Privacy Program Vocabulary Flashcards

1
Q

What is accountability in the context of privacy laws?

A

The ability to demonstrate that technical and organisational measures for personal data handling have been implemented and comply with relevant laws, such as GDPR and APEC’s Cross Border Privacy Rules. It is a foundational principle of fair information practices.

2
Q

What are active scanning tools, and what are they used for?

A

Tools like Data Loss Prevention (DLP) systems and privacy tools that identify security and privacy risks to personal information. They can monitor compliance and block unauthorised transfers based on data categories.

3
Q

What is anonymization, and what are the three primary techniques?

A

A process where identifiable data is altered so it cannot be linked back to an individual. Techniques include:
- Suppression: Removing identifying values.
- Generalization: Broadening specific data (e.g., age 18 → 18-24).
- Noise Addition: Mixing identifying values within a dataset.

4
Q

What are the APEC Privacy Principles?

A

Non-binding principles adopted by the Asia-Pacific Economic Cooperation, mirroring OECD Fair Information Privacy Practices. They aim to balance information privacy with business needs to promote electronic commerce in the Asia-Pacific region.

5
Q

What is behavioural advertising, and what does GDPR require regarding it?

A

Advertising targeted at individuals based on observed behaviour, often through automated data processing or profiling. GDPR requires that users be informed of the processing logic and its consequences, and allows opt-out options.

6
Q

What are Binding Corporate Rules, and what do they enable?

A

BCRs are safeguards under GDPR that allow cross-border transfers of personal data within a corporate group. They ensure consistent, high-level data protection and require approval by a data protection authority.

7
Q

What is a Business Continuity and Disaster Recovery Plan?

A

A risk mitigation plan ensuring that critical business functions continue during a crisis. It covers recovery actions for events like natural disasters or cyberattacks.

8
Q

What is the purpose of COPPA?

A

The Children’s Online Privacy Protection Act (COPPA) is a U.S. law requiring websites directed at children under 13 to post privacy notices, obtain parental consent for data collection, and allow parents to manage their child’s data.

9
Q

What does “consent” mean under GDPR?

A

Individuals must actively agree to data collection and processing, which can be explicit (opt-in) or implied. Consent must be freely given, informed, and revocable.

10
Q

What does the Data Minimisation Principle advocate?

A

Only collect and retain the personal data necessary for the specific purpose.

11
Q

When is a Data Protection Impact Assessment required under GDPR?

A

When processing activities are likely to result in high risks to individual rights, such as introducing new systems or significant changes to data use.

12
Q

What is Privacy by Design?

A

A framework ensuring privacy is integrated into system and process design from the outset, following principles like minimal data collection and robust security.

13
Q

Who is a Data Controller?

A

An entity or individual that determines the purposes and means of processing personal data.

14
Q

What constitutes a data breach?

A

The unauthorised acquisition of data that compromises its confidentiality, integrity, or security.

15
Q

What are the components of the Information Security Triad?

A

Confidentiality, Integrity, and Availability (CIA).

16
Q

What is a data inventory?

A

A record of personal data as it moves across systems, identifying its location, categorisation, and any inconsistencies to enable better management and compliance.

17
Q

What is Data Life Cycle Management?

A

A policy-based approach to managing data from creation to final disposition, ensuring security, retrievability, and compliance across its life cycle.

18
Q

What is a Data Protection Authority under GDPR?

A

An independent public authority that supervises the application of data protection laws, provides advice, and enforces compliance, including imposing fines.

19
Q

What does the principle of individual participation entail?

A

Individuals have the right to access their data, request corrections, and challenge any denied requests.

20
Q

What is a gap analysis in privacy management?

A

A review of current privacy capabilities to identify and address gaps between existing measures and required standards or laws.

21
Q

What is jurisdiction in the context of privacy law?

A

The authority of a court or regulatory body to enforce laws over certain geographical areas, individuals, or subject matters.

22
Q

How are metrics used in privacy management?

A

Metrics evaluate the effectiveness of privacy programs by measuring progress, compliance, and outcomes through quantifiable data.

23
Q

What is pseudonymous data?

A

Data that is not directly linked to an individual but can be indirectly associated through identifiers like codes or IP addresses.

25
Q

What is purpose specification under GDPR?

A

The principle that personal data should be collected for specified, explicit, and legitimate purposes and not used in incompatible ways.

26
Q

What does the retention principle involve?

A

Retaining personal data only as long as necessary for the stated purpose and securely disposing of it when no longer needed.

27
Q

What is a Privacy Impact Assessment?

A

An analysis to evaluate privacy risks of data handling processes and identify ways to mitigate potential impacts.

28
Q

Who is a privacy champion?

A

An executive advocate for privacy who promotes privacy as a core organisational concept.

29
Q

What is a Privacy Threshold Analysis?

A

A preliminary tool used to determine whether a Privacy Impact Assessment (PIA) is required for a specific process or project.

30
Q

What is Protected Health Information?

A

Any identifiable health data held or processed by a HIPAA-covered entity related to health conditions, care, or payments.

31
Q

What are security safeguards?

A

Measures to protect personal data against risks like unauthorised access, loss, or modification.

32
Q

What is social engineering in cybersecurity?

A

A method attackers use to manipulate individuals into divulging sensitive information or compromising security.

33
Q

Who are stakeholders in a privacy program?

A

Executives or teams responsible for privacy activities within an organisation, such as legal, HR, IT, or compliance.

34
Q

What is vendor management in privacy compliance?

A

The assessment of third-party vendors for privacy and security practices, ensuring compliance with data protection laws.

35
Q

What is WebTrust?

A

A self-regulating seal program created by the AICPA and CICA for licensed certified public accountants to validate trust.

36
Q

What is the AICPA?

A

American Institute of Certified Public Accountants (AICPA). A U.S. professional organisation for certified public accountants, co-creator of the WebTrust seal program.

37
Q

What is the role of the CICA?

A

Canadian Institute of Chartered Accountants (CICA). The Canadian professional body responsible for setting standards, ethics, and education for chartered accountants.

38
Q

What are the main requirements of COPPA?

A

Children’s Online Privacy Protection Act (COPPA). Requires websites directed at children under 13 to:
- Post a privacy notice.
- Obtain parental consent before collecting data.
- Allow parents to review, delete, or manage their child’s data.

39
Q

What are the three principles of the CIA triad?

A

Confidentiality, Integrity, and Availability.

40
Q

What is the principle of collection limitation?

A

Personal data should only be collected by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

41
Q

What is a consumer reporting agency?

A

An entity that compiles or evaluates personal information to furnish consumer reports to third parties for a fee.

42
Q

What does cyber liability insurance cover?

A

Insurance for breach-related expenses, including:
- Forensic investigations.
- Legal fees.
- Breach notifications.
- Crisis management services.

43
Q

What is direct marketing?

A

Marketing where the seller directly contacts an individual rather than using mass media like TV or radio.

44
Q

What is the Do Not Track initiative?

A

A proposed regulation allowing consumers to opt-out of web tracking, similar to the Do-Not-Call Registry.

45
Q

What does the ECPA protect?

A

Electronic Communications Privacy Act (ECPA): Protects wire, oral, and electronic communications during transmission and when stored electronically.

46
Q

What did the EU Data Protection Directive (95/46/EC) establish?

A

A framework for personal data protection in the EU, replaced by the GDPR in 2018.

47
Q

What is GAPP?

A

Generally Accepted Privacy Principles (GAPP). A framework developed by the AICPA and CICA with ten principles, including notice, choice, security, and accountability.

48
Q

What does the GLBA regulate?

A

Gramm-Leach-Bliley Act (GLBA) regulates financial institutions’ handling of non-public personal information, requiring notice, security, and opt-out options for data sharing.

49
Q

What is HIPAA’s primary purpose?

A

Health Insurance Portability and Accountability Act (HIPAA): To create national standards for electronic healthcare transactions and protect patient health information.

50
Q

What is hybrid governance in privacy?

A

A model combining centralised oversight with decentralised execution, often used by large organisations.
Typically seen when a large organisation assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfil and support the policies and directives from the central governing body.

51
Q

What are information security practices?

A

Controls that reduce risks like data loss, unauthorised access, or modification.

51
Q

What are the stages of the information life cycle?

A

Collection, processing, use, disclosure, retention, and destruction.

52
Q

What constitutes negligence in privacy?

A

Failing to protect personal information, leading to harm or breach of legal duty.

53
Q

What is non-public personal information under GLBA?

A

Personally identifiable financial information provided to or collected by financial institutions, excluding publicly available information.

54
Q

What is the principle of openness?

A

Organisations should maintain transparency about data collection, usage, and protection practices.

55
Q

What does opt-in mean?

A

A model where individuals actively agree to data collection or sharing.

56
Q

What does opt-out mean?

A

A model where data collection or sharing proceeds unless the individual actively declines.

57
Q

What is a privacy program framework?

A

A structured roadmap for implementing and managing an organisation’s privacy initiatives.

58
Q

What are privacy-enhancing technologies?

A

Tools designed to protect privacy, such as encryption, anonymisation, and the Platform for Privacy Preferences (P3P).

59
Q

What does the GDPR say about fully automated decisions?

A

Individuals can object to decisions made solely by automated processing, especially if it impacts their rights.

60
Q

What is social engineering in privacy and security?

A

Manipulating individuals into divulging confidential information or compromising security protocols.

61
Q

What is the Platform for Privacy Preferences (P3P)?

A

A machine-readable language that expresses a website’s data management practices to facilitate automated privacy decisions by users.

62
Q

What does the Privacy Maturity Model provide?

A

A standardised reference for assessing the maturity level of a privacy program.

63
Q

What are the phases of the privacy operational life cycle?

A

Assess, Protect, Sustain, and Respond—focused on refining and improving privacy management processes.

64
Q

When is a Privacy Threshold Analysis used?

A

To determine whether a Privacy Impact Assessment (PIA) is necessary for a particular process, project, or system.

65
Q

What is protected health information under HIPAA?

A

Any health data that identifies an individual and is created, used, or disclosed by a covered entity or business associate.

66
Q

What is a Qualified Protective Order in healthcare privacy?

A

A legal order that restricts the use and disclosure of protected health information during litigation.

67
Q

What is the Respond phase in the privacy operational life cycle?

A

A phase focused on handling information requests, legal compliance, and incident response to mitigate risks and ensure compliance.

68
Q

How is ROI applied in privacy programs?

A

It measures the financial value of privacy investments by evaluating their effectiveness in protecting assets and ensuring compliance.

69
Q

What does the retention principle in data management state?

A

Personal data should only be retained as long as necessary for its intended purpose and securely deleted afterward.

70
Q

What is the principle of security safeguards?

A

Personal data must be protected by reasonable security measures to prevent risks like unauthorised access, loss, or destruction.

71
Q

Who are stakeholders in a privacy program?

A

Individuals or departments responsible for privacy activities, such as legal, compliance, IT, and marketing teams.

71
Q

What is substitute notice in data breach laws?

A

An alternative notification method when notifying individuals directly is impractical, often involving email, website postings, or media announcements.

72
Q

What happens in the Sustain phase of the privacy operational life cycle?

A

Monitoring, auditing, and communicating privacy processes to maintain ongoing compliance and effectiveness.

73
Q

What is US-CERT’s role in cybersecurity?

A

A partnership between the U.S. Department of Homeland Security and the private sector to coordinate responses to internet security threats.

74
Q

What are the 14 competency areas of the US-CERT IT Security Essential Body of Knowledge?

A

- Digital Security
- Digital Forensics
- Enterprise Continuity
- Incident Management
- IT Security and Training Awareness
- IT Systems Operation and Maintenance
- Network and Telecommunications Security
- Personnel Security
- Physical and Environmental Security
- Procurement
- Regulatory and Standards Compliance
- Security Risk Management
- Strategic Security Management
- System and Application Security

75
Q

What is the purpose of vendor management in privacy?

A

To assess third-party vendors for compliance with privacy and security policies and reduce risks associated with outsourcing.

76
Q

What does video surveillance typically exclude?

A

Sound recording, focusing solely on visual monitoring.

77
Q

What are the five steps of the metrics life cycle?

A

Identify the audience, define data sources, select metrics, refine collection points, and analyse data for feedback and improvement.

78
Q

What is the purpose of the PCI Data Security Standard?

A

A self-regulatory framework ensuring the secure handling of payment card data.

79
Q

How does negligence relate to data privacy?

A

It occurs when an organisation fails to protect personal data, breaching a legal duty and causing harm.

80
Q

What are the five phases of the audit life cycle?

A

Audit Planning, Audit Preparation, Conducting the Audit, Reporting, and Follow-up.

81
Q

What is the purpose of a business case in privacy management?

A

It defines the organisation’s privacy needs and aligns them with business goals, such as compliance and customer trust.

82
Q

What is a Business Continuity Plan?

A

A document outlining steps to maintain critical operations during crises, such as natural disasters or cyberattacks.

83
Q

What is decentralised governance?

A

A model that delegates privacy decision-making authority to lower organisational levels for flexibility and localised control.

84
Q

What are Fair Information Practices?

A

Principles like notice, choice, access, and accountability that form the foundation of many privacy laws and frameworks.

85
Q

What is generalisation in anonymisation?

A

A method that broadens specific data points (e.g., age 30 → age range 30–40) to reduce identifiability.

86
Q

What is Information Life Cycle Management?

A

A comprehensive framework for managing data from creation to destruction, emphasising security, retrievability, and compliance.

87
Q

What rights does the individual participation principle grant?

A

The right to access, verify, and request corrections to personal data held about them.

88
Q

Who are internal partners in privacy management?

A

Departments or teams, like HR or IT, that collaborate on privacy-related activities within an organisation.

89
Q

What is the role of NIST in privacy and security?

A

National Institute of Standards and Technology (NIST): To develop and issue standards and guidelines, including the NIST Privacy Framework and cybersecurity protocols.

90
Q

What is performance measurement in privacy management?

A

The process of defining and tracking metrics to evaluate the effectiveness of privacy processes and controls.

91
Q

How is personal data defined under GDPR?

A

Any information relating to an identified or identifiable natural person.

92
Q

What is PIPEDA?

A

Personal Information Protection and Electronic Documents Act (PIPEDA): Canada’s federal privacy law regulating private sector organisations to instil trust in electronic commerce and transactions.

93
Q

What are Privacy by Design’s seven foundational principles?

A

Proactive, preventative, privacy as default, embedded into design, end-to-end security, visibility and transparency, and user-centric.

94
Q

What does a privacy program framework include?

A

Checklists, processes, and structure to guide organisations in managing privacy effectively.

95
Q

How does pseudonymous data differ from anonymised data?

A

Pseudonymous data can still be linked to an individual through indirect identifiers, whereas anonymised data cannot.

96
Q

What is the right to challenge under FIPs?

A

The individual’s ability to dispute inaccuracies in their data and request corrections.

97
Q

What does the transparency principle require?

A

Organisations must clearly communicate their data practices, including how data is collected, used, and shared.

98
Q

What is the WebTrust seal program?

A

A self-regulatory initiative by the AICPA and CICA to certify websites for trusted data practices.

99
Q

What is an incident response plan?

A

A structured approach for handling data breaches and other security incidents, focusing on minimising harm and restoring normal operations.