I-D: Information Management & Privacy Program Development Flashcards

(91 cards)

1
Data Assessment
A process that identifies privacy risks by creating a data inventory, conducting a data flow analysis, and classifying categories of data.
2
Data Inventory
Identifies what personal data an organization processes and how it is processed, including who it is shared with and its location.
a.k.a. “record of authority”
3
Data Location
1. The folder structure where the data is located
2. Where the physical servers holding the data are located (a.k.a. data residency)
4
Data Access
Who has access to data, and how and when data is shared
5
Data Flow Map
A map of how information flows through an organization across the entire life cycle of that data
6
Data Classification Schema
A classification system that provides the basis for managing access to and protection of data assets.
Allows restriction of access based on sensitivity.
7
Data Life Cycle
Data Creation
Data Storage
Data Sharing & Usage
Data Archival
Data Deletion
8
Data Classification: Typical Levels of Sensitivity
1. Confidential
   Proprietary
2. Sensitive
3. Restricted
4. Public
9
Examples of Legally Mandated Data Inventories
1. E.U.’s GDPR
2. U.S.’s GLBA Safeguards Rule for financial institutions
10
A Data Assessment Requires:
Asking and answering numerous questions geared toward compliance with applicable laws and policies
11
Data Mapping Should Answer:
1. What data does the organization process?
2. Where does the organization process data?
3. Why does the organization process data?
12
Data Flow Mapping: Top-Down Approach
Employed for regulatory purposes (e.g., GDPR)
Looks at the legal requirements for processing data and tailors the questions to ask based on those requirements
13
Data Flow Mapping: Bottom-Up Approach
Used by privacy professionals
Starts with data assets and follows that data through its lineage, asking pertinent questions as they arise (e.g., is this stored on local servers or cloud-based servers?)
14
Privacy Program
The process organizations use to meet their legal compliance obligations, market expectations, and data security goals for handling personal information.
15
Data Protection Officer (DPO)
The most common title for employees in the privacy function.
Note: GDPR requires most organizations to appoint a DPO
16
GLBA Safeguards Rule
Requires financial institutions to appoint a designated person to assess, monitor, and improve the GLBA-mandated information security program.
17
Privacy Leader
The most senior employee responsible for privacy within an organization, who has oversight of its privacy program.
E.g., Chief Privacy Officer, DPO, Director of Privacy, etc.
18
Privacy First Responders
Employees who are responsible for managing the organization’s response to privacy incidents.
19
Privacy Champion
Someone at the executive level acting as an advocate and sponsor to further privacy as a core organizational concept
(e.g., Chief Operating Officer or Chief Information Officer)
20
Privacy Programs Balance 4 Types of Risk:
Legal Risk
Reputational Risk
Operational Risk
Investment Risk
21
Privacy Framework
Guides the privacy professional through privacy management and decision making
22
Two Components of a Privacy Framework
1. The creation of policies and standards
2. The establishment of privacy program activities
23
Privacy Policy
An internal document that dictates how an organization governs its privacy function and handles personal information.
24
Privacy Policy Components
Purpose of the policy
Scope of the policy
Designation of responsibilities
Actual policies (i.e., compliance obligations)
Consequences to the organization for failing to comply
25
Privacy Metric
A measurement that is intended to help an organization determine whether it's meeting its privacy-related goals and program effectiveness
26
Privacy Operational Life Cycle
A process of continuous refinement of a privacy program.
27
Privacy Operational Life Cycle Steps
1. Assess - Identify privacy risks
2. Protect - Develop data protection policies & practices
3. Sustain - Communicate, monitor, and audit internal policies and processes
4. Respond - Handle data subject requests and complaints, and respond to privacy incidents
28
Privacy Policy Life Cycle
Drafting policies
Getting necessary approvals
Communicating policies throughout the organization
Training the necessary stakeholders
Reviewing policies to better refine them
29
Privacy Program Activities
Education and Awareness
Internal Policy Compliance
Data Inventories, Data Flows, and Data Classification
Risk Assessments
Incident Response
Internal Audit and Risk Management
30
Privacy Program Implementation
1. The framework must be communicated and explained to internal and external stakeholders
2. The privacy program must remain in alignment with applicable laws and regulations
31
How Do Privacy Professionals Develop Privacy Metrics?
Identify the intended audience for the metric
Define the metric itself
Identify the sources of data that can be used for the metric
32
User Consent
Individuals must be able to prevent the processing of their personal information, with some limited exceptions as required by law (e.g., criminal investigation)
33
Opt-In Consent
An express consent that requires some affirmative act by the consumer
34
Double Opt-In Consent
Technique of obtaining consent and then confirming that consent was obtained
35
Opt-Out Consent
A passive form of consent that allows the collection and use of data unless the user expressly states his or her desire not to have their information used or collected.
36
No Option Consent
The authority to collect and use data is implied from the situation
E.g., product fulfillment, fraud prevention, internal operations, legal compliance, public purpose, etc.
37
Scope of Consent
An organization must decide how broadly or narrowly to tailor consent.
38
Scope of Consent: FTC's Position
A consumer should provide affirmative, express consent before data collected under one privacy notice is used in a manner that is materially different in accordance with an updated privacy notice
39
Form of Consent
Involves considerations regarding the exact mechanism for obtaining that consent
40
Consumer Access
Consumers should:
1. Have actual access to the information collected, and
2. Have the ability to correct that information
Note: Consumer access is required by FCRA, FERPA, and HIPAA
41
Privacy Notice
A written document that sets forth how a company collects, stores, and uses the personal information that it gathers.
42
Privacy Notice Purposes
1. Informs employees how information should be stored, accessed, and utilized
2. Sets forth the limits around which information may be used
3. Informs consumers how their data will be utilized
43
Who reviews and approves Privacy Notices?
Legal counsel and executive management
44
Layered Notice
A type of privacy notice that includes a short notice at the top of the document that sets forth the key points of a privacy policy, followed by an option for users to review a more detailed privacy notice
45
Just-In-Time Notice
The practice of providing a privacy notice at the time that information is collected. May take the form of a layered notice.
46
Privacy Dashboard
A single point provided to consumers where they can view privacy information and make choices about how their data is processed.
47
Privacy Icons
Symbols used to indicate that an organization processes information in a particular manner (e.g., AdChoices)
48
COPPA Privacy Notice Requirements
Website operators must provide: (1) notice of what information they collect, (2) how they use that information, and (3) whether that information is disclosed to third parties
49
GLBA Privacy Notice Requirement
Financial institutions must send customers a copy of the organization's privacy policy on an annual basis.
50
California Online Privacy Protection Act (CALOPPA) Privacy Notice
Requires any company that collects personally identifiable information through the internet about individual consumers residing in CA to "conspicuously post" its privacy policies on its website and mobile apps
51
FTC Jurisdiction over Privacy Notices
The FTC's unfair or deceptive trade practices jurisdiction allows it to bring enforcement actions where an organization misrepresents its privacy practices to its users or where an organization fails to disclose certain privacy practices.
52
Updating a Privacy Notice
A privacy notice should be periodically updated through a process that involves:
Designing and developing policies
Testing the policies
Releasing the policies
Reviewing and updating the policy
53
Should data be processed according to the privacy notice currently in effect or the privacy notice in effect at the time data was collected?
The privacy notice in effect at the time the data was collected.
54
Workforce Training
Employees, vendors, and others should receive training appropriate to their role
55
Which laws and regulations mandate privacy-related workforce training?
HIPAA's Privacy and Security Rules
GLBA Safeguards Rule
FTC's Red Flag Rules
Massachusetts Data Security Law
56
HIPAA's Privacy and Security Rules (Workforce Training Requirements)
Covered entities "must train all members of its workforce on the policies and procedures with respect to protected health information . . . As necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."
Employees must be trained within a reasonable time after being hired and re-trained any time there is a "material change" in policies or procedures.
57
GLBA's Safeguard Rules (Workforce Training Requirements)
Organizations must "identify reasonably foreseeable internal and external risks . . . Including Employee training and management."
58
FTC Red Flag Rules (Workforce Training Requirements)
Fair and Accurate Credit Transactions Act of 2003 (FACTA) - requires organizations that maintain "covered accounts" to establish an identity theft program. Mandates workforce training as "necessary, to effectively implement the program"
59
Massachusetts Workforce Training Requirements
Regulations require any person that "owns or licenses personal information" about a Massachusetts resident to have a comprehensive information security program in effect, including ongoing employee training.
Regulations mandate that "every person that owns or licenses personal information about a resident of MA and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers"
60
Self-Regulatory Programs - Workforce Training Requirements
The Payment Card Industry Data Security Standard (PCI-DSS) requires the implementation of a security awareness program "to make all personnel aware of the importance of cardholder data security."
Training must be done upon hiring and no less frequently than annually thereafter, and training must be verified.
61
Accountability Principle
Organizations must hold themselves accountable for maintaining adequate privacy protections
62
IAPP's Accountability Principle Definition:
"The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law."
63
Demonstrating Compliance
Organizations must be able to prove compliance with internal policies and procedures
Note: requires a significant amount of documentation
64
General Data Protection Regulation (GDPR)
Data controller has the responsibility to ensure that personal information is processed in compliance with the other provisions of the GDPR
65
The Data Life Cycle
1. Collection
2. Use
3. Disclosure
4. Retention
5. Destruction
66
Data Life Cycle Governance a.k.a. Data Life Cycle Management (DLM)
A policy-based approach to managing the flow of data through a life cycle from collection to final disposition
67
How to limit risk in the Data Life Cycle?
Limiting the length of time that data is retained. Data cannot present privacy risks if it does not exist (e.g., via destruction)
68
How long should an organization retain data?
Data should be retained only so long as necessary to achieve its purpose. Determined by: business goals, laws, regulations, and industry standards
69
Data destruction plan should outline
When and how data will be destroyed in detail, including backup data and cached data
70
How can electronic and physical data be destroyed?
Electronic Data: overwriting or degaussing
Physical Data: shredded, melted, or burned
71
FACTA's Disposal Rule
Requires proper disposal of consumer reports that will avoid unauthorized access and data misuse
72
3 Questions to Answer in Developing Data Retention and Destruction Policies:
1. Why was the information originally collected?
2. Why is the organization retaining it?
3. How long does the information remain useful to the organization?
73
What 11 key elements are important in developing data retention and destruction policies?
1. Data Creation
2. Storage
3. Processing
4. Analysis
5. Usage
6. Archiving
7. Security
8. Governance
9. Retention
10. Deletion
11. Compliance
74
Five steps to prepare for a data breach:
1. Develop an incident response plan
2. Implement appropriate training
3. Understand key roles and responsibilities
4. Obtain insurance coverage, if appropriate
5. Effectively manage third-party data vendors
75
Data Breach Readiness Response Assessment
Ensures an organization is ready when a privacy incident or data breach occurs.
76
What 2 things does a Data Breach Readiness Response Assessment look at?
The level of risk of a data breach and the severity of the data breach
77
FTC Guidelines for Incident Response:
Preliminary Step: Confirm the Breach
Step 1: Secure Operations and Contain the Breach
Step 2: Analyze and Fix Vulnerabilities
Step 3: Notify Appropriate Parties
Step 4: Take Proactive Steps to Avoid Future Breaches
78
Office of Management and Budget (OMB)'s guidelines for data breach responses:
Create a breach response team
Identify applicable privacy compliance documentation
Share information concerning the breach to understand its extent
Determine the necessary reporting requirements
Assess the risk of harm for individuals affected by the breach
79
FTC recommends the following steps when notifying individuals of a data breach:
1. Consult with a law enforcement contact so as not to impede any investigation
2. Designate a point person within the organization for releasing information
3. Consider offering a year of free credit monitoring and other support to affected individuals
80
Third Party Data Processors Include:
Vendors that provide data analysis or data management
Organizations that buy personal information
81
Vicarious Liability & Third Party Vendors
The principal organization (data controller) remains legally responsible for any misuse of data by vendors (third-party data processors)
82
HIPAA's Data Processing Agreement Law
HIPAA requires "covered entities" (i.e., data controllers) to have written contracts in place with their "business associates" (i.e., data processors)
83
GDPR Data Processing Agreement Law
1. A data processor is not permitted to process data "except on the instructions from the controller" unless required by law
2. GDPR requires "sufficient guarantees" from third-party vendors (vendors must be properly vetted, and a contract must be in place as a control measure)
84
Due Diligence Standards for Selecting Vendors
Reputation
Financial Condition and Insurance
Information Security Controls
Point of Transfer
Disposal of Information
Employee Training and User Awareness
Vendor Incident Response
Audit Rights
85
Vendor Contracts - General Terms
Confidentiality Provisions
Security Protections
Audit Rights
"No Further Use" Provisions
Subcontractor Use
Information Sharing
Breach Notifications
Consumer Consent
End of Relationship Provisions
86
Contractual Provisions for Vendor Incident Response
A vendor contract should set forth the protocol that should be followed in the event of a vendor incident
87
Steps in Vendor Incident Response
1. Operations should be secured to contain the incident
2. Vulnerabilities should be analyzed and fixed
3. Appropriate parties should be notified
4. A review should be undertaken to ensure similar incidents are not repeated (e.g., terminating the relationship with the vendor)
88
Cloud Computing
The provision of software and other information technology services over the internet
89
Cloud Contracts Should:
Receive sign-off from appropriate high-ranking executives in an organization because cloud computing poses particular privacy risks
90
What is Third-Party Data Sharing?
Data brokers or advertising firms process a controller's data in some manner
91