Privacy Program Vocabulary Flashcards
What is accountability in the context of privacy laws?
The ability to demonstrate that technical and organisational measures for personal data handling have been implemented and comply with relevant laws, such as GDPR and APEC’s Cross Border Privacy Rules. It is a foundational principle of fair information practices.
What are active scanning tools, and what are they used for?
Tools like Data Loss Prevention (DLP) systems and privacy tools that identify security and privacy risks to personal information. They can monitor compliance and block unauthorised transfers based on data categories.
What is anonymization, and what are the three primary techniques?
A process where identifiable data is altered so it cannot be linked back to an individual. Techniques include:
Suppression: Removing identifying values.
Generalization: Broadening specific data (e.g., age 18 → 18-24).
Noise Addition: Mixing identifying values within a dataset.
What are the APEC Privacy Principles?
Non-binding principles adopted by the Asia-Pacific Economic Cooperative, mirroring OECD Fair Information Privacy Practices. They aim to balance information privacy with business needs to promote electronic commerce in the Asia-Pacific region.
What is behavioural advertising, and what does GDPR require regarding it?
Advertising targeted at individuals based on observed behaviour, often through automated data processing or profiling. GDPR requires users to be informed of processing logic, consequences, and allows opt-out options.
What are Binding Corporate Rules, and what do they enable?
BCRs are safeguards under GDPR that allow cross-border transfers of personal data within a corporate group. They ensure consistent, high-level data protection and require approval by a data protection authority.
What is a Business Continuity and Disaster Recovery Plan?
A risk mitigation plan ensuring that critical business functions continue during a crisis. It covers recovery actions for events like natural disasters or cyberattacks.
What is the purpose of COPPA?
Children’s Online Privacy Protection Act (COPPA) is a U.S. law requiring websites directed at children under 13 to post privacy notices, obtain parental consent for data collection, and allow parents to manage their child’s data.
What does “consent” mean under GDPR?
Individuals must actively agree to data collection and processing, which can be explicit (opt-in) or implied. Consent must be freely given, informed, and revocable.
What does the Data Minimisation Principle advocate?
Only collect and retain the personal data necessary for the specific purpose.
When is a Data Protection Impact Assessment required under GDPR?
When processing activities are likely to result in high risks to individual rights, such as introducing new systems or significant changes to data use.
What is Privacy by Design?
A framework ensuring privacy is integrated into system and process design from the outset, following principles like minimal data collection and robust security.
Who is a Data Controller?
An entity or individual that determines the purposes and means of processing personal data.
What constitutes a data breach?
The unauthorised acquisition of data that compromises its confidentiality, integrity, or security.
What are the components of the Information Security Triad?
Confidentiality, Integrity, and Availability (CIA).
What is a data inventory?
A record of personal data as it moves across systems, identifying its location, categorisation, and any inconsistencies to enable better management and compliance.
What is Data Life Cycle Management?
A policy-based approach to managing data from creation to final disposition, ensuring security, retrievability, and compliance across its life cycle.
What is a Data Protection Authority under GDPR?
An independent public authority that supervises the application of data protection laws, provides advice, and enforces compliance, including imposing fines.
What does the principle of individual participation entail?
Individuals have the right to access their data, request corrections, and challenge any denied requests.
What is a gap analysis in privacy management?
A review of current privacy capabilities to identify and address gaps between existing measures and required standards or laws.
What is jurisdiction in the context of privacy law?
The authority of a court or regulatory body to enforce laws over certain geographical areas, individuals, or subject matters.
How are metrics used in privacy management?
Metrics evaluate the effectiveness of privacy programs by measuring progress, compliance, and outcomes through quantifiable data.
What is pseudonymous data?
Data that is not directly linked to an individual but can be indirectly associated through identifiers like codes or IP addresses.
What is purpose specification under GDPR?
The principle that personal data should be collected for specified, explicit, and legitimate purposes and not used in incompatible ways.
What does the retention principle involve?
Retaining personal data only as long as necessary for the stated purpose and securely disposing of it when no longer needed.
What is a Privacy Impact Assessment?
An analysis to evaluate privacy risks of data handling processes and identify ways to mitigate potential impacts.
Who is a privacy champion?
An executive advocate for privacy who promotes privacy as a core organisational concept.
What is a Privacy Threshold Analysis?
A preliminary tool used to determine whether a Privacy Impact Assessment (PIA) is required for a specific process or project.
What is Protected Health Information?
Any identifiable health data held or processed by a HIPAA-covered entity related to health conditions, care, or payments.
What are security safeguards?
Measures to protect personal data against risks like unauthorised access, loss, or modification.
What is social engineering in cybersecurity?
A method attackers use to manipulate individuals into divulging sensitive information or compromising security.
Who are stakeholders in a privacy program?
Executives or teams responsible for privacy activities within an organisation, such as legal, HR, IT, or compliance.
What is vendor management in privacy compliance?
The assessment of third-party vendors for privacy and security practices, ensuring compliance with data protection laws.
What is WebTrust?
A self-regulating seal program created by the AICPA and CICA for licensed certified public accountants to validate trust.
What is the AICPA?
American Institute of Certified Public Accountants (AICPA). A U.S. professional organisation for certified public accountants, co-creator of the WebTrust seal program.
What is the role of the CICA?
Canadian Institute of Chartered Accountants (CICA). The Canadian professional body responsible for setting standards, ethics, and education for chartered accountants.
What are the main requirements of COPPA?
Children’s Online Privacy Protection Act (COPPA). Requires websites directed at children under 13 to:
- Post a privacy notice.
- Obtain parental consent before collecting data.
- Allow parents to review, delete, or manage their child’s data.
What are the three principles of the CIA triad?
Confidentiality, Integrity, and Availability.
What is the principle of collection limitation?
Personal data should only be collected by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject