IT2028 Information Privacy Concepts

Questions and Answers

What does personally identifiable information (PII) include?

• Only financial and educational information
• Information that is not related to an individual's characteristics
• Only information about birth and race
• Any information that can distinguish or trace an individual's identity (correct)

Which of the following is a principle of Privacy by Design (PbD)?

• Implementing privacy measures only at the end of development
• Ignoring privacy during system development
• Focusing only on user consent after system implementation
• Taking privacy requirements into account throughout system development (correct)

Which of these is NOT considered personally identifiable information?

• Medical information
• Email content (correct)
• Internet Protocol (IP) address
• Photographic images

What are system privacy requirements primarily aimed at defining?

Capabilities to protect privacy and performance characteristics (A)

What was the foundational principle for PbD that was widely adopted by policymakers?

Incorporating privacy in every stage of system development (D)

What does the term 'privacy engineering' refer to?

Implementing technical measures to protect privacy in systems (B)

Which type of information is considered an asset in terms of PII?

Biometric images and fingerprints (C)

What is the main goal of privacy requirements in system development?

Detailing protection capabilities and ensuring privacy is maintained (B)

What is the primary goal of security risk assessment?

To express an expectation of loss related to potential threats. (A)

Which of the following is NOT a component of the risk management cycle?

Continuous resource allocation. (B)

From where are privacy requirements derived?

Sources such as laws, regulations, and stakeholder expectations. (C)

What is essential for ensuring that privacy requirements are satisfied?

Monitoring and assessing the effectiveness of controls. (C)

Which statement best describes the security risk management process?

It involves a structured approach to asset valuation and control implementation. (C)

What does the principle of 'privacy as the default' require organizations to do?

Only process necessary data to achieve specific purposes (C)

What is the primary focus of the proactive approach in Privacy by Design (PbD)?

Anticipating and preventing privacy issues (D)

Which of the following describes the primary activities involved in integrating privacy into an information system?

Designing and operating privacy features within the system (B)

What are security controls specifically designed to protect?

Confidentiality, integrity, and availability of information (C)

Which is NOT a major principle of Privacy by Design (PbD)?

Privacy through technology alone (C)

What is the role of technical and managerial controls in the context of privacy protection?

They are used to select protections for potential vulnerabilities. (B)

What defines the foundational principles of Privacy by Design?

Integration of privacy at all stages of system development (A)

Which of the following is a characteristic of the approach 'proactive, not reactive' in privacy design?

Identifying and addressing potential issues before they arise (B)

What is the primary role of privacy embedded into the design?

To ensure privacy controls are naturally integrated, not added later (D)

What does the principle of full functionality imply?

There should be balanced solutions that do not compromise privacy for system performance (B)

What does 'end-to-end security' refer to?

Consistent protection of PII throughout its entire life cycle (D)

Which of the following is a goal of privacy controls?

To reduce the likelihood of privacy threats through effective measures (B)

What is the focus of privacy engineering?

To integrate privacy considerations throughout the life cycle of ICT systems (C)

What does visibility and transparency in privacy by design aim to assure?

That users and stakeholders are informed about privacy practices and controls (A)

Which of the following actions is part of implementing effective privacy controls?

Changing how PII is processed to minimize risks (B)

How should privacy aims be described relative to system architecture?

As core and integrated functions of both design and architecture (C)

What is the primary purpose of a Privacy Impact Assessment (PIA)?

To ensure compliance with privacy-related legal and regulatory requirements (A)

Which of the following steps is NOT part of the Privacy Impact Assessment (PIA) process?

Selecting marketing strategies (A)

What is meant by the term 'iterative process' in the context of risk management?

It involves repeating steps to refine or adjust based on new information (C)

Which aspect is emphasized by privacy engineering and security objectives?

Enhancing capabilities to implement privacy policies (A)

In which stage of the PIA process is privacy and security controls selected?

After the privacy risk assessment (A)

What does the examination and evaluation of protections in a PIA aim to achieve?

Mitigation of potential privacy risks (D)

Which of the following statements best describes the role of privacy in risk management?

Privacy considerations are integral to overall risk management strategies (C)

Why is it important to adjust privacy and security measures in an organization regularly?

To address changes in technology and legal requirements (A)

Flashcards are hidden until you start studying

Study Notes

Information Privacy Concepts

• Information privacy relates to personally identifiable information (PII), which identifies or traces an individual's identity.
• Types of PII include demographic details (birth, race, religion), employment, medical, educational, and financial information.
• Personal characteristics include images, fingerprints, and biometric data.
• Asset information comprises identifiers like Internet Protocol (IP) addresses and media access control (MAC) addresses.

Privacy by Design Principles (PbD)

• PbD is aimed at integrating privacy requirements throughout system development, from conception to operation.
• System privacy requirements are derived from laws, standards, regulations, and stakeholder expectations.
• PbD principles prioritize proactive measures, meaning issues are anticipated and addressed before they arise.

Key Principles of Privacy by Design

• Privacy as the Default: Organizations must only process necessary data and protect PII during all stages of its lifecycle.
• Privacy Embedded into Design: Privacy should be integral to IT system design rather than an afterthought.
• Full Functionality: Solutions should balance privacy, security, and system functionality without trade-offs.
• End-to-End Security: Protect PII throughout its lifecycle from collection to destruction, avoiding protection gaps.
• Visibility and Transparency: Assure stakeholders that privacy-related practices are being effectively executed.

Privacy and Security Control Selection

• Privacy protection necessitates both privacy-specific controls and broader information security controls.
• Security controls are measures aimed at safeguarding the confidentiality, integrity, and availability of information.

Privacy Engineering

• Privacy engineering incorporates privacy considerations throughout the entire lifecycle of information and communication technology (ICT) systems.
• Techniques in privacy engineering help mitigate privacy risks, focusing on effective resource allocation and control implementation.

Risk Management in Privacy

• Risk management includes asset valuation, control selection, and continuous monitoring.
• Privacy impact assessments (PIA) evaluate how information is handled, ensuring compliance with legal and policy requirements.
• PIA consists of assessing privacy risks and selecting controls to mitigate potential threats.

Privacy Objectives

• Privacy engineering aims to execute organizational policies and ensure system privacy requirements are met.

Summary of Risk Management Process

• The risk management cycle is iterative, involving identification, assessment, selection, and implementation of privacy and security controls as a structured process.