Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CIPP/E > Glossary of Privacy Terms > Flashcards

Glossary of Privacy Terms Flashcards

1
Q

Abstract

A

Limit the amount of detail in which personal information is processed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Access Control Entry

A

An element in an access control list (ACL). Each ACE controls, monitors, or records access to an object by a specified user.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Access Control List

A

A list of access control entries (ACE) that apply to an object. Each ACE controls or monitors access to an object by a specified user. In a discretionary access control list (DACL), the ACL controls access; in a system access control list (SACL) the ACL monitors access in a security event log which can comprise part of an audit trail.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Accountability

A

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Accuracy

A

Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Act Respecting the Protection of Personal Information in the Private Sector

A

A Québéquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Active Data Collection

A

When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Active Scanning Tools

A

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Ad Exchange

A

An ad trafficking system through which advertisers, publishers, and networks meet and do business via a unified platform. An ad exchange allows advertisers and publishers to use the same technological platform, services, and methods, and “speak the same language” in order to exchange data, set prices, and ultimately serve an ad.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Ad Network

A

A company that serves as a broker between a group of publishers and a group of advertisers. Networks traditionally aggregate unsold inventory from publishers in order to offer advertisers a consolidated and generally less expensive pool of impressions, but they can have a wide variety of business models and clients.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

AdChoices

A

A program run by the Digital Advertising Alliance to promote awareness and choice in advertising for internet users. Websites with ads from participating DAA members will have an AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon, users may set preferences for behavioral advertising on that website or with DAA members generally across the web.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Adequate Level of Protection

A

A transfer of personal data from the European Union to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Administrative Purpose

A

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Advanced Encryption Standard

A

An encryption algorithm for security sensitive non-classified material by the U.S. Government. This algorithm was selected in 2001 to replace the previous algorithm, the Data Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Adverse Action

A

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Agile Development Model

A

A process of software system and product design that incorporates new system requirements during the actual creation of the system, as opposed to the Plan-Driven Development Model. Agile development takes a given project and focuses on specific portions to develop one at a time. An example of Agile development is the Scrum Model.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Alberta PIPA

A

A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Algorithm

A

A computational procedure or set of instructions and rules designed to perform a specific task, solve a particular problem, or produce a machine learning or AI model.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

American Institute of Certified Public Accountants

A

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Americans with Disabilities Act

A

A U.S. law that bars discrimination against qualified individuals with disabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Annual Independent Evaluations

A

Under FISMA, U.S. agencies’ information security programs must be independently evaluated yearly. The independent auditor is selected by the agency’s inspector general or the head of the agency. The audit is submitted to the Office of Management and Budget.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Annual Reports

A

The requirement under the General Data Protection Regulation that the European Data Protection Board and each supervisory authority periodically report on their activities. The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organizations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Anonymization

A

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Anonymous Information

A

In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Anthropomorphism

A

Attributing human characteristics or behaviors to non-human objects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Anti-discrimination Laws

A

Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

APEC Privacy Principles

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Application or field encryption

A

Ability to encrypt specific fields of data; specifically sensitive data such as credit cards numbers or health-related information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Application-Layer Attacks

A

Attacks that exploit flaws in the network applications installed on network servers. Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Appropriate Safeguards

A

The General Data Protection Regulation refers to appropriate safeguards in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Appropriate Technical and Organizational Measures

A

The General Data Protection Regulation requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These “appropriate technical and organizational measures” might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Appropriation

A

Using someone’s identity for another person’s purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Article 29 Working Party

A

The Article 29 Working Party (WP29) was a European Union organization that functioned as an independent advisory body on data protection and privacy and consisted of the collected data protection authorities of the member states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Artificial Intelligence

A

Artificial intelligence is a broad term used to describe an engineered system where machines learn from experience, adjusting to new inputs, and potentially performing tasks previously done by humans. More specifically, it is a field of computer science dedicated to simulating intelligent behavior in computers. It may include automated decision-making.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Assess

A

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Asymmetric Encryption

A

A form of data encryption that uses two separate but related keys to encrypt data. The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Attribute-Based Access Control

A

An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Audit Life Cycle

A

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Audit Trail

A

A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity. The term originates in accounting as a reference to the chain of paperwork used to validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce, to track customer’s activity, or cyber-security, to investigate cybercrimes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

Authentication

A

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Authorization

A

In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset. Authorization criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. When effective, authentication validates that the entity requesting access is who or what it claims to be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Automated decision-making

A

The process of making a decision by technological means without human involvement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Automated Processing

A

A processing operation that is performed without any human intervention. “Profiling” is defined in the General Data Protection Regulation, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Data subjects, under the GDPR, have a right to object to such processing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

Availability

A

Data is “available” if it is accessible when needed by the organization or data subject. The General Data Protection Regulation requires that a business be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Background Screening/Checks

A

Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

Bank Secrecy Act, The

A

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

Basel III

A

A comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

BC PIPA

A

A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

Behavioral Advertising

A

Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

Big Data

A

A term used to describe the large data sets which exponential growth in the amount and availability of data have allowed organizations to collect. Big data has been articulated as “the three V’s: volume (the amount of data), velocity (the speed at which data may now be collected and analyzed), and variety (the format, structured or unstructured, and type of data, e.g. transactional or behavioral).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

Binding Corporate Rules

A

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

Binding Safe Processor Rules

A

Previously, the EU distinguished between Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

Biometrics

A

Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists biometric data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

Blackmail

A

The threat to disclose an individual’s information against his or her will.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

Bodily Privacy

A

One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

Breach Disclosure

A

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

Breach Disclosure (EU specific)

A

The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

Breach of confidentiality

A

Revealing an individual’s personal information, despite a promise not to do so.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

Bring Your Own Device

A

Use of employees’ own personal computing devices for work purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

Browser Fingerprinting

A

As technology has advanced, it has become easier to differentiate between users just based on the given instance of the browser they are using. Each browser keeps some information about the elements it encounters on a given webpage. For instance, a browser will keep information on a text font so that the next time that font is encountered on a webpage, the information can be reproduced more easily. Because each of these saved elements have been accessed at different times and in different orders, each instance of a browser is to some extent unique. Tracking users using this kind of technology continues to become more prevalent.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

Bundesdatenschutzgesetz-neu

A

Germany’s federal data protection act, implementing the General Data Protection Regulation. With the passage of the GDPR, it replaced a previous law with the same name (hence “neu” in common parlance) and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the new version suggests a procedure for national data protection authorities to challenge adequacy decisions of the EU Commission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

Bureau of Competition

A

The United States’ Federal Trade Commission’s Bureau of Competition enforces the nation’s antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

Bureau of Consumer Protection

A

The United States’ Federal Trade Commission’s Bureau of Consumer Protection stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q

Bureau of Economics

A

The United States’ Federal Trade Commission’s Bureau of Economics helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
64
Q

Business case

A

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
65
Q

Business Continuity and Disaster Recovery Plan

A

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
66
Q

Business Continuity Plan

A

The business continuity plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a BCP often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
67
Q

Caching

A

The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit caching.

68
Q

California Consumer Privacy Act

A

The first state-level comprehensive privacy law in the U.S. The CCPA applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights. In Nov. 2020, California passed the California Privacy Rights Act, which amends the CCPA and includes itional consumer protections and business obligations. The majority of the CPRA’s provisions entered into force Mar. 29 2024, with a look back to Jan. 2022.

69
Q

California Investigative Consumer Reporting Agencies Act

A

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.

70
Q

California Online Privacy Protection Act

A

Requires that all websites catering to California citizens provide a privacy statement to visitors and a easy-to-find link to it on their web pages. Websites that carry personal data on children less than 18 years of age must permit those children to delete data collected about them. Websites also must inform visitors of the type of Do Not Track mechanisms they support or if they do not support any at all.

71
Q

California Privacy Rights Act

A

The CPRA amends the California Consumer Privacy Act and includes itional privacy protections for consumers. It also creates an enforcement agency, the California Privacy Protection Agency. The majority of the CPRA’s provisions entered into force Mar. 29, 2024, with a look back to Jan. 2022. The CPRA passed as a ballot initiative in Nov. 2020.

72
Q

Canada’s Anti-Spam Legislation

A

Canadian anti-SPAM legislation applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.

73
Q

Canadian Institute of Chartered Accountants

A

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications.

74
Q

Canadian Organization for the Advancement of Computers in Health

A

A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information.

75
Q

Canadian Standards Association

A

A non-profit standards organization that developed its own set of privacy principles and broke the OECD’s code into ten principles: (1) Accountability; (2) Identifying purposes; (3) Consent; (4) Limiting Collection; (5) Limiting Use, Disclosure, and Retention; (6) Accuracy; (7) Safeguards; (8) Openness; (9) Individual Access; (10) Challenging Compliance. These ten principles would go on to be listed in PIPEDA.

76
Q

Case Law

A

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

77
Q

CCTV

A

Originally an acronym for “closed circuit television,” CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

78
Q

Census Bureau

A

The Census Bureau collects data to meet the nation’s statistical needs. Because the data that the Census Bureau collects is often highly personal in nature, and the Census Bureau depends on the trust of the individuals and businesses that supply the data, privacy protection is a high priority.

79
Q

Centralized governance

A

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point

80
Q

Certification Mechanisms

A

Introduced by the General Data Protection Regulation, certification mechanisms are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Certification mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

81
Q

Charter of Fundamental Rights

A

A treaty that consolidates human rights within the EU. The treaty states that everyone has a right to protect their personal data, that data must be processed for legitimate and specified purposes and that compliance is subject to control by an authority.

82
Q

Charter Rights

A

Rights created by the Canadian Charter of Rights and Freedoms. They are constitutional rights and thus are considered to be the most valued rights in Canada. The Charter of Rights and Freedoms was made part of the Canadian Constitution in 1982.

83
Q

Chat bots

A

Computerized intelligence that simulates human interactions and may be used to handle basic customer requests and interactions.

84
Q

Chief FOIA Officer

A

Executive Order 13392 supplemented FOIA by reiterating the requirement for agencies to process requests in a courteous and expeditious manner. In addition, it required agencies to appoint a chief FOIA officer. The Open Government Act of 2007 codified this requirement and expanded on the responsibilities of the chief FOIA officer to include the following: have agency-wide responsibility for efficient and appropriate compliance with FOIA; monitor FOIA implementation throughout the agency; recommend to the head of the agency any necessary adjustments in practices, personnel, policies or funding.

85
Q

Chief Privacy Officer (Agency level)

A

A position within an organization that is responsible for managing risks of privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005.

86
Q

Children’s Online Privacy Protection Act (COPPA) of 1998

A

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

87
Q

Choice

A

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.

88
Q

CIA Triad

A

Also known as information security triad; three common information security principles from the 1960s: Confidentiality, integrity, availability.

89
Q

CIO Council

A

The CIO Council is the principal interagency forum on Federal agency practices for IT management. Originally established by Executive Order 13011 (Federal Information Technology) and later codified by the E-Government Act of 2002, the CIO Council’s mission is to improve practices related to the design, acquisition, development, modernization, use, sharing and performance of Federal Government information resources.

90
Q

Ciphertext

A

Encrypted (enciphered) data.

91
Q

Cloud Computing

A

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a “private cloud” or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

92
Q

Co-regulatory Model

A

Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models.

93
Q

Code audits

A

Provide analysis of source code that detect defects, security breaches or violations within a technology ecosystem.

94
Q

Code reviews

A

Generally in-person meeting organized by developers who authored the code. The review may consist of a reader, moderator and privacy specialist.

95
Q

Codes of Conduct

A

Introduced by the General Data Protection Regulation, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

96
Q

Collection Limitation

A

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

97
Q

Commercial Activity

A

Under Canada’s PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

98
Q

Commercial Electronic Message

A

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

99
Q

Common Law

A

Unwritten legal principles that have developed over time based on social customs and expectations.

100
Q

Communications Privacy

A

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

101
Q

Completeness Arguments

A

Used as a means of assuring compliance with privacy rules and policies in the design of new software systems. Completeness arguments take privacy rules and compare them to the system requirements that have been used to design a new software system. By pairing privacy rules with specific system requirements, necessary technical safeguards can be accounted for, preventing the software from being designed in such a way that would violate privacy policies and regulations.

102
Q

Comprehensive Laws

A

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.

103
Q

Computer Forensics

A

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

104
Q

Computer Matching and Privacy Protection Act

A

Requires agencies that match data among agency systems granting financial benefits to publicly disclose that matching and explain its scope.

105
Q

Concept of Operations

A

Used in Plan-driven Development Models, a Concept of Operations is a detailed outline of how a software product or system will work once it is fully operational. This is used to shape how a product or system will be designed and implemented.

106
Q

Confidentiality

A

Data is “confidential” if it is protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

107
Q

Confirmed Opt-In

A

An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.

108
Q

Consent

A

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.

(1) Affirmative/Explicit Consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.

(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

109
Q

Consent (EU specific)

A

This privacy requirement is one of the fair information practices. In the General Data Protection Regulation, however, consent is specifically one of the legal bases for processing personal data. According to the GDPR, for consent to be valid, it must be: clearly distinguishable from other matters, intelligible, and in clear and plain language; freely given; as easy to withdraw as it was to provide; specific; informed; and unambiguous. Further, it must be a positive, affirmative action (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain special categories of data, as outlined in Article 9, explicit consent is required for processing, a higher standard than unambiguous consent.

110
Q

Consent Decree

A

A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.

111
Q

Consistency Mechanism

A

In order to ensure the consistent application of the General Data Protection Regulation throughout the European Union, the GDPR establishes a “consistency mechanism” that allows member state supervisory authorities to cooperate with one another. The mechanism applies particularly where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several member states. When a member state supervisory authority intends to take action, such as approving a code of conduct or certification mechanism, it shall provide a draft to the European Data Protection Board, and the EDPB’s members shall render an opinion on that draft, which the supervisory authority shall take into account and then either amend or decide to go forward with the draft in its original form. Should there be significant difference in opinion, the dispute resolution mechanism will be triggered.

112
Q

Consumer Financial Protection Bureau

A

Created by the Dodd-Frank Act, the consumer financial protection bureau is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created CFPB took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against “abusive acts and practices” as specified by the Dodd-Frank Act.

113
Q

Consumer Report

A

As defined in the U.S. Fair Credit Reporting Act: Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes, or (2) employment purposes, or (3) other purposes authorized under section 604. The term does not include any (A) any report containing information solely as to transactions or experiences between the consumer and the person making the report; (B) authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; or (C) report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made and such person makes the disclosures to the consumer required under section 615.

114
Q

Consumer Reporting Agency

A

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

115
Q

Consumerization of Information Technology (COIT)

A

A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.

116
Q

Content Data

A

The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata. The ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of content data.

117
Q

Content Delivery Network

A

The servers that contain most or all of the visible elements of a web page and that are contacted to provide those elements. In the realm of advertising, a general ad server is contacted after a webpage is requested, that ad server looks up any known information on the user requesting to access the webpage.

118
Q

Context aware computing

A

When a technological device adapts itself to the environment. This includes characteristics as location, video, audio, brightness.

119
Q

Context of authority

A

Control over the access to resources on a network is based on the context in which the employee is connected to the network.

120
Q

Contextual Advertising

A

The most used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.

121
Q

Contextual Integrity

A

A concept developed by Helen Nissenbaum, contextual integrity is a way to think about and quantify potential privacy risks in software systems and products. Contextual Integrity focuses on what consumer expectations are in a given situation and how the product or system differs from that expectation. The more a product or system deviates from those expectations, the more likely a consumer will perceive a privacy harm.

122
Q

Contractual Clauses

A

Adopted either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission, contractual clauses are mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

123
Q

Controlled Unclassified Information

A

A system that standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.

124
Q

Convention 108

A

Convention 108 is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.

125
Q

Cookie

A

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as “first-party” (if they are placed by the website that is visited) or “third-party” (if they are placed by a party other than the visited website). Additionally, they may be referred to as “session cookies” if they are deleted when a session ends, or “persistent cookies” if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called “cookie identifiers,” as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive.

126
Q

Cookie Directive

A

The so-called “Cookie Directive” is an amendment made to the European Union’s Directive 2002/58, also known as the ePrivacy Directive, that requires organizations to get consent before placing cookies and other tracking technologies on digital devices. With the passage of the General Data Protection Regulation, this definition of consent has changed and opt-out consent is no longer viable in this area.

127
Q

Cooperation

A

Part of the consistency mechanism of the General Data Protection Regulation, cooperation is required between supervisory authorities when working with controllers or processors handling the personal data of data subjects in multiple member states. This is often referred to as the “one-stop shop,” whereby a lead supervisory authority works with the supervisory authorities of other member states with affected data subjects.

128
Q

Copland v. United Kingdom

A

A case in which the European Court of Human Rights held that monitoring an applicant’s email at work was contrary to Article 8 of the Convention on Human Rights.

129
Q

Corporate Owned, Personally Enabled (COPE)

A

COPE is the IT business strategy of providing employees with company-owned devices. COPE may, nonetheless, implicate BYOD concerns when employees use COPE devices equally for personal use.

130
Q

Costeja

A

Shorthand for the case of Google Spain v AEPD and Mario Costeja González, where Costeja successfully sued Google Spain, Google Inc. and La Vanguardia newspaper. When the Court of Justice of the EU ruled that Google Spain must remove the links to the article, the “right to be forgotten” was effectively established in the European Union. The General Data Protection Regulation subsequently more formally granted data subjects the right to deletion in certain circumstances.

131
Q

Council of Europe

A

The Council of Europe, launched in 1949, is a human rights organization with 47 member countries, including the 28 member states of the European Union. The members have all signed the European Convention on Human rights and are subject to the European Court of Human Rights. The Council’s Convention 108 was the first legally binding international agreement to protect the human right of privacy and data protection.

132
Q

Council of the European Union

A

A council of ministers from the 28 member states of the European Union, this is the main decision-making body of the EU, with a central role in both political and legislative decisions. The council was established by the treaties of the 1950s, which laid the foundations for the EU, and works with the European Parliament to create EU law.

133
Q

Coupling

A

The interdependence between objects within a technology ecosystem and controls the flow of information within a design. Tightening the coupling, allows objects to depend on the inner working of other objects. Loosening the coupling reduces object’s dependency on other objects. Loosening isolates information processing to a select group of approved classes and reduces the chance of unintentionally re-purposing data.

134
Q

Court of Justice of the European Union

A

The Court of Justice is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. Based in Luxembourg, the Court was set up in 1951, and was originally named the Court of Justice of the European Communities. The court is frequently confused with the European Court of Human Rights (ECHR), which oversees human rights laws across Europe, including in many non-EU countries, and is not linked to the EU institutions.

135
Q

Credit Freeze

A

A consumer-initiated security measure which locks an individual’s data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.

136
Q

Credit Reporting Agency

A

Under the Fair Credit Reporting Act, any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee.

137
Q

Cross-border Data Transfers

A

The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have “adequate” data protection practices.

138
Q

Cross-border Data Transfers (EU specific)

A

Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission. It also applies to onward transfers — from one third country or international organization to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.

139
Q

Cross-site Scripting

A

Code injected by malicious web users into web pages viewed by other users.

140
Q

Cryptography

A

The science or practice of hiding information, usually through its transformation. Common cryptographic functions include: encryption, decryption, digital signature and non-repudiation.

141
Q

Cryptosystem

A

The materials necessary to encrypt and decrypt a given message, usually consisting of the encryption algorithm and the security key.

142
Q

CSA Privacy Principles

A

The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canada’s PIPEDA.

143
Q

Current baseline

A

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

144
Q

Customer Access

A

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

145
Q

Customer Data Integration

A

The consolidation and managing of customer information in all forms and from all sources allowable. CDI is a vital component of customer relationship management.

146
Q

Customer Information

A

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

147
Q

Cyber liability insurance

A

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. Cyber liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

148
Q

Cyberbullying

A

Exposing a person’s private details or re-characterizing the person beyond the person’s control via technology.

149
Q

Dark patterns

A

Recurring solutions that are used to manipulate individuals into giving up personal information.

150
Q

Data Aggregation

A

Taking Individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so) the data set should: (1) have a large population of individuals, (2) Categorized to create broad sets of individuals, and; (3) not include data that would be unique to a single individual in a data set.

151
Q

Data Breach

A

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

152
Q

Data Breach (EU specific)

A

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The General Data Protection Regulation instituted new rules for notification of supervisory authorities and data subjects following the discovery of a data breach, depending on the risk the breach presents to the rights and freedoms of data subjects.

153
Q

Data Breach Notification (EU specific)

A

The requirement that a data controller notify regulators, potentially within 72 hours of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

154
Q

Data Brokers

A

Entities that collect, aggregate and sell individuals’ personal data, derivatives and inferences from disparate public or private sources.

155
Q

Data Centers

A

Facilities that store, manage and disseminate data and house a network’s most critical systems. Data centers can serve either as a centralized facility for a single organization’s data management functions or as a third-party provider for organization’s data management needs.

156
Q

Data Classification

A

A scheme that provides the basis for managing access to, and protection of, data assets.

157
Q

Data Controller

A

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

158
Q

Data Elements

A

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

159
Q

Data Flow Diagrams

A

A graphical representation of the flow of data in an information system thus allowing the visualization of how the system operates to accomplish its purpose. DFDs are used both by systems analysts to design information systems and by management to model the flow of data within organizations.

160
Q

Data Integrity Board

A

Under the Privacy Act, federal agencies using computerized means to match data between electronic federal privacy record systems, or to match data from any federal system with non federal records, are required to create a DIB composed of senior officials and the agency’s inspector general. The DIB shall, among other things: review, approve and maintain all matching programs; review all existing matching programs annually to determine compliance with laws, regulations, guidelines and agreements, and; assess the cost and benefits of the agreements.

161
Q

Data Inventory

A

Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

162
Q

Data Life Cycle Management

A

Also known as Information Life Cycle Management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

163
Q

Data Loss Prevention

A

Term used to describe both the strategy for ensuring end users do not disseminate sensitive information, whether intentionally or unintentionally, to outside ineligible sources and the software products that aid network administrators in controlling what data end users can transfer.

164
Q

Data Masking

A

The process of de-identifying, anonymizing, or otherwise obscuring data so that the structure remains the same but the content is no longer sensitive in order to generate a data set that is useful for training or software testing purposes.

165
Q

Data Matching

A

An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.

166
Q

Data Minimization Principle

A

The idea that one should only collect and retain that personal data which is necessary.

167
Q
A

CIPP/E (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions