Information Management from a U.S. Perspective Flashcards
18-22 questions
Define:
information management
establishing, implementing and monitoring the organization’s privacy program under the direction of a senior person in the organization
duties of a chief privacy officer
developing and implementing policies related to data processing and the proper handling of personal information
duties of a data protection officer
- ensures the organization’s processing and handling of personal information complies with legal privacy requirements
- must act independently: may not hold a role in which they determine the purposes and means of processing (a conflict of interest), and may not be penalized for performing DPO tasks
duties of a privacy engineer
works to ensure that compliance with legal requirements has occurred through the technical processes of the organization
duties of a privacy manager
responsible for development, maintenance and enforcement of privacy policies and procedures within an organization
duties of a privacy analyst
manages legal and operational risks related to personal information held by the organization
what are the stages of a data life cycle?
- data creation
- data storage
- data sharing and usage
- data archival
- data deletion
Define:
data inventory
an inventory of the PI the organization collects, stores, uses or discloses, both within the organization and to outside entities
Define:
data classification
- classify data according to its level of sensitivity
- defines clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data
Define:
data flow mapping
examine and document data flows
top-down vs. bottom-up data flow mapping
- top-down: starts with the record of processing activities (RoPA), which GDPR (Art. 30) requires of most controllers and processors
- RoPA process involves documenting the purpose for processing the PI; parties to whom any PI was disclosed; retention period for PI; and details about the safeguards in place for PI
- bottom-up: understanding data assets; data inventory and classification; delineating data processes (RoPA); documenting data lineage
privacy program should…
- demonstrate effective and auditable framework to enable compliance with applicable privacy laws and regulations
- promote trust and confidence in the organization’s handling of personal data
- respond effectively to requests by consumers
- address privacy and security breaches
- continually monitor and improve the maturity of the privacy program
privacy mission statement
describes core function of privacy within the org
How to ensure appropriate metrics for privacy program framework?
- identifying intended audience for metrics
- defining reporting sources
- defining privacy metrics for oversight and governance
- identifying systems/application collection points
What are the four stages of the privacy operational life cycle?
- assess
- protect
- sustain
- respond
assess
- document baseline of privacy program
- evaluate processors and third parties
- identify operational risks
- document the assessment
protect
- review access controls and technical controls
- review incident response plan
- integrate privacy requirements into functional areas of the organization
sustain
- monitor and audit compliance with privacy policies
- monitor regulatory changes
- hold employee, management and contractor trainings
respond
- consumer requests
- address privacy incidents
Define:
privacy policy
high-level document that helps an organization meet policy goals contained within an org’s privacy vision or mission statement
typical components of a privacy policy
- purpose
- scope
- applicability
- roles and responsibilities
- compliance
- penalties and sanctions for noncompliance
revision to privacy policy
- according to the FTC, companies should obtain express affirmative consent before making material retroactive changes to privacy representations
- a material change at a minimum includes sharing consumer information with third parties after having committed, at the time of collection, not to share the data
Define:
privacy notice
- external statement that provides transparency concerning the org’s privacy practices
- how it collects, uses, shares, retains and discloses PI based on org’s privacy policy
organization can communicate privacy notice to consumer by:
- making notice accessible online
- making notice accessible in places of business
layered privacy notice approach
- short notice: top layer that summarizes the notice’s scope and the basic points about the org’s practices for personal information: collection, choice, use and disclosure
- full notice: comprehensive information on disclosure that articulates organization’s privacy notice in its entirety
Define:
just-in-time notice
notice at or before point of info collection or before a consumer accepts a service or product
Define:
privacy dashboard
offers a summary of privacy-related info in a format that is intended to be easy to access and navigate
Define:
double or confirmed opt-in
consumer first indicates interest in a communication list and then confirms that interest in response to the follow-up email
no option to opt
- when an organization uses or collects the consumer’s data because that org has been given implied authority to share PI
- e.g., a consumer who orders a product online expects her PI to be shared with the shipping company, the credit card processor, etc.
good rule of thumb: the channel used for marketing should be…
a channel for exercising a user preference (e.g., marketing sent by email should be cancellable by email, not only by phone or postal mail)
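Worked example (added here; not part of the original flashcards): the two-step double opt-in flow from the card above, together with the rule of thumb that the marketing channel must also carry the preference mechanism, implemented as signed, expiring confirmation links and signed unsubscribe links. The secret key, the 48-hour validity window, the in-memory store, the example.invalid URL and the sample addresses are constructed assumptions for the demo, not anything the page describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumption: one server-side secret (constructed for this demo). A real deployment
# keeps it in a secrets manager and rotates it.
SECRET_KEY = b"constructed-demo-secret-do-not-use-in-production"
CONFIRM_TTL = 48 * 3600   # assumed policy: confirmation links expire after 48 hours


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(action: str, email: str, list_id: str, issued_at: int,
               nonce: Optional[str] = None) -> str:
    """Token carried in a confirm/unsubscribe link: fields|HMAC.
    Binding action, address and list into the signed payload means a token issued
    for one address or list cannot be reused for another."""
    nonce = nonce or secrets.token_hex(8)
    payload = "|".join([action, email.lower(), list_id, str(issued_at), nonce])
    return payload + "|" + _sign(payload)


def parse_token(token: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Return (action, email, list_id, issued_at, nonce) if the HMAC verifies, else None."""
    try:
        payload, tag = token.rsplit("|", 1)
        action, email, list_id, issued_at, nonce = payload.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _sign(payload)):
        return None
    return action, email, list_id, int(issued_at), nonce


@dataclass
class MailingList:
    list_id: str
    pending: Dict[str, str] = field(default_factory=dict)   # email -> outstanding token
    subscribed: Set[str] = field(default_factory=set)
    used_nonces: Set[str] = field(default_factory=set)

    # Step 1: the consumer indicates interest. Nothing is sent to the list yet.
    def request(self, email: str, now: int) -> str:
        token = make_token("confirm", email, self.list_id, now)
        self.pending[email.lower()] = token
        return token   # in production this is delivered only inside the follow-up email

    # Step 2: the consumer clicks the link in the follow-up email.
    def confirm(self, token: str, now: int) -> str:
        parsed = parse_token(token)
        if parsed is None:
            return "rejected: bad signature"
        action, email, list_id, issued_at, nonce = parsed
        if action != "confirm" or list_id != self.list_id:
            return "rejected: wrong action or list"
        if now - issued_at > CONFIRM_TTL:
            return "rejected: expired"
        # single use, and only for a request that is actually outstanding
        if nonce in self.used_nonces or self.pending.get(email) != token:
            return "rejected: replayed or not outstanding"
        self.used_nonces.add(nonce)
        del self.pending[email]
        self.subscribed.add(email)
        return "confirmed"

    # Preference channel = marketing channel: every message carries a signed
    # unsubscribe link. It deliberately has no expiry, so links in old mail keep working.
    def unsubscribe_link(self, email: str, now: int) -> str:
        return "https://example.invalid/unsub?t=" + make_token("unsub", email, self.list_id, now)

    def unsubscribe(self, token: str) -> str:
        parsed = parse_token(token)
        if parsed is None:
            return "rejected: bad signature"
        action, email, list_id, _, _ = parsed
        if action != "unsub" or list_id != self.list_id:
            return "rejected: wrong action or list"
        self.subscribed.discard(email)
        self.pending.pop(email, None)
        return "unsubscribed"


def demo() -> list:
    """Constructed scenario: a genuine confirmation, a forged one, a replay, an expired one,
    and an unsubscribe through the same channel."""
    ml = MailingList("newsletter")
    t0 = 1_700_000_000
    results = []
    tok = ml.request("Alice@Example.com", t0)
    forged = tok[:-1] + ("0" if tok[-1] != "0" else "1")   # someone else guessing the link
    results.append(ml.confirm(forged, t0 + 60))
    results.append(ml.confirm(tok, t0 + 60))                 # Alice clicks the real link
    results.append(ml.confirm(tok, t0 + 120))                # the same link clicked again
    late = ml.request("bob@example.com", t0)
    results.append(ml.confirm(late, t0 + CONFIRM_TTL + 1))   # Bob waits too long
    unsub_token = ml.unsubscribe_link("alice@example.com", t0).split("t=", 1)[1]
    results.append(ml.unsubscribe(unsub_token))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the HMAC is that the confirmation link is the consent record: because it is bound to the address, the list and a fresh nonce, a third party cannot subscribe someone else's address, a confirmation for one list cannot be replayed against another, and a clicked link cannot be reused after the request has been cleared.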
privacy risk management
- process that identifies and assesses the risk to an org’s information assets and then implements appropriate mitigation strategies to reduce or eliminate those risks
- often includes conducting PIAs, vendor/third-party risk assessments and data breach readiness assessments
Define:
organizational code of ethics
- helps in assessing benefits and risks of processing personal data
- focuses on topics such as how to respect the individuals whose PI the org holds; downstream uses of personal data; the consequences of using analytical tools; whether to collect data the org does not need; and how the org should design its practices to ensure transparency, accountability and auditability
Define:
privacy risk
likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur
Define:
privacy impact assessment
- provides analysis of how personal information is handled to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
- determine risks and effects of collecting, maintaining and disseminating personal info in identifiable form
- examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks
Define:
privacy risk assessment
- core of PIA
- focuses on determining level of privacy risk by looking at the privacy impact and likelihood given the controls
precautions to consider in written contract with third-party vendor
- confidentiality provision
- no further use of shared information
- subcontractors must follow the privacy and security protection terms in the vendor’s contract
- requirement to notify and to disclose breach
- information security provisions
- end of relationship → return of data or deletion of data at conclusion of relationship
standards for vendor selection
- reputation
- financial condition and insurance
- information security controls to ensure data isn’t lost or stolen (e.g., SOC 2)
- secure transfer mechanisms for data
- appropriate disposal of information → appropriate destruction of data in any format or media
- employee training and user awareness
- vendor incident response
- org should be able to audit vendor’s activities to ensure compliance with contractual obligations
Define:
information security
protection of information for the purpose of preventing loss, unauthorized access, or misuse
What are the three key attributes of information security?
- confidentiality
- integrity
- availability
Define:
confidentiality
access to data is limited to authorized parties
Define:
integrity
assurance that the data is authentic and complete and has not been altered without authorization
Define:
availability
knowledge that the data is accessible, as needed, by those who are authorized to use it
Define:
security controls
mechanisms put in place to prevent, detect or correct a security incident
What are the three types of security controls?
- physical controls such as locks, security cameras and fences
- administrative controls such as incident response procedures and training
- technical controls such as firewalls, antivirus software, and access logs
Define:
NIST Cybersecurity Framework
voluntary tool for orgs to better manage and reduce cybersecurity risks, with the following core functions (CSF 2.0, published in 2024, adds a sixth function, govern, covering strategy, roles and risk-management policy):
- identify→ looks at people, systems, data and capabilities to understand what a potential risk could be
- protect → focuses on safeguards for risks that an organization wants to mitigate
- detect → activities that identify a cybersecurity incident
- respond → what activities an org takes when there is an incident
- recover → plans to restore business operations from a cybersecurity incident
Define:
data breach readiness assessment
(include factors)
examines level of risk of a data breach coupled with the likelihood and severity of a personal data breach by looking at following factors:
- types and nature of personal data involved, particularly sensitive personal information
- whether appropriate technical safeguards have been applied
- whether the data subject will be directly or indirectly affected
- possibility that personal data can be maliciously used
- possibility of substantial damage on a physical level
What are mechanisms for cross-border data flows?
- domestic approaches (or unilateral mechanism) → more than ½ of countries with safeguards for cross-border data flows employ pre-authorization safeguards
- multilateral arrangements such as OECD Privacy Guidelines; APEC Cross-Border Privacy Rules; Council of Europe Convention 108 and 108+
- trade agreements which may contain provisions
- standards and technology-driven initiatives such as ISO standards and privacy-enhancing technologies (PETs)
When does GDPR apply?
- when personal data is processed in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU, and
- when an establishment outside the EU offers goods or services to data subjects in the EU or monitors their behavior within the EU
Define:
personal data (under GDPR)
any data related to an identified or identifiable natural person (can be identified directly or indirectly)
Define:
sensitive personal data (under GDPR)
special categories of personal data that get additional protection under GDPR: processing is prohibited unless an Art. 9 exception applies, the most common being the data subject’s “explicit consent” to processing for one or more specified purposes
Examples of sensitive personal data under GDPR?
- race or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data, sex life
- sexual orientation
Define:
data subject
under GDPR
any natural person whose data is being collected, stored or processed
controller
under GDPR
individual or entity that determines the purposes and the means of the processing of personal data
What are obligations of a controller?
- implement data protection by default and by design
- provide instructions to processors
- ensure data security
- report data breaches
- cooperate with DPAs
- appoint a DPO where required (public authorities; core activities involving large-scale regular and systematic monitoring or large-scale processing of special category data)
- identify legal basis for processing
- maintain data processing records
- conduct data protection impact assessments
Define
processor
under GDPR
an individual or entity that processes personal data on behalf of the controller
What are obligations of a processor?
- confidentiality
- record of processing activities
- data security
- data breach reporting
- cooperation with DPAs
Define
consent
under GDPR
freely given, specific, informed and an unambiguous indication of the data subject’s wishes
For consent to processing of data to be informed, it must contain:
under GDPR
- controller’s identity
- purpose of processing for which consent is sought
- types of data that will be collected
- information about the right to withdraw consent
- information about automated processing
- risks of transfers outside the EU
Define:
data protection authority
under GDPR
independent public authorities that investigate and enforce data protection laws at a national level
Define:
data protection officer
under GDPR
primary point of contact for data subjects and the DPA on data protection issues within a controller or processor subject to GDPR (required for public authorities and where core activities involve large-scale regular and systematic monitoring or large-scale processing of special category data)
What are the seven key principles of GDPR?
- lawfulness, fairness and transparency
- purpose limitation
- data minimization
- accuracy
- storage limitation
- integrity and confidentiality
- accountability
Define:
lawfulness, fairness and transparency
under GDPR
- companies should have a legal basis for processing personal data
- data subjects should be made aware of the rules and safeguards as well as the risks associated with their data
What is considered “transparent” under GDPR?
communications must be concise, easily accessible and written using clear and plain language that is easy to understand
Define:
purpose limitation
under GDPR
- personal data must be collected for specified, explicit and legitimate purposes
- personal data shouldn’t be further processed in a manner that is incompatible with the original purpose for which it was collected
Define:
data minimization
under GDPR
- processing of personal data must be adequate, relevant and limited to what is necessary considering the purposes of processing
- requires deletion or anonymization of personal data that is no longer necessary and any data retention period be limited to a strict minimum
Define:
accuracy
under GDPR
personal data must be accurate and, where necessary, kept up to date
Define:
storage limitation
under GDPR
personal data must be kept for no longer than is necessary for the purposes of processing
Define:
integrity and confidentiality
under GDPR
personal data must be processed in a way that ensures a level of security appropriate to the risk of processing the personal data through appropriate technical and organizational measures
Define:
accountability
under GDPR
controller is responsible for and must be able to demonstrate compliance with the other six principles
What are the eight primary data subject rights?
under GDPR
- right to be informed (transparent communication and information)
- right of access
- right to rectification
- right to erase / right to be forgotten
- right to restriction of processing
- right to data portability
- right to object
- right not to be subject to automated decision-making
How soon must controllers respond to rights requests?
under GDPR
within one month of the request, extendable by two further months where necessary (three months in total); in writing or, if the data subject requests it, orally
Define:
right to be informed (transparent communication and information)
under GDPR
privacy notice to provide info
Define:
right of access
under GDPR
right to obtain following from controllers:
- confirmation as to whether a controller is processing the data subject’s personal data
- a copy of the personal data
- other information that should already be provided in a privacy notice
Define:
subject access request
under GDPR
when data subjects exercise their right of access
Define:
right to rectification
under GDPR
allows data subjects to require controllers to correct inaccurate personal data and to complete incomplete personal data
Define:
right to erase (“right to be forgotten”)
under GDPR
right to have personal data erased in circumstances where:
- personal data no longer necessary for purposes collected or otherwise processed
- data subject withdraws consent on which the processing is based and there is no other legal ground for processing
- data subject objects to processing based on legitimate interests and no overriding legitimate grounds for the processing
- personal data was unlawfully processed
- personal data has to be erased for compliance with a legal obligation
- personal data was collected in relation to the offer of information society services to a child
What does a controller do if a data subject requests their personal data to be deleted?
under GDPR
controller must erase the personal data unless an exception applies (e.g., freedom of expression, a legal obligation, legal claims) and, if it has made the data publicly available online, must take reasonable steps to inform other controllers processing the data that erasure has been requested
Define:
right to restriction of processing
under GDPR
can limit the way their personal data is processed
When does the right to restriction of processing apply?
- accuracy of personal data is contested and controller is verifying accuracy
- processing is unlawful and data subject prefers to have the use of their personal data restricted rather than having it erased
- controller no longer needs the personal data but the data subject requires it for the establishment, exercise or defense of legal claims
- data subject has objected to processing pursuant to the GDPR and controller is verifying whether its legitimate grounds override those of the data subject
Define:
right to data portability
under GDPR
data subjects can receive their personal data in a structured, commonly used and machine-readable format and transmit it (or have it transmitted directly) to another controller
When does the right to data portability apply?
under GDPR
only applies to:
1. personal data provided by data subject
2. where processing based on consent or the performance of a contract
3. when processing carried out by automated means
Define:
right to object
under GDPR
data subjects can require controllers to stop processing their personal data; for direct marketing the controller must stop unconditionally, otherwise it must stop unless it demonstrates compelling legitimate grounds that override the data subject’s interests
When can a data subject exercise their right to object?
under GDPR
if controller is processing their personal data for:
- direct marketing purposes
- on legal basis of legitimate interests
- on legal basis of task carried out in public interest
- on legal basis of exercise of official authority
Define:
right not to be subject to automated decision-making
under GDPR
general prohibition on fully automated decision-making, including profiling, that has a legal or similarly significant effect
When can a controller carry out automated decision-making based on processing of personal data?
when:
1. necessary for the performance of a contract between the data subject and the controller
2. authorized by law or
3. based on data subject’s explicit consent
Define:
data breach
under GDPR
breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
When does a controller have to report a data breach to a DPA?
under GDPR
to the relevant DPA without undue delay and, where feasible, within 72 hours of becoming aware, UNLESS the breach is unlikely to result in a risk to individuals’ rights and freedoms (a later notification must give the reasons for the delay)
Define
aware
under GDPR related to breach
having a reasonable degree of certainty that a security incident has compromised personal data
When does a controller have to report a data breach to data subjects?
under GDPR
if data breach occurs that is likely to result in high risk to individuals’ rights and freedoms, then without undue delay
What should be contained in the controller’s notice to data subjects of a data breach?
under GDPR
notice must describe the nature of the breach in clear and plain language and must include the name and contact details of the DPO (or other contact point), the likely consequences of the breach, and the measures taken or proposed by the controller to address it and mitigate the risk
How can a data subject take action?
under GDPR
- initiate administrative complaint
- go to a national court against the DPA (if unsatisfied with the DPA’s decision, or if the DPA does not handle the complaint or inform the data subject of its progress or outcome within three months)
- seek judicial remedy
How is the complaint process initiated?
under GDPR
can be initiated by data subject or by DPA
What does a DPA do with a complaint?
under GDPR
- assessment to determine lead DPA (if more than one DPA has complaint)
- assess whether to impose an administrative fine
liability of processor vs. controller
under GDPR
where both are involved in the same processing, each is liable for the entire damage so that the data subject is fully compensated; the one that pays may then claim back from the other the part corresponding to that party’s responsibility (a processor is liable only where it breached processor-specific obligations or acted outside the controller’s lawful instructions)
higher-level fines
under GDPR
the greater of €20 million or 4% of total worldwide annual turnover for the preceding financial year
lower-level fines
under GDPR
the greater of €10 million or 2% of total worldwide annual turnover for the preceding financial year
What do higher-level fines cover?
under GDPR
infringements related to basic principles of processing, rights of data subject and transfers of personal data to a recipient outside EU
Define:
European Economic Area
EU and Norway, Liechtenstein and Iceland
What is required for data transfers from the EEA to non-EEA countries?
prohibited unless the exporter can rely on an adequacy decision, an appropriate safeguard or a derogation
Define:
adequate transfer
international data transfers
data transfer to a country that has adopted protections that the EU law deems “adequate” (essentially equivalent to those found in the GDPR)
Define:
appropriate safeguard
international data transfers
- legally binding and enforceable instrument between public authorities or bodies
- binding corporate rules
- standard contractual clauses (SCCs): standard data protection clauses adopted by the European Commission, or adopted by a DPA and approved by the European Commission
- approved code of conduct, together with binding and enforceable commitments of the non-EEA controller or processor
- approved certification mechanism, together with binding and enforceable commitments of the non-EEA controller or processor
- ad hoc contractual clauses between the exporting controller/processor and the non-EEA recipient, authorized by the competent DPA
- administrative arrangements between public authorities, authorized by the competent DPA
Define:
binding corporate rules
international data transfers
allow a multinational group to transfer personal data between its affiliated entities across borders once the rules have been approved by the competent DPA
Define:
standard contractual clause
international data transfers
the non-EEA recipient contractually commits to GDPR-level protections for the transferred data and to submit to the supervision of a DPA (after Schrems II, the exporter must also assess whether the destination country’s law undermines those commitments and add supplementary measures where needed)
define
derogations
international data transfers
allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for one of following:
- performance of a contract between the data subject and the controller, and the transfer is occasional
- performance or conclusion of a contract concluded in the interest of the data subject between the controller and a third party, and the transfer is occasional
- important reasons of public interest
- establishment, exercise or defense of legal claims and the transfer is occasional
- protection of vital interests of an individual incapable of giving consent
Define:
last-resort derogation
international data transfers
transfer can take place if necessary for purposes of compelling legitimate interest and meets all of specified requirements under the GDPR
history of data transfers from EU to U.S.
- Safe Harbor program under EU Data Protection Directive until 2015
- Schrems I case (2015)
- Privacy Shield (2016)
- Schrems II case (2020)
- Data Privacy Framework finalized in July 2023
Schrems I case (2015)
CJEU struck down Safe Harbor program
Schrems II case (2020)
CJEU struck down Privacy Shield over the lack of legal protection for EU data against U.S. government surveillance (the case concerned transfers to Facebook); SCCs survived, but only with a case-by-case assessment of the destination country’s law and supplementary measures where needed
key points of EU-U.S. Data Privacy Framework
the U.S. agreed to ensure that signals intelligence activities comply with a “necessity and proportionality” standard and established an independent Data Protection Review Court so that EU individuals can complain when they believe their personal data was collected improperly by U.S. intelligence agencies; the U.S. designated the EU and its member states as qualifying states for that redress mechanism
recent developments in global data flows
- APEC issued declaration concerning an international approach to allow trade between participating countries while providing assurances how data will be handled
- Global Cross-Border Privacy Rules Forum: establishment of international certification system based on existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems announced in 2022
- OECD adopted a declaration on common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies