Information Management from a U.S. Perspective Flashcards

Question 1

Q

Define:

information management

Answer

A

establishing, implementing and monitoring the organization’s privacy program under the direction of a senior person in the organization

Question 2

Q

duties of a chief privacy officer

Answer

A

developing and implementing policies related to data processing and properly handling of personal information

Question 3

Q

duties of a data protection officer

Answer

A

ensures organization’s processing and handling of personal info is in compliance with legal privacy requirements
cannot be directly involved with decision-making regarding data processing activities

Question 4

Q

duties of a privacy engineer

Answer

A

works to ensure that compliance with legal requirements has occurred through the technical processes of the organization

Question 5

Q

duties of a privacy manager

Answer

A

responsible for development, maintenance and enforcement of privacy policies and procedures within an organization

Question 6

Q

duties of a privacy analyst

Answer

A

manages legal and operational risks related to personal information held by the organization

Question 7

Q

what are the stages of a data life cycle?

Answer

A

data creation
data storage
data sharing and usage
data archival
data deletion

Question 8

Q

Define:

data inventory

Answer

A

undertake an inventory of the PI it collects, stores, uses or discloses within the organization and to outside entities

Question 9

Q

Define:

data classification

Answer

A

classify data according to its level of sensitivity
defines clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data

Question 10

Q

Define:

data flow mapping

Answer

A

examine and document data flows

Question 11

Q

top-down vs. bottom-up data flow mapping

Answer

A

top-down: starts with record of processing activities (RoPA) which is required under GDPR
RoPA process involves documenting the purpose for processing the PI; parties to whom any PI was disclosed; retention period for PI; and details about the safeguards in place for PI
bottom-up: understanding data assets; data inventory and classification; delineating data processes (RoPA); documenting data lineage

Question 12

Q

privacy program should…

Answer

A

demonstrate effective and auditable framework to enable compliance with applicable privacy laws and regulations
promote trust and confidence in the organization’s handling of personal data
respond effectively to requests by consumers
address privacy and security breaches
continually monitor and improve the maturity of the privacy program

Question 13

Q

privacy mission statement

Answer

A

describes core function of privacy within the org

Question 14

Q

How to ensure appropriate metrics for privacy program framework?

Answer

A

identifying intended audience for metrics
defining reporting sources
defining privacy metrics for oversight and governance
identifying systems/application collection points

Question 15

Q

What are the four stages of privacy operatonal life cycle?

Answer

A

assess
protect
sustain
respond

Question 16

Q

assess

Answer

A

document baseline of privacy program
evaluate processors and third parties
identify operational risks
document the assessment

Question 17

Q

protect

Answer

A

review access controls and technical controls
review incident response plan
integrate privacy requirements into functional areas of the organization

Question 18

Q

sustain

Answer

A

monitor and audit compliance with privacy policies
monitor regulatory changes
hold employee, management and contractor trainings

Question 19

Q

respond

Answer

A

consumer requests
address privacy incidents

Question 20

Q

Define:

privacy policy

Answer

A

high-level document that helps an organization meet policy goals contained within an org’s privacy vision or mission statement

Question 21

Q

typical components of a privacy policy

Answer

A

purpose
scope
applicability
roles and responsibilities
compliance
penalties and sanctions for noncompliance

Question 22

Q

revision to privacy policy

Answer

A

according to FTC, companies should obtain express affirmative consent before making material retroactive changes to privacy representations
material change at a minimum includes sharing consumer information with 3Ps after committing at the time of collection not to share the data

Question 23

Q

Define:

privacy notice

Answer

A

external statement that provides transparency concerning the org’s privacy practices
how it collects, uses, shares, retains and discloses PI based on org’s privacy policy

Question 24

Q

organization can communicate privacy notice to consumer by:

Answer

A

making notice accessible online
making notice accessible in places of business

Question 25

Q

layered privacy notice approach

Answer

A

short notice: top layer that summarizes notice’s scope and basic points about the org’s practice for personal information, collection, choice, use and disclosure
full notice: comprehensive information on disclosure that articulates organization’s privacy notice in its entirety

Question 26

Q

Define:

just-in-time notice

Answer

A

notice at or before point of info collection or before a consumer accepts a service or product

Question 27

Q

Define:

privacy dashboard

Answer

A

offers a summary of privacy-related info in a format that is intended to be easy to access and navigate

Question 28

Q

Define:

double or confirmed opt-in

Answer

A

consumer first indicates interest in a communication list and then confirms that interest in response to the follow-up email

Question 29

Q

no option to opt

Answer

A

when an organization uses or collects the consumer’s data because that org has been given implied authority to share PI
e.g., a consumer who orders her product online expects her PI to be shared with the shipping company, credit card processor, etc.

Question 30

Q

good rule of thumb: channel for marketing should be…

Answer

A

chanel for exercising a user preference

Question 31

Q

privacy risk management

Answer

A

process that identifies and assesses the risk to an org’s information assets and then implements appropriate mitigation strategies to reduce or eliminate those risks
often includes conducting PIAs, vendor/third-party risk aseessments, data breach readiness assessments

Question 32

Q

Define:

organizational code of ethics

Answer

A

helps in assessing benefits and risks of processing personal data
focuses on topics such as how to respect individuals whose PI held by org; downstream uses of personal data; consequences of utilizing analytical tools; whether to collect data that the org does not need; how should the org design practices to ensure transparency, accountability and auditability

Question 33

Q

Define:

privacy risk

Answer

A

likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur

Question 34

Q

Define:

privacy impact assessment

Answer

A

provides analysis of how personal information is handled to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
determine risks and effects of collecting, maintaining and disseminating personal info in identifiable form
examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks

Question 35

Q

Define:

privacy risk assessment

Answer

A

core of PIA
focuses on determining level of privacy risk by looking at the privacy impact and likelihood given the controls

Question 36

Q

precautions to consider in written contract with third-party vendor

Answer

A

confidentiality provision
no further use of shared information
subcontractors should follow privacy and security protection terms in vendor’s K
requirement to notify and to disclose breach
information security provisions
end of relationship → return of data or deletion of data at conclusion of relationship

Question 37

Q

standards for vendor selection

Answer

A

reputation
financial condition and insurance
information security controls to ensure data isn’t lost or stolen (e.g., SOC 2)
secure transfer mechanisms for data
appropriate disposal of information → appropriate destruction of data in any format or media
employee training and user awareness
vendor incident response
org should be able to audit vendor’s activities to ensure compliance with contractual obligations

Question 38

Q

Define:

information security

Answer

A

protection of information for the purpose of preventing loss, unauthorized access, or misuse

Question 39

Q

What are the three key attributes of information security?

Answer

A

confidentiality
integrity
availability

Question 40

Q

Define:

confidentiality

Answer

A

access to data is limited to authorized parties

Question 41

Q

Define:

integrity

Answer

A

assurance that the data is authentic and complete

Question 42

Q

Define:

availability

Answer

A

knowledge that the data is accessible, as needed, by those who are authorized to use it

Question 43

Q

Define:

security controls

Answer

A

mechanisms put in place to prevent, detect or correct a security incident

Question 44

Q

What are the three types of security controls?

Answer

A

physical controls such as locks, security cameras and fences
administrative controls such as incident response procedures and training
technical controls such as firewalls, antivirus software, and access logs

Question 45

Q

Define:

NIST Cybersecurity Framework

Answer

A

voluntary tool for orgs to better manage and reduce cybersecurity risks with following core elements:

identify→ looks at people, systems, data and capabilities to understand what a potential risk could be
protect → focuses on safeguards for risks that an organization wants to mitigate
detect → activities that identify a cybersecurity incident
respond → what activities an org takes when there is an incident
recover → plans to restore business operations from a cybersecurity incident

Question 46

Q

Define:

data breach readiness assessment

(include factors)

Answer

A

examines level of risk of a data breach coupled with the likelihood and severity of a personal data breach by looking at following factors:

types and nature of personal data involved, particularly sensitive personal information
whether appropriate technical safeguards have been applied
whether the data subject will be directly or indirectly affected
possibility that personal data can be maliciously used
possibility of substantial damage on a physical level

Question 47

Q

What are mechanisms for cross-border data flows?

Answer

A

domestic approaches (or unilateral mechanism) → more than ½ of countries with safeguards for cross-border data flows employ pre-authorization safeguards
multilateral arrangements such as OECD Privacy Guidelines; APEC Cross-Border Privacy Rules; Council of Europe Convention 108 and 108+
trade agreements which may contain provisions
standards and technology-driven initiatives such as ISO standards and privacy-enhancing technologies (PETs)

Question 48

Q

When does GDPR apply?

Answer

A

when EU-based establishments process personal data of any subjects and
when establishment based outside of the EU monitors behavior of or targets goods or services to data subjects in the EU

Question 49

Q

Define:

personal data (under GDPR)

Answer

A

any data related to an identified or identifiable natural person (can be identified directly or indirectly)

Question 50

Q

Define:

sensitive personal data (under GDPR)

Answer

A

special category of personal data that gets additional protections under GDPR and requires the business to obtain “explicit consent” from the person to process the data for a specified purpose

Question 51

Q

Examples of sensitive personal data under GDPR?

Answer

A

race or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
health data, sex life
sexual orientation

Question 52

Q

Define:

data subject

under GDPR

Answer

A

any natural person whose data is being collected, stored or processed

Question 53

Q

controller

under GDPR

Answer

A

individual or entity that determines the purposes and the means of the processing of personal data

Question 54

Q

What are obligations of a controller?

Answer

A

implement data protection by default and by design
provide instructions to processors
ensure data security
report data breaches
cooperate with DPAs
appoint a DPO for the business
identify legal basis for processing
maintain data processing records
conduct data protection impact assessments

Question 55

Q

Define

processor

under GDPR

Answer

A

an individual or entity that processes personal data on behalf of the controller

Question 56

Q

What are obligations of a processor?

Answer

A

confidentiality
record of processing activities
data security
data breach reporting
cooperation with DPAs

Question 57

Q

Define

consent

under GDPR

Answer

A

freely given, specific, informed and an unambiguous indication of the data subject’s wishes

Question 58

Q

For consent to processing of data to be informed, it must contain:

under GDPR

Answer

A

controller’s identity
purpose of processing for which consent is sought
types of data that will be collected
information about the right to withdraw consent
information about automated processing
risks of transfers outside the EU

Question 59

Q

Define:

data protection authority

under GDPR

Answer

A

independent public authorities that investigate and enforce data protection laws at a national level

Question 60

Q

Define:

data protection officer

under GDPR

Answer

A

primary point of contact on data protection issues within a business that is based in the EU

Question 61

Q

What are the seven key principles of GDPR?

Answer

A

lawfulness, fairness and transparency
purpose limitation
data minimization
accuracy
storage limitation
integrity and confidentiality
accountability

Question 62

Q

Define:

lawfulness, fairness and transparency

under GDPR

Answer

A

companies should have a legal basis for processing personal data
data subjects should be made aware of the rules and safeguards as well as the risks associated with their data

Question 63

Q

What is considered “transparent” under GDPR?

Answer

A

communications must be concise, easily accessible and written using clear and plain language that is easy to understand

Question 64

Q

Define:

purpose limitation

under GDPR

Answer

A

personal data must be collected for specified, explicit and legitimate purposes
personal data shouldn’t be further processed in a manner that is incompatible with the original purpose for which it was collected

Answer 65

A

processing of personal data must be adequate, relevant and limited to what is necessary considering the purposes of processing
requires deletion or anonymization of personal data that is no longer necessary and any data retention period be limited to a strict minimum

Answer 66

A

personal data must be accurate and, where necessary, kept up to date

Answer 67

A

personal data must be kept for no longer than is necessary for the purposes of processing

Answer 68

A

personal data must be processed in a way that ensures a level of security appropriate to the risk of processing the personal data through appropriate technical and organizational measures

Answer 69

A

controller is responsible for and must be able to demonstrate compliance with the other six principles

Answer 70

A

right to be informed of transparent communication and information
right of access
right to rectification
right to erase / right to be forgotten
right to restriction of processing
right to data portability
right to object
right not to be subject to automated decision-making

Answer 71

A

within one month of request (or, where necessary, within three months) in writing or, if requested, orally

Answer 72

A

privacy notice to provide info

Answer 73

A

right to obtain following from controllers:

confirmation as to whether a controller is processing the data subject’s personal data
a copy of the personal data
other information that should already be provided in a privacy notice

Answer 74

A

when data subjects exercise their right of access

Answer 75

A

allows data subjects to require controllers to confirm the accuracy of their personal data

Answer 76

A

right to have personal data erased in circumstances where:

personal data no longer necessary for purposes collected or otherwise processed
data subject withdraws consent on which the processing is based and there is no other legal ground for processing
data subject objects to processing based on legitimate interests and no overriding legitimate grounds for the processing
personal data was unlawfully processed
personal data has to be erased for compliance with a legal obligation
personal data has been collected to offer info society services to children

Answer 77

A

controller must delete personal data and if has made public data publicly available online, must use reasonable measures to inform other controllers processing the personal data to erase

Answer 78

A

can limit the way their personal data is processed

Answer 79

A

accuracy of personal data is contested and controller is verifying accuracy
processing is unlawful and data subject prefers to have the use of their personal data restricted rather than having it erased
controller no longer needs the personal data but the data subject requires it for the establishment, exercise or defense of legal claims
data subject has objected to processing pursuant to the GDPR and controller is verifying whether its legitimate grounds override those of the data subject

Answer 80

A

data subjects can port data to themselves or to another controller

Answer 81

A

only applies to:
1. personal data provided by data subject
2. where processing based on consent or the performance of a contract
3. when processing carried out by automated means

Answer 82

A

data subjects can require controllers to stop processing their personal data

Answer 83

A

if controller is processing their personal data for:

direct marketing purposes
on legal basis of legitimate interests
on legal basis of task carried out in public interest
on legal basis of exercise of official authority

Answer 84

A

general prohibition on fully automated decision-making, including profiling, that has a legal or similarly significant effect

Answer 85

A

when:
1. necessary for performance of a K between data subject and controller
2. authorized by law or
3. based on data subject’s explicit consent

Answer 86

A

breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted stored or otherwise processed

Answer 87

A

to relevant DPA within 72 hours of becoming aware where feasible UNLESS unlikely to result in risk to individuals’ rights and freedoms

Answer 88

A

have reasonably degree of certainty that a security incident has compromised personal data

Answer 89

A

if data breach occurs that is likely to result in high risk to individuals’ rights and freedoms, then without undue delay

Answer 90

A

notice must be in clear and plain language and must include name and contact of the DPO, likely consequences of the data breach, and any measures taken by controller to mitigate the risk

Answer 91

A

initiate administrative complaint
go to national court (if unsatisfied with decision of DPA or DPA doesn’t inform give update on complaint within three months)
seek judicial remedy

Answer 92

A

can be initiated by data subject or by DPA

Answer 93

A

assessment to determine lead DPA (if more than one DPA has complaint)
assess to determine whether to impose adminisrtative fine

Answer 94

A

each is liable for entire damage if both involved in same processing and once data subjects compensated, then they can get comp from each other

Answer 95

A

greater of 20 mil Euros or 4% of global annual revenues

Answer 96

A

greater of 10 mil Euros or 2% of global annual revenues

Answer 97

A

infringements related to basic principles of processing, rights of data subject and transfers of personal data to a recipient outside EU

Answer 98

A

EU and Norway, Liechtenstein and Iceland

Answer 99

A

prohibited unless can rely upon adequacy decision, appropriate safeguard or a derogation

Answer 100

A

data transfer to a country that has adopted protections that the EU law deems “adequate” (essentially equivalent to those found in the GDPR)

Answer 101

A

legally binding and enforceable instrument between public authorities or bodies
binding corporate rules
standard contractual clauses
standard data protection clauses adopted by European Commission
standard data protection clauses adopted by a DPA and approved by European Commission
approved code of conduct, together with binding and enforceable commitments of the non-EEA controller or processor
approved certification mechanism together with binding and enforceable commitments of non-EEA controller or processor
contractual clauses authorized by DPA or of the controller/processor transferring the data outside the EEA
administrative arrangements between public authorities authorized by the DPA in the country from which the transfer is made

Answer 102

A

provide that a multinational company can transfer data between countries, including among affiliated entities, after certification of its practices by a DPA

Answer 103

A

company contractually promises to comply with EU law and to submit to supervision of a DPA

Answer 104

A

allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for one of following:

performance of K between data subject and controller and transfer is occasional
performance or conclusion of a K concluded in interest of data subject between controller and 3P and transfer is occasional
important reasons of public interest
establishment, exercise or defense of legal claims and the transfer is occasional
protection of vital interests of an individual incapable of giving consent

Answer 105

A

transfer can take place if necessary for purposes of compelling legitimate interest and meets all of specified requirements under the GDPR

Answer 106

A

Safe Harbor program under EU Data Protection Directive until 2015
Schrems I case (2015)
Privacy Shield (2016)
Schrems II case (2020)
Data Privacy Framework finalized in July 2023

Answer 107

A

CJEU struck down Safe Harbor program

Answer 108

A

CJEU struck down Privacy Shield and raised concerns about perceived lack of legal protection from U.S. government surveillance for EU data being transferred to Facebook

Answer 109

A

U.S. agreed to ensure that surveillance activities would comply with the “necessity and proportionality” standard and to establish an independent data protection review court to provide European citizens the ability to complain when they believe their personal data has been collected inappropriately by U.S. intelligence agencies/U.S. designed EU and member states as qualifying states

Answer 110

A

APEC issued declaration concerning an international approach to allow trade between participating countries while providing assurances how data will be handled
Global Cross-Border Privacy Rules Forum: establishment of international certification system based on existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems announced in 2022
OECD adopted a declaration on common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies

Brainscape's Knowledge GenomeTM

Information Management from a U.S. Perspective Flashcards

18-22 questions

Brainscape's Knowledge Genome^TM