CIPP Glossary Part 1 Flashcards Preview


Flashcards in CIPP Glossary Part 1 Deck (309)

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.

Electronic Health Record


A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence.



What are the eight Fair Information Practice Principles (as set out in the 1980 OECD Guidelines)?

(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
(3) The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
(4) The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law.
(5) The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
(6) The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
(7) The Individual Participation Principle. An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended;
(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.



Binding Corporate Rules (BCR)


Also known as a record of authority, identifies personal data as it moves across various systems, and thus how the data is shared and organized and where it is located. The data is then categorized by subject area, which reveals inconsistent data versions and enables the identification and mitigation of data disparities.

Data Inventory


The now-defunct Data Retention Directive was designed to align the rules on data retention across the EU member states in order to ensure the availability of traffic and location data for serious crime and antiterrorism purposes. The Data Retention Directive is no longer part of EU law, although member states retain competence to adopt their own national data retention laws under Article 15(1) of the ePrivacy Directive (2002/58/EC), provided that those laws comply with the fundamental rights principles that form part of EU law and with the CJEU ruling that struck down the Data Retention Directive (the 2014 Digital Rights Ireland judgment). Accordingly, EU member states have introduced draft legislative amendments or implemented national data retention laws at an individual country level.

Data Retention Directive


A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that everyone has the right to respect for his private and family life, his home and his correspondence. Article 8 of the Convention limits a public authority's interference with an individual's right to privacy, but acknowledges an exception for actions in accordance with the law and necessary in a democratic society. The Convention was drafted by the Council of Europe (see Council of Europe) and established the European Court of Human Rights (see European Court of Human Rights).

European Convention on Human Rights


The commonly used name for the Financial Services Modernization Act of 1999. The act reorganized financial services regulation in the United States and applies broadly to any company that is significantly engaged in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer's name and address and consumers' interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information, give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt out of some sharing of personal financial information.

Gramm-Leach-Bliley Act


Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around the processing of employees' personal data. These rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings or a group of enterprises engaged in a joint economic activity, and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a valid legal basis for processing employee data.

Employee Personal Data


The first of four phases of the privacy operational life cycle (Assess, Protect, Sustain, Respond); provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

Assess

A processing operation that is performed without any human intervention. "Profiling" is defined in the General Data Protection Regulation, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Under the GDPR, data subjects have the right to object to profiling (Article 21) and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them (Article 22).

Automated Processing


The judicial body of the EU that decides issues of EU law and enforces European decisions, either in actions brought by the European Commission against a member state or in actions brought by individuals to enforce their rights under EU law.

Court of Justice of the European Union


An agreement between the European Union and the United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and the U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced in 2016 by the EU-U.S. Privacy Shield (see Privacy Shield), which the CJEU in turn invalidated in 2020.

EU-U.S. Safe Harbor Agreement


An expansion of the Fair Credit Reporting Act which focuses on consumer access and identity theft prevention. The act mandates that credit reporting agencies allow consumers to obtain a free credit report once every twelve months. Additionally, it allows consumers to request alerts when a creditor suspects identity theft and gave the Federal Trade Commission (FTC) authority to promulgate rules to prevent identity theft. The FTC used that authority to create the Red Flags Rule.

Fair and Accurate Credit Transactions Act of 2003


One of the two chambers of the Canadian Parliament, along with the Senate. Members of the House of Commons are elected at least every five years.

House of Commons


Linked graphic or text that is used to connect an end user to other websites, parts of websites or web-enabled services. The URL of a web location is embedded in the HTML code, so that when certain words or images are selected through the web browser, the end user is taken to the destination website or page.

Hyperlink

What are the three Bureaus of the FTC?

The Bureau of Competition, the Bureau of Consumer Protection, and the Bureau of Economics.


A position within an organization that is responsible for managing privacy risk and compliance with privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005.

Chief Privacy Officer (Agency level) (CPO)


A federal law governing the behavior of federal advisory committees, restricting the formation of such committees to those deemed essential, limiting their powers and their length of operation, requiring open meetings and open records, and mandating a publicly accessible government-wide database.

Federal Advisory Committee Act, The


A federal law requiring agencies engaged in data mining to submit a yearly report to Congress. The privacy office of that agency must be involved in producing the report. The report is made public and describes all of the agency's data-mining activity and goals, along with an assessment of the effectiveness of the data-mining activity.

Federal Agency Data Mining Reporting Act


Responsible for the functions that are critical to the success of the Canadian CA profession. -xxx-, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership and coordination of common critical functions: strategic planning, protection of the public and ethics, education and qualification, standard setting, and communications.

Canadian Institute of Chartered Accountants (CICA)


A U.S. federal law that ensures citizen access to federal government agency records. FOIA applies only to federal executive branch documents; it does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they fall under one of nine specific exemptions. Most states have some state-level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.

Freedom of Information Act, The


A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13.

Children's Online Privacy Protection Act (COPPA) of 1998


Monitoring through electronic means, e.g., video surveillance, interception of communications, access to stored communications, or location-based services.

Electronic Surveillance


FOIA stands for

Freedom of Information Act


The FTC bureau that enforces the nation's antitrust laws, which form the foundation of the U.S. free-market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.

FTC, Bureau of Competition


In contrast to personal data, anonymous information or data is not related to an identified or identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR (Recital 26). The test is whether re-identification is reasonably likely by any means, so data that is merely pseudonymised (for example, with names replaced by a reversible key) is still personal data.

Anonymous Information


One of the General Data Protection Regulation's explicitly stated data protection principles: personal data should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up to date. The quality of data is judged by four criteria: Does it meet the business needs? Is it accurate? Is it complete? Is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Data Quality (EU specific)


A secure network communication method. Technically not a protocol in itself, HTTPS is the result of layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol (by default on port 443), thus adding the confidentiality, integrity and server-authentication capabilities of SSL/TLS to standard HTTP communications. In current deployments the transport layer is TLS; all SSL versions are deprecated and should be disabled.

Hypertext Transfer Protocol Secure


The saving of local copies of downloaded content, reducing the need to repeatedly download content. To protect privacy, pages that display personal information should be set to prohibit -xxx-.
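As an added example (not part of the IAPP glossary or this flashcard deck), the following Python shows the response headers that actually stop browsers and intermediary caches from storing a page that displays personal information, and a small audit that flags the common mistakes: `no-cache` without `no-store` (which only forces revalidation, not non-storage), and `public` or `max-age` on a personalised response. The dict-based header representation and the `no_store_headers` / `audit_cache_headers` names are my assumptions for a generic HTTP stack; the directive semantics follow RFC 9111.

```python
"""Added example, not from the glossary: emit and audit HTTP caching
headers for responses that carry personal data.

Assumption: a plain dict of header-name -> value stands in for a real
response object; directive semantics follow RFC 9111 (HTTP Caching).
"""

from typing import Dict, List, Optional

# Cache-Control directives that permit a browser or shared cache to keep a copy.
_UNSAFE_DIRECTIVES = {"public", "max-age", "s-maxage"}


def no_store_headers(extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return response headers that forbid caching a page with personal data.

    `no-store` is the directive that matters for HTTP/1.1+ caches; `Pragma`
    and `Expires` are kept only for legacy intermediaries that ignore
    Cache-Control.
    """
    headers = {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }
    if extra:
        headers.update(extra)
    return headers


def _directives(cache_control: str) -> Dict[str, str]:
    """Parse 'a, b=1, c' into {'a': '', 'b': '1', 'c': ''} (case-insensitive)."""
    out: Dict[str, str] = {}
    for token in cache_control.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, value = token.partition("=")
        out[name.strip()] = value.strip()
    return out


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the page will not be stored."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    cc = lowered.get("cache-control")
    if cc is None:
        findings.append(
            "missing Cache-Control header: caches may store the page heuristically"
        )
        return findings

    d = _directives(cc)
    if "no-store" not in d:
        findings.append(
            "Cache-Control lacks no-store: no-cache alone still allows storage "
            "(it only forces revalidation before reuse)"
        )
    for name in sorted(set(d) & _UNSAFE_DIRECTIVES):
        if name == "max-age" and d[name] == "0":
            continue  # max-age=0 is already expired; not a storage grant
        findings.append(f"Cache-Control contains '{name}': allows caching")

    # A cacheable response that also sets a cookie is the classic shared-cache
    # leak: one user's session page served to the next user behind the proxy.
    if "set-cookie" in lowered and "private" not in d and "no-store" not in d:
        findings.append(
            "Set-Cookie on a cacheable response: a shared cache could serve one "
            "user's page to another"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    for sample in (
        no_store_headers({"Content-Type": "text/html"}),
        {"Cache-Control": "no-cache"},
        {"Cache-Control": "public, max-age=600", "Set-Cookie": "sid=abc"},
    ):
        print(sample.get("Cache-Control"), "->", audit_cache_headers(sample) or "OK")
```

The audit is deliberately strict about `no-store`: `no-cache` is frequently misread as "do not cache", but a cache may still write the response to disk and merely revalidate it before reuse, which is exactly the exposure a page of personal data needs to avoid.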