10 Core Principles of Privacy
24 Questions

Questions and Answers

Which of the following is a core principle of the General Data Protection Regulation (GDPR)?

  • Lack of user rights
  • Unlimited data collection
  • Transparency in data handling (correct)
  • Data retention without consent

What is the primary function of the Health Insurance Portability and Accountability Act (HIPAA)?

  • Regulates telemarketing practices
  • Protects health information (correct)
  • Protects financial data
  • Governs social media data sharing

Which law would apply specifically to the protection of children's online privacy?

  • Children's Online Privacy Protection Act (COPPA) (correct)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • General Data Protection Regulation (GDPR)

The California Consumer Privacy Act (CCPA) is primarily focused on which aspect of privacy?

Data transparency and consumer rights (B)

Which statement accurately describes a notable difference between EU and US privacy laws?

EU privacy laws, like GDPR, apply universally, while US laws lack a unified approach. (A)

What does the term 'composable risk' refer to in the context of privacy?

The risk of combining non-PII to identify individuals (C)

Which of the following privacy types ensures confidentiality of personal communications?

Communicational Privacy (A)

What is a significant feature of informational privacy?

Handling of personal data and information (A)

What is the main purpose of COPPA?

Protects children's online privacy (B)

Which of the following is a right granted under the CCPA?

Right to opt-out of data sales (A)

What key principle ensures organizations are answerable for protecting personal data?

Accountability (B)

Which legislation is primarily focused on health data privacy in the U.S.?

HIPAA (A)

What does GDPR primarily regulate?

Personal data protection in the EU (B)

Which principle emphasizes that individuals should have access to their personal data?

Individual Access (D)

Which of the following is a foundational right under the Canadian Charter?

Protection against unreasonable search and seizure (D)

What does privacy law interpretation rely heavily on?

Understanding case law and legal precedents (B)

Which of the following best describes the primary focus of HIPAA?

To ensure the confidentiality of Protected Health Information (C)

What is a key requirement of COPPA?

Parental consent is required for collecting personal information of children. (A)

How does the California Consumer Privacy Act (CCPA) empower users?

By granting users the right to know about their data usage (A)

What characterizes the U.S. privacy framework compared to GDPR?

It lacks uniformity and prioritizes commercial interests. (A)

Which of the following is true about GLBA?

It regulates financial institutions' information sharing practices. (A)

What additional capability does the California Privacy Rights Act (CPRA) provide over CCPA?

It introduces stricter rules and a private enforcement agency. (C)

What is a notable characteristic of China's privacy laws compared to the U.S. laws?

China's laws prioritize individual privacy rights similarly to U.S. laws. (B)

Why do U.S. privacy laws tend to lack uniformity?

They are influenced by various state-level regulations. (B)

Flashcards

HIPAA

Federal law protecting patient health information (PHI).

COPPA

Federal law regulating online collection and use of kids' data.

GLBA

Federal law governing financial data collection and use.

CCPA

California law granting privacy rights to consumers.

CPRA

California law expanding CCPA rules; stricter regulations.

Fragmented Privacy Framework

US privacy laws are not centralized; they differ in each area.

Limited Federal Oversight

US privacy enforcement lacks one central entity.

China's Privacy Approach

China's privacy framework prioritizes commercial interests and comprises several main laws and regulations.

COPPA

US law protecting children's online privacy.

CCPA

California law giving consumers control over personal data.

Privacy Principles (Canada)

10 core rules for handling personal data in Canada.

Accountability (Privacy)

Organizations responsible for protecting personal data, even if shared with others.

Consent (Privacy)

Individuals must agree to data collection, use and sharing.

Privacy Rights (Canada)

Protect the data of Canadians. Canadian law gives people power over their personal data.

Canadian Charter, Section 8

Guarantees protection against excessive government searches and surveillance in Canada.

Privacy Complaints Process

How issues related to privacy are handled and resolved by a review body.

Composable Risk

Risk of non-personal info combining to reveal personal information.

Privacy (Definition)

Control over personal info: how, when, and how much is shared.

Physical Privacy

Protection from intrusion into personal spaces.

Informational Privacy

Protection of personal data (financial, health, etc.).

EU GDPR

EU law governing data handling of EU residents.

FIPPA

Ontario government data privacy law.

Health Info Exceptions

Laws that exempt health info custodians regarding certain information.

Types of Privacy

Physical, informational, communicational, and territorial dimensions of privacy rights.

Study Notes

10 Core Principles of Privacy

  • Accountability: Organizations are responsible for any breaches or damage to information.
  • Consent: Data owners must give consent to use their data.
  • Purpose: Data is used only for the specified reason.
  • Limitation: Only necessary data is collected.
  • Limits, Breach, and Disclosure: Data is handled appropriately after use.
  • Accuracy: Data must be correct and up-to-date.
  • Safeguards: Data is protected against loss, theft, unauthorized access, and copying.
  • Openness: Data handling practices must be transparent.
  • Individual Access: Individuals have access to their data and can challenge its accuracy.
  • Challenge Compliance: Questions and complaints about data handling are addressed.

Accountability and Compliance

  • Accountability: The organization has responsibility if data is harmed.
  • Consent: Obtaining agreement from owners before using or disclosing.
  • Purpose: Collection and use of data aligned with intended objective.
  • Limitation: Collected data is restricted to what's needed.
  • Breach/Disclosure Limits: Handling data appropriately after intended use.
  • Accuracy: Data must be accurate and updated.
  • Safeguards: Processes ensure data security and protection.
  • Transparency: Open communication about data handling.
  • Individual Access: Data owners have access to their data.
  • Challenge Compliance: Mechanism to address complaints about data handling.

Types of Privacy

  • Physical Privacy: Protecting physical space from intrusion.
  • Informational Privacy (Personal): Protecting sensitive personal data.
  • Informational Privacy (Government/Corporate): Protecting sensitive government and corporate data.
  • Legal Privacy: Protecting information related to law, security and commercial activity.
  • Digital Privacy: Protecting information collected digitally (data storage, cyberattacks, etc.)

PIPEDA (Canada)

  • Personal Information Protection and Electronic Documents Act: Law in Canada that regulates personal information management.
  • Purpose: Regulate organizations handling personal information (digital or physical).
  • Compliance Requirements: Obtain consent, collect only necessary data, keep accurate and up-to-date information, ensure security, and be transparent.

GDPR (Europe)

  • General Data Protection Regulation: EU law regulating how organizations handle personal data.
  • Purpose: Give individuals more control over their information, and make companies justify their data handling.
  • Rights: Access, rectification, deletion, and objection to the use of information.

US Privacy Approach

  • Decentralized: Different privacy standards depending on sector and state.
  • Federal Laws: Various laws cover specific areas (health, children's online activity).

GLBA (US)

  • Gramm-Leach-Bliley Act: US law that regulates financial institutions' information handling.
  • Purpose: Regulate financial institutions' handling of customers' financial information and practices.
  • Requirement: Provide customers with information about their info-sharing practices, along with the ability to opt out of certain data shares.

California Consumer Privacy Act (CCPA) (US)

  • California consumer rights: User rights regarding personal data (right to know, right to delete, and to avoid sales).
  • Expansion (CPRA): Stricter rules and a designated enforcement agency.

China's Privacy Approach

  • Multifaceted: Multiple laws, not just one law.
  • Priorities: Commercial innovation with individual privacy rights.
  • Three Primary Pillars: Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL)

Privacy Principles (Canada's)

  • Accountability: Organizations are responsible for their activities.
  • Identifying Purposes: Purpose of data collection must be clear.
  • Consent: Individuals consent to data collection, use, and disclosure.
  • Collection Limitation: Necessary data is collected.
  • Use Limitation: Info used for original, stated purpose.
  • Disclosure Limitation: Minimized disclosure unless necessary.
  • Accuracy: Data is accurate, up-to-date, and complete.
  • Safeguards: Data protection measures according to sensitivity.
  • Openness: Data handling practices transparently communicated.
  • Individual Access: Individuals can view and correct their data.

Description

Test your knowledge on the 10 core principles of privacy that guide organizations in data protection and management. Understand concepts like accountability, consent, and individual access rights as you explore the significance of each principle in safeguarding personal information.
