Introduction and US Legal Framework Flashcards

1
Q

Data protection authority (DPA)

A

Official or agency that enforces privacy or data protection laws and regulations.

U.S. has no national data protection authority per se, but several groups oversee privacy matters (FTC, state attorneys general, federal financial regulators).

2
Q

Data controller

A

An organization or individual with the authority to decide how and why information about data subjects is to be processed

This entity is the focus of most obligations under privacy and data protection laws (usually a corporation)

3
Q

Data subject

A

An individual about whom information is being processed. E.g. consumer, employee, patient

4
Q

Data processor

A

An organization or individual, often a third-party outsourcing service, that processes data on behalf of the data controller

  • HIPAA - known as “business associates”
  • Can delegate out to subsequent data processor
  • No data processor or subsequent data processor can exceed scope of processing authority given by data controller
5
Q

Information privacy

A

Establishes rules that govern the collection and handling of personal info, such as financial and medical info, government records, or internet activity

6
Q

Communications privacy

A

Establishes protection of the means of correspondence, such as postal mail, telephone conversations, and e-mail

7
Q

Bodily privacy

A

Establishes protections of a person’s physical being and any invasion thereof, such as genetic and drug testing; body cavity searches; and birth control, adoption, and abortion.

8
Q

Territorial privacy

A

Establishes limits on the ability to intrude into another individual’s environment, including the home, workplace, and public space.

9
Q

Fair information practices (FIPs)

A

Guidelines for handling, storing, and managing personal info properly

Categories of principles and the practices associated with each principle:

  1. The rights of individuals
    • Notice
    • Choice and consent
    • Data subject access
  2. Controls on the info
    • Info security
    • Info quality
  3. The information lifecycle
    • Collection
    • Use and retention
    • Disclosure
  4. Management
    • Management and administration
    • Monitoring and enforcement
10
Q

OECD Guidelines (1980)

A

Updated in 2013. OECD is an international org including US, Europe, and others.

Most widely recognized framework for FIPs; has been endorsed by the US FTC and many other government orgs.

11
Q

Examples of personal info and sensitive personal info

A

Examples of personal info

SSNs, passport numbers, names; street address, telephone number, e-mail address

Examples of sensitive personal info (definition depends on jurisdiction and particular regulations)

SSNs, financial info, drivers license numbers, health info

IP addresses are context-dependent – federal agencies operating under the Privacy Act don’t consider IP addresses to be personal info, but the FTC treats them as personal info when it comes to breaches of healthcare information

12
Q

Classes of Privacy (Table)

A

Class                    Scope                                              Examples
Information privacy      Collection and handling of personal info           Financial info, medical info, government records, internet activity
Bodily privacy           Person’s physical being and any invasion thereof   Genetic testing, drug testing, body cavity searches; birth control, abortion, adoption
Territorial privacy      Intrusion into individual’s environment            Home, workplace, or public place; monitoring via video surveillance, ID checks, use of similar tech and procedures
Communications privacy   Means of correspondence                            Postal mail, telephone convos, e-mail

13
Q

Processing (definition)

A

Collection, recording, organization, storage, updating or modification, retrieval, consultation and use of personal info

Disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of personal info

14
Q

Sources of personal info

A
  1. Public records
  2. Publicly available info - names and addresses in phone books and info published in newspapers and/or other public media (e.g. search engines)
  3. Non-public info - not generally available or easily accessed due to law or custom; company’s customer or employee database usually contains non-public info
15
Q

Self-regulation and co-regulation

A

Legislation: who defines privacy rules?

  • Privacy policy of a company or other entity
  • Industry association

Enforcement: who initiates enforcement action?

  • Data protection authorities
  • Other government agencies
  • Industry code enforcement
  • Affected individuals

Adjudication: who decides whether an org has violated a privacy rule?

  • Industry association
  • Government agency
  • Judicial officer

Privacy professionals should consider all 3 for clear understanding of data privacy responsibilities

16
Q

Comprehensive vs sectoral data protection laws

A

Comprehensive - gov has defined requirements throughout the economy

Sectoral - laws exist in selected market segments, often in response to particular need or problem (like in US)

17
Q

Co-regulatory model

A

Industry development of enforceable codes or standards for privacy and data protection

e.g. Children’s Online Privacy Protection Act (COPPA) - allows compliance with codes to be sufficient for compliance with statute once codes have been approved by FTC

18
Q

Self-regulatory model

A

Company, industry or independent body creates codes of practice for protection of personal info; no generally applicable legal framework in place

e.g.

  • Payment Card Industry Data Security Standard (PCI-DSS) - enhances cardholder data security and facilitates broad adoption of consistent data security measures globally
  • Seal programs
19
Q

Seal programs

A

When a company abides by codes of information practices and submits to some variation of monitoring to ensure compliance, it is allowed to display the program’s privacy seal on its website

20
Q

Consent decree (definition)

A

Agreements or settlements that resolve a dispute between 2 parties w/o admission of guilt or liability

Thru legal doc approved by a judge, defendant may have to take specific action, such as agreeing to stop the alleged illegal activity or pay money to gov and agree not to violate relevant law in future

21
Q

Role of Federal Trade Commission (FTC)

A
  • General authority to enforce rules against unfair and deceptive trade practices
  • Can bring deception enforcement actions where an organization has broken a privacy promise
  • Has statutory responsibility for issues such as children’s online privacy and commercial e-mail marketing
22
Q

Role of Dept of Health and Human Services (DHHS)

A
  • Created regulations to protect privacy and security of healthcare information
  • Responsible for enforcement of HIPAA laws
  • Shares rulemaking and enforcement power with FTC for data breaches related to medical records under Health Information Technology for Economic and Clinical Health (HITECH) Act
23
Q

Role of Federal Communications Commission (FCC)

A
  • Governs communication industry (tv, radio, telemarketing, online marketing)
    • Online marketing laws: Telemarketing Sales Rule, CAN-SPAM Act
  • Enforces privacy law w/ FTC
24
Q

Role of Department of Commerce (DOC)

A
  • Leading role in federal privacy policy development and administers Privacy Shield Framework b/w US and EU
  • Works w/ FTC on enforcement of privacy and security standards set by organizations, particularly those with self-regulatory programs
25
Q

Role of Federal Reserve Board

A
  • Federal financial regulator
  • Enforces provisions by specific federal mandates like Gramm-Leach-Bliley Act (GLBA)
  • Contains CFPB, which has rulemaking authority for laws related to financial privacy and oversees the relationship b/w consumers and financial product and service providers
26
Q

Role of State Attorney General

A
  • Chief legal advisor to state government and state’s chief law enforcement officer
  • May take enforcement action on:
    • state’s unfair and deceptive practice laws
    • HIPAA
    • GLBA
    • Telemarketing Sales Rule
    • violations of breach notification laws
27
Q

Role of Office of the Comptroller of the Currency (OCC)

A
  • Independent bureau of US Treasury
  • Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks
  • Ensures fair access to financial services and compliance w/ financial privacy laws and regulations