All Questions Flashcards
What are the goals of a privacy program manager?
- identify privacy obligations for the org
- identify business, employee and customer privacy risks
- identify existing documentation, policies and procedures
- create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program
What is accountability?
Accountable organisations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws.
They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
How can the IT group carry the mantle of privacy by design?
By implementing privacy principles into the realm of technology development by limiting the data fields built into a tool or application to only those actually required to perform a process or action, or by building in functions that enable the user to easily delete data according to a retention schedule.
What is privacy governance?
The components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization’s broader business objectives and goals.
What are the components of privacy governance?
- creating the organisational privacy vision and mission statement
- defining the scope of the privacy program
- selecting an appropriate privacy framework
- developing the organisational privacy strategy
- structuring the privacy team
What two steps are usually adopted to identify the privacy program’s scope?
- Identify the personal information collected and processed
- Identify in-scope privacy and data protection laws and regulations
Which Article of the GDPR has formalized the maintenance of written documentation about personal information (including info about how the org processes data, the categories of individuals impacted, and the recipients of data)?
Article 30
What country takes the sectoral approach to privacy and data protection?
US
Enactment of laws that specifically address a particular industry sector, such as
- financial transactions
- credit records
- law enforcement
- medical records
- communications
What countries employ the comprehensive model for data protection?
EU member states and Canada
Govern the collection, use and dissemination of personal information in private and public sectors with an official oversight enforcement agency that:
- remedies past injustices
- promotes electronic commerce
- ensures consistency with pan-European laws
What country adopts the co-regulatory model for data protection?
Australia
Variant of the comprehensive model, where industry develops enforcement standards that are overseen by a privacy agency
What countries adopt the self-regulatory model for data protection?
US, Japan and Singapore
Companies use a code of practice by industry bodies. The Online Privacy Alliance, TrustArc, BBBOnline and Webtrust are examples of this type of model.
What entities are subject to the Gramm-Leach-Bliley Act?
Financial institutions
When is a DPO required under s37 GDPR?
(A) by public authorities or bodies
(B) Where the organization’s “core” activities consist of processing operations that require “regular and systematic monitoring of data subjects on a large scale”
(C) Where the org’s core activities consist of processing “special” categories of data on a large scale
Formally appointing a DPO will subject the organisation to what DPO requirements?
- reporting structure and independence (Article 38): the DPO is required to report to the highest management level.
- qualifications and responsibilities: expert knowledge of data protection law and practices
What are the requirements on a DPO under Article 39 GDPR?
(A) Monitoring company’s compliance with GDPR
(B) providing advice during data protection impact assessments
(C) Cooperating with supervisory authorities
What is the maximum amount of penalty for breach of HITECH?
1.5 million
What are the differences between privacy assessments, PIAs and DPIAs in terms of type of assessment?
Privacy assessment - measures an organisation’s compliance with laws and internal policies.
PIA - analysis of privacy risks associated with processing information in relation to a project, product or service
DPIA - under GDPR, a process designed to identify risks arising from the processing of personal data and to minimise these risks as much and as early as possible.
What are the differences between how privacy assessments, PIAs and DPIAs are triggered?
Privacy assessments - BAU audit at a predefined time period, in response to a security or privacy event, or at the request of an enforcement authority.
PIAs - emanate from industry codes, organisational policy, laws, regulations, or supervisory authorities
DPIAs - when processing is likely to result in high risk to the rights and freedoms of natural persons
What are the differences between the standards used for privacy assessments, vs PIAs and DPIAs?
Privacy assessments - subjective (e.g. employee interviews) or objective (e.g. information system logs)
PIAs - ISO 29134
DPIAs - minimum features: (a) description of the processing, including its purpose and the legitimate interest being pursued; (b) the necessity of the processing, its proportionality and the risks it poses to data subjects; and (c) measures to address the risks specified
Which of privacy assessments, PIAs and DPIAs facilitate privacy by design?
PIAs
Which US government act requires PIAs from government agencies?
E-Government Act
When are PIAs required by the US gov pursuant to the E-Government Act of 2002?
(A) When developing or procuring IT systems containing PII of the public; or
(B) when initiating an electronic collection of PII
Under the E-Government Act of 2002, what requirement precedes a PIA to determine whether a PIA is needed?
Privacy Threshold Analysis
The PTA will seek to determine:
(A) from whom data is collected
(B) what types of personal data are collected
(C) how such data is shared
(D) whether the data has been merged
(E) Whether any determinations have been made as to the info security aspects of the system
Under ISO 29134, what is the performing phase?
- Identifying information flows of PII
- analysing the implications of the use case
- Determining the relevant privacy-safeguarding requirements
- Assessing privacy risks using the steps of risk identification, risk analysis and risk evaluation
- Determining privacy risk treatment options