Vocabulary Flashcards

1
Q

Accountability

A

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Adequate Level of Protection

A
A transfer of personal data from the European Union to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data.
Associated term(s): Adequacy
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Adverse Action

A
Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.
Associated law(s): FCRA
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

American Institute of Certified Public Accountants

AICPA

A

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Anti-discrimination Laws

A

Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

APEC Privacy Principles

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

APEC

A

Asia-Pacific Economic Cooperative

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Background Screening/Checks

A

Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Bank Secrecy Act (BSA)

A

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.
Link to text of law: The Bank Secrecy Act (BSA)
Acronym(s): BSA
Associated term(s): Financial Record Keeping and Reporting Currency and Foreign Transactions Act of 1970

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Behavioral Advertising

A

Advertising that is targeted at individuals based on the observation of their behavior over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Acronym(s): OBA Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Binding Corporate Rules

A

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.
Acronym(s): BCR

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Binding Safe Processor Rules (BSPR)

A

Previously, the EU distinguished between Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both.
Acronym(s): BSPR
Associated term(s): Binding Corporate Rules

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Breach Disclosure

A
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.
Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws
Associated term(s): Breach notification
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Bring Your Own Device

A

Use of employees’ own personal computing devices for work purposes.

Acronym(s): BYOD
Associated term(s): Consumerization of information technology (COIT)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

California Consumer Privacy Act

A

The first state-level comprehensive privacy law in the U.S. The CCPA applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights. In Nov. 2020, California passed the California Privacy Rights Act, which amends the CCPA and includes additional consumer protections and business obligations. The majority of the CPRA’s provisions will enter into force Jan. 1. 2023, with a look back to Jan. 2022.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

California Investigative Consumer Reporting Agencies Act

A

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.

Link to text of law: California Investigative Consumer Reporting Agencies Act
Acronym(s): CICRAA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

California Online Privacy Protection Act

A

Requires that all websites catering to California citizens provide a privacy statement to visitors and a easy-to-find link to it on their web pages. Websites that carry personal data on children less than 18 years of age must permit those children to delete data collected about them. Websites also must inform visitors of the type of Do Not Track mechanisms they support or if they do not support any at all.

Link to text of law: California Online Privacy Protection Act
Acronym(s): CalOPPA
Associated term(s): Do Not Track

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

California Privacy Rights Act

A

The CPRA amends the California Consumer Privacy Act and includes additional privacy protections for consumers. It also creates an enforcement agency, the California Privacy Protection Agency. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022. The CPRA passed as a ballot initiative in Nov. 2020

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Case Law

A

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

CCTV

A
Originally an acronym for "closed circuit television," CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.
Associated term(s): Video Surveillance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Children’s Online Privacy Protection Act (COPPA) of 1998

A

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Acronym(s): COPPA
Link to text of law: 15 U.S.C. §§ 6501-6508

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Choice

A
In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.
Associated term(s): Consent
23
Q

Cloud Computing

A

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a “private cloud” or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

24
Q

Collection Limitation

A

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

25
Q

Commercial Activity

A

Under Canada’s PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

26
Q

Commercial Electronic Message (CEM)

A

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.
Acronym(s): CEM

27
Q

Common Law

A

Unwritten legal principles that have developed over time based on social customs and expectations.

28
Q

Communications Privacy

A

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

29
Q

Comprehensive Laws

A
Laws that govern the collection, use and dissemination of personal information in the public and private sectors.
Associated term(s): Omnibus Laws
30
Q

Computer Forensics

A

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

31
Q

Confidentiality

A

Data is “confidential” if it is protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

32
Q

Confirmed Opt-In

A
An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.
Associated term(s): Double Opt-In
33
Q

Consent

A

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.
(1) Affirmative/Explicit Consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Associated term(s): Choice

34
Q

Consent Decree

A
A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.
Associated term(s): FTC
35
Q

Consumer Financial Protection Bureau

A
Created by the Dodd-Frank Act, the consumer financial protection bureau is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created CFPB took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against “abusive acts and practices” as specified by the Dodd-Frank Act.
Acronym: CFPB
Associated law(s):Dodd-Frank Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Federal Trade Commission
36
Q

Consumer Reporting Agency

A

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
Acronym(s): CRAs
Associated term(s): Credit Reporting Agency

37
Q

Cookie

A
A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called "cookie identifiers," as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive (see Cookie Directive).
Associated term(s): First-Party Cookie, Persistent Cookie, Third-Party Cookie, Tracking Cookie, Web Cookie
38
Q

Credit Freeze

A

A consumer-initiated security measure which locks an individual’s data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.

39
Q

Credit Reporting Agency

A

Under the Fair Credit Reporting Act, any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee.
Acronym(s): CRA
Associated term(s): Consumer reporting agency
Associated law(s): FCRA

40
Q

Customer Access

A

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

41
Q

Customer Information

A

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

42
Q

Data Breach

A
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
Associated term(s): Breach, Privacy Breach (Canadian)
43
Q

Data Classification

A

A scheme that provides the basis for managing access to, and protection of, data assets.

44
Q

Data Controller

A
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Associated term(s): Data Processor
45
Q

Data Elements

A

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

46
Q

Data Matching

A

An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.

47
Q

Data Processing

A
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Associated term(s): Data Processor, Processing, Processor
48
Q

Data Processor

A
A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.
Associated term(s): Data Controller, Processor
49
Q

Data Quality

A

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

50
Q

Data Recipient

A

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

51
Q

Data Subject

A

An identified or identifiable natural person.

52
Q

Deceptive Trade Practices

A

In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by the Federal Trade Commission at the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.
Associated term(s): Unfair Trade Practices
Link to text of law: U.S. Federal Trade Commission Act

53
Q

Defamation

A
Common law tort focuses on a false or defamatory statement, defined as a communication tending “so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.”
Associated term(s): Common Law
54
Q

Digital Fingerprinting

A
The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor’s web browser, operating system and font preferences. In some cases, combining this information can be used to “fingerprint” a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for digital fingerprinting techniques to be used for targeted advertising.
Associated term(s): Biometric Data, Authentication, Authorization