Information Management from a U.S. Perspective

Question 1

What is no consumer choice or no option?

Answer 1

When companies use consumer data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.

Question 2

What are some management challenges of user preferences?

Answer 2

1. The scope of the opt-out or other user preference can vary.
2. The mechanism for providing an opt-out or other user preference can vary.
   3, Linking of a user’s interactions.
3. The time period for implementing user preferences.
4. Third party vendors often process PI on behalf of the company.

Question 3

What precautions should be included in vendor contracts?

Answer 3

1. Confidentiality provision
2. No further use of shared information.
3. Use of subcontractors.
4. Requirement to notify and to disclose breach
5. Information security provisions

Question 4

When do multiple Privacy Policies make sense?

Answer 4

When a company that has well-defined divisions of lines of business, especially if each division uses customer data in very different ways, does not typically, share PI with other divisions and is perceived in the marketplace as a different business.

Question 5

What does Determining Data Accountability involve?

Answer 5

The responsibility to assure compliance with privacy laws and policies.

Question 6

What does Data Inventory involve?

Answer 6

An inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document data location and flow as well as evaluate how, when, and with whom the organization shares such information - and the means for data transfer used.

Question 7

What laws give consumers the right to access the PI held about them?

Answer 7

1. FCRA
2. HIPAA
3. Statements on fair information practices - OECD Guidelines, APEC Principles

Question 8

What does Data Classification involve?

Answer 8

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for that data.

Question 9

What does Documenting Data Flows involve?

Answer 9

The mapping and documenting of the systems, applications, and processes handling data.

Question 10

What do the Reputational Risks stem from?

Answer 10

Legal enforcement and if they announce privacy policies but do not carry them out. .

Question 11

What do the Investment Risks stem from?

Answer 11

The ability to receive an appropriate return on it investments in information, information technology, etc.

Question 12

What are the 4 basic steps for Information Management?

Answer 12

1. Discover
2. Build
3. Communicate
4. Evolve

Question 13

What should practices and controls that organizations use for managing PI address?

Answer 13

1. Data Inventory
2. Data Classification
3. Documenting Data Flows
4. Determining Data Accountability

Question 14

What is an opt-in?

Answer 14

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

Question 15

What is an opt-out?

Answer 15

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.

Question 16

What do the Operational Risks stem from?

Answer 16

Administrative efficiency and cost effectiveness.

Question 17

What do Privacy Policies do?

Answer 17

They inform relevant employees about how PI must be handled, and in some cases are made public in the form of a privacy notice.

Question 18

What vender due diligence standards should a company consider using?

Answer 18

1. Reputation.
2. Financial Condition and insurance
3. Information Security Controls
4. Point of Transfer
5. Disposal of information
6. Employee Training and User Awareness
7. Vendor incident response

Question 19

What should a company do if it revises its Privacy Policy?

Answer 19

1. Announce the change to employees
2. Announce the change to current and former customers
3. Per the FTC, obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations

Question 20

What methods may a company communicate its Privacy Notice?

Answer 20

1. Make the notice accessible in places of business
2. Make the notice accessible online
3. Provide updates and revisions
4. Ensure that the appropriate personnel are knowledgeable about the policy.

Question 21

What do the Legal Risks stem from?

Answer 21

Failure to comply with applicable law, contractual commitments, privacy promises, and industry standards.

Question 22

What types of risks should be considered when using PI ?

Answer 22

1. Legal Risks
2. Reputation Risks
3. Operational Risks
4. Investment Risks

Question 23

When does one Privacy Policy make sense?

Answer 23

When an organization has a consistent set of values and practices for all its operations.

Question 24

What legal bodies require opt-ins?

Answer 24

COPPA, HIPPA, FCRA