Glossary of Privacy Terms

Secret Key

"A cryptographic key used with a secret key cryptographic algorithm, uniquely associated with one or more entities and which shall not be made public. The use of the term "secret" in this context does not imply a classification level, rather the term implies the need to protect the key from disclosure or substitution." (Federal Information Processing Standards Publication 140-1, Security Requirements for Cryptographic Modules)

California Investigative Consumer Reporting Agencies Act

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.

Semayne's Case (1604)

A case recognized as establishing the "knock-and-announce rule," an important concept relating to privacy in one's home and Fourth Amendment search and seizure jurisprudence in the U.S.

Customer Access

A customer's ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

Reasonable Suspicion

A determining factor in substance testing where testing is allowed as a condition of continued employment if there is "reasonable suspicion" of drug or alcohol use based on specific facts as well as rational inferences from those facts; i.e., appearance, behavior, speech, odors.

Personal Information (PI)

A synonym for "personal data." It is a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.

Voice over Internet Protocol (VoIP)

A technology that allows telephone calls to be made over a LAN or the Internet itself. Skype is a well-known example. VoIP poses the same risk as network-connected PBX systems but also poses the additional risk of data interception when such data travel over an unsecured connection. VoIP functionality should be encrypted where possible and equipment monitored with intrusion-detection systems.

Data Elements

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

Subpoena

A written court order issued in an administrative, civil or criminal action that requires the person named in the subpoena to appear in court in order to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit. A subpoena may also require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that discloses personal information.

Do-Not-Call Improvement Act of 2007

Amending the Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after 5 years, but with this act the registrations became permanent.

Confirmed Opt-In

An e-mail approach where e-mail marketers send a confirmation e-mail requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.

Organization for Economic Cooperation and Development (OECD)

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.

Negligence

An organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach.

Special Categories of Data

As defined in Article 9 of the General Data Protection Regulation, personal information that reveals, for example, racial origin, political opinions or religious or other beliefs, as well as personal data that concerns health or sexual life or criminal convictions is considered to be in a special category and cannot be processed except under specific circumstances.

Binding Safe Processor Rules

Binding Corporate Rules for controllers Binding Safe Processor Rules for processors.

Unfair Trade Practices

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

Defamation

Common law tort focuses on a false or defamatory statement, defined as a communication tending "so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him."

Outsourcing

Contracting business processes, which may include the processing of personal information, to a third party.

Standard Model Clauses

Contractual agreements defined by the EU and Article 29 Working Party for the purpose of meeting the adequacy standards defined under the EU "Contractual Clauses"

Consumer Financial Protection Bureau

Created by the Dodd-Frank Act - intended to consolidate the oversight of the financial industry. an independent bureau within the Federal Reserve and when it was created CFPB took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators . Its enforcement powers include authority to take action against "abusive acts and practices" as specified by the Dodd-Frank Act.

EU-US Privacy Shield

Created in 2016 to replace the invalidated U.S.-EU Safe Harbor agreement, the Privacy Shield is a data transfer mechanism negotiated by U.S. and EU authorities that received an adequacy determination from the European Commission that allowed for the transfer of personal data from the EU to the United States for companies participating in the program. Only those companies that fell under the jurisdiction of the U.S. Federal Trade Commission could certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions. On July 16, 2020, the Court of Justice of the European Union invalidated the European Commission's adequacy determination for Privacy Shield.

Confidentiality

Data is "confidential" if it is protected against unauthorised or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

security requirements set forth by the HIPPA Security Rule

Designate a responsible person for the security program. Ensure compliance by the workforce and implement a security and awareness training program. Conduct initial and ongoing risk assessments.

Health Information Technology for Economic and Clinical Health Act (HITECH)

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

Gramm-Leach-Bliley Act (GLBA)

GLBA requires financial institutions to : - securely store personal financial information; -give notice of their policies regarding the sharing of personal financial information, -give consumers the ability to opt-out of some sharing of personal financial information. The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is "significantly engaged" in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer's name and address, and consumers' interactions with banks, insurers and other financial institutions.

Global Privacy Enforcement Network (GPEN)

GPEN is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, As of 2018, GPEN counted 50 member countries.

Privacy by Design PbD

Generally regarded as a synonym for Data Protection by Design (see Data Protection by Design). However, Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.

Whistleblowing

If illegal or improper activity is taking place within an organization, employees may first observe it and report it to individuals with more authority or an agency outside of the organization. In setting up procedures to make it possible for an employee to report such activity, per laws in a variety of jurisdictions that protect the rights of these so-called whistleblowers, an organization will want to be sure that appropriate privacy safeguards are put in place.

Customer Information

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

Choice

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.

Public Records

Information collected and maintained by a government entity and available to the general public.

Non-Public Personal Information (NPI)

Is defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information.

Data Protection Act 1998

Law to protect the individual against the misuse of data

Electronic Surveillance

Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location based services.

Opt-Out

One of two central concepts of choice. It means an individual's lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.

Employee Information

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.

Case Law

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

Electronic Discovery

Prior to trial, information is typically exchanged between parties and their attorneys. E-discovery requires civil litigants to turn over large volumes of a company's electronic records in litigation.

Seal Programs

Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of the seal program are allowed to display the programs seal on their website.

PPRA

Protection of Pupil Rights Amendment

Healthcare clearinghouse

Receive healthcare transactions from healthcare providers that translate the data from a given format into one acceptable to the intended payer

Video Surveillance

Recordings that do not have sound.

Self-Regulation Model

Refers to stakeholder-based models for ensuring privacy. The term "self-regulation" can refer to any or all of three pieces: legislation, enforcement and adjudication. Legislation refers to question of who defines privacy rules. For self-regulation, this typically occurs through the privacy policy of a company or other entity, or by an industry association. Enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities, other government agencies, industry code enforcement or, in some cases, the affected individuals. Adjudication refers to the question of who should decide whether an organization has violated a privacy rule. The decision maker can be an industry association, a government agency or a judicial officer. These examples illustrate that the term "self-regulation" covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who defines the requirements, which organization brings enforcement action and who actually makes the judicial decisions.

Qualified Protective Order

Requires that the parties are prohibited from using or disclosing the Personal Healthcare Information (PHI) for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation.

Location-Based Service

Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically rely upon GPS, RFID, Wi-Fi, or similar technologies in which geolocation is used to identify the real-world geographic location of an object, such as a mobile device or an internet-connected computer terminal.-

Ransomware

Software that encrypts programs and data until a ransom is paid to remove it.

Random Testing

Substance testing sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in specific, narrowly defined jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security.

Data Classification

System of organizing data according to its sensitivity. Common classifications include public, highly confidential, and top secret.

Transparency

Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language.

Perimeter Controls

Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.

Radio Frequency Identification (RFID)

Technologies that use radio waves to identify people or objects carrying encoded microchips.

EU Data Protection Directive

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals' privacy and personal data use.

POST Method

The POST method is more secure than GET as the GET method appends the form data to the URL allowing passwords and other sensitive information collected in a form to be visible in the browser's address bar.

Stored Communications Act (SCA)

The Stored Communications Act was enacted as part of Electronic Communications Privacy Act in 1986 in the United States. It generally prohibits the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.

Jurisdiction

The authority of a court to hear a particular case. Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject-matter to which such authority applies.

Accountability

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Transfer

The movement of personal data from one organization to another

Data Controller

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

Breach Disclosure

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.

Information Life Cycle

The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction. The information life cycle recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion.

Data Breach

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Disposal Rule

Under FACTA, it requires those who use a consumer report or info derived from a consumer report for a business purpose to dispose of it in a way that prevents unauthorized access and misuse. Enforcement is by the FTC, the federal banking regulators, and the CFPB. Violators may face civil liability as well as federal and state enforcement actions. See also GLBA Safeguards Rule.

Minimum Necessary Requirement

Under HIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose.

Privacy Rule

Under HIPAA, this rule establishes U.S. national standards to protect individuals' medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients' rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

Credit Reporting Agency (CRA)

Under the Fair Credit Reporting Act, any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a

Private Right of Action

Unless otherwise restricted by law, any individual that is harmed by a violation of the law can file a lawsuit against the violator.

SPAM

Unsolicited commercial e-mail.

Common Law

Unwritten legal principles that have developed over time based on social customs and expectations

Omnibus Laws

Used to distinguish from sectorial laws, to mean laws that cover a broad spectrum of organizations or natural persons, rather than simply a certain market sector or population.

Background Screening/Checks

Verifying an applicant's ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person's educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.

Online Behavioral Advertising

Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.

Direct Marketing

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Protective Order

With a protective order, a judge determines what information should not be made public and what conditions apply to who may access the protected information.

Retention

Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.

WebTrust

a self-regulating seal program which licenses qualifying certified public accountants. Created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

Junk Fax Prevention Act of 2005

all marketing faxes be accompanied by instructions on how to opt out of further unsolicited communications. Creates the Existing Business Relationship exception to the U.S. Telephone Consumer Protection Act's ban of fax-based marketing without consent but contains a requirement that

Data Mapping

allows for connections between two systems. This connection allows for data initially captured for one purpose to be translated and used for another purpose. One system in a map is identified as the source while the other is the target.

Binding Corporate Rules (BCRs)

an appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.

PRISM

data requests can be made to ISPs

21st Century Cures Act

designed to help accelerate medical product development and bring new innovations and advances to patients who need them faster and more efficiently

Security Rule

establishes minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form.

Upstream

is about searching internet-based communications as they pass through physical U.S. internet infrastructure.

Safeguards Rule

requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients' nonpublic personal information

APEC Privacy Principles

seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs. A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices.

Collection Limitation

stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. A fair information practices principle,

Electronic Communications Privacy Act of 1986

updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

Publicity Given to Private Life

A U.S. common law tort that states: "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public." (Restatement (Second) of Torts § 652D)

National Labor Relations Board

A U.S. federal agency that administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.

U.S. Department of Labor

A U.S. federal agency that oversees "the welfare of the job seekers, wage earners and retirees of the United States by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefits, helping employers find workers, strengthening free collective bargaining and tracking changes in employment, prices and other national economic measurements." To achieve this mission, the department administers a variety of federal laws including, but not limited to, the Fair Labor Standards Act (FLSA), the Occupational Safety and Health Act (OSHA) and the Employee Retirement Income Security Act (ERISA).

The Bank Secrecy Act

A U.S. federal law requires U.S. financial institutions and money services businesses (MSBs), to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.

Children's Online Privacy Protection Act of 1988 (COPPA)

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child's personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child's personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

Freedom of Information Act (FOIA)

A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.

Health Insurance Portability and Accountability Act (HIPAA)

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

Americans with Disabilities Act

A U.S. law that bars discrimination against qualified individuals with disabilities.

(AICPA)

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program. American Institute of Certified Public Accountants

Sarbanes-Oxley Act (SOX)

A United States law, passed in 2002, regulating the transparency of publicly held companies. In particular, public companies must establish a way for the company to confidentially receive and deal with complaints about actual or potential fraud from misappropriation of assets and/or material misstatements in financial reporting from so-called "whistle-blowers."

USA Patriot Act (USAPA)

A broad-ranging act designed to counter terrorism that expanded U.S. law enforcement authority to surveillance and capturing communications and records. Commonly referred to as the Patriot Act. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001

National Security Letter

A category of subpoena. The USA PATRIOT Act expanded the use of national security letters. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies and travel agencies.

United States Department of Health, Education and Welfare Fair Information Practice Principles (1973)

A code of fair information practices that contains five principles: 1. There must be no personal data record keeping systems whose very existence is secret. 2. There must be a way for an individual to find out what information about him (or her) is in a record and how it is used. 3. There must be a way for an individual to prevent information about him (or her) that was obtained for one purpose from being used or made available for other purposes without his (or her) consent. 4. There must be a way for an individual to correct or amend a record of identifiable information about him (or her). 5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

Electronic Health Record

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers.

Credit Freeze

A consumer-initiated security measure which locks an individual's data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit.

Financial Industry Regulatory Authority (FINRA)

A corporation that acts as a regulator for brokerage firms and exchange markets. Its primary charge is to make sure that security exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors. Although it is a non-governmental regulator, ultimately it is subject to the regulations of the Securities and Exchange Commission along with the rest of the security exchange industry.

Polygraph

A device used for the purpose of rendering a diagnostic opinion regarding an individual's honesty.

CAN-SPAM Act

A federal law that placed guidelines on mass commercial emails.

FERPA (Family Educational Rights and Privacy Act)

A federal law that regulates the management of student records and disclosure of information from those records. The Act has its own administrative enforcement mechanism.

Privacy Officer

A general term in many organizations for the head of privacy compliance and operations. In the United States federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Department of Homeland Security, or a career professional.

Consent Decree

A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.

Digital Signature

A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file. If anything is changed in the electronic document after the digital signature is attached, the signature is rendered invalid.

Data Processor

A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

Data Recipient

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

spear phishing

A phishing attack that targets only specific users.

Do Not Track

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.

Health Breach Notification Rule

A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

Data Classification

A scheme that provides the basis for managing access to, and protection of, data assets.

Substance Testing

A screening to identify drug use. Substance testing can be used in a variety of settings such as preemployment, reasonable suspicion, routine testing, post-accident testing or randomly.

PCI Data Security Standard (PCI-DSS)

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties.

Cookie

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user's browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called "cookie identifiers," as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive

Privacy Notice

A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices.

Preemption

A superior government's ability to have its law(s) supersede those of an inferior government. For example, the U.S. federal government has mandated that no state government can regulate consumer credit reporting.

Behavioral Advertising

Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) 1989

After the savings and loans crisis of the 1980s, the U.S Congress passed FIRREA to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a Financial institution fails to comply with the information privacy requirements contained in GLBA.

National Do-Not-Call Registry

Allows U.S. consumers to place their phone number on a national list, preventing calls from unsolicited telemarketers. This registration is now permanent and can be enforced by the Federal Trade Commission, Federal Communication Commission and state attorneys general with up to a $16,000 fine per violation. Cell phones are protected from any unsolicited automatic-dialed calls through other FCC regulations.

Data Matching

An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.

EU-U.S. Safe Harbor Agreement

An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).

Privacy Assessment

An assessment of an organization's compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts. -measures how closely the organization's practices align with its legal obligations and stated practices and may rely on subjective information such as employee interviews/questionnaires and complaints received, or objective standards, such as information system logs or training and awareness attendance and test scores. -may be conducted internally by an audit function or by external third parties. It is also common in some jurisdictions for the privacy/data protection officer to conduct assessments. The results are documented for management sign-off, and analyzed to develop recommendations for improvement and a remediation plan. Resolution of the issues and vulnerabilities noted are then monitored to ensure appropriate corrective action is taken on a timely basis.

Multi-Factor Authentication

An authentication process that requires more than one verification method (see Authentication), such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject.

Employment at Will

An employment contract can be terminated by either the employer or the employee at any time for any reason.

Smart Grid

An energy system that manages electricity consumption through continuous monitoring, remote computerization and automation. The traditional electric transmission system required physically sending workers into the field to periodically read customer meters and find where problems existed in the grid. Smart grid operators; however, can remotely monitor and control the use of electricity to each home or business.

Established Business Relationship

An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.

Data Subject

An identifiable living person who the data is held about.

Sedona Conference

An important source of standards and best practices for managing electronic discovery compliance through data retention policies. Regarding email retention, the Sedona Conference offers four key guidelines: 1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units; 2. such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice; 3. interdisciplinary teams should reach consensus as to policies while looking to industry standards; 4. technical solutions should meet and parallel the functional requirements of the organization.

Equal Employment Opportunity Commission (EEOC)

An independent U.S. federal agency that enforces laws against workplace discrimination. The EEOC investigates discrimination complaints based on an individual's race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.

Rectification

An individual's right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.

Right of Access

An individual's right to request and receive their personal data from a business or other organization.

Privacy Policy

An internal statement that governs an organization or entity's handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

Commercial Electronic Message

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

Protected Health Information (PHI)

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.

Data Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consumer Reporting Agency (CRA)

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

Do-Not-Call Implementation Act of 2003

Grants the authority to the Federal Trade Commission to create the National Do-Not-Call Registry in the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations. Originally consumers would have to re-register their numbers with the FTC every five years for continued prevention, but the Do-Not-Call Improvement Act of 2007 extended registration indefinitely. Violations can be enforced by the FTC, Federal Communications Commission, and state attorneys general with up to a $16,000 fine per violation.

HITECH Act

Health Info Technology for Economic & Clinical Health Act. Part of ARRA. Additional privacy regulations on top of HIPAA, breach notification rules & stiffer civil and criminal penalties for security violations

Dodd-Frank Wall Street Reform and Consumer Protection Act

In 2010 the U.S. Congress passed the Dodd-Frank Act to reorganize and improve financial regulation. Among other reforms it put in place, the Dodd-Frank Act created the Consumer Financial Protection Bureau and granted it rule-making authority over FCRA and GLBA as well as a few other regulations.

Medical Information

Information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics or other medical or medically related facilities.

Territorial Privacy

It is concerned with placing limitations on the ability of one to intrude into another individual's environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into an individual's territorial privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures.

HIPAA Security Rule

Law that requires covered entities to establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information.

Comprehensive Laws

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.

Substitute Notice

Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore allow substitute notification methods. In Connecticut, for example, "Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agency if the person maintains one, and (C) notification to major state-wide media, including newspapers, radio and television."

Communications Privacy

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

Fair Credit Reporting Act (FCRA)

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.

Opt-In

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

CCTV

Originally an acronym for "closed circuit television," CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

Adequate Level of Protection

Required to transfer Personal data from European Union to international organization Following must be met: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data.

Red Flags Rule

Requires financial institutions and creditors to implement measures to detect and prevent identity theft. Created by the Federal Trade Commission (FTC) under the authority of the Fair and Accurate Credit Transactions Act of 2003. The original FTC rule was circumscribed by the Red Flag Program Clarification Act of 2010, which limited the definition of "creditors" to exclude any creditor "that advances funds on the behalf of a person for expenses incidental to a service." The act in effect allowed lawyers, some doctors and other service type companies to avoid implementing Red Flag credit measures.

California Financial Information Privacy Act

The California Financial Information Privacy Act became effective as of July 1, 2004. This act stated that a financial institution may not share or sell a consumer's nonpublic personal information without first obtaining the consumer's consent.

GET method

The GET method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser's address bar, less secure than the POST method.

GINA 2008

The Genetic Information Nondiscrimination Act makes it unlawful to misuse genetic information to discriminate in health insurance and employment.

Federal Communications Commission (FCC)

The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable. The Federal Communications Commission has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act.

Federal Trade Commission (FTC)

The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

Fair and Accurate Credit Transactions Act (2003)

The act mandates that credit reporting agencies allow consumers to obtain a free credit report once every twelve months it allows consumers to request alerts when a creditor suspects identity theft and gave the Federal Trade Commission (FTC) authority to promulgate rules to prevent identity theft. The FTC used the authority to create the Red Flags Rule. An expansion of the Fair Credit Reporting Act which focuses on consumer access and identity theft prevention.

Re-Identification

The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization) . Often invoked as a "risk of re-identification" or "re-identification risk," which refers to nullifying the de-identification actions previously applied to data (see De-identification).

Information Privacy

The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Computer Forensics

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

European Commission

The executive body of the European Union. Its main function is to implement the EU's decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.

Telephone Consumer Protection Act of 1991 (TCPA)

The first enactment of laws limiting unsolicited and automated telemarketing for both telephone and fax communications. -gives rule-making authority to the Federal Communications Commission, allowing it to make further regulations in this area. -prevents faxing without consent from the recipient and requires companies to create and honor internal do-not-call registries Most notably the act creates a private right of action for those receiving unsolicited faxes, carrying a $500 fine per violation and any damages sustained because of the fax.

Redaction

The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding. Specifically, attorneys are required to redact documents so that no more than the following information is included in court filings: (1) The last four digits of the Social Security number and taxpayer-identification number; (2) the year of the individual's birth; (3) if the individual is a minor, only the minor's initials, and (4) the last four digits of the financial account number.

Personal Data

The predominant term for Personal Information in the European Union, defined broadly in the General Data Protection Regulation as any information relating to an identified or identifiable natural person.

OECD Guidelines

The principles: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation Accountability The most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data.

Information Security

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

Cloud Computing

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a "private cloud" or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

Digital Fingerprinting

The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor's web browser, operating system and font preferences. In some cases, combining this information can be used to "fingerprint" a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same. It is used as a security technique by financial institutions and others initiating additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies; however, have questioned what would constitute sufficient notice and consent for digital fingerprinting techniques to be used for targeted advertising.

Consent

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual's way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn't opt out. (1) Affirmative/Explicit Consent: A requirement that an individual ""signifies"" his or her agreement with a data controller by some active communication between the parties. (2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

existing business relationship

an existing business relationship exists when a transaction has taken place in the last 18 months or an offer has been requested in the last 3 months.

Commercial Activity

any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

Deceptive Trade Practices

corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by the Federal Trade Commission at the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.

Adverse Action

credit and employment actions affecting consumers that can be considered to have a negative impact such as denying or canceling credit or insurance, or denying employment or promotion. Under the FCRA No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.

Data Flow Diagram

illustrates the movement of information between external entities and the processes and data stores within the system

Anti-discrimination laws

indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.

NCLB (No Child Left Behind)

mandated sanctions against schools that failed to meet federal performance standards; part of his campaign pledge to end "low expectations".

Value-Added Services

non-core services; i.e., services beyond voice calls and fax transmissions. the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered value-added services, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), also known as a content provider (CP) such as Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.

PPA (Privacy Protection Act)

of 1980 protects the media against house searches. An exception applies if the person or organization in question has committed a crime itself or threatens to commit a crime. Having such information does not count as such a crime.

Bring Your Own Device (BYOD)

policy allowing employees to use their personal mobile devices and computers to access enterprise data and applications

Data Quality

the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application. A fair information practices principle