Glossary of Terms

Question 1

Accountability

Answer 1

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles

Question 2

Adequate Level of Protection

Answer 2

A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data.

Question 3

Adverse Action

Answer 3

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action

Question 4

American Institute of Certified Public Accountants (AICPA)

Answer 4

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program

Question 5

Americans with Disabilities Act (ADA)

Answer 5

A US law that bars discrimination against qualified individuals with disabilities

Question 6

Anti-discrimination Laws

Answer 6

Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR (general data protection regulation) or otherwise.

Question 7

APEC Privacy Principles

Answer 7

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs

Question 8

Background Screening/Checks

Answer 8

Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such checks vary by member state and may be negotiated with local works councils.

Question 9

The Bank Secrecy Act (BSA)

Answer 9

A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities

Question 10

Behavioral Advertising (OBA) - Online Behavioral Advertising

Answer 10

Advertising that is targeted at individuals based on the observation of their behavior over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear comprehensive information.

Question 11

Binding Corporate Rules (BCRs)

Answer 11

Binding Corporate Rules are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between various entities of a corporate group worldwide. They do so by ensuring that same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and they are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved

Question 12

Binding Safe Processor Rules (BSPR)

Answer 12

Previously, the EU distinguished between Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both

Question 13

Breach Disclosure

Answer 13

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure

Question 14

Bring your own Device

Answer 14

Use of employees’ own personal computing devices for work purposes

Question 15

California Investigative Consumer Reporting Agencies Act (CICRAA)

Answer 15

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report

Question 16

Case Law

Answer 16

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to past decisions as precedents and decide the new case in a manner that is consistent with past decisions

Question 17

CCTV

Answer 17

Originally an acronym for “closed circuit television”, CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be assessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

Question 18

Children’s Online Privacy Protection Act (COPPA) of 1998

Answer 18

US federal law that applies to the operators of commercial websites and online services that are directed to children under 13. It also applies to general audience websites and online services that have actual knowledge that hey are collecting personal information from children under 13. COPPA requires these website operators: to post a privacy notice on homepage of website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to 3rd parties; provide parents access and opportunity to delete the child’s personal information and opt out of future collection of use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

Question 19

Choice

Answer 19

In the context of consent, choice refers to idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation

Question 20

Cloud Computing

Answer 20

The provision of information services over the Internet. These services may be provided by a company for its internal users in a “private cloud” or by 3rd party suppliers. The service can include software, infrastructure (servers), hosting, and platforms (operating systems). Cloud computing has numerous applications, from personal web-mail to corporate data storage, and can be subdivided into different types of service models

Question 21

Collection Limitation

Answer 21

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Question 22

Commercial Activity

Answer 22

Under Canada’s PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition

Question 23

Commercial Electronic Message (CEM)

Answer 23

Any form of electronic messaging, including email, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter, or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

Question 24

Common Law

Answer 24

Unwritten legal principles that have developed over time based on social customs and expectations

Question 25

Communications Privacy

Answer 25

One of the four classes of privacy, along with information privacy, bodily privacy, and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic email and other forms of communicative behavior and apparatus

Question 26

Comprehensive Laws

Answer 26

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.

Question 27

Computer Forensics

Answer 27

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit

Question 28

Confidentiality

Answer 28

Data is “confidential” if it is protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligations

Question 29

Confirmed Opt-In

Answer 29

An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing email.

Question 30

Consent

Answer 30

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative (opt-in); or implied (individual didn’t opt out)

(1) Affirmative/Explicit Consent: a requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual

Question 31

Consent Decree

Answer 31

A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between US federal or state agency and adverse party.

Question 32

Consumer Financial Protection Bureau (CFPB)

Answer 32

Created by the Dodd-Frank Act, the consumer financial protection bureau is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created CFPB took rule-making authority over FCRA (fair credit reporting act) and GLBA (Gramm-Leach-Bliley Act) regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against “abusive acts and practices” as specified by the Dodd-Frank Act.

Question 33

Consumer Reporting Agency (CRAs)

Answer 33

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

Question 34

Cookie

Answer 34

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as “first-party” (if they are placed by the website that is visited) or “third-party” (if they are placed by a party other than the visited website). Notably, the General Data Protection Regulation lists this latter category, so called “cookie identifiers,” as an example of personal information. The use of cookies is regulated both by GDPR and the ePrivacy Directive

Question 35

Credit Freeze

Answer 35

A consumer-initiated security measure which locks an individual’s data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.

Question 36

Credit Reporting Agency (CRA)

Answer 36

Under the Fair Credit Reporting Act, any organization that regularly engages in assembling or evaluating consumer credit or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee

Question 37

Customer Access

Answer 37

A customer’s ability to access the personal information collected on them as well as review, correct, or delete any incorrect information

Question 38

Customer Information

Answer 38

In contrast to employee information, customer information includes data relating to the clients of private-sector organization, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

Question 39

Data Breach

Answer 39

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector - provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure

Question 40

Data Classification

Answer 40

A scheme that provides the basis for managing access to, and protection of, data assets

Question 41

Data Controller

Answer 41

The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law

Question 42

Data Elements

Answer 42

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data

Question 43

Data Matching

Answer 43

An activity that involves comparing personal data obtained from a variety of sources including personal information banks, for the purposes of making decisions about individuals to whom the data permits

Question 44

Data Processing

Answer 44

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Question 45

Data Processor

Answer 45

A natural or legal person (other than employee of the controller), public authority, agency, or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing

Question 46

Data Quality

Answer 46

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date. The quality of data is judged by four criteria: 1) Does it meet the business needs? 2) is it accurate? 3) is it complete? AND 4) is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application