Section 1 Flashcards
(87 cards)
GDPR SPI
Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, data about sex life or orientation
HHS ways to de-identify data
Expert determination (statistician) or safe harbor (removal of 18 types of info)
GAPP Principles
Management, Notice, Choice and Consent, Collection, Use/Retention/Disposal, Access, Disclosure, Security for Privacy, Quality, & Monitoring + Enforcement
ISO 27701
It covers best practices for implementing privacy controls. Annex F provides advice on applying the privacy standard in an organization that already uses the information security standards
What is the data that must be removed from a data set for the HHS safe harbor in de-identification?
Names, geographic divisions and ZIP codes containing fewer than 20K, month and day of a person's birth/death/hospital admission or discharge or the age in years of a person over 89, telephone numbers, vehicle identifiers and serial numbers, including license plates, fax numbers, device identifiers and serial numbers, email addresses, web URLs, social security numbers, IP addresses, medical record numbers, biometric identifiers including finger and voice prints, health plan beneficiary numbers, full face photographs, account numbers, certificate/license numbers
ISO 27001 and 27002
These relate to an org’s information security program
Olmstead v. US
Right to be left alone
What is an investigative report under the FCRA?
Under the FCRA, a consumer report becomes an investigative report when the process includes interviews with a person's contacts to learn more about factors in the report such as "mode of living"
Can an ISP call an existing customer for telemarketing?
The Telemarketing Sales Rule provides an existing business relationship exemption that would allow an ISP to call the customer even though they have added their phone to the DNC list
FACTA
The Fair and Accurate Credit Transactions Act includes specialized guidance for organizations that use consumer reports. The basic requirement of the FACTA Disposal Rule is that covered organizations must take "reasonable measures to protect against unauthorized access or use of the information in connection with its disposal"
What are the three main goals of a cybersecurity program?
confidentiality, integrity, and availability
Industry best practice for frequency of privacy risk assessment
Annual
Articles 1, 2, 3
1 - Legislative, 2 - Executive, 3 - Judicial
Article IV
defines the relationship between the federal government and the governments of the states
Article V
creates the process for amending the Constitution itself
Article VI
contains the supremacy clause and the process to modify the Constitution through amendments (2/3 of each house of Congress and 38/50 states)
Article VII
process for the initial establishment of the federal government
Which states have privacy in their constitutions?
Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, New Hampshire, South Carolina, Washington
Smyth v. Pillsbury (Eastern District of Pennsylvania 1996)
Holding: employees generally do not have a right to privacy in their use of a company provided email account.
Google v. CNIL (2019)
The right to be forgotten applies only within the EU
What does FERPA not apply to?
employee professional education records maintained by hospitals
What does HIPAA not apply to?
medical records maintained at student health centers
Does FERPA have a private right of action?
No, but the DoE can bring a case
Does HIPAA have a private right of action?
No