Chapter 1 - Intro to Privacy Flashcards

1
Q

_____ privacy is concerned with rules that govern the collection and handling of personal information.

Examples include financial info, medical info, government records and records of a person’s internet activities.

A

Information Privacy

2
Q

_____ privacy is focused on a person’s physical being and an invasion thereof. Invasions can take the form of genetic testing, drug testing, or body cavity searches. This also encompasses issues such as birth control, abortion and adoption.

A

Bodily Privacy

3
Q

_____ privacy is concerned with the ability to intrude into another individual’s environment. “Environment” isn’t limited to home; it includes workplace or public space. Intrusions typically take the form of monitoring (i.e., video surveillance, ID checks and the like).

A

Territorial Privacy

4
Q

_____ privacy encompasses the means of correspondence, including postal mail, phone convos, email and other forms of communication

A

Communication Privacy

5
Q

What are FIPs/FIPPs?

A
  1. FIP - Fair Information Practices/FIPP - Fair Information Privacy Practices (or Principles)
  2. FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving.

Examples include:
OECD Guidelines
Convention 108
APEC

6
Q

What are the 4 main categories of FIPs?

A

1- rights of individuals
2- controls on the information
3- information lifecycle
4- management

7
Q

Re: “(FIP) Rights of Individuals”, organizations should address what 3 areas?

A

1- Notice
2- Choice and Consent
3- Data Subject Access

8
Q

(FIP) Rights of Individuals - Re: NOTICE, orgs should….

A

provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.

9
Q

(FIP) “Rights of Individuals” - Re: CHOICE AND CONSENT orgs should….

A

describe the choices available to individuals and should get implicit/explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is especially important for disclosures of personal info to other data controllers.

10
Q

(FIP) “Rights of Individuals” - Re: DATA SUBJECT ACCESS, orgs should….

A

provide individuals with access to their personal info for review and update.

11
Q

Re: (FIP) “Controls on the Information”, organizations should address what 2 areas?

A

1- Information Security

2- Information Quality

12
Q

(FIP) “Controls on the Information” - Re: INFORMATION SECURITY, orgs should…

A

use reasonable administrative, technical and physical safeguards to protect personal info against unauthorized access, use, disclosure, modification and destruction.

13
Q

(FIP) “Controls on the Information” - Re: INFORMATION QUALITY, orgs should…

A

maintain accurate, complete and relevant personal info for the purposes identified in the notice

14
Q

Re: (FIP) “Information Lifecycle”, organizations should address what 3 areas?

A

1- Collection
2- Use and Retention
3- Disclosure

15
Q

(FIP) “Information Lifecycle” - Re: COLLECTION, orgs should…

A

collect personal information only for the purposes identified in the notice

16
Q

(FIP) “Information Lifecycle” - Re: USE AND RETENTION, orgs should…

A

limit the use of personal info for the purposes identified in the notice and for which the individual has provided implicit or explicit consent; orgs should also retain personal info for only as long as necessary to fulfill the stated purpose

17
Q

(FIP) “Information Lifecycle” - Re: DISCLOSURE, orgs should…

A

disclose personal info to 3rd parties only for the purposes identified in the notice and with the implicit/explicit consent of the individual

18
Q

Re: (FIP) “Management”, organizations should address what 2 areas?

A

1- Management and Administration

2- Monitoring and Enforcement

19
Q

(FIP) “Management” - Re: MANAGEMENT AND ADMINISTRATION, orgs should…

A

define, document, communicate and assign accountability for their privacy policies and procedures

20
Q

(FIP) “Management” - Re: MONITORING AND ENFORCEMENT, orgs should…

A

monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes

21
Q

5 Key Principles in US Health, Education and Welfare FIPs

A

1 - There must be no personal data record-keeping systems whose very existence is secret

2- There must be a way for a person to find out what info about them is in a record and how it is used

3- There must be a way for a person to prevent info about them that was obtained for one purpose from being used or made available for other purposes w/o the person’s consent

4- There must be a way for a person to correct or amend a record of identifiable info about the person

5 - Any org creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuse of the data

22
Q

The most widely recognized framework for FIPs, which has been endorsed by the US FTC and many other government organizations

A

OECD Guidelines (updated in 2013)

23
Q

OECD - Collection Limitation Principle

A

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and where appropriate, with the knowledge or consent of the data subject

24
Q

OECD - Quality Principle

A

Personal data should be relevant to the purposes for which they are to be used, and as needed for those purposes, should be accurate, complete and kept up-to-date

25
Q

OECD - Purpose Specification Principle

A

Purposes for which personal data are collected should be specified not later than at the time of the data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

26
Q

OECD - Use Limitation Principle

A

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except (a) with the consent of the data subject or (b) by the authority of law

27
Q

OECD - Security Safeguards Principle

A

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

28
Q

OECD - Openness Principle

A

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

29
Q

OECD - Individual Participation Principle

A

An individual should have the right:

(i) to obtain confirmation of whether or not the data controller has data relating to them
(ii) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him
(iii) to be given reasons if a request made under the preceding clauses is denied, and to be able to challenge such denial
(iv) to challenge data relating to him and if the challenge is successful, to have the data erased, rectified, completed or amended

30
Q

OECD - Accountability Principle

A

A data controller should be accountable for complying with measures which give effect to the OECD principles.

31
Q

Personally Identifiable Information (PII) includes…

A

information that makes it possible to identify an individual (i.e., social security numbers, passport numbers, street address, telephone number, email address)

32
Q

De-identified/Anonymized Data

A

Data where the elements used to identify the individual are removed and the remaining data becomes nonpersonal info.

33
Q

Pseudonymized Data

A

Data where info about individuals is retained under pseudonyms, such as a unique numerical code for each person, that renders data temporarily nonpersonal. Pseudonymized data can be reversed.

34
Q

Practice Note - Personal & Nonpersonal Information

A

The line between these 2 categories is not always clear, and regulators and courts in different jurisdictions may disagree on what counts as personal information. For example, IP addresses don’t constitute personal information under the Privacy Act, but the FTC has stated that in the context of breaches of healthcare information, IP addresses ARE personal information.

35
Q

Information Assets of an Organization that aren’t “personal information” but should be protected and secured to ensure confidentiality include:

A

1 - financial data
2- operational data
3- intellectual property
4- info about the org’s products and services

36
Q

The term “Processing” refers to…

A

the collection, recording, organization, storage, updating or modification, retrieval, consultation and use of personal information; it also includes disclosure by transmission, dissemination or making available in any other form, linking, alignment, or combination, blocking, erasure, or destruction of personal information.

37
Q

Practice Note re: Sources of Personal Information

A

Information may be public record, publicly available, and nonpublic all at once, and to understand how to use the underlying information, one must understand the source that provided the information (i.e., restrictions may apply to use of the name and address in a patient file, but not to public records or publicly available information)

38
Q

A Data Controller is…

A

an org that has the authority to decide how and why personal info is to be processed.

39
Q

A Data Processor is…

A

a 3rd party outsourcing service that processes data on behalf of the data controller. Data processors aren’t authorized to do additional data processing outside of the scope of what is permitted for the data controller itself.

Under HIPAA, data processors are called “business associates”.