Flashcards in Module 1: Introduction to Privacy Deck (162)
What are the 4 Fair Information Practices (FIP)
1) Rights of individuals: Notice, choice and consent, data subject access
2) Controls on the information: Information security, information quality
3) Information life cycle: Collection, use and retention, disclosure, destruction
4) Management: Management and administration, monitoring, and enforcement
Name 5 major components of milestone legislations re: FIPs
1) US Health, Education and Welfare FIPs (1973): created after secret dossiers were created. Also created Privacy Act of 1974.
2) OECD guidelines (1980): created as a set of guidelines across economies (The Organisation for Economic Co-operation and Development)
3) Council of Europe Convention (1981): the first legally binding international data protection convention
4) APEC Privacy Framework (2004): Non-binding data protection guidelines for Asia-Pacific countries.
5) Madrid Resolution (2009): Looked at creating at guiding privacy practices for Europe
Name 4 types of information
1) Personal Information includes name, gender, address, etc.
2) Sensitive information is information that is riskier to expose you to harm (e.g. SSN, medical records, etc).
3) Non-personal information is anonymized data and aggregated data.
4) Pseudonymized data is the replacement of personal information with pseudonyms, or artificial replacements.
Name 3 sources of personal information
1) Public records: information that government agencies publish for public consumption
2) Publicly available information: newspapers, phonebooks, etc.
3) Nonpublic information: information we want protected from public disclosure
Name 4 data protection roles
1) Data Subject: Who the information is about
2) Data Controller: Who controls access to information and what is done about it.
3) Data Processor: Processes data on behalf of the controller.
4) Regulator or data protection authority (DPA)
Name 4 sources of privacy protection
1) Markets: they want to create trust in their services, so they make sure they build in privacy controls.
3) Law: a good privacy law benefits us all, but quickly written laws only cause confusion
4) Self-regulation: 2 types--self-regulatory and co-regulatory (laws + regulating themselves). Establish enforceable codes.
Legislation: who writes the rules
Adjudication: who is breaking the rules
Enforcement: who enforces non-compliance
Name 4 types of privacy protection models
1) Few or no general laws (e.g. Cuba)
2) Co-regulatory: enforceable by industry body OR government (e.g. Australia). COPPA is an example of this -- the government can enforce but lets industry-specific bodies do work too.
3) Sectoral: Industry-specific laws (e.g. U.S.)
4) Comprehensive: Omnibus laws (e.g. EU)
Name the 3 branches of government
1) Executive: enforces laws
2) Legislative: makes laws
3) Judicial: interprets laws
Name 8 sources of US law.
3) Regulations and rules
4) Contract law
5) Case law
6) Common law
7) Consent decree
8) Tort law
What 3 things must be necessary for a contract to be binding?
What is consideration in contract law?
Each party must change their position. Usually one of two things: 1) a promise to do something not legally obligated to 2) A promise not to do something you have the right to.
What is common law?
Used synonymously with case law in US. A system where courts can set precedent (vs. cannot work without laws in place). Generally legal precedent and social customs set laws.
What is a consent decree?
An agreement or settlement that resolves a dispute without admission of guilt or liability. It describes actions the defendant will take. Same effect as a court decision. Often used by SEC and FTC, since it's easier for all.
What are torts?
Civil wrongs recognized by law as having the grounds for lawsuits. Provides relief and deters others from committing the same wrongs
What are the three general tort categories?
Intentional: defendant knew or should have known action would cause harm
Negligent: defendant's actions were unreasonable unsafe
Strict liability: defendant has legal responsibility for damages even if not negligent or at fault.
What is a person (in legal terms)?
Any entity with legal rights. Can be a human being or corporation.
What are the two types of legal authority?
General: blanket authority to regulate a field of activity
Specific: Targeted at singular activities outlined by legislation
Does CAN-SPAM preempt state laws?
What are the 3 data subject rights?
2) Choice: opt-in or opt-out
3) Access: view personal information held by an org
Name 6 federal agencies that regulate privacy
2) Federal banking agencies such as the CFPB, Federal Reserve Board, or Office of the Comptroller of the Currency
5) HHS (through Office of Civil Rights)
6) Department of Commerce
Who regulates privacy at the state level?
Attorneys general (except California Privacy Protection Authority)
Name the three conditions that can trigger GDPR application
1) Processing of personal data when a controller or processor is established in EU
2) Processing of personal data of EU subjects relating to offering goods or services or monitoring behavior
3) Processing of personal data by a controller not established in the EU but in a place where member state law applies
Name 2 ways to transfer data from GDPR areas to the US aside from adequecy decisions
1) Binding Corporate Rules (BCRs): **multinational** company can transfer data between countries after certification of their practices by an EU privacy supervisory agency
2) Standard Contractual Clauses (SCCs): A company contractually promises to comply with EU law and submit to the supervision of an EU privacy supervisory agency
Name 4 accountability requirements GDPR controllers have that processors don't
1) Privacy by design
2) Privacy by default
3) Data Protection Impact Assessments (DPIAs)
4) Data breach reporting (to data subject; processor must notify controller)
When is a DPO required under GDPR?
When the core activities are:
• Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale”
• Processing sensitive data (or personal data relating to criminal convictions/offences) on a “large scale”
• Processing by public bodies, other than courts acting in judicial capacity
Name 6 responsibilities of a DPO under GPDR
• To monitor compliance with the GDPR
• Advise controller and processors
• Manage risk
• Cooperate with supervisory authorities
• Communicate with data subjects and supervisory authorities
• Exercise professional secrecy
Who must a Processor notify when there is a data breach under GDPR?
Who must a Controller inform when there is a data breach under GDPR?
1) The supervisory authority
2) The data subject
What is an adequacy decision?
A finding by the European Commission that a third country, territory, specific sector in a third country or an international organization offers levels of data protection that are essentially equivalent to that within the EU.