I-A: Introduction to Privacy

Question 1

Data Processing

Answer 1

Anything that’s done with personal information (e.g., collection, storage, use, disclosure, transmission, destruction)

Question 2

Data Subject

Answer 2

The person whose data is being processed

Question 3

Data Controller

Answer 3

The organization that decides how information is processed

Question 4

Data Processor

Answer 4

The organization that processes information on behalf of the data controller

Question 5

Identified vs. Identifiable

Answer 5

Identified - one who can be ascertained with certainty

Identifiable - one that can be indirectly identified through a combination of factors (e.g., name, ID number, location, etc.)

Question 6

Encryption

Answer 6

Putting data into an unrecognizable form

Question 7

Anonymization

Answer 7

Stripping data of identifying information

Question 8

Pseudonymization

Answer 8

Information is associated with a pseudonym such that it can no longer be attributed to a specific person with additional information

Question 9

Fair Information Practices

Answer 9

Guidelines for handling, storing, and managing data with privacy, security, and fairness.

Question 10

Fair Information Practices Categories

Answer 10

Data Subject Rights: Notice, Consent, Access

Organizational Responsibilities: Security Controls, Data Quality Limitation Principles, Accountability

Question 11

Rights of the Individual

Answer 11

Notice
Choice and Consent
Data Subject Access

Question 12

Notice

Answer 12

Providing information to consumers related to how an organization processes personal information

Question 13

Choice and Consent

Answer 13

Providing consumers the ability to determine whether and/or how their personal information is collected, used, and retained by an organization

Question 14

Data Subject Access

Answer 14

Providing data subjects with access to the information an organization processes about the individual

Question 15

Express Consent

Answer 15

Express affirmative consent, a.k.a. “opt-in”

Requires an affirmative indication or act that provides consent to collect or use a person’s information

Question 16

Implied Consent

Answer 16

Passive acceptance a.k.a. “opt-out”

Implied by a person’s conduct or actions as well as the context of the transaction.

Question 17

FIP: Information Security

Answer 17

Organizations should use reasonable administrative, technical, and physical safeguards to protect personal information

Question 18

FIP: Information Quality

Answer 18

Organizations should maintain accurate, complete, and relevant personal information for the purposes identified in the notice.

Question 19

FIP: Collection

Answer 19

Organizations should collect personal information only for the purpose identified in the notice.

Question 20

FIP: Use and Retention

Answer 20

Organizations should limit the use of personal information to the purposes identified in the notice.

Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose.

Question 21

FIP: Disclosure

Answer 21

Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Question 22

FIP: Management and Administration

Answer 22

Organizations should define, document, communicate, and assign accountability for privacy policies and procedures.

Question 23

FIP: Monitoring and Enforcement

Answer 23

Organizations should monitor compliance with their privacy policies and procedures

Question 24

OECD Guideline’s for FIPs

Answer 24

1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle

Question 25

OECD: Collection Limitation Principle

Answer 25

Data collected from consumers should be limited solely to the purposes for which it is relevant and as identified in the data controller's privacy notice.

Question 26

OECD: Data Quality

Answer 26

Data collected should be accurate, complete, and relevant to the purposes for which it is used

Question 27

OECD: Purpose Specification Principle

Answer 27

The processing of personal data should be limited to the fulfillment of the specific, explicit, and legitimate purposes for which it is collected.

Question 28

OECD: Use Limitation Principle

Answer 28

Data should not be disclosed, made available, or otherwise used for purposes other than those specified or (a) with the consent of the data subject, or (b) by the authority of law

Question 29

OECD: Security Safeguards Principle

Answer 29

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data

Question 30

OECD: Openness Principle

Answer 30

There should be a general policy of openness about developments, practices, and policies with respect to personal data.

Question 31

OECD: Individual Participation Principle

Answer 31

Individuals should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such a denial, (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

Question 32

OECD: Accountability Principle

Answer 32

Data controller should for complying with measures which give effect to the principles stated above.

Question 33

Council of Europe Convention (1981) FIP

Answer 33

Quality of data Special categories of data Data security Transborder data flow

Question 34

APEC Privacy Framework (2004) FIP

Answer 34

1. Preventing Harm 2. Notice 3. Collection Limitation 4. Uses of Personal Information 5. Choice 6. Integrity of Personal Information 7. Security Safeguards 8. Access and Correction 9. Accountability

Question 35

Madrid Resolution (2009) FIP

Answer 35

Principle of Lawfulness and Fairness Purpose Specification Principle Proportionally Principle Data Quality Openness Principle Accountability

Question 36

Madrid Resolution: Principle of Lawfulness and Fairness

Answer 36

Personal data must be fairly processed, respecting the applicable national legislation and the rights and freedoms of individuals.

Question 37

Madrid Resolution: Purpose Specification Principle

Answer 37

The processing of personal data should be limited to fulfilling the specific, explicit, and legitimate purposes for which it is collected.

Question 38

Madrid Resolution: Proportionality Principle

Answer 38

The collection and processing of personal data should be limited to such processing as is adequate, relevant, and not excessive with the purposes for which it is collected.

Question 39

Madrid Resolution: Data Quality Principle

Answer 39

Personal data should be accurate and updated to fulfill the purposes for which they are processed. Retention should be limited to the minimum necessary and deleted or rendered anonymous when no longer needed.

Question 40

Madrid Resolution: Openness Principle

Answer 40

Policies should be transparent, and data subjects should receive notice about the intended purpose of processing personal data. Data subjects must be able to access the data collected about them.

Question 41

Madrid Resolution: Accountability Principle

Answer 41

Data controllers (a.k.a. “responsible persons”) must observe the Madrid Resolution’s principles and obligations, as well as applicable national legislation.

Question 42

Sources of Privacy Protections

Answer 42

Legal Protections Market Protections Self-Regulatory Protections Technology

Question 43

Source of Privacy Protection: Legal Protections

Answer 43

Privacy protections are defined by statute, agency, regulations, or court decisions.

Question 44

Source of Privacy Protection: Market Protections

Answer 44

Consumers may react to an organization's data protection policies (or lack thereof) by favoring companies with stronger protection.

Question 45

Source of Privacy Protection: Self-Regulatory Protections

Answer 45

An entire industry comes together to regulate itself as a result of market concerns and forces. E.g., Payment Card Industry Data Security Standard (PCI-DSS).

Question 46

Source of Privacy Protection: Technology

Answer 46

The rapid advancement of technology, such as encryption, provides people with new and advanced means of protecting themselves.

Question 47

Models of Privacy Protections

Answer 47

Comprehensive Model Sectoral Model Co-Regulatory Model Self-Regulatory Model

Question 48

Comprehensive Model

Answer 48

Government regulates privacy uniformly across the entire economy E.g., EU's GDPR

Question 49

Sectoral Model

Answer 49

Government enacts laws that address a particular industry sector. E.g., U.S.

Question 50

Co-Regulatory & Self-Regulatory Models

Answer 50

Industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements. E.g., Australia