IAPP Glossary

Question 1

Abstract

Answer 1

Limit the amount of detail in which personal information is processed.

Question 2

Access Control Entry

Answer 2

An element in an access control list (ACL). Each ACE controls, monitors, or records access to an object by a specified user.

Acronym(s): ACE
Associated term(s):  Access Control List (ACL)

Question 3

Access Control List

Answer 3

A list of access control entries (ACE) that apply to an object. Each ACE controls or monitors access to an object by a specified user. In a discretionary access control list (DACL), the ACL controls access; in a system access control list (SACL) the ACL monitors access in a security event log which can comprise part of an audit trail.

Acronym(s): ACL
Associated term(s): Access Control Entry (ACE)

Question 4

Accountability

Answer 4

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Question 5

Active Data Collection

Answer 5

When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.

Question 6

AdChoices

Answer 6

A program run by the Digital Advertising Alliance to promote awareness and choice in advertising for internet users. Websites with ads from participating DAA members will have an AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon, users may set preferences for behavioral advertising on that website or with DAA members generally across the web.

Question 7

Adequate Level of Protection

Answer 7

A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.

Question 8

Advanced Encryption Standard

Answer 8

An encryption algorithm for security sensitive non-classified material by the U.S. Government. This algorithm was selected in 2001 to replace the previous algorithm, the Data Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael, pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.

Question 9

Agile Development Model

Answer 9

A process of software system and product design that incorporates new system requirements during the actual creation of the system, as opposed to the Plan-Driven Development Model. Agile development takes a given project and focuses on specific portions to develop one at a time. An example of Agile development is the Scrum Model.

Question 10

Algorithms

Answer 10

Mathematical applications applied to a block of data.

Question 11

Anonymization

Answer 11

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized.
- Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability.
-Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24).
- Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set
Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.

Question 12

Anonymous information

Answer 12

In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

Question 13

Antropomorphism

Answer 13

Attributing human characteristics or behaviors to non-human objects.

Question 14

Application or field encryption

Answer 14

Ability to encrypt specific fields of data; specifically sensitive data such as credit cards numbers or health-related information.

Question 15

Application-Layer Attacks

Answer 15

Attacks that exploit flaws in the network applications installed on network servers. Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks.

Question 16

Appropriation

Answer 16

Using someone’s identity for another person’s purposes.

Question 17

Asymmetric Encryption

Answer 17

A form of data encryption that uses two separate but related keys to encrypt data. The system uses a public key, made available to other parties, and a private key, which is kept by the first party. Decryption of data encrypted by the public key requires the use of the private key; decryption of the data encrypted by the private key requires the public key.

Question 18

Attribute-Based Access Control

Answer 18

An authorization model that provides dynamic access control by assigning attributes to the users, the data, and the context in which the user requests access (also referred to as environmental factors) and analyzes these attributes together to determine access.

Question 19

Audit trail

Answer 19

A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity. The term originates in accounting as a reference to the chain of paperwork used to validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce, to track customer’s activity, or cyber-security, to investigate cybercrimes.

Question 20

Authentication

Answer 20

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.

Question 21

Authorisation

Answer 21

In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset. Authorization criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. When effective, authentication validates that the entity requesting access is who or what it claims to be.

Question 22

Automated decision making

Answer 22

The process of making a decision without human involvement.