Notes Flashcards
Nissenbaum’s Contexual Integrity
Risk Framwork Model. Defining privacy harm is an important step, but there are many ways to do this.
Privacy risks may be identified based upon whether the use of personal information is in alignment with the norms of a particular context, norms are domain specific.
Calo’s Harm Dimensions
Risk Framwork Model. Defining privacy harm is an important step, but there are many ways to do this.
Privacy risks may be identified based upon whether they are:
- measurable and objective, or whether they are
- perceived and subjective;
perception of harm can be just as likely to cause negaive impact.
Solove’s Taxonomy of Privacy
Modeling privacy risk begins with an understanding of how privacy should be defined. A privacy professional must be able adaptable to a Privacy Pluralistic World—i.e., a world where privacy is defined in multiple unique ways based on the user’s individual perspective. In the academic field, several risk models have been developed to help better conceptualize privacy, each approaching from a different perspective or developed for the purpose of highlighting a specific component of privacy.
Privacy risk arising from four types of activity:
1) Information collection
2) Information processing
3) Information dissemeination
4) Invasions.
Solove’s Taxonomy of Privacy defines 16 potential harms based upon these activities.
Factors Analysis of Information Risk (FAIR Model)
Modeling privacy risk begins with an understanding of how privacy should be defined. A privacy professional must be able adaptable to a Privacy Pluralistic World—i.e., a world where privacy is defined in multiple unique ways based on the user’s individual perspective. In the academic field, several risk models have been developed to help better conceptualize privacy, each approaching from a different perspective or developed for the purpose of highlighting a specific component of privacy.
A quantitative method for providing a numerical risk estimate;
Decomposes risks into constituent parts to provide a sufficiently accurate risk score that is within an acceptable range.
The FAIR model looks at the component parts of risk in order to find factors that estimate the overall risk to an organization. It is a more granular approach to modeling harm to privacy interests.
Double opt-in consent
Double opt-in consent, also referred to as confirmed opt-in consent, is a technique whereby a consumer initially expresses interest and is then asked a second time to confirm their interest.
Confirmation emails that require consumers to click a link are typical examples.
Which components play a role in enforcing the AI Act?
To police compliance, the AI Act put in place an enforcement system broadly similar to the GDPR. Compliance is supervised by member states, which are obligated to establish or designate as
National Competent Authorities
at least one
Notifying Authority and one Market Surveillance Authority.
Additionaly, a European Artificial Intelligence Board (EAIB) is established to ensure consistent application of the AI Act across the E.U.
Indirect Costs of a Data Breach
- Loss in productivity
- Large turnover in customer base
- Liability from follow-on lawsuits
Types of Trend Analysis
The term trend analysis is a generalized term, and there are many specific types of trend analysis that can be conducted.
Examples include a
- time series analysis,
- a cyclical component analysis and
- a irregular component analysis.
Privacy professionals can use trend analysis to spot tendencies over time (e.g. a degrease or increase in the number of privacy incidents), which can serve as useful privacy metrics.
Two other examples include analyses that incldue a cyclical component that measures patterns in data at regular fluctuations (e.g. a decrease in privacy incidents in the days following a formal employee privacy training session) or analysis that attempt to remove irregular occurrences, often called “noise” (e.g. measuring the absence of data breaches).
To determine the effectiveness of its privacy training, Company X measures the rate of privacy incidents that occurs in the 30 days following a training event. What type of analysis is this?
Cyclical component trend analysis
You find that MBL Games already has some informal privacy practices in place, but almost none of these procedures have been put in writing and they are inconsistently applied. What stage of the Privacy Maturity Model does this best represent?
Ad-hoc
The “ad hoc” step is when procedures and processes exist that are informal, incomplete, and inconsistently applied.
Initially developed by the American Institute of Certified Public Accountants (“AICPA”) and the Canadian Institute of Chartered Accountants (“CICA”), the Privacy Maturity Model (“PMM”) had gained widespread acceptance as a means of measuring the sophistication of an organization’s privacy program. The PMM uses five levels of maturity to describe the robustness of an organization’s privacy program: Ad hoc, repeatable, defined, managed, and optimized.
What are Appropriate Safeguards under the GDPR that permit the transfer of data between the U.S. and E.U.?
There are three types of means by which an orgainzation may transfer data between the EU and non EU under GDPR:
1) Adequacy Decision
2) Derogations
3) Implementation of “appropriate sageguards”
a) Binding Corporate Rules
b) Standard Contractual Clauses
c) Ad hoc contract clauses
d) Codes of Conduct or Certification Mechanism
Data Life Cycle Management
Data Life Cycle Management is a policy-based appraoch to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data.
There are several elements typically associated with DLM:
1) Enterprise Objectives
2) Minimalism
3) Simplicity
4) Adequacy of infrastructure
5) Information Security
6) Authenticity
7) Retrievability
8) Distribution Controls
9) Auditability
10) Consistancy
11) Enforcement
Building a Privacy Program steps:
- Creating the organizational privacy vision and mission statement
- Defining the scope of the privacy program
- Selecting an appropriate privacy framework
- Developing the organizational privacy strategy
- Structuring the privacy team
Current Privacy Program Frameworks
Principles and Standards:
* FIPs
* OECD Guidelines
* GAPP
* CSA Privacy Code
* APEC Fremwork
* ETSI standards
* ISO Standards
Laws, regulations, and programs
* PIPEDA
* APPs
* GDPR
* LGPD
* PIPL
* HIPAA
* Juristictional and sectoral laws and guidance
Privacy program management
* PdD
* COBIT 2019
* NIST
* WebTrust
* Vendor Solutions
Audience Types
Primary Audience: Those that directly deal with the privacy function (Board/CISO etc.)
Secondary Audience: Those interested in the ancillary aspects of a privacy program (CFO)
Tertiary Audience: Those interested in the broader functioning of the organization