Glossary Flashcards
1
Q
Accountability
A
The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
2
Q
Act Respecting the Protection of Personal Information in the Private Sector
A
A Québéquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.
3
Q
Adequate Level of Protection
A
A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data. Associated term(s): Adequacy
4
Q
Administrative Purpose
A
The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.
5
Q
Adverse Action
A
Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action. Associated law(s): FCRA
6
Q
Alberta PIPA
A
A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information. Link to text of law: Alberta PIPA Associated law(s): PIPEDA
7
Q
American Institute of Certified Public Accountants
A
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust
8
Q
APEC Privacy Principles
A
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
9
Q
Authentication
A
The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. Associated term(s): Authorization
10
Q
Background Screening/Checks
A
Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.
11
Q
BC PIPA
A
A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information. Link to text of law: BC PIPA Associated law(s): PIPEDA
12
Q
Behavioral Advertising
A
Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information. Acronym(s): OBA Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising
13
Q
Bodily Privacy
A
One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.
14
Q
Breach Disclosure
A
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure. Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws Associated term(s): Breach notification
15
Q
Canada’s Anti-Spam Legislation
A
Canadian anti-SPAM legislation applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.
Link to text of law: Canada’s Anti-Spam Legislation
Acronym(s): CASL
16
Q
Canadian Institute of Chartered Accountants
A
The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications
Acronym(s): CICA
17
Q
Canadian Organization for the Advancement of Computers in Health
A
A Canadian health informatics association whose mission is to promote health technology systems and the effective use of health information.
Acronym(s): COACH
18
Q
Canadian Standards Association
A
A non-profit standards organization that developed its own set of privacy principles and broke the OECD’s code into ten principles: (1) Accountability; (2) Identifying purposes; (3) Consent; (4) Limiting Collection; (5) Limiting Use, Disclosure, and Retention; (6) Accuracy; (7) Safeguards; (8) Openness; (9) Individual Access; (10) Challenging Compliance. These ten principles would go on to be listed in PIPEDA. Acronym(s): CSA Associated term(s): CSA Privacy Principles
19
Q
CCTV
A
Originally an acronym for "closed circuit television," CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns. Associated term(s): Video Surveillance
20
Q
Charter Rights
A
Rights created by the Canadian Charter of Rights and Freedoms. They are constitutional rights and thus are considered to be the most valued rights in Canada. The Charter of Rights and Freedoms was made part of the Canadian Constitution in 1982.
Link to text of law: Canadian Charter of Rights and Freedoms
21
Q
Children’s Online Privacy Protection Act (COPPA) of 1998
A
A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Acronym(s): COPPA
Link to text of law: 15 U.S.C. §§ 6501-6508
22
Q
Choice
A
In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation. Associated term(s): Consent
23
Q
Collection Limitation
A
A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
24
Q
Commercial Activity
A
Under Canada’s PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.
25
Commercial Electronic Message
Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.
Acronym(s): CEM
26
Communications Privacy
One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.
27
Comprehensive Laws
```
Laws that govern the collection, use and dissemination of personal information in the public and private sectors.
Associated term(s): Omnibus Laws
```
28
Computer Forensics
The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.
29
Confidentiality
Data is "confidential" if it is protected against unauthorised or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
30
Consent
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual's way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.
(1) Affirmative/Explicit Consent: A requirement that an individual ""signifies"" his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Associated term(s): Choice
31
Convention 108
Convention 108 is a legally binding international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information.
Link to text of law: The Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data
32
Cookie
```
A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called "cookie identifiers," as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive (see Cookie Directive).
Associated term(s): First-Party Cookie, Persistent Cookie, Third-Party Cookie, Tracking Cookie, Web Cookie
```
33
CSA Privacy Principles
```
The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canada’s PIPEDA.
Associated term(s): Canadian Standards Association
Associated law(s): PIPEDA
```
34
Customer Access
A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.
35
Customer Information
In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.
36
Data Breach
```
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
Associated term(s): Breach, Privacy Breach (Canadian)
```
37
Data Controller
```
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
Associated term(s): Data Processor
```
38
Data Elements
A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.
39
Data Processing
```
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Associated term(s): Data Processor, Processing, Processor
```
40
Data Processor
```
A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.
Associated term(s): Data Controller, Processor
```
41
Data Protection Authority
Independent public authorities that supervise the application of data protection laws in the EU. DPAs provide advice on data protection issues and field complaints from individuals alleging violations of the General Data Protection Regulation. Each EU member state has its own DPA. Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines that total 4% of a company’s global annual revenue.
Acronym(s): DPA
42
Data Quality
A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.
43
Data Recipient
A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
44
Data Subject
An identified or identifiable natural person.
45
De Novo
A Latin expression meaning “from the beginning,” “anew” or “beginning again.” In a legal context, a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.
46
Direct Marketing
When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.
47
Do Not Track
A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.
Acronym(s): DNT
48
Electronic Communications Network
Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed. In the discussions surrounding the update of the ePrivacy Directive to the ePrivacy Regulation, so-called "over the top" providers, like app-based messaging services, are beginning to be considered as part of the electronic communications network.
Acronym(s): ECN
49
Electronic Communications Service
Any service which provides to users thereof the ability to send or receive wire or electronic communications.
Acronym(s): ECS
50
Electronic Health Record
```
A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers.
Acronym(s): EHR
Associated law(s): HIPAA, HITECH
```
51
Employee Information
Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.
52
Employee Personal Data
Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees’ personal data. These rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.
53
Encryption
The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.
54
EU Data Protection Directive
```
The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
Associated term(s): Data Protection Directive
```
55
European Commission
The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.
56
Fair Credit Reporting Act, The
One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.
Link to text of law: The Fair Credit Reporting Act
Acronym(s): FCRA
Associated law(s): Fair and Accurate Credit Transactions Act of 2003 (FACTA)
57
Federal Trade Commission
```
The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.
Acronym(s): FTC
Associated law(s): FTC Act
```
58
Generally Accepted Privacy Principles
A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.
Acronym(s): GAPP
59
GET Method
```
The GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and is thus less secure than the POST method.
Associated term(s): POST Method
```
60
Global Privacy Enforcement Network
Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, GPEN is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, GPEN counted 50 member countries.
Acronym(s): GPEN
61
House of Commons
One of two chambers of the Canadian Parliament, along with the Senate. Members of the House of Commons are elected at least every five years.
62
Identifying Purposes
Integral to privacy protection is the obligation on organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.
63
Individual Access
```
One of 10 privacy principles of PIPEDA. Organizations must be able to respond to requests from individuals for access to their personal information.
Associated law(s): PIPEDA
```
64
Individual Participation
```
It is fair information practices principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Associated term(s): FIPs
```
65
Information Banks
```
Repositories of personal information that are kept by the Canadian government to comply with the Privacy Act.
Associated law(s): The Canadian Privacy Act
```
66
Information Life Cycle
The information life cycle recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction.
67
Information Privacy
One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.
68
Information Security
The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.
Acronym(s): IS
69
Model Code for the Protection of Personal Information
A set of privacy principles developed by the Canadian Standards Association, that parallel the OECD's Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data and espouse 10 principles: Accountability, Identifying Purpose, Consent, Limiting Collection, Limiting Use, Disclosure, & Retention, Accuracy, Safeguards, Openness, Individual Access and Challenging Compliance.
Link to text of: OECD's Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data
70
Multi-Factor Authentication
```
An authentication process that requires more than one verification method (see Authentication), such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject.
Associated term(s): Two-Factor Authentication; Two-Step Authentication
```
71
OECD Guidelines
First released in 1980, and then updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data. The principles, widely emulated in national privacy laws, include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability (see entries for each principle under their own listing elsewhere in the glossary).
Link to text of: OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data
72
Omnibus Laws
Used to distinguish from sectorial laws (see Sectorial Laws), to mean laws that cover a broad spectrum of organizations or natural persons, rather than simply a certain market sector or population.
73
Online Behavioral Advertising
Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.
74
Online Privacy Alliance
```
A coalition composed of numerous online companies and trade associations specifically established to encourage the self-regulation of online privacy. The OPA introduced the Online Privacy Guidelines.
Link to: Online Privacy Alliance
Link to: Online Privacy Guidelines
Acronym(s): OPA
Associated term(s): Self-regulation
```
75
Openness
A fair information practices principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. Closely linked with transparency.
76
Opt-In
```
One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.
Associated term(s): Choice; Consent; Opt-Out
```
77
Opt-Out
```
One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.
Associated term(s): Choice; Consent; Opt-In
```
78
Organization for Economic Cooperation and Development
An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.
Link to: Organization for Economic Cooperation and Development
Acronym(s): OECD
79
Outsourcing
Contracting business processes, which may include the processing of personal information, to a third party.
80
Perimeter Controls
```
Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.
Associated term(s): Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Internet Protocol Security (IPSEC), Secure Sockets Layer (SSL)
```
81
Personal Data
```
The predominant term for Personal Information in the European Union, defined broadly in the General Data Protection Regulation as any information relating to an identified or identifiable natural person.
Associated term(s): Personal Information; Personally Identifying Information; Personally Identifiable Information
```
82
Personal Information
```
A synonym for "personal data." It is a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.
Acronym(s): PI
Associated term(s): Personal Data; Personally Identifying Information; Personally Identifiable Information
```
83
Personal Information Protection and Electronic Documents Act
A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.
Link to text of law: Personal Information Protection and Electronic Documents Act
Acronym(s): PIPEDA
84
POST Method
```
The GET and POST HTML method attributes specify how form data is sent to a web page. The POST method is more secure than GET as the GET method appends the form data to the URL allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar.
Associated term(s): GET Method
```
85
Privacy Act, The (Canadian)
Enacted in 1983, the Act sets out rules for how institutions of the federal government must deal with personal information of individuals. It has been revised by many minor amendments, but remains substantially unaltered.
Link to text of law: The Canadian Privacy Act
86
Privacy Breach (Canadian)
```
A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial privacy legislation.
Associated term(s): Data Breach, Privacy Breach Response (Canadian)
```
87
Privacy Breach Response (Canadian)
```
The guidelines for privacy breach responses were drafted in 2007 and consist of four steps: (1) Containment of the breach and preliminary assessment; (2) evaluating the associated risks; (3) notifying affected parties; (4) taking adequate steps to prevent future breaches.
Associated term(s): Data Breach, Privacy Breach (Canadian)
```
88
Privacy by Design
Generally regarded as a synonym for Data Protection by Design (see Data Protection by Design). However, Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.
Acronym(s): PbD
89
Privacy Commissioner of Canada
```
The individual who is mandated by PIPEDA to enforce the act. The commissioner has broad power to examine documents, but some documents may be shielded by solicitor-client privilege. The commissioner conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued. This individual is mandated by PIPEDA to enforce PIPEDA. Aggrieved individuals also have a right to complain to the commissioner.
Link to: Privacy Commissioner of Canada
Associated law(s): PIPEDA
```
90
Privacy Impact Assessments (Canadian)
The Canadian government requires all government institutions subject to the Privacy Act to conduct these assessments. The purpose behind a PIA is to evaluate whether program and service delivery initiatives that involve the collection, use or disclosure of personal information are in compliance with statutory obligations.
Acronym(s): PIAs
91
Privacy Notice
A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices.
92
Privacy of the Person
Protects bodily integrity, and in particular the right not to have our bodies touched or explored to disclose objects or matters we wish to conceal.
93
Privacy Officer
A general term in many organizations for the head of privacy compliance and operations. In the United States federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Department of Homeland Security, or a career professional.
94
Privacy Policy
An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.
95
Professional Regulatory Body
A body enacted pursuant to an act under which a professional or occupational group or discipline is organized and that provides for the membership in the regulation of the members of the professional or occupation group or discipline, including the registration, competence, conduct, practice and discipline of its members.
96
Public Records
Information collected and maintained by a government entity and available to the general public.
97
Radio-Frequency Identification
Technologies that use radio waves to identify people or objects carrying encoded microchips.
Acronym(s): RFID
98
Re-identification
```
The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization) . Often invoked as a “risk of re-identification” or “re-identification risk,” which refers to nullifying the de-identification actions previously applied to data (see De-identification).
Associated term(s): De-identification; Anonymization; Anonymous Data, Pseudonymous Data
```
99
Rectification
```
An individual’s right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.
Associated term(s): Access
Associated law(s): EU Data Protection Directive; FCRA
```
100
Retention
Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.
101
Right of Access
An individual’s right to request and receive their personal data from a business or other organization.
102
Right To Correct
The right for individuals to correct or amend information about themselves that is inaccurate.
103
Seal Programs
```
Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of the seal program are allowed to display the programs seal on their website.
Associated term(s): Self-regulatory Model, WebTrust
```
104
Sectoral Laws/Model
```
Laws that exist only in areas where the legislative body has found a particular need.
Related term(s) Comprehensive Laws, Co-regulatory Model, Self-regulatory Model, Technology Based Model
```
105
Semayne’s Case
A case recognized as establishing the "knock-and-announce rule," an important concept relating to privacy in one's home and Fourth Amendment search and seizure jurisprudence in the U.S.
Link to: Fourth Amendment
106
Senate (Canadian)
```
One of two chambers of the Canadian Parliament, along with the House of Commons. Unlike the House of Commons, whose members are elected, the Senate is appointed by the governor in council based upon the recommendations of the prime minister.
Associated term(s): Canadian Parliament, House of Commons
```
107
Sensitive Personal Information
Data which is more significantly related to the notion of a reasonable expectation of privacy, such as medical or financial information. However, data may be considered more or less sensitive depending on context or jurisdiction. Recently the U.S. Federal Trade Commission classified TV-viewing data as "sensitive."
Acronym(s): SPI
108
SPAM
```
Unsolicited commercial e-mail.
Associated law(s): CASL; CAN-SPAM Act
```
109
Technology-Based Model
```
The technology-based model for data protection utilizes technological security measures to protect individual’s personal data. While it is commonplace for companies to utilize technology to protect data, developments in commercially available hardware and software have enabled consumers to establish privacy protections for their own online activity.
Associated term(s): Comprehensive Laws, Co-regulatory Model, Sectoral Laws, Self-Regulation Model
```
110
Territorial Privacy
```
One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into an individual’s territorial privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures.
Associated term(s): Home Privacy
```
111
Transfer
The movement of personal data from one organization to another.
112
Transparency
Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language.
113
Universal Declaration of Human Rights
```
Also called the Human Rights Declaration, the declaration recognized the universal values and traditions of inherent dignity, freedom, justice and peace. It was adopted by the General Assembly of the United Nations on 10 December 1948. In December 1948, the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights. This declaration formally announced that “[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence [.]” The statement was intended to encompass a wide range of conduct, as evidenced by Article 12 of the Declaration, which describes both the territorial and the communications notions of privacy.
Link to text of: Universal Declaration of Human Rights
Associated term(s): Declaration of Human Rights
```
114
Value-Added Services
```
A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions. More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered value-added services, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), also known as a content provider (CP) such as Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.
Associated term(s): MVAS, VASP
```
115
Video Surveillance Guidelines
Guidelines discouraging video as an initial security option with the following constraints: (1) Video should be taken only in the absence of less intrusive alternatives; (2) the use should be disclosed to the public; (3) individuals should have access to their personal information; (4) video surveillance should be subject to independent audit, and (5) fair information practices should be respected.
116
Work Product Information
```
A Canadian term referring to information about an individual that is related to that individual’s position, functions and/or performance of his or her job. A term that is undefined by PIPEDA, the privacy commissioner has decided that work product may at times fall under the definition of personal information. Access to such information by the commissioner is addressed on a case-by-case basis. Not to be confused with the American legal term "work product," which refers to legal materials prepared in anticipation of litigation.
Associated term(s): Employee Information
Associated law(s): PIPEDA
```
