Information Management from a U.S. Perspective Flashcards

18-22 questions

1
Q

Define:

information management

A

establishing, implementing and monitoring the organization’s privacy program under the direction of a senior person in the organization

2
Q

duties of a chief privacy officer

A

developing and implementing policies related to data processing and proper handling of personal information

3
Q

duties of a data protection officer

A
  • ensures organization’s processing and handling of personal info is in compliance with legal privacy requirements
  • cannot be directly involved with decision-making regarding data processing activities
4
Q

duties of a privacy engineer

A

works to ensure that compliance with legal requirements has occurred through the technical processes of the organization

5
Q

duties of a privacy manager

A

responsible for development, maintenance and enforcement of privacy policies and procedures within an organization

6
Q

duties of a privacy analyst

A

manages legal and operational risks related to personal information held by the organization

7
Q

what are the stages of a data life cycle?

A
  1. data creation
  2. data storage
  3. data sharing and usage
  4. data archival
  5. data deletion
8
Q

Define:

data inventory

A

undertake an inventory of the PI it collects, stores, uses or discloses within the organization and to outside entities

9
Q

Define:

data classification

A
  • classify data according to its level of sensitivity
  • defines clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data
10
Q

Define:

data flow mapping

A

examine and document data flows

11
Q

top-down vs. bottom-up data flow mapping

A
  • top-down: starts with record of processing activities (RoPA) which is required under GDPR
  • RoPA process involves documenting the purpose for processing the PI; parties to whom any PI was disclosed; retention period for PI; and details about the safeguards in place for PI
  • bottom-up: understanding data assets; data inventory and classification; delineating data processes (RoPA); documenting data lineage
12
Q

privacy program should…

A
  • demonstrate effective and auditable framework to enable compliance with applicable privacy laws and regulations
  • promote trust and confidence in the organization’s handling of personal data
  • respond effectively to requests by consumers
  • address privacy and security breaches
  • continually monitor and improve the maturity of the privacy program
13
Q

privacy mission statement

A

describes core function of privacy within the org

14
Q

How to ensure appropriate metrics for privacy program framework?

A
  1. identifying intended audience for metrics
  2. defining reporting sources
  3. defining privacy metrics for oversight and governance
  4. identifying systems/application collection points
15
Q

What are the four stages of the privacy operational life cycle?

A
  1. assess
  2. protect
  3. sustain
  4. respond
16
Q

assess

A
  • document baseline of privacy program
  • evaluate processors and third parties
  • identify operational risks
  • document the assessment
17
Q

protect

A
  • review access controls and technical controls
  • review incident response plan
  • integrate privacy requirements into functional areas of the organization
18
Q

sustain

A
  • monitor and audit compliance with privacy policies
  • monitor regulatory changes
  • hold employee, management and contractor trainings
19
Q

respond

A
  • consumer requests
  • address privacy incidents
20
Q

Define:

privacy policy

A

high-level document that helps an organization meet policy goals contained within an org’s privacy vision or mission statement

21
Q

typical components of a privacy policy

A
  • purpose
  • scope
  • applicability
  • roles and responsibilities
  • compliance
  • penalties and sanctions for noncompliance
22
Q

revision to privacy policy

A
  • according to FTC, companies should obtain express affirmative consent before making material retroactive changes to privacy representations
  • material change at a minimum includes sharing consumer information with 3Ps after committing at the time of collection not to share the data
23
Q

Define:

privacy notice

A
  • external statement that provides transparency concerning the org’s privacy practices
  • how it collects, uses, shares, retains and discloses PI based on org’s privacy policy
24
Q

organization can communicate privacy notice to consumer by:

A
  • making notice accessible online
  • making notice accessible in places of business
25
layered privacy notice approach
* **short notice**: top layer that summarizes the notice’s scope and basic points about the org’s practice for personal information: collection, choice, use and disclosure
* **full notice**: comprehensive information on disclosure that articulates the organization’s privacy notice in its entirety
26
# Define: just-in-time notice
notice at or before point of info collection or before a consumer accepts a service or product
27
# Define: privacy dashboard
offers a summary of privacy-related info in a format that is intended to be easy to access and navigate
28
# Define: double or confirmed opt-in
consumer first indicates interest in a communication list and then confirms that interest in response to the follow-up email
29
no option to opt
* when an organization uses or collects the consumer's data because that org has been given implied authority to share PI
* e.g., a consumer who orders her product online expects her PI to be shared with the shipping company, credit card processor, etc.
30
good rule of thumb: channel for marketing should be...
channel for exercising a user preference
31
privacy risk management
* process that identifies and assesses the risk to an org’s information assets and then implements appropriate mitigation strategies to reduce or eliminate those risks
* often includes conducting PIAs, vendor/third-party risk assessments, data breach readiness assessments
32
# Define: organizational code of ethics
* helps in assessing benefits and risks of processing personal data
* focuses on topics such as how to respect individuals whose PI is held by the org; downstream uses of personal data; consequences of utilizing analytical tools; whether to collect data that the org does not need; how the org should design practices to ensure transparency, accountability and auditability
33
# Define: privacy risk
likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur
34
# Define: privacy impact assessment
* provides analysis of how personal information is handled to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
* determines risks and effects of collecting, maintaining and disseminating personal info in identifiable form
* examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks
35
# Define: privacy risk assessment
* core of PIA
* focuses on determining level of privacy risk by looking at the privacy impact and likelihood given the controls
36
precautions to consider in written contract with third-party vendor
* confidentiality provision
* no further use of shared information
* subcontractors should follow privacy and security protection terms in vendor’s K
* requirement to notify and to disclose breach
* information security provisions
* end of relationship → return of data or deletion of data at conclusion of relationship
37
standards for vendor selection
* reputation
* financial condition and insurance
* information security controls to ensure data isn’t lost or stolen (e.g., SOC 2)
* secure transfer mechanisms for data
* appropriate disposal of information → appropriate destruction of data in any format or media
* employee training and user awareness
* vendor incident response
* org should be able to audit vendor’s activities to ensure compliance with contractual obligations
38
# Define: information security
protection of information for the purpose of preventing loss, unauthorized access, or misuse
39
What are the three key attributes of information security?
* confidentiality
* integrity
* availability
40
# Define: confidentiality
access to data is limited to authorized parties
41
# Define: integrity
assurance that the data is authentic and complete
42
# Define: availability
knowledge that the data is accessible, as needed, by those who are authorized to use it
43
# Define: security controls
mechanisms put in place to prevent, detect or correct a security incident
44
What are the three types of security controls?
* **physical** controls such as locks, security cameras and fences
* **administrative** controls such as incident response procedures and training
* **technical** controls such as firewalls, antivirus software, and access logs
45
# Define: NIST Cybersecurity Framework
voluntary tool for orgs to better manage and reduce cybersecurity risks with the following core elements:
* **identify** → looks at people, systems, data and capabilities to understand what a potential risk could be
* **protect** → focuses on safeguards for risks that an organization wants to mitigate
* **detect** → activities that identify a cybersecurity incident
* **respond** → what activities an org takes when there is an incident
* **recover** → plans to restore business operations from a cybersecurity incident
46
# Define: data breach readiness assessment | (include factors)
examines level of risk of a data breach coupled with the likelihood and severity of a personal data breach by looking at the following factors:
* types and nature of personal data involved, particularly sensitive personal information
* whether appropriate technical safeguards have been applied
* whether the data subject will be directly or indirectly affected
* possibility that personal data can be maliciously used
* possibility of substantial damage on a physical level
47
What are mechanisms for cross-border data flows?
* domestic approaches (or unilateral mechanism) → more than ½ of countries with safeguards for cross-border data flows employ pre-authorization safeguards
* multilateral arrangements such as OECD Privacy Guidelines; APEC Cross-Border Privacy Rules; Council of Europe Convention 108 and 108+
* trade agreements which may contain provisions
* standards and technology-driven initiatives such as ISO standards and privacy-enhancing technologies (PETs)
48
When does GDPR apply?
* when EU-based establishments process personal data of any subjects *and*
* when an establishment based outside of the EU monitors behavior of or targets goods or services to data subjects in the EU
49
# Define: personal data (under GDPR)
any data related to an identified or identifiable natural person (can be identified directly or indirectly)
50
# Define: sensitive personal data (under GDPR)
special category of personal data that gets additional protections under GDPR and requires the business to obtain “explicit consent” from the person to process the data for a specified purpose
51
Examples of sensitive personal data under GDPR?
* race or ethnic origin
* political opinions
* religious or philosophical beliefs
* trade union membership
* genetic data
* biometric data
* health data, sex life
* sexual orientation
52
# Define: data subject | under GDPR
any natural person whose data is being collected, stored or processed
53
controller | under GDPR
individual or entity that determines the purposes and the means of the processing of personal data
54
What are obligations of a controller?
* implement data protection by default and by design
* provide instructions to processors
* ensure data security
* report data breaches
* cooperate with DPAs
* appoint a DPO for the business
* identify legal basis for processing
* maintain data processing records
* conduct data protection impact assessments
55
# Define: processor | under GDPR
an individual or entity that processes personal data on behalf of the controller
56
What are obligations of a processor?
* confidentiality
* record of processing activities
* data security
* data breach reporting
* cooperation with DPAs
57
# Define: consent | under GDPR
freely given, specific, informed and an unambiguous indication of the data subject’s wishes
58
For consent to processing of data to be informed, it must contain: | under GDPR
1. controller’s identity
2. purpose of processing for which consent is sought
3. types of data that will be collected
4. information about the right to withdraw consent
5. information about automated processing
6. risks of transfers outside the EU
59
# Define: data protection authority | under GDPR
independent public authorities that investigate and enforce data protection laws at a national level
60
# Define: data protection officer | under GDPR
primary point of contact on data protection issues within a business that is based in the EU
61
What are the seven key principles of GDPR?
1. lawfulness, fairness and transparency
2. purpose limitation
3. data minimization
4. accuracy
5. storage limitation
6. integrity and confidentiality
7. accountability
62
# Define: lawfulness, fairness and transparency | under GDPR
* companies should have a legal basis for processing personal data
* data subjects should be made aware of the rules and safeguards as well as the risks associated with their data
63
What is considered "transparent" under GDPR?
communications must be concise, easily accessible and written using clear and plain language that is easy to understand
64
# Define: purpose limitation | under GDPR
* personal data must be collected for specified, explicit and legitimate purposes
* personal data shouldn’t be further processed in a manner that is incompatible with the original purpose for which it was collected
65
# Define: data minimization | under GDPR
* processing of personal data must be adequate, relevant and limited to what is necessary considering the purposes of processing
* requires deletion or anonymization of personal data that is no longer necessary, and any data retention period must be limited to a strict minimum
66
# Define: accuracy | under GDPR
personal data must be accurate and, where necessary, kept up to date
67
# Define: storage limitation | under GDPR
personal data must be kept for no longer than is necessary for the purposes of processing
68
# Define: integrity and confidentiality | under GDPR
personal data must be processed in a way that ensures a level of security appropriate to the risk of processing the personal data through appropriate technical and organizational measures
69
# Define: accountability | under GDPR
controller is responsible for and must be able to demonstrate compliance with the other six principles
70
What are the eight primary data subject rights? | under GDPR
1. right to be informed of transparent communication and information
2. right of access
3. right to rectification
4. right to erase / right to be forgotten
5. right to restriction of processing
6. right to data portability
7. right to object
8. right not to be subject to automated decision-making
71
How soon must controllers respond to rights requests? | under GDPR
within one month of request (or, where necessary, within three months) in writing or, if requested, orally
72
# Define: right to be informed of transparent communication and information | under GDPR
privacy notice to provide info
73
# Define: right of access | under GDPR
right to obtain the following from controllers:
* confirmation as to whether a controller is processing the data subject’s personal data
* a copy of the personal data
* other information that should already be provided in a privacy notice
74
# Define: subject access request | under GDPR
when data subjects exercise their right of access
75
# Define: right to rectification | under GDPR
allows data subjects to require controllers to confirm the accuracy of their personal data
76
# Define: right to erase ("right to be forgotten") | under GDPR
right to have personal data erased in circumstances where:
* personal data is no longer necessary for the purposes for which it was collected or otherwise processed
* data subject withdraws consent on which the processing is based and there is no other legal ground for processing
* data subject objects to processing based on legitimate interests and there are no overriding legitimate grounds for the processing
* personal data was unlawfully processed
* personal data has to be erased for compliance with a legal obligation
* personal data has been collected to offer info society services to children
77
What does a controller do if a data subject requests their personal data to be deleted? | under GDPR
controller must delete the personal data and, if it has made the personal data publicly available online, must use reasonable measures to inform other controllers processing the personal data to erase it
78
# Define: right to restriction of processing | under GDPR
can limit the way their personal data is processed
79
When does the right to restriction of processing apply?
* accuracy of personal data is contested and controller is verifying accuracy
* processing is unlawful and data subject prefers to have the use of their personal data restricted rather than having it erased
* controller no longer needs the personal data but the data subject requires it for the establishment, exercise or defense of legal claims
* data subject has objected to processing pursuant to the GDPR and controller is verifying whether its legitimate grounds override those of the data subject
80
# Define: right to data portability | under GDPR
data subjects can port data to themselves or to another controller
81
When does the right to data portability apply? | under GDPR
only applies to:
1. personal data provided by data subject
2. where processing is based on consent or the performance of a contract
3. when processing is carried out by automated means
82
# Define: right to object | under GDPR
data subjects can require controllers to stop processing their personal data
83
When can a data subject exercise their right to object? | under GDPR
if controller is processing their personal data for:
* direct marketing purposes
* on legal basis of legitimate interests
* on legal basis of task carried out in public interest
* on legal basis of exercise of official authority
84
# Define: right not to be subject to automated decision-making | under GDPR
general prohibition on fully automated decision-making, including profiling, that has a legal or similarly significant effect
85
When can a controller carry out automated decision-making based on processing of personal data?
when:
1. necessary for performance of a K between data subject and controller
2. authorized by law *or*
3. based on data subject’s explicit consent
86
# Define: data breach | under GDPR
breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
87
When does a controller have to report a data breach to a DPA? | under GDPR
to relevant DPA within 72 hours of becoming aware where feasible UNLESS unlikely to result in risk to individuals' rights and freedoms
88
# Define: aware | under GDPR related to breach
have a reasonable degree of certainty that a security incident has compromised personal data
89
When does a controller have to report a data breach to data subjects? | under GDPR
if data breach occurs that is likely to result in high risk to individuals’ rights and freedoms, then without undue delay
90
What should be contained in the controller's notice to data subjects of a data breach? | under GDPR
notice must be in clear and plain language and must include name and contact of the DPO, likely consequences of the data breach, and any measures taken by controller to mitigate the risk
91
How can a data subject take action? | under GDPR
* initiate administrative complaint
* go to national court (if unsatisfied with decision of DPA or DPA doesn't give an update on the complaint within three months)
* seek judicial remedy
92
How is the complaint process initiated? | under GDPR
can be initiated by data subject or by DPA
93
What does a DPA do with a complaint? | under GDPR
1. assessment to determine lead DPA (if more than one DPA has complaint)
2. assessment to determine whether to impose administrative fine
94
liability of processor vs. controller | under GDPR
each is liable for the entire damage if both are involved in the same processing; once the data subject has been compensated, they can seek compensation from each other
95
higher-level fines | under GDPR
greater of 20 mil Euros or 4% of global annual revenues
96
lower-level fines | under GDPR
greater of 10 mil Euros or 2% of global annual revenues
97
What do higher-level fines cover? | under GDPR
infringements related to basic principles of processing, rights of data subject and transfers of personal data to a recipient outside EU
98
# Define: European Economic Area
EU and Norway, Liechtenstein and Iceland
99
What is required for data transfers from the EEA to non-EEA countries?
prohibited unless can rely upon adequacy decision, appropriate safeguard or a derogation
100
# Define: adequate transfer | international data transfers
data transfer to a country that has adopted protections that the EU law deems “adequate” (essentially equivalent to those found in the GDPR)
101
# Define: appropriate safeguard | international data transfers
* legally binding and enforceable instrument between public authorities or bodies
* binding corporate rules
* standard contractual clauses
* standard data protection clauses adopted by European Commission
* standard data protection clauses adopted by a DPA and approved by European Commission
* approved code of conduct, together with binding and enforceable commitments of the non-EEA controller or processor
* approved certification mechanism together with binding and enforceable commitments of non-EEA controller or processor
* contractual clauses authorized by DPA or of the controller/processor transferring the data outside the EEA
* administrative arrangements between public authorities authorized by the DPA in the country from which the transfer is made
102
# Define: binding corporate rules | international data transfers
provide that a multinational company can transfer data between countries, including among affiliated entities, after certification of its practices by a DPA
103
# Define: standard contractual clause | international data transfers
company contractually promises to comply with EU law and to submit to supervision of a DPA
104
# Define: derogations | international data transfers
allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for one of the following:
* performance of K between data subject and controller and transfer is occasional
* performance or conclusion of a K concluded in interest of data subject between controller and 3P and transfer is occasional
* important reasons of public interest
* establishment, exercise or defense of legal claims and the transfer is occasional
* protection of vital interests of an individual incapable of giving consent
105
# Define: last-resort derogation | international data transfers
transfer can take place if necessary for purposes of compelling legitimate interest and meets all of specified requirements under the GDPR
106
history of data transfers from EU to U.S.
1. Safe Harbor program under EU Data Protection Directive until 2015
2. Schrems I case (2015)
3. Privacy Shield (2016)
4. Schrems II case (2020)
5. Data Privacy Framework finalized in July 2023
107
Schrems I case (2015)
CJEU struck down Safe Harbor program
108
Schrems II case (2020)
CJEU struck down Privacy Shield and raised concerns about perceived lack of legal protection from U.S. government surveillance for EU data being transferred to Facebook
109
key points of EU-U.S. Data Privacy Framework
U.S. agreed to ensure that surveillance activities would comply with the “necessity and proportionality” standard and to establish an independent data protection review court to provide European citizens the ability to complain when they believe their personal data has been collected inappropriately by U.S. intelligence agencies; U.S. designated the EU and member states as qualifying states
110
recent developments in global data flows
* APEC issued declaration concerning an international approach to allow trade between participating countries while providing assurances how data will be handled
* **Global Cross-Border Privacy Rules Forum**: establishment of international certification system based on existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems announced in 2022
* OECD adopted a declaration on common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies