IAPP Glossary for CIPP/E Flashcards Preview

CIPP/E > IAPP Glossary for CIPP/E > Flashcards

Flashcards in IAPP Glossary for CIPP/E Deck (144)
Loading flashcards...


A fair information practices principle, it is the idea that when personal information is to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with other fair use principles.


Adequate Level of Protection

A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by the European Commission, an Article 29 Working Group Opinion, an opinion of the article 31 Management Committee, a right of scrutiny by the European Parliament and adoption by the European Commission.


Adverse Action

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.


Annual Reports

The requirement under the European Data Protection Directive that member state data protection authorities report on their activities at regular intervals.


Antidiscrimination Laws

Refers to the right of people to be treated equally.


Article 29 Working Party

A European Union organization that functions as an independent advisory body on data protection and privacy. While EU data protection laws are actually enforced by the national Data Protection Authoritiesof EU member states.



The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. Authentication identified as an individual based on some credential; i.e. a password, biometrics, etc. Authentication is different from authorization. Proper authentication ensures that a person is who he or she claims to be, but it says nothing about the access rights of the individual.


Background Screening/Checks

Verifying an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity.


Behavioral Advertising

The act of tracking users’ online activities and then delivering ads or recommendations based upon the tracked activities. The most comprehensive form of targeted advertising. By building a profile on a user through their browsing habits such as sites they visit, articles read, searches made, ads previously clicked on, etc., advertising companies place ads pertaining to the known information about the user across all websites visited. Behavioral Advertising also uses data aggregation to place ads on websites that a user may not have shown interest in, but similar individuals had shown interest in.


Binding Corporate Rules

Legally binding internal corporate privacy rules for transferring personal information within a corporate group. BCRs are typically used by corporations that operate in multiple jurisdictions, and they are alternatives to the U.S.-EU Safe Harbor and Model Contract Clauses. BCRs must be approved by the EU data protection authorities of the member states in which the corporation operates.


Binding Safe Processor Rules

Self-regulatory principles (similar to Binding Corporate Rules) for processors that are applicable to customer personal data. Once a supplier’s BSPR are approved, a supplier gains ”safe processor” status and its customers would be able to meet the EU Data Protection Directive’s requirements for international transfers in a similar manner as BCR allow. BSPR are currently being considered as a concept by the Article 29 Working Party and national authorities.



Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait.


Bodily Privacy

One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.


Breach Disclosure

The requirement that a data controller notify regulators and victims of incidents affecting the confidentiality and security of personal data. It is a transparency mechanism highlights operational failures, this helps mitigate damage and aids in the understanding of causes of failure.



A German national data protection law that including specific requirements for data services outsourcing agreements. The legislation contains ten specific requirements for outsourcing agreements: (1) Subject and duration of work; (2) the extent, type and purpose of data processing; (3) technical and organizational measures to be taken under section 9; (4) the rectification, erasure and blocking of data; (5) the processor's section 4 obligations, particularly with regard to monitoring; (6) rights regarding subcontracting; (7) the controller's monitoring rights; (8) the subcontractor's notification obligations; (9) the extent of the controller's authority to issue instructions to the processor; (10) the return and/or erasure of data by the processor at the conclusion of the work.


Charter of Fundamental Rights

A treaty that consolidates human rights within the EU. The treaty states that everyone has a right to protect their personal data, that data must be processed for legitimate and specified purposes and that compliance is subject to control by an authority.


Children’s Online Privacy Protection Act (COPPA) of 1998

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy policy on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.



An individual’s ability to determine whether or how their personal information may be used or disclosed by the entity that collected the information. Also, the ability of an individual to limit certain uses of their personal information. For example; an individual may have choice about whether to permit a company to contact them or share their data with third parties. Can be express or implied.


Closed Circuit Television

Systems of cameras, monitors and recording equipment that are not used for broadcasting but are connected to a closed network by cables. CCTV is used primarily for video surveillance of premises.


Cloud Computing

The storage of information on the Internet. Although it is an evolving concept, definitions typically include on-demand accessibility, scalability, and secure access from almost any location. Cloud storage presents unique security risks.


Collection Limitation

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.


Commercial Activity

Under PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.


Communications Privacy

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.


Comprehensive Laws

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.


Computer Forensics

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.



The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.



This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice (see Choice) about the use or disclosure of his or her information, consent is the individuals’ way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out. (1) Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties. According to the EU Data Protection Directive, explicit consent is required for processing of sensitive information. Further, data controllers cannot infer consent from non-response to a communication. (2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.


Convention 108

The first legally binding international instrument in the area of data protection. It requires signatories to take steps to ensure fundamental human rights with regard to the processing of personal information.



A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their user name and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer.


Cookie Directive

Additions to the e-Privacy Directive where websites could allow users to opt out of cookies, such as by selecting a setting on their web browsers. Under the revision, member states are required to pass legislation that gives users the ability to opt in before cookies are placed on their computers.