Vocabulary

Question 1

accountability

Answer 1

A fair information practices principle, it is the idea that when personal information is to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with other fair use principles.
Reference(s) in IAPP Certification Textbooks: F18, 21-22; US34-35; C39, 101, 122; E8; G13; M35

Question 2

Act Respecting the Protection of Personal Information in the Private Sector

Answer 2

A Québéquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.
Reference(s) in IAPP Certification Textbooks: F48-49, C35-37

Question 3

Active Data Collection

Answer 3

When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.

Question 4

Active Scanning Tools

Answer 4

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.
Reference(s) in IAPP Certification Textbooks: M133

Question 5

Adequate Level of Protection

Answer 5

A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by the European Commission, an Article 29 Working Group Opinion, an opinion of the article 31 Management Committee, a right of scrutiny by the European Parliament and adoption by the European Commission.
Reference(s) in IAPP Certification Textbooks: F36-37; C24; E38, 175-178, 295
Associated term(s): Adequacy

Question 6

Administrative Purpose

Answer 6

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.
Reference(s) in IAPP Certification Textbooks: C68

Question 7

Adverse Action

Answer 7

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.

Question 8

Alberta PIPA

Answer 8

A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.

Question 9

American Institute of Certified Public Accountants

Answer 9

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

Question 10

Americans with Disabilities Act

Answer 10

A U.S. law that bars discrimination against qualified individuals with disabilities.

Question 11

Annual Independent Evaluations

Answer 11

Under FIMSA, U.S. agencies’ information security programs must be independently evaluated yearly. The independent auditor is selected by the agency’s inspector general or the head of the agency. The audit is submitted to the Office of Management and Budget.

Question 12

Annual Reports

Answer 12

The requirement under the European Data Protection Directive that member state data protection authorities report on their activities at regular intervals.

Question 13

Anonymity, Privacy, and Security Online

Answer 13

This survey by the Pew Research Center’s Internet Project asked 1,002 adults about their Internet habits. It is laid out in five parts: the quest for anonymity online; concerns about personal information online; who internet users are trying to avoid, the information they want to protect; how users feel about the sensitivity of certain kinds of data; online identity theft, security issues and reputational damage. (2013)

Question 14

Antidiscrimination Laws

Answer 14

Refers to the right of people to be treated equally.

Question 15

APEC Privacy Principles

Answer 15

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Question 16

Application-Layer Attacks

Answer 16

Attacks that exploit flaws in the network applications installed on network servers. Such weaknesses exist in web browsers, e-mail server software, network routing software and other standard enterprise applications. Regularly applying patches and updates to applications may help prevent such attacks.

Question 17

Article 29 Working Party

Answer 17

A European Union organization that functions as an independent advisory body on data protection and privacy. While EU data protection laws are actually enforced by the national Data Protection Authorities of EU member states.

Question 18

Assess

Answer 18

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

Question 19

Audit Life Cycle

Answer 19

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Question 20

Authentication

Answer 20

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. Authentication identified as an individual based on some credential; i.e. a password, biometrics, etc. Authentication is different from authorization. Proper authentication ensures that a person is who he or she claims to be, but it says nothing about the access rights of the individual.

Question 21

Authorization

Answer 21

In the context of information security, it is process of determining if the end user is permitted to have access to the desired resource such as the information asset or the information system containing the asset. Authorization criteria may be based upon a variety of factors such as organizational role, level of security clearance, applicable law or a combination of factors. When effective, authentication validates that the entity requesting access is who or what it claims to be.

Question 22

Background Screening/Checks

Answer 22

Verifying an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity.

Question 23

Bank Secrecy Act, The

Answer 23

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.