seal Programs

Answer 103

Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of the seal program are allowed to display the programs seal on their website.
Associated term(s): Self-regulatory Model, WebTrust

Question 104

Sectoral Laws/Model

Answer 104

Laws that exist only in areas where the legislative body has found a particular need.
Related term(s) Comprehensive Laws, Co-regulatory Model, Self-regulatory Model, Technology Based Model

Question 105

Semayne’s Case

Answer 105

A case recognized as establishing the “knock-and-announce rule,” an important concept relating to privacy in one’s home and Fourth Amendment search and seizure jurisprudence in the U.S.
Link to: Fourth Amendment

Question 106

Senate (Canadian)

Answer 106

One of two chambers of the Canadian Parliament, along with the House of Commons. Unlike the House of Commons, whose members are elected, the Senate is appointed by the governor in council based upon the recommendations of the prime minister.
Associated term(s): Canadian Parliament, House of Commons

Question 107

Sensitive Personal Information

Answer 107

Data which is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information. However, data may be considered more or less sensitive depending on context or jurisdiction. Recently the U.S. Federal Trade Commission classified TV-viewing data as “sensitive.”
Acronym(s): SPI

Question 108

SPAM

Answer 108

Unsolicited commercial e-mail.
Associated law(s): CASL; CAN-SPAM Act

Question 109

Technology-Based Model

Answer 109

The technology-based model for data protection utilizes technological security measures to protect individual’s personal data. While it is commonplace for companies to utilize technology to protect data, developments in commercially available hardware and software have enabled consumers to establish privacy protections for their own online activity.
Associated term(s): Comprehensive Laws, Co-regulatory Model, Sectoral Laws, Self-Regulation Model

Question 110

Territorial Privacy

Answer 110

One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into an individual’s territorial privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures.
Associated term(s): Home Privacy

Question 111

Transfer

Answer 111

The movement of personal data from one organization to another.

Question 112

Transparency

Answer 112

Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language.

Question 113

Universal Declaration of Human Rights

Answer 113

Also called the Human Rights Declaration, the declaration recognized the universal values and traditions of inherent dignity, freedom, justice and peace. It was adopted by the General Assembly of the United Nations on 10 December 1948. In December 1948, the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights. This declaration formally announced that “[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence [.]” The statement was intended to encompass a wide range of conduct, as evidenced by Article 12 of the Declaration, which describes both the territorial and the communications notions of privacy.
Link to text of: Universal Declaration of Human Rights
Associated term(s): Declaration of Human Rights

Question 114

Value-Added Services

Answer 114

A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions. More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered value-added services, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), also known as a content provider (CP) such as Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.
Associated term(s): MVAS, VASP

Question 115

Video Surveillance Guidelines

Answer 115

Guidelines discouraging video as an initial security option with the following constraints: (1) Video should be taken only in the absence of less intrusive alternatives; (2) the use should be disclosed to the public; (3) individuals should have access to their personal information; (4) video surveillance should be subject to independent audit, and (5) fair information practices should be respected.

Question 116

Work Product Information

Answer 116

A Canadian term referring to information about an individual that is related to that individual’s position, functions and/or performance of his or her job. A term that is undefined by PIPEDA, the privacy commissioner has decided that work product may at times fall under the definition of personal information. Access to such information by the commissioner is addressed on a case-by-case basis. Not to be confused with the American legal term "work product," which refers to legal materials prepared in anticipation of litigation.
Associated term(s): Employee Information
Associated law(s): PIPEDA