Information Management from a U.S. Perspective Flashcards

Question 1

Q

Define:

information management

Answer

A

establishing, implementing and monitoring the organization’s privacy program under the direction of a senior person in the organization

Question 2

Q

duties of a chief private officer

Answer

A

developing and implementing policies related to data processing and properly handling of personal information

Question 3

Q

duties of a data protection officer

Answer

A

ensures organization’s processing and handling of personal info is in compliance with legal privacy requirements
cannot be directly involved with decision-making regarding data processing activities

Question 4

Q

duties of a privacy engineer

Answer

A

works to ensure that compliance with legal requirements has occurred through the technical processes of the organization

Question 5

Q

duties of a privacy manager

Answer

A

responsible for development, maintenance and enforcement of privacy policies and procedures within an organization

Question 6

Q

duties of a privacy analyst

Answer

A

manages legal and operational risks related to personal information held by the organization

Question 7

Q

what are the stages of a data life cycle?

Answer

A

data creation
data storage
data sharing and usage
data archival
data deletion

Question 8

Q

Define:

data inventory

Answer

A

undertake an inventory of the PI it collects, stores, uses or discloses within the organization and to outside entities

Question 9

Q

Define:

data classification

Answer

A

classify data according to its level of sensitivity
defines clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data

Question 10

Q

Define:

data flow mapping

Answer

A

examine and document data flows

Question 11

Q

top-down vs. bottom-up data flow mapping

Answer

A

top-down: starts with record of processing activities (RoPA) which is required under GDPR
RoPA process involves documenting the purpose for processing the PI; parties to whom any PI was disclosed; retention period for PI; and details about the safeguards in place for PI
bottom-up: understanding data assets; data inventory and classification; delineating data processes (RoPA); documenting data lineage

Question 12

Q

privacy program should…

Answer

A

demonstrate effective and auditable framework to enable compliance with applicable privacy laws and regulations
promote trust and confidence in the organization’s handling of personal data
respond effectively to requests by consumers
address privacy and security breaches
continually monitor and improve the maturity of the privacy program

Question 13

Q

privacy mission statement

Answer

A

describes core function of privacy within the org

Question 14

Q

How to ensure appropriate metrics for privacy program framework?

Answer

A

identifying intended audience for metrics
defining reporting sources
defining privacy metrics for oversight and governance
identifying systems/application collection points

Question 15

Q

What are the four stages of privacy operatonal life cycle?

Answer

A

assess
protect
sustain
respond

Question 16

Q

assess

Answer

A

document baseline of privacy program
evaluate processors and third parties
identify operational risks
document the assessment

Question 17

Q

protect

Answer

A

review access controls and technical controls
review incident response plan
integrate privacy requirements into functional areas of the organization

Question 18

Q

sustain

Answer

A

monitor compliance with privacy policies
monitor regulatory changes
audit compliance with privacy policies and standards
hold employee, management and contractor trainings

Question 19

Q

respond

Answer

A

consumer requests
address privacy incidents

Question 20

Q

Define:

privacy policy

Answer

A

high-level document that helps an organization meet policy goals contained within an org’s privacy vision or mission statement

Question 21

Q

typical components of a privacy policy

Answer

A

purpose
scope
appliability
roles and responsibilities
compliance
penalties and sanctions for noncompliance

Question 22

Q

revision to privacy policy

Answer

A

according to FTC, companies obtain express affirmative consent before making material retroactive changes to privacy representations
material change at a minimum includes sharing consumer information with 3Ps after committing at the time of collection not to share the data

Question 23

Q

Define:

privacy notice

Answer

A

external statement that provides transparency concerning the org’s privacy practices
how it collects, uses, shares, retains and discloses PI based on org’s privacy policy

Question 24

Q

organization can communicate privacy notice to consumer by:

Answer

A

making notice accessible online
making notice accessible in places of business

Question 25

Q

GLBA requirement for privacy notice

Answer

A

financial institutions must provide customers with privacy notice annually with clear notice of customer’s right to opt out

Question 26

Q

layered privacy notice approach

Answer

A

short notice: top layer that summarizes notice’s scope and basic points about the org’s practice for personal information, collection, choice, use and disclosure
full notice: comprehensive information on disclosure that articulates organization’s privacy notice in its entirety

Question 27

Q

Define:

just-in-time notice

Answer

A

notice at or before point of info collection or before a consumer accepts a service or product

Question 28

Q

Define:

privacy dashboard

Answer

A

offers a summary of privacy-related info in a format that is intended to be easy to access and navigate

Question 29

Q

Define:

opt-in

Answer

A

express or affirmative consent before data is used or collected

Question 30

Q

examples of opt-in under U.S. law

Answer

A

Children’s Online Privacy Protection Act (COPPA) requires express consent from a parent before a child’s PI is collected
HIPAA requires opt-in consent before protected health information (PHI) is disclosed to 3Ps, subject to important exceptions
Fair Credit Reporting Act (FCRA) requires opt-in before a consumer’s credit report may be provided to an employer, lender or other authorized recipient
FTC believes opt-in consent should occur before PI collected under one privacy notice is processed under a materially changed privacy notice

Question 31

Q

Define:

double or confirmed opt-in

Answer

A

consumer first indicates interest in a communication list and then confirms that interest in response to the follow-up email

Question 32

Q

opt-out / consumer choice

Answer

A

gives consumer the choice to opt out

Question 33

Q

examples of opt-out under U.S. law

Answer

A

GLBA requires an individual have opportunity to opt out before financial institution transfers customer’s PI to unaffiliated third party for latter’s own use
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) requires email marketers to provide consumers with a means to opt out of unwanted communications
Do Not Call rules provide opportunity to opt out of telemarketing phone calls

Question 34

Q

no option to opt

Answer

A

when an organization uses or collects the consumer’s data because that org has been given implied authority to share PI
e.g., a consumer who orders her product online expects her PI to be shared with the shipping company, credit card processor, etc.

Question 35

Q

good rule of thumb: channel for marketing should be…

Answer

A

chanel for exercising a user preference

Question 36

Q

privacy risk management

Answer

A

process that identifies and assesses the risk to an org’s information assets and then implements appropriate mitigation strategies to reduce or eliminate those risks
often includes conducting PIAs, vendor/third-party risk aseessments, data breach readiness assessments

Question 37

Q

Define:

organizational code of ethics

Answer

A

helps in assessing benefits and risks of processing personal data
focuses on topics such as how to respect individuals whose PI held by org; downstream uses of personal data; consequences of utilizing analytical tools; whether to collect data that the org does not need; how should the org design practices to ensure transparency, accountability and auditability

Question 38

Q

Define:

privacy risk

Answer

A

likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur

Question 39

Q

Define:

privacy impact assessment

Answer

A

provides analysis of how personal information is handled to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
determine risks and effects of collecting, maintaining and disseminating personal info in identifiable form
examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks

Question 40

Q

Define:

privacy risk assessment

Answer

A

core of PIA
focuses on determining level of privacy risk by looking at the privacy impact and likelihood given the controls

Question 41

Q

precautions to consider in written contract with third-party vendor

Answer

A

confidentiality provision
no further use of shared information
subcontractors should follow privacy and security protection terms in vendor’s K
requirement to notify and to disclose breach
information security provisions
end of relationship → return of data or deletion of data at conclusion of relationship

Question 42

Q

standards for vendor selection

Answer

A

reputation
financial condition and insurance
information security controls to ensure data isn’t lost or stolen (e.g., SOC 2)
point of transfer → need secure transfer mechanisms for data
disposal of information → appropriate destruction of data in any format or media
employee training and user awareness
vendor incident response
audit rights → org should be able to monitor vendor’s activities to ensure compliance with contractual obligations

Question 43

Q

Define:

information security

Answer

A

protection of information for the purpose of preventing loss, unauthorized access, or misuse

Question 44

Q

What are the three key attributes of information security?

Answer

A

confidentiality
integrity
availability

Question 45

Q

Define:

confidentiality

Answer

A

access to data is limited to authorized parties

Question 46

Q

Define:

integrity

Answer

A

assurance that the data is authentic and complete

Question 47

Q

Define:

availability

Answer

A

knowledge that the data is accessible, as needed, by those who are authorized to use it

Question 48

Q

Define:

security controls

Answer

A

mechanisms put in place to prevent, detect or correct a security incident

Question 49

Q

What are the three types of security controls?

Answer

A

physical controls such as locks, security cameras and fences
administrative controls such as incident response procedures and training
technical controls such as firewalls, antivirus software, and access logs

Question 50

Q

Define:

NIST Cybersecurity Framework

Answer

A

voluntary tool for orgs to better manage and reduce cybersecurity risks with following core elements:
* **identify **→ looks at people, systems, data and capabilities to understand what a potential risk could be
* protect → focuses on safeguards for risks that an organization wants to mitigate
* detect → activities that identify a cybersecurity incident
* respond → what activities an org takes when there is an incident
* recover → plans to restore business operations from a cybersecurity incident

Question 51

Q

Define:

data breach readiness assessment

Answer

A

examines level of risk of a data breach coupled with the likelihood and severity of a personal data breach by looking at following factors:
* types and nature of personal data involved, particularly sensitive personal information
* whether appropriate technical safeguards have been applied
* whether the data subject will be directly or indirectly affected
* possibility that personal data can be maliciously used
* possibility of substantial damage on a physical level

Question 52

Q

What are mechanisms for cross-border data flows?

Answer

A

domestic approaches (or unilateral mechanism) → more than ½ of countries with safeguards for cross-border data flows employ pre-authorization safeguards
multilateral arrangements such as OECD Privacy Guidelines; APEC Cross-Border Privacy Rules; COuncil of Europe Convention 108 and 108+
trade agreements which may contain provisions
standards and technology-driven initiatives such as ISO standards and privacy-enhancing technologies (PETs)

Question 53

Q

What are the six key provisions in the GDPR?

Answer

A

requirements for processing data
individual rights
notification of security breaches
designation of data protection officers
sanctions of up to four percent of worldwide revenues
rules for international transfers

Question 54

Q

When does GDPR apply?

Answer

A

when EU-based establishments process personal data of any subjects and
when establishment based outside of the EU monitors behavior of or target goods or services to data subjects in the EU

Question 55

Q

Define:

personal data (under GDPR)

Answer

A

any data related to an identified or identifiable natural person (can be identified directly or indirectly)

Question 56

Q

Define:

sensitive personal data (under GDPR)

Answer

A

special category of personal data that gets additional protections under GDPR and requires the business to obtain “explicit consent” from the person to process the data for a specified purpose

Question 57

Q

Examples of sensitive personal data under GDPR?

Answer

A

race or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
health data, sex life
sexual orientation

Question 58

Q

Define:

data subject

under GDPR

Answer

A

any natural person whose data is being collected, stored or processed

Question 59

Q

controller

under GDPR

Answer

A

individual or entity that determines the purposes and the means of the processing of personal data

Question 60

Q

What are obligations of a controller?

Answer

A

implement data protection by default and by design
provide instructions to processors
ensure data security
report data breaches
cooperate with DPAs
appoint a DPO for the business
identify legal basis for processing
maintain data processing records
conduct data protection impact assessments

Question 61

Q

Define

processor

under GDPR

Answer

A

an individual or entity that processes personal data on behalf of the controller

Question 62

Q

What are obligations of a processor?

Answer

A

confidentiality
record of processing activities
data security
data breach reporting
cooperation with DPAs

Question 63

Q

Define

consent

under GDPR

Answer

A

freely given, specific, informed and an unambiguous indication of the data subject’s wishes

Question 64

Q

For consent to be informed, it must contain:

under GDPR

Answer

A

controller’s identity
purpose of processing for which consent is sought
types of data that will be collected
information about the right to withdraw consent
information about automated processing
risks of transfers outside the EU

Answer 65

A

independent public authorities that investigate and enforce data protection laws at a national level

Answer 66

A

primary point of contact on data protection issues within a business that is based in the EU

Answer 67

A

lawfulness, fairness and transparency
purpose limitation
data minimization
accuracy
storage limitation
integrity and confidentiality
accountability

Answer 68

A

companies should have a legal basis for processing personal data
data subjects should be made aware of the rules and safeguards as well as the risks associated with their data

Answer 69

A

communications must be concise, easily accessible and written using clear and plain language that is easy to understand

Answer 70

A

personal data must be collected for specified, explicit and legitimate purposes
personal data shouldn’t be further processed in a manner that is incompatible with the original purpose for which it was collected

Answer 71

A

processing of personal data must be adequate, relevant and limited to what is necessary considering the purposes of processing
requires deletion or anonymization of personal data that is no longer necessary and any data retention period be limited to a strict minimum

Answer 72

A

personal data must be accurate and, where necessary, kept up to date

Answer 73

A

personal data must be kept for no longer than is necessary for the purposes of processing

Answer 74

A

personal data must be processed in a way that ensures a level of security appropriate to the risk of processing the personal data through appropriate technical and organizational measures

Answer 75

A

controller is responsible for and must be able to demonstrate compliance with the six principles in Section 14.3.1 - 14.3.6

Answer 76

A

right to be informed of transparent communication and information
right of access
right to rectification
right to erase / right to be forgotten
right to restriction of processing
right to data portability
right to object
right not to be subject to automated decision-making

Answer 77

A

within one month of request (or, where necessary, within three months) in writing or, if requested, orally

Answer 78

A

privacy notice to provide info

Answer 79

A

right to obtain following from controllers:
* confirmation as to whether a controller is processing the data subject’s personal data
* a copy of the personal data
* other information that should already be provided in a privacy notice

Answer 80

A

when data subjects exercise their right of access

Answer 81

A

allows data subjects to require controllers to confirm the accuracy of their personal data

Answer 82

A

right to have personal data erased in circumstances where:
* personal data no longer necessary for purposes collected or otherwise processed
* data subject withdraws consent on which the processing is based and there is no other legal ground for processing
* data subject objects to processing based on legitimate interests and no overriding legitimate grounds for the processing
* personal data was unlawfully processed
* personal data has to be erased for compliance with a legal obligation
* personal data has been collected to offer info society services to children

Answer 83

A

controller must delete personal data and if has made public data publicly available online, must use reasonable measures to inform other controllers processing the personal data to erase

Answer 84

A

can limit the way their personal data is processed

Answer 85

A

accuracy of personal data is contested and controller is verifying accuracy
processing is unlawful and data subject prefers to have the use of their personal data restricted rather than having it erased
controller no longer needs the personal data but the data subject requires it for the establishment, exercise or defense of legal claims
data subject has objected to processing pursuant to the GDPR and controller is verifying whether its legitimate grounds override those of the data subject

Answer 86

A

data subjects can port data to themselves or to another controller

Answer 87

A

only applies to:
1. personal data provided by data subject
2. where processing based on consent or the performance of a contract
3. when processing carried out by automated means

Answer 88

A

data subjects can require controllers to stop processing their personal data

Answer 89

A

if controller is processing their personal data for:
* direct marketing purposes
* on legal basis of legitimate interests
* on legal basis of task carried out in public interest
* on legal basis of exercise of official authority

Answer 90

A

general prohibition on fully automated decision-making, including profiling, that has a legal or similarly significant effect

Answer 91

A

when:
1. necessary for performance of a K between data subject and controller
2. authorized by law or
3. based on data subject’s explicit consent

Answer 92

A

breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted stored or otherwise processed

Answer 93

A

to relevant DPA within 72 hours of becoming aware where feasible UNLESS unlikely to result in risk to individuals’ rights and freedoms

Answer 94

A

have reasonably degree of certainty that a security incident has compromised personal data

Answer 95

A

if data breach occurs that is likely to result in high risk to individuals’ rights and freedoms, then without undue delay

Answer 96

A

notice must be in clear and plain language and must include name and contact of the DPO, likely consequences of the data breach, and any measures taken by controller to mitigate the risk

Answer 97

A

initiate administrative complaint
go to national court (if unsatisfied with decision of DPA or DPA doesn’t inform give update on complaint within three months)
seek judicial remedy

Answer 98

A

can be initiated by data subject or by DPA

Answer 99

A

assessment to determine lead DPA (if more than one DPA has complaint)
assess to determine whether to impose adminisrtative fine

Answer 100

A

each is liable for entire damage if both involved in same processing and once data subjects compensated, then they can get comp from each other

Answer 101

A

greater of 20 mil Euros or 4% of global annual revenues

Answer 102

A

greater of 10 mil Euros or 2% of global annual revenues

Answer 103

A

infringements related to basic principles of processing, rights of data subject and transfers of personal data to a recipient outside EU

Answer 104

A

EU and Norway, Liechtenstein and Iceland

Answer 105

A

prohibited unless can rely upon adequacy decision, appropriate safeguard or a derogation

Answer 106

A

data transfer to a country that has adopted protections that the EU law deems “adequate” (essentially equivalent to those found in the GDPR)

Answer 107

A

legally binding and enforceable instrument between public authorities or bodies
binding corporate rules
standard contractual clauses
standard data protection clauses adopted by European Commission
standard data protection clauses adopted by a DPA and approved by European Commission
approved code of conduct, together with binding and enforceable commitments of the non-EEA controller or processor
approved certification mechanism together with binding and enforceable commitments of non-EEA controller or processor
contractual clauses authorized by DPA or of the controller/processor transferring the data outside the EEA
administrative arrangements between public authorities authorized by the DPA in the country from which the transfer is made

Answer 108

A

provide that a multinational company can transfer data between countries, including among affiliated entities, after certification of its practices by a DPA

Answer 109

A

company contractually promises to comply with EU law and to submit to supervision of a DPA

Answer 110

A

allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for one of following:
* performance of K between data subject and controller and transfer is occasional
* performance or conclusion of a K concluded in interest of data subject between controller and 3P and transfer is occasional
* important reasons of public interest
* establishment, exercise or defense of legal claims and the transfer is occasional
* protection of vital interests of an individual incapable of giving consent

Answer 111

A

transfer can take place if necessary for purposes of compelling legitimate interest and meets all of specified requirements under the GDPR

Answer 112

A

Safe Harbor program under EU Data Protection Directive until 2015
Schrems I case (2015)
Privacy Shield (2016)
Schrems II case (2020)
Data Privacy Framework finalized in July 2023

Answer 113

A

CJEU struck down Safe Harbor program

Answer 114

A

CJEU struck down Privacy Shield and raised concerns about perceived lack of legal protection from U.S. government surveillance for EU data being transferred to Facebook

Answer 115

A

U.S. agreed to ensure that surveillance activities would comply with the “necessity and proportionality” standard and to establish an independent data protection review court to provide European citizens the ability to complain when they believe their personal data has been collected inappropriately by U.S. intelligence agencies/U.S. designed EU and member states as qualifying states

Answer 116

A

APEC issued declaration concerning an international approach to allow trade between participating countries while providing assurances how data will be handled
Global Cross-Border Privacy Rules Forum: establishment of international certificaiton system based on existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems announced in 2022
OECD adopted a declaration on common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies

Brainscape's Knowledge GenomeTM

Information Management from a U.S. Perspective Flashcards

18-22 questions

Brainscape's Knowledge Genome^TM