Introduction to privacy Flashcards
How do you define privacy?
The right to be let alone; an individual's right to control the collection, use and disclosure of personal information. Also includes the right to keep personal information private.
what are fair information practices?
set of guidelines for handling, storing, protecting and managing personal information
what are the four categories of FIPs (CRIM)
- controls of the information (information security, information quality)
- rights of individuals (notice, choice and consent, data subject access)
- information life cycle (collection, use and retention, disclosure, destruction)
- management (management and administration, monitoring, and enforcement)
what states have privacy laws?
Virginia, California, Utah and Colorado
What is the definition of personal information?
any information relating to an identified or identifiable living individual.
note: applies to both electronic and paper records.
what are examples of personal information?
name, gender, address, telephone number, email address, marital status
what are examples of sensitive information?
Social Security number (SSN), financial information, driver's license number, medical records.
what is the definition of sensitive information?
data that is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information.
When does personal information become non-personal?
when the information is anonymized to the point that the associated individual can no longer be identified.
T or F: unless personal information is truly anonymized, privacy and data protection laws still apply
true
What is pseudonymized data?
data that has been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information
For example: hashing, using blockchain, differential privacy
What are sources of personal information on a data subject?
public records, publicly available information, nonpublic information
what is nonpublic information?
information not easily accessible due to law or custom (e.g. medical records, financial information, adoption records)
T or F: the same information may be public record, publicly available, and nonpublic
T
what is a data subject?
an individual about whom information is being processed (e.g. employee, consumer, patient)
what is a data controller?
an organization or individual with the authority to decide how and why information about data subjects is to be processed
what is a data processor?
an organization or individual that processes data on behalf of the data controller
what is a data protection authority?
supervisory authority (DPA) chartered to enforce privacy or data protection laws and regulations
Does the U.S. have a national data protection authority?
No, but the FTC, state attorneys general, and federal financial regulators play a role
Hypo: Identify who fulfills each role in the following scenario
Jim is employed by ABC company. The HR department keeps much of his personal data on file, and it contracts with a payroll company that directly deposits Jim’s paychecks into his bank account.
who is the data subject? who is the data controller? who is the data processor?
Jim- data subject
ABC company- data controller
HR company- data processor
Name ways to protect personal information
markets, technology, law, self-regulation/co-regulation
Name the privacy protection models
- few or no laws (Cuba)
- co-regulatory (Australia)
- sectoral, i.e. industry-specific laws (U.S.)
- comprehensive/omnibus laws (EU)
what are the branches of the U.S. Government?
executive, legislative, judicial
T or F: state constitutions may create stronger privacy rights than the federal constitution
True
what is a consent decree/order in a data privacy context?
an agreement or settlement that resolves a dispute between a regulator and a private party without admission of guilt or liability. It also describes the actions the defendant will take (e.g. the defendant agrees to stop the alleged illegal activity)
T or F: the FTC can assess fines directly in consent orders or decrees
No, the matter must go to court
Does CAN-SPAM supersede a stricter state law?
Yes, it preempts a stricter state law
what is a privacy notice?
a description of an organization's information management practices
what is the initial mechanism used by regulatory agencies to determine if a controller or a processor is complying with the law and with the organization's own privacy commitments?
privacy notices do this. Privacy notices also help data subjects enforce their rights
what is another name for a privacy notice?
privacy policy or privacy statement
what 4 things must a privacy notice include? (DEWI)
- Description of what information is collected
- how the information is used and disclosed
- how to exercise any choices about uses or disclosures
- whether the individual can access or update the information
what is choice in a data privacy context?
the ability to specify whether personal information will be collected and/or how it will be used or disclosed.
e.g. opt in or opt out
what is "opting in"?
individual actively gives consent (express consent) to the use of their data
what is "opt out"?
consent assumed unless the affected individual specifically withdraws consent (implied consent)
what is access in a privacy context?
the ability to view personal information held by an organization.
What is the GDPR?
General Data Protection Regulation
who does the GDPR apply to?
The GDPR applies to all organizations that do business in the EU
Does the GDPR apply to nonprofit and for-profit organizations?
It applies to both.
how many days after a data breach must the breach be reported under the GDPR?
72 hours.
what fines are associated with the GDPR?
2 percent of annual global revenue or up to 10 million euros of revenue per infraction, whichever is higher.
What are the data subjects' rights under the GDPR? (ARE-RDO)
Access to personal data
rectification of inaccurate information
erasure- have personal data erased and no longer processed
restriction of processing- object to data processing of legitimate interests
data portability- receive their personal data in a structured, commonly used machine readable format
no profiling-
how is personal data defined under the GDPR?
any information related to an identified or identifiable natural person
Does the GDPR apply whether or not the organization or individual processing the personal data is physically located in the EU?
Yes, it still applies
Yes or no: must data under the GDPR be processed wholly or partly by automated means?
Yes
what is the material scope of the GDPR?
data must be processed in part or in whole by automated means, or be personal data that forms part of a filing system; there are exclusions (including activities outside the scope of the EU)
what are mechanisms for the lawful transfer of personal data from the EU to the US under the GDPR?
Binding corporate rules and standard contractual clauses, codes of conduct
What are the recommended steps for global data flows?
- map your transfers
- verify that the transfer tool relied on is on the approved list under Chapter V of the GDPR
- Assess the sufficiency of non-EEA protections
- identify and adopt supplementary measures
- take formal procedural steps
- re-evaluate at appropriate intervals.
What is a data protection officer under the GDPR?
a staff member or contractor tasked with
- advising the controller or processor
- facilitating communications with applicable supervisory authorities
- engaging with data subjects, and monitoring and testing the controller's or processor's compliance with EU data
T or F: the DPO does not have to be an expert in data protection law and practices
false
when is a DPO a required role?
when processing involves large-scale monitoring of data subjects, large-scale processing of sensitive data or data on criminal convictions/offenses, or processing by public bodies
what is the California Consumer Privacy Act?
law that provides a comprehensive regime of consumer privacy rights similar to those found in data protection laws outside the US.
when did the CCPA's general regulations go into effect?
August 14, 2020
T or F: the CCPA only applies to commercial entities
T
what businesses are covered under the CCPA? (must meet at least one of the following)
- for-profit businesses (and nonprofits that co-brand with a for-profit) that do more than 25 million USD in annual revenue
- businesses that hold the personal information of 50k people, households or devices (e.g. website visitors)
- businesses that derive 50 percent or more of their annual revenues from selling consumers' personal information
how is personal information defined under the CCPA?
any information that relates to a particular consumer or household.
note: includes more than a specific individual
who are protected individuals under the CCPA?
any consumer - defined as a natural person who is a California resident, including those in the state for a temporary or transitory purpose OR those domiciled in the state and currently outside of the state temporarily
What are consumer rights under the CCPA? (NA-ORD)
Notice, access, opt-out, right of erasure, right to not be discriminated against
T or F: under the CCPA, consumers between the ages of 13 and 16 must affirmatively opt in to authorize the sale of their personal info
T
What must businesses do under the CCPA?
- provide disclosures to consumers
- provide the info free of charge within 45 days in a portable format
- include a "do not sell my personal information" link on the website
- provide a method to receive consumer requests (e.g. an 800 number, web form, etc.)
- have a verification process so consumers can prove their identity
- train employees
- disclose to consumers the third parties to whom the business sells PI
how is the CCPA enforced?
- enforced by the state attorney general
- $2500 fine per violation addressed within 30 days
- $7500 fine per record for intentional violations not addressed within 30 days
- private right of action
what is the CPRA?
amends and expands on the CCPA; requires the establishment of an enforcement agency to implement and enforce consumer privacy laws
when is the CPRA enforceable?
January 1, 2023
what are the steps to develop a privacy program for a company?
- Discover: identify issues and best practices, perform self-assessments
- Build: policies and inventories
- Communicate: effective communication to employees and contractors
- Evolve: process for review and update
what is meant by "opting in"?
affirmative consumer consent to data collection or use
note: usually by requiring the data subject to confirm their choice via a response to a follow-up email
what is meant by "opt out"?
when consent is assumed unless the consumer specifically denies consent (e.g. unchecks a box)
T or F: an organization should have retention policies that limit the time that PI is stored
True
what is FACTA?
the Fair and Accurate Credit Transactions Act
T or F: FACTA preempts most stricter state laws
T
what entities are covered under HIPAA?
healthcare providers, health plans (insurers) and clearinghouses (where records are stored)
T or F: HIPAA preempts stricter state laws
False
what is the maximum fine under HIPAA?
1.7 million
T or F: entities covered under HIPAA must designate a privacy official who is responsible for the development and implementation of privacy protections
T
what is the notification period under the HIPAA notification rule?
- affected individuals must be notified within 60 days of the breach
- the media (if more than 500 people are affected)
- HHS secretary: within 60 days if more than 500 individuals are affected, otherwise annually
what law creates national limits on the use of genetic information in health insurance and employment?
GINA
Under GINA, can insurance providers implement higher premiums based on genetic tests?
No
Under GINA, can employers discriminate based on genetic information?
No
what type of entity does HITECH extend liability to?
to business associates, for compliance.