Notes

Question 1

Nissenbaum’s Contexual Integrity

Risk Framwork Model. Defining privacy harm is an important step, but there are many ways to do this.

Answer 1

Privacy risks may be identified based upon whether the use of personal information is in alignment with the norms of a particular context, norms are domain specific.

Question 2

Calo’s Harm Dimensions

Risk Framwork Model. Defining privacy harm is an important step, but there are many ways to do this.

Answer 2

Privacy risks may be identified based upon whether they are:
- measurable and objective, or whether they are
- perceived and subjective;

perception of harm can be just as likely to cause negaive impact.

Question 3

Solove’s Taxonomy of Privacy

Modeling privacy risk begins with an understanding of how privacy should be defined. A privacy professional must be able adaptable to a Privacy Pluralistic World—i.e., a world where privacy is defined in multiple unique ways based on the user’s individual perspective. In the academic field, several risk models have been developed to help better conceptualize privacy, each approaching from a different perspective or developed for the purpose of highlighting a specific component of privacy.

Answer 3

Privacy risk arising from four types of activity:
1) Information collection
2) Information processing
3) Information dissemeination
4) Invasions.

Solove’s Taxonomy of Privacy defines 16 potential harms based upon these activities.

Question 4

Factors Analysis of Information Risk (FAIR Model)

Modeling privacy risk begins with an understanding of how privacy should be defined. A privacy professional must be able adaptable to a Privacy Pluralistic World—i.e., a world where privacy is defined in multiple unique ways based on the user’s individual perspective. In the academic field, several risk models have been developed to help better conceptualize privacy, each approaching from a different perspective or developed for the purpose of highlighting a specific component of privacy.

Answer 4

A quantitative method for providing a numerical risk estimate;
Decomposes risks into constituent parts to provide a sufficiently accurate risk score that is within an acceptable range.

The FAIR model looks at the component parts of risk in order to find factors that estimate the overall risk to an organization. It is a more granular approach to modeling harm to privacy interests.

Question 5

Double opt-in consent

Answer 5

Double opt-in consent, also referred to as confirmed opt-in consent, is a technique whereby a consumer initially expresses interest and is then asked a second time to confirm their interest.

Confirmation emails that require consumers to click a link are typical examples.

Question 6

Which components play a role in enforcing the AI Act?

Answer 6

To police compliance, the AI Act put in place an enforcement system broadly similar to the GDPR. Compliance is supervised by member states, which are obligated to establish or designate as

National Competent Authorities

at least one

Notifying Authority and one Market Surveillance Authority.

Additionaly, a European Artificial Intelligence Board (EAIB) is established to ensure consistent application of the AI Act across the E.U.

Question 7

Indirect Costs of a Data Breach

Answer 7

• Loss in productivity
• Large turnover in customer base
• Liability from follow-on lawsuits

Question 8

Types of Trend Analysis

Answer 8

The term trend analysis is a generalized term, and there are many specific types of trend analysis that can be conducted.
Examples include a
- time series analysis,
- a cyclical component analysis and
- a irregular component analysis.

Privacy professionals can use trend analysis to spot tendencies over time (e.g. a degrease or increase in the number of privacy incidents), which can serve as useful privacy metrics.

Two other examples include analyses that incldue a cyclical component that measures patterns in data at regular fluctuations (e.g. a decrease in privacy incidents in the days following a formal employee privacy training session) or analysis that attempt to remove irregular occurrences, often called “noise” (e.g. measuring the absence of data breaches).

Question 9

To determine the effectiveness of its privacy training, Company X measures the rate of privacy incidents that occurs in the 30 days following a training event. What type of analysis is this?

Answer 9

Cyclical component trend analysis

Question 10

You find that MBL Games already has some informal privacy practices in place, but almost none of these procedures have been put in writing and they are inconsistently applied. What stage of the Privacy Maturity Model does this best represent?

Answer 10

Ad-hoc

The “ad hoc” step is when procedures and processes exist that are informal, incomplete, and inconsistently applied.

Initially developed by the American Institute of Certified Public Accountants (“AICPA”) and the Canadian Institute of Chartered Accountants (“CICA”), the Privacy Maturity Model (“PMM”) had gained widespread acceptance as a means of measuring the sophistication of an organization’s privacy program. The PMM uses five levels of maturity to describe the robustness of an organization’s privacy program: Ad hoc, repeatable, defined, managed, and optimized.

Question 11

What are Appropriate Safeguards under the GDPR that permit the transfer of data between the U.S. and E.U.?

Answer 11

There are three types of means by which an orgainzation may transfer data between the EU and non EU under GDPR:
1) Adequacy Decision
2) Derogations
3) Implementation of “appropriate sageguards”
a) Binding Corporate Rules
b) Standard Contractual Clauses
c) Ad hoc contract clauses
d) Codes of Conduct or Certification Mechanism

Question 12

Data Life Cycle Management

Answer 12

Data Life Cycle Management is a policy-based appraoch to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data.

There are several elements typically associated with DLM:
1) Enterprise Objectives
2) Minimalism
3) Simplicity
4) Adequacy of infrastructure
5) Information Security
6) Authenticity
7) Retrievability
8) Distribution Controls
9) Auditability
10) Consistancy
11) Enforcement

Question 13

Building a Privacy Program steps:

Answer 13

• Creating the organizational privacy vision and mission statement
• Defining the scope of the privacy program
• Selecting an appropriate privacy framework
• Developing the organizational privacy strategy
• Structuring the privacy team

Question 14

Current Privacy Program Frameworks

Answer 14

Principles and Standards:
* FIPs
* OECD Guidelines
* GAPP
* CSA Privacy Code
* APEC Fremwork
* ETSI standards
* ISO Standards

Laws, regulations, and programs
* PIPEDA
* APPs
* GDPR
* LGPD
* PIPL
* HIPAA
* Juristictional and sectoral laws and guidance

Privacy program management
* PdD
* COBIT 2019
* NIST
* WebTrust
* Vendor Solutions

Question 15

Audience Types

Answer 15

Primary Audience: Those that directly deal with the privacy function (Board/CISO etc.)
Secondary Audience: Those interested in the ancillary aspects of a privacy program (CFO)
Tertiary Audience: Those interested in the broader functioning of the organization

Question 16

Privacy Program Maturity Model

Answer 16

1) Ad hoc Procedures or processes are generally informal, incomplete, and inconsistently applied
2) Repeatable Procedures or processes exist, however, they are not fully documented and do not cover all relevant aspects
3) Defined Procedures and processes are fully documented and implemented and cover all relevant aspects
4) Managed Reviews are conducted to assess the effectiveness of the controls in place
5) Optimized Regular review and feedback are used to ensure continuous improvement towards optimization of the given process

Developed by AICPA and CICA and therefore directly tied to the General Acceptable Privacy Practices (GAPP)
Does not need to be highest level to be an acceptable level

Question 17

GAPP (General Accepted Privacy Principles)

Answer 17

Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

Collection. The entity collects personal information only for the purposes identified in the notice.

Use, Retention and Disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

Access. The entity provides individuals with access to their personal information for review and update.

Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security for Privacy. The entity protects personal information against unauthorized access (both physical and logical).

Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Question 18

Foundational A.I. Model

Answer 18

Are trained on broad data sets with a wide scope and scale; they provide more generalized output and can be used for a wide range of different, more specific tasks.

Referred to in the AI Act as “General-Purpose AI Models” (GPAI)

These are defined as “any AI model that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications. GPAI models have a number of additional requirements placed upon them under the AI Act.

Question 19

Generative A.I. Systems

Answer 19

Based on foundational models and trained to generate content.

Question 20

How to identify the data source for a privacy metric?

Answer 20

When defining a privacy metric, the data source - i.e. the collection point - for the metric should be identified.

When identifying a collection point, details should include
* The database on which the information is held,
* The tracking tools that process that information,
* What part of the organization has ownership of the information, and
* The specific roles within the org that can provide required information.

As with other aspects of privacy program development, tools such as a data inventory and data maps are invaluable for this task.

Question 21

GDPR Consent must be:

Answer 21

1) Freely Given
2) Specific to the processing at issue
3) Informed
4) Unambiguous

Art. 9 - Special Categories of Personal Data requires
5) Explicit

Question 22

Audit Types

Answer 22

First-Party - Internal
Second-Party - Data controllers on data processor (Supplier Audit)
Third-Party - Provides the greatest confidence in the outcome of the audit.

Question 23

AI Act Fines

Answer 23

€35 million or 7% of total worldwide turnover (revenue) - For operating an AI system with unaccaptable risk in violation of Art. 5

€7.5 million or 1% of worldwide turnover - Supplying incorrect, incomplete or misleading information to notified bodies or national competent authorities

€15 million or 3% of worldwide turnove - other violations

whichever is higher

Question 24

Privacy by Design vs Privacy by Default

Answer 24

The GDPR treats Pb Design and Pb Default as separate concepts but requires the implementation of both.

Question 25

Privacy by Design Principles

Answer 25

(1) Proactive, not Reactive; Preventative, not Remedial
(2) Privacy by Default
(3) Privacy Embedded into Design
(4) Full Functionality; Positive Sum, Not Zero Sum
(5) End-to-End Security; Life Cycle Protection
(6) Visibility and Transparency
(7) Respect for User Privacy

Applies only to controllers (of any size), not processors, but applies indirectly to processors to the extent it enables controllers to fulfill obligations

Question 26

No-option consent

Answer 26

According to the 2012 FTC Report, a no option form of consent may be used for most first-party marketing.

As set forth in this report, there are four additional principles that should be followed when sharing information for these purposes:
(1) companies should provide consumers with a choice whether to be tracked across other parties’ websites;
(2) affiliates should be treated as third parties unless that affiliate relationship is clear to consumers;
(3) cross-channel marketing is generally permitted without offering a choice of consent because it is consistent with the context of a consumer’s interaction with a company; and
(4) companies should implement measures to improve the transparency of data enhancement.

Question 27

Privacy Impact Assessment

Answer 27

Analyzes discrete products, services, processes, or events to determine the risks associated with processing data in a particular way
- Should be conducted before a new type of processing data is implemented
- Sometimes required by law (Canada Privacy Act, U.S. E-Government Act of 2002, Virginia’s VCDPA; Brazil’s LGPD)

Question 27

Privacy Assessment

Answer 27

A holistic review of an organization’s entire privacy risk profile.
Analyzes an organization’s compliance with the entirety of its porgram; both objective (e.g. system logs) and subjective (e.g. employee interview) analysis.

It includes the review of both applicable laws and internal policies

Question 28

Privacy Theshold Analysis

Answer 28

A short analysis looking at risk of processing data in a particular way to determine whether a full PIA is necessary.

Question 29

Data Protection Impact Assessment (DPIA)

Answer 29

An analysis similar to a PIA that is subject to specific rules set forth in the GDPR
- Two goals: 1) helps lower risk and 2) shows GDPR compliance
- Supervisory authority may need to be consulted if a DPIA shows a hirh risk to individuals
- Must be performed when the contemplated processing “is likely to result in a high risk to the rights and freedoms of natural persons,” including: (1) systemic automated processing that results in legal or similar effects; (2) large-scale processing of “special” categories of information; and (3) systemic monitoring of publicly accessible area
- If a decision is made not to conduct a DPIA, the reasons why should be documented
- Must include: (1) description of processing and legitimate interest pursued; (2) an assessment of necessity and proportionality; (3) an assessment of the risks to individual freedoms of data subjects; and (4) identification of measures to address any risks

Question 30

Article 29 Working Party: Processing is likely to present a high risk to the rights and freedoms of data subject. (Triggers a DPIA)

Answer 30

(1) processing involves evaluation or scoring;
(2) automated decision-making results in legal or similar consequences;
(3) there is systemic monitoring;
(4) sensitive or highly-personal data is processed;
(5) data is processed on a large scale;
(6) different data sets about a subject are matched or combined;
(7) data about vulnerable data subjects is processed;
(8) new technologies or innovative techniques are used; and
(9) processing prevents data subjects from exercising rights or using a product or service.

Question 31

ISOs recommended steps to conduct a PIA (Privacy Impact Assessment)

Answer 31

1) Conducting an analysis of whether a PIA is needed
2) Preparing to conduct the PIA
3) Performing a PIA
4) Following up on the PIA