CH. 1 Flashcards Preview

CIPP/US > CH. 1 > Flashcards

Flashcards in CH. 1 Deck (20)
Loading flashcards...
1

Define Privacy

"the right to be let alone," HLR. The desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others.

2

Classes of Privacy

1) Information Privacy - PII
2) Bodily Privacy - intrusion on the physical being
3) Territorial Privacy - intrusion on the environmental or geographical
4) Communications Privacy - Intrusion on the means of correspondence

3

Fair Information Practices

(AKAs: FIP, Fair Information Privacy Practice, FIPP)

Means by which to organize rights and responsibilities as to personal information. Four Principles:

1) Individual's rights
2) Controls on the Information
3) Information Lifecycle
4) Management

4

FIP/FIPP - Individual's rights

- Notice about policy, procedure, and purpose of collection, use, and how its retained and disclosed
- Choice and consent as to above with either explicit or implicit consent
- Data subject access to personal information for review and update

5

FIP/FIPP - Controls on the Information

- Information security showing implemented safeguards
- Information quality standards having accurate, complete, and relevant information

6

FIP/FIPP - Information Lifecycle

- Collection limited to notice
- Use and retention limited to notice and consent "for as long as necessary"
- Disclosure limited to notice and consent

7

FIP/FIPP - Management

- Management and action to define, document, communicate, and assign accountability
- monitoring and enforcement of compliance and complaints

8

PII

Personally Identifiable Information
- as opposed to aggregate o statistical information
- information that makes it possible to identify
- ex. ssn, passport no., street add, telephone, and email

9

Sensitive PII

PII with higher scrutiny
- ex. ssn, fin info, driver license no., and health info

10

Non-Personal Information

De-identified or anonymized information

11

Pseudonymized data

Information on data subject retained under pseudonym
- often reversible
- useful in drug tests, if trial has adverse effects and individuals need to be contacted

12

Gray areas of data collection

ex. operaional data, intellectual proprty, informationabout products and services, IP address

13

Sources of Personal data

The source of data can alter its treatment.
- public records
- publicly available information
- non-public information

14

Processing Personal Information

the collection, recording, organization, storage, updating or modification, transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of personal information.
1) data subject - individual
2) data controller - organization with authority over data
3) data processor - processor on behalf of controller

15

Sources of Privacy Protection

- Markets - concerns of the consumer
- Technology - ability to encrypt
- Law - traditional source
- Self-regulation and co-regulation - where self-regulation is the legislation (who defines privacy rules), enforcement (who initiates action), and/or adjudication (who decides a violation occurred)

16

Data Protection Models

1) Comprehensive Model
2) Sectorial Model
3) Co-Regulatory and Self-Regulatoy Model

17

Data Protection Model - Comprehensive

- governs the collection, use, and dissemination of personal information
- formed as a reaction to remedy past injustices, ensure consistency, and promote e-commerce
- con: its a one size fits all; stifles innovation

18

Data Protection Model - Sectorial

- protection of PII by enacting laws addressing a particular industry standard
- con: no single data protection authority; overlap in laws

19

Data Protection Model - Co-regulatory

- emphasis on industry, development of enforceable codes or standards for privacy and data protection with legal regulations
- ex. U.S.'s Children's Online Privacy Protection Act

20

Data Protection Model - Self-regulatory

- emphasis on creation of codes of practice for the protection of PII by a corporation, industry, or independent body
- generally, no legal framework