Flashcards in Information Management from a U.S. Perspective Deck (24)
What types of risks should be considered when using PI ?
1. Legal Risks
2. Reputation Risks
3. Operational Risks
4. Investment Risks
What do the Legal Risks stem from?
Failure to comply with applicable law, contractual commitments, privacy promises, and industry standards.
What do the Reputational Risks stem from?
Legal enforcement and if they announce privacy policies but do not carry them out. .
What do the Operational Risks stem from?
Administrative efficiency and cost effectiveness.
What do the Investment Risks stem from?
The ability to receive an appropriate return on it investments in information, information technology, etc.
What are the 4 basic steps for Information Management?
What should practices and controls that organizations use for managing PI address?
1. Data Inventory
2. Data Classification
3. Documenting Data Flows
4. Determining Data Accountability
What does Data Inventory involve?
An inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document data location and flow as well as evaluate how, when, and with whom the organization shares such information - and the means for data transfer used.
What does Data Classification involve?
Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for that data.
What does Documenting Data Flows involve?
The mapping and documenting of the systems, applications, and processes handling data.
What does Determining Data Accountability involve?
The responsibility to assure compliance with privacy laws and policies.
What do Privacy Policies do?
They inform relevant employees about how PI must be handled, and in some cases are made public in the form of a privacy notice.
When an organization has a consistent set of values and practices for all its operations.
When do multiple Privacy Policies make sense?
When a company that has well-defined divisions of lines of business, especially if each division uses customer data in very different ways, does not typically, share PI with other divisions and is perceived in the marketplace as a different business.
1. Announce the change to employees
2. Announce the change to current and former customers
3. Per the FTC, obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations
What methods may a company communicate its Privacy Notice?
1. Make the notice accessible in places of business
2. Make the notice accessible online
3. Provide updates and revisions
4. Ensure that the appropriate personnel are knowledgeable about the policy.
What is an opt-in?
One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.
What legal bodies require opt-ins?
COPPA, HIPPA, FCRA
What is an opt-out?
One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.
What is no consumer choice or no option?
When companies use consumer data for practices that are consistent with the context of the transaction, consistent with the company's relationship with the consumer, or as required or specifically authorized by law.
What are some management challenges of user preferences?
1. The scope of the opt-out or other user preference can vary.
2. The mechanism for providing an opt-out or other user preference can vary.
3, Linking of a user's interactions.
4. The time period for implementing user preferences.
5. Third party vendors often process PI on behalf of the company.
What laws give consumers the right to access the PI held about them?
3. Statements on fair information practices - OECD Guidelines, APEC Principles
What precautions should be included in vendor contracts?
1. Confidentiality provision
2. No further use of shared information.
3. Use of subcontractors.
4. Requirement to notify and to disclose breach
5. Information security provisions