I-A: Introduction to Privacy

Question 1

Data Processing

Answer 1

Anything that’s done with personal information (e.g., collection, storage, use, disclosure, transmission, destruction)

Question 2

Data Subject

Answer 2

The person whose data is being processed

Question 3

Data Controller

Answer 3

The organization that decides how information is processed

Question 4

Data Processor

Answer 4

The organization that processes information on behalf of the data controller

Question 5

Identified vs. Identifiable

Answer 5

Identified - one who can be ascertained with certainty

Identifiable - one that can be indirectly identified through a combination of factors (e.g., name, ID number, location, etc.)

Question 6

Encryption

Answer 6

the process of taking data and putting it into an unrecognizable form

Question 7

Anonymization

Answer 7

a technique whereby data is stripped of its identifying information

Question 8

Pseudonymization

Answer 8

process through which information is associated with a pseudonym such that it can no longer be attributed to a specific person with additional information

Question 9

Fair Information Practices

Answer 9

Guidelines for handling, storing, and managing data with privacy, security, and fairness.

Question 10

Fair Information Practices Categories

Answer 10

Rights of the Individual
Controls on the Information
Information Life Cycle
Management

Question 11

Rights of the Individual

Answer 11

Notice
Choice and Consent
Data Subject Access

Question 12

Notice

Answer 12

Providing information to consumers related to how an organization processes personal information

Question 13

Choice and Consent

Answer 13

Providing consumers the ability to determine whether and/or how their personal information is collected, used, and retained by an organization

Question 14

Data Subject Access

Answer 14

Providing data subjects with access to the information an organization processes about the individual

Question 15

Express Consent

Answer 15

Express affirmative consent, a.k.a. “opt-in”

Requires an affirmative indication or act that provides consent to collect or use a person’s information

Question 16

Implied Consent

Answer 16

Passive acceptance a.k.a. “opt-out”

Implied by a person’s conduct or actions as well as the context of the transaction.

Question 17

Controls on the Information

Answer 17

Organizations should focus on information security and information quality

Question 18

Information Security

Answer 18

Organizations should use reasonable administrative, technical, and physical safeguards to protect personal information

Question 19

Information Quality

Answer 19

Organizations should maintain accurate, complete, and relevant personal information for the purposes identified in the notice.

Question 20

Information Life Cycle

Answer 20

Collection
Use and Retention
Disclosure

Question 21

Collection

Answer 21

Organizations should collect personal information only for the purpose identified in the notice.

Question 22

Use and Limitation

Answer 22

Organizations should limit the use of personal information to the purposes identified in the notice.

Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose.

Question 23

Disclosure

Answer 23

Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Question 24

Management

Answer 24

Organizations should ensure that they address both management and administration as well as monitoring and enforcement.

Question 25

Management and Administration

Answer 25

Organizations should define, document, communicate, and assign accountability for privacy policies and procedures.

Question 26

Monitoring and Enforcement

Answer 26

Organizations should monitor compliance with their privacy policies and procedures

Question 27

OECD Guideline's for FIPs

Answer 27

1. Collection Limitation Principle 2. Data Quality Principle 3. Purpose Specification Principle 4. Use Limitation Principle 5. Security Safeguards Principle 6. Openness Principle 7. Individual Participation Principle 8. Accountability Principle

Question 28

Collection Limitation Principle

Answer 28

Data collected from consumers should be limited solely to the purposes for which it is relevant and as identified in the data controller's privacy notice.

Question 29

Data Quality

Answer 29

Data collected should be accurate, complete, and relevant to the purposes for which it is used

Question 30

Purpose Specification Principle

Answer 30

The processing of personal data should be limited to the fulfillment of the specific, explicit, and legitimate purposes for which it is collected.

Question 31

Use Limitation Principle

Answer 31

Data should not be disclosed, made available, or otherwise used for purposes other than those specified or (a) with the consent of the data subject, or (b) by the authority of law

Question 32

Security Safeguards Principle

Answer 32

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data

Question 33

Openness Principle

Answer 33

There should be a general policy of openness about developments, practices, and policies with respect to personal data.

Question 34

Individual Participation Principle

Answer 34

Individuals should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such a denial, (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

Question 35

Accountability Principle

Answer 35

Data controller should for complying with measures which give effect to the principles stated above.

Question 36

Council of Europe Convention (1981) FIP

Answer 36

Quality of data Special categories of data Data security Transborder data flow

Question 37

APEC Privacy Framework (2004) FIP

Answer 37

1. Preventing Harm 2. Notice 3. Collection Limitation 4. Uses of Personal Information 5. Choice 6. Integrity of Personal Information 7. Security Safeguards 8. Access and Correction 9. Accountability

Question 38

Madrid Resolution (2009) FIP

Answer 38

Principle of Lawfulness and Fairness Purpose Specification Principle Proportionally Principle Data Quality Openness Principle Accountability

Question 39

Madrid Resolution: Principle of Lawfulness and Fairness

Answer 39

Personal data must be fairly processed, respecting the applicable national legislation and the rights and freedoms of individuals.

Question 40

Madrid Resolution: Purpose Specification Principle

Answer 40

The processing of personal data should be limited to fulfilling the specific, explicit, and legitimate purposes for which it is collected.

Question 41

Madrid Resolution: Proportionality Principle

Answer 41

The collection and processing of personal data should be limited to such processing as is adequate, relevant, and not excessive with the purposes for which it is collected.

Question 42

Madrid Resolution: Data Quality Principle

Answer 42

Personal data should be accurate and updated to fulfill the purposes for which they are processed. Retention should be limited to the minimum necessary and deleted or rendered anonymous when no longer needed.

Question 43

Madrid Resolution: Openness Principle

Answer 43

Policies should be transparent, and data subjects should receive notice about the intended purpose of processing personal data. Data subjects must be able to access the data collected about them.

Question 44

Madrid Resolution: Accountability Principle

Answer 44

Data controllers (a.k.a. “responsible persons”) must observe the Madrid Resolution’s principles and obligations, as well as applicable national legislation.

Question 45

Sources of Privacy Protections

Answer 45

Legal Protections Market Protections Self-Regulatory Protections Technology

Question 46

Source of Privacy Protection: Legal Protections

Answer 46

Privacy protections are defined by statute, agency, regulations, or court decisions.

Question 47

Source of Privacy Protection: Market Protections

Answer 47

Consumers may react to an organization's data protection policies (or lack thereof) by favoring companies with stronger protection.

Question 48

Source of Privacy Protection: Self-Regulatory Protections

Answer 48

An entire industry comes together to regulate itself as a result of market concerns and forces. E.g., Payment Card Industry Data Security Standard (PCI-DSS).

Question 49

Source of Privacy Protection: Technology

Answer 49

The rapid advancement of technology, such as encryption, provides people with new and advanced means of protecting themselves.

Question 50

Models of Privacy Protections

Answer 50

Comprehensive Model Sectoral Model Co-Regulatory Model Self-Regulatory Model

Question 51

Comprehensive Model

Answer 51

Government regulates privacy uniformly across the entire economy E.g., EU's GDPR

Question 52

Sectoral Model

Answer 52

Government enacts laws that address a particular industry sector. E.g., U.S.

Question 53

Co-Regulatory & Self-Regulatory Models

Answer 53

Industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements. E.g., Australia