CIPP - Foundation Workshop Flashcards

Terms Definitions
Define Privacy
Privacy is the appropriate use of personal information under the circumstances. It is an individual's right to control the collection, use and disclosure of personal information.
Define Data Protection
The management of personal information.
What is ID theft really a US problem?
Because of credit structures.
Why is it important for a privacy professional to understand privacy classes?
Because you need to understand the classes about which your clients are concerned.
What is Personal Information?
Any information relating to an identified or identifiable individual.
What is Personal Data?
Any information relating to an identified or identifiable natural person.
What are the two categories of personal information elements?
General information & organizational information
What term is used in the US for data elements that generally require additional privacy and security limitations?
Sensitive Personal Information
What term is used in the EU for data that generally requires additional privacy and security limitations?
Special categories
What is one data element that is considered sensitive personal information but not in a special category in Europe?
Driver's license numbers - though they are still protected in Europe (national IDs)
What data elements are sensitive in all countries everywhere?
medical information
What is unique about criminal record data elements between the US and the EU?
They are considered with special categories in the EU and public record in the US.
Name one data element from the US/EU that is considered special in one and not the other.
Financial data in the US (not in the EU) and racial/ethic origin in the EU (not in the US).
What types of data triggers security breach notification laws?
Sensitive personal information
Do special categories of data trigger security breach notification laws?
not yet
Can business information ever be considered personal information?
Yes, in Europe if business info is a proxy for personal information.
When should you treat data as personal information on the CIPP exam?
When you can use it to ID, locate, or contact a person.
What is the person about which data is targeted called in Japan?
A principal
What do you call a person about whom data is used, collected, etc in Mexico?
Data subject
When is the line between personal and professional information blurred?
When your are dealing with data in the EU.
What are 4 key data protection roles to know?
(1) Data protection authority (2) Data controller (3) Data processor (4) Data subject
How broadly should you construe processing on the CIPP exam?
From the moment an individual organization comes into contact with personal information, anything they do with that information should be considered processing.
Does every country with privacy laws have data protection authorities?
What is the difference between a privacy policy and a privacy notice?
A privacy policy is an internal document that articulates an organization's policies/positions on the privacy, protection and use of personal information. A privacy notice is an outward facing statement made to customers, job applicants, anyone outside the organization describing how the organization is collecting, using, retaining, and disclosing personal information. A privacy policy is a document - a privacy notice is the thing on the website.
Is "Data Subject" used in the US?
No - this is the term for a data owner in Mexico - in the US we talk about employees, consumers, individuals.
What can you authorize a data processor to do on your behalf as a data controller?
Anything that you can do legally to data you can get someone else to do for you.
What are the two things that processors need to do to act on behalf of a controller?
Follow instructions and take reasonable security measures.
What is a data processor called in Korea?
An "entrusting agent"
Who do controllers answer to in the US?
Different supervising authorities - FTC-most, FCC-telephone service providers, HHS-HIPAA.
What actions are covered by the definition of data processing?
Define Consent.
Consent is a data subject's indication of agreement to his or her personal data being processed.
Define Choice.
Choice allows a data subject two options: opt-in or opt-out.
Define Opt-Out.
Personal information will be processed unless the data subject objects.
Define Opt-In.
Personal information will be processed only if the data subject agrees. If I don't make a choice - you do nothing!
How is consent used inappropriately in the US?
We often use the term consent to indicate that we are waiving a legal right, US consent is take it or leave it (note - this is the way everything is in Korea & Japan). In the US there are consequences to not providing consent (i.e. you don't get the job). In the EU, consent is not take it or leave it - you just cant do it and there cannot be adverse consequences.
Is a pre-checked box ever an opt-in?
NO - a pre-checked box is an opt-out no matter what the words are.
What are some types of risk managed by privacy controls?
legal compliance, reputation/brand management, investment risk, reticence (using data to deliver value) CRM.
Is a privacy notice an enforceable contract?
Give some general parameters regarding a privacy timeline.
1970s - US, 1980 - OECD, 1981 Council of Europe, 1995 - European Union, 2004 - APEC.
What government agency produced a report in the 1970s containing the original code of fair information practices?
The US Department of Health Education and Welfare
What are the concepts and ideas that were presented in the original US Dept of Health Education and Welfare report?
notice, choice and consent, data subject access, information security, information quality, collection limitation, appropriate use, retention, limited disclosure, management and administration, and monitoring and enforcement.
What is the full name of the OECD Guidelines?
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
What concepts are included in the OECD Guidelines?
Collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability
What was passed in 1981 by the Council of Europe?
The Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data.
What is the 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data also known as?
The CoE Conventions
What do the basic principles within the CoE Conventions focus on?
Data quality, special categories of data, data security, data subject safeguards, sanctions and remedies, and extended protection by states.
What other two concepts are also addressed in the CoE Conventions?
Trans-border data flows and mutual assistance.
What is EVERY global privacy law based on?
The same set of principles - associate these with the OECD.
What is the answer if you are asked what is the foundation for the EU Data Directive?
Did the COE and the OECD develop in paralell?
What two things provided the framework for the EU Data Directive?
CoE Convention & OECD Guidelines provided the framework for the Directive 95/46/EC passed by the European Union 1995.
What was the EU Directive drafted to address?
The processing of personal data and on the free movement of such data.
When did the Directive go into affect?
When was the Asia-Pacific Economic Cooperation Privacy Framework approved?
What does the APEC Privacy Framework address?
Principles such as preventing harm, notice, collections limitation, use of PI, choice, integrity of PI, security safeguards, access and correction, and accountability.
What type of framework is APEC?
A non-legal guideline framwewo
Was APEC totally derived from OECD?
What are the eight OECD Guidelines that you MUST understand in order to form the basis for understanding privacy frameworks across the globe?
Collection Limitation (consent not required if...), Security Safeguards (reasonable), Data Quality, Openness, Purpose Specification, Individual Participation, Use Limitation, Accountability
What was the whole point of the EU Directive?
To ENABLE data flows across Europe
What else does the EU Directive do?
Sets privacy standards, sets a floor for privacy in Europe, places restrictions on data leaving Europe.
Who are members of APEC?
all countries that have a border on the Pacific Ocean - this includes the US, South American countries, Japan, etc.
What is one of the main differences between APEC Privacy Framework and the EU Directive?
The APEC Framework is voluntary (i.e. you may enact a law to meet the standards - here is a framework for you to use). The EU Directive is mandatory - you MUST enact a law.
What is important to note about the concept of compatible purpose?
The secondary purpose needs consent unless it is for lawful purposes.
What is the standard for security measures?
What does "erase"/"delete" means in Europe?
In the EU this means ALL deletion.
What are some of the similarities of FIPPs, OECD and APEC?
Each principle contains information surrounding rights of the individual, information lifecycle, controls on information, and management.
Describe what rights of the individual covers.
Topics such as notice, choice and consent, and access.
Describe what topics are covered within the information lifecycle.
Collection, use and retention, and disclosure.
Describe what topics controls on information covers.
Information security and quality.
Describe what topics management covers.
Management and administration, and monitoring and enforcement.
Must companies have structures in place to meet management requriements?
Describe some elements of the information lifecycle
Collect/Derive, Use/Process, Disclose/Transfer (rights of data subject must be maintained even if data is transferred to a third party), store/retain/delete(?) - see page 18
What is an example of how the rights of individuals are addressed by FIPPs, OECD, APEC?
By the requirements for privacy statements set forth in the laws.
How are the rights of individuals manifested in the privacy world?
Through choice
What is an expression of choice?
How can one evidence consent?
Through legal documents or other documentation
Describe the idea of "choice" over "consent."
You may legally need consent - however, choice isnt always appropriate (i.e. fraud prevention and risk management) - you want to always ask yourself "is choice appropriate" - make choice real - "opt in" and "opt out." Opt out/in is often required by law but not always necessary though "opt out" is very common.
Which method of expressing consent to processing through choice implicit?
Opt-out - Opt-in is considered explicit - but thing about this - which one is correct? It all depends on the use. (UNLESS IN GERMANY)
On the Exam know what choice is appropriate
Consent - background checks in the US / Secondary uses in the EU.
Also know Security Controls for the exam
again the standard is reasonableness - some controls are always going to be reasonable - having someone in charge/administrative controls, etc.
Describe the OECD Principles. When should choice and consent solicitations be made? (data collection and secondary use, before use that requires consent (when legally required to do so, if not req. then don't do that). Describe key information principles (see page 18).
/ 82

Leave a Comment ({[ getComments().length ]})

Comments ({[ getComments().length ]})


{[ comment.comment ]}

View All {[ getComments().length ]} Comments
Ask a homework question - tutors are online