Introduction to privacy

Question 1

How do you define privacy?

Answer 1

The right to be let alone, an individuals right to control the collection, use and disclosure of personal information. Also includes the right to keep personal information private.

Question 2

what are fair information practices?

Answer 2

set of guidelines for handling, storing, protecting and managing personal information

Question 3

what are the four categories of FIPs (CRIM)

Answer 3

1. controls of the information(information security, information quality)
2. rights of individuals- notice, choice and consent, data subject access
3. information life cycle- collection, use and retention, disclosure, destruction
4. management- management and administration, monitoring, and enforcement

Question 4

what states have privacy laws?

Answer 4

Virginia, California, Utah and Colorado

Question 5

What is the definition of personal information?

Answer 5

any information relating to an identified or identifiable living individual.
note: applies to both electronic and paper records.

Question 6

what are examples of personal information?

Answer 6

name, gender, address, telephone number, email address, martial status

Question 7

what is sensitive information examples

Answer 7

SSN number, financial information, driver’s license number, medical records.

Question 8

what is the definition of sensitive information?

Answer 8

data that is more significantly related to the notice of a reasonable expectation of privacy, such as medical or financial information.

Question 9

When does personal information become non-personal?

Answer 9

when the information is anonymized to the point that the associated individual can no longer be identified.

Question 10

T or F unless personal information is truly anonymized, privacy and data protection laws still apply

Answer 10

true

Question 11

What is pseudonymized data?

Answer 11

data that has been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information

For example: hashing, using blockchain, differential privacy

Question 12

What are sources of personal information on a data subject?

Answer 12

public records, publicly available information, nonpublic information

Question 13

what is non public information

Answer 13

information not easily accessible due to law or custom(e.g. medical records, financial information, adoption records.)

Question 14

T or false, the same information may be public record publicly available and nonpublic

Answer 14

T

Question 15

what is a data subject?

Answer 15

an individual about whom information is being processed (e.g. employee, consumer, patient)

Question 16

what is a data controller?

Answer 16

an organization or individual with the authority to decide how and why information about data subjects is to be processed

Question 17

what is a data processor

Answer 17

an organization or individual that processes data on behalf of the data controller

Question 18

what is a data protection authority?

Answer 18

supervisory authority chartered to enforce privacy or data protection laws and regulations (DPA)

Question 19

Does the U.S have a national data protection authority ?

Answer 19

No., but the FTC, state attorney generals, federal financial regulators play a role

Question 20

Hypo: Identify who fulfills each role in the following scenario

Jim is employed by ABC company. The HR department keeps much of his personal data on file, and it contracts with a payroll company that directly deposits Jim’s paychecks into his bank account.

who is the data subject? data controller and data processor?

Answer 20

Jim- data subject
ABC company- data controller
HR company- data processor

Question 21

Name ways to protect personal information

Answer 21

Markets, technology, law, self regulation/co-regulation

Question 22

Name the privacy protection models

Answer 22

1. few or no laws(Cuba)
2. co-regulatory (Australia)
3. sectoral- covers industry specific laws -(U.S.)
4. Comprehensive omnibus laws- EU

Question 23

what are the branches of the U.S. Government

Answer 23

executive, legislative, judicial

Question 24

T or F? state constitutions may create stronger privacy rights that the federal constitution?

Answer 24

True

Question 25

what is a consent decree/order in a data privacy context

Answer 25

an agreement or settlement that resolves a dispute between a regulator and a private party without admission of guilt or liability. It also describes the actions the defendant will take(e.g. defendant agrees to stop alleged illegal activity)

Question 26

T or F- the FTC can assess fines directly in consent orders or decrees?

Answer 26

No, the matter must go to court

Question 27

Does CAN-SPAM supersede a stricter state law?

Answer 27

Yes. it prempts a stricter state law

Question 28

what is a privacy notice

Answer 28

a description of an organizations information management practices

Question 29

what is the initial mechanism used by regulatory agencies to determine if a controller or a processor is complying with the law and with the organizations own privacy commitments?

Answer 29

privacy notices do this. privacy notices help data subjects enforce their rights

Question 30

what is another name for a privacy notice?

Answer 30

privacy policy or privacy statement

Question 31

what must a privacy notice include 4 things? (DEWI)

Answer 31

1. Description of what information is collected
2. how the information is used and disclosed,
3. how to exercise any choices about uses or disclosures
4. whether the individual can access or update the information

Question 32

what is choice in a data privacy context?

Answer 32

the ability to specify whether personal information will be collected and/or how it will be used or disclosed.

E.g.- opt in, or opt out

Question 33

what is “opting in”

Answer 33

individual actively gives consent (express consent) to the use of their data

Question 34

what is “opt out”

Answer 34

consent assumed unless the affected individual specifically withdraws consent (implied consent)

Question 35

what is access in a privacy context

Answer 35

the ability to view personal information held by an organization.

Question 36

What is the GDPR?

Answer 36

General data protection regulation

Question 37

who does the GDPR apply to?

Answer 37

The GDPR applies to all organizations who do business in the EU

Question 38

T or F? Does the GDPR apply to nonprofits and for profit organizations?

Answer 38

It applies to both.

Question 39

how many days after a data breach must the breach be reported under the GDPR?

Answer 39

72 hours.

Question 40

what fines are associated with the GDPR?

Answer 40

2 percent of annual global revenue or up to 10 million euros of revenue per infraction, whatever is higher.

Question 41

What are the data subjects rights under the GDPR? ARE-RDO

Answer 41

Access to personal data
rectification of inaccurate information
erasure- have personal data erased and no longer processed
restriction of processing- object to data processing of legitimate interests
data portability- receive their personal data in a structured, commonly used machine readable format
no profiling-

Question 42

how is personal data defined under the GDPR?

Answer 42

any information related to an identified or identifiable natural person

Question 43

Does the GDPR apply whether the organization or individual processing the personal data is physically located in the EU or not

Answer 43

Yes, it still applies

Question 44

Yes or no,

Must data under the GDPR be processed by wholly or partly by automated means?

Answer 44

Yes

Question 45

what is the material scope of the GDPR

Answer 45

data must be processed in part or in whole by automated means, personal data which forms a part of a filing system, exclusions. (including activities outside of the scope of the EU

Question 46

what are mechanisms for the lawful transfer of personal data from the EU to the US under the GDPR?

Answer 46

Binding corporate rules and standard contractual clauses, codes of conduct

Question 47

What are the recommended steps for global data flows?

Answer 47

1. map your transfers
2. verify that the transfer tool relied on is on the approved list under Chapter V of the GDPR
3. Assess the sufficiency of non-EEA protections
4. identify and adopt supplementary measures
5. take formal procedural steps
6. re-evaluate at appropriate intervals.

Question 48

What is a data protection officer under the GDPR?

Answer 48

a staff member or contractor tasked with

1. advising the controller or processor,
2. facilitating communications with applicable supervisory authorities,
3. engaging with data subjects, monitoring and testing the controller or processors compliance with EU data

Question 49

T or F the DPO does not have to be an expert in data protection law and pratices

Answer 49

false

Question 50

when is a DPO a required role?

Answer 50

when processing large scale monitoring of data subjects, processing sensitive data or criminal convictions/offenses on a large scale, processing by public bodies

Question 51

what is the California consumer Privacy Act

Answer 51

law that provides a comprehensive regime of consumer privacy rights similar to those found in data protection laws outside the US.

Question 52

when did the CCPA’s general regulations go into effect?

Answer 52

August 14, 2020

Question 53

T or F, the CCPA only applies to commercial entities

Answer 53

T

Question 54

what businesses are covered under the CCPA? Must meet at least one

Answer 54

1. for-profit businesses (and non profits that co-brand with a for profit) that does more than 25 million USD in annual revenue
2. holds the personal information of 50k people, households or devices(e.g. website visitors)
3. derives 50 percent or more of its annual revenues from selling consumer’s personal information

Question 55

how is personal information defined under the CCPA?

Answer 55

any information that relates to a particular consumer or household.
note: includes more than a specific individual

Question 56

who are protected individuals under the CCPA

Answer 56

any consumer - defined as a natural person who is a California resident, including those in the state for a temporary or transitory purpose OR those domiciled in the state and currently outside of the state temporarily

Question 57

What are consumer rights under the CCPA? (NA-ORD)

Answer 57

Notice, access, opt-out, right of erasure, right to to not be discriminated against

Question 58

T or F under the CCPA, consumers b/t the ages of 13-16 must affirmatively opt in to authorize the sale of their personal info

Answer 58

T

Question 59

What must businesses do under the CCPA

Answer 59

1. provide disclosures to consumers
2. provide the info free of charge within 45 days in a portable format
3. include a do not sell my personal information link on website
4. provide a method to receive consumer requests(e.g. a 800 number, web form, etc)
5. have a verification process so consumers can prove their identity
6. train employees
7. disclose to consumers the third parties to whom the business sells PI

Question 60

how is the CCPA enforced?

Answer 60

1. enforced by the state attorney general- $2500 fine per violation addressed within 30 days
   $7500 fine per record for intentional violations not addressed within 30 days
2. private right of action

Question 61

what is the CPRA?

Answer 61

AMENDS AND EXPANDS ON THE CCPA- REQUIRES THE ESTABLISHMENT OF AN ENFORCEMENT AGENCY TO IMPLEMENT AND ENFORCE CONSUMER PRIVACY LAWS

Question 62

when is the CPRA enforceable?

Answer 62

January 1, 2023

Question 63

what are the steps to develop a privacy program for a company?

Answer 63

1. Discover- identify issues and best practices, perform self assessments.
2. Build- policies and inventories
3. Communicate- effective communication to employees and contractors
4. Evolve- process for review and update-

Question 64

what is meant by “opting in”

Answer 64

affirmative consumer consent to data collection or use

note: usually by requiring the data subject to confirm their choice via a response to a follow up email

Question 65

what is meant by “opt out”

Answer 65

when consent is assumed unless the consumer specifically denies consent(e.g. unchecks a box)

Question 66

T or F- an organization should have retention policies that limit the time that PI is stored

Answer 66

True

Question 67

what is FACTA

Answer 67

the fair and accurate credit transactions act

Question 68

T or F FACTA preempts most stricter state laws

Answer 68

T

Question 69

what entities are covered under HIPPA?

Answer 69

healthcare providers, health plans(insurers) and clearinghouse(where records are stored)

Question 70

T or F HIPPA pre-empts stricter state laws

Answer 70

False

Question 71

what is the maximum fine under HIPAA?

Answer 71

1.7 MILLION

Question 72

T or F- entities covered under HIPAA must designate a privacy official who is responsible for the development and implementation of privacy protections

Answer 72

T

Question 73

what is the notification period under the HIPAA notification rule

Answer 73

1. affected individuals must be notified within 60 days of the breach
2. the media(if more than 500 people affected)
3. HHS secretary- within 60 days if more than 500 individuals affected, otherwise annually.

Question 74

what law creates national limits on the use of genetic information in health insurance and employment?

Answer 74

GINA

Question 75

Under GINA, can insurance providers implement higher premiums based on genetic tests?

Answer 75

No

Question 76

Under GINA employers can discriminate based on genetic information

Answer 76

No

Question 77

what type of entity does HITECH extend liability to?

Answer 77

to business associates for compliance.