Textbook Key

F: Foundations of Information Privacy and Data Protection

US: U.S. Private-sector Privacy

C: Canadian Privacy

E: European Privacy

G: U.S. Government Privacy

IT: Privacy in Information Technology

M: Privacy Program Management

Find the terms that relate to the program or designation you are studying for by using the tabs below to narrow your search.




Accountability

A fair information practices principle, it is the idea that when personal information is to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with other fair use principles.

Reference(s) in IAPP Certification Textbooks: F18, 21-22; US34-35; C39, 101, 122; E8; G13; M35

Return to top


Act Respecting the Protection of Personal Information in the Private Sector

A Québéquois privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It came into force in 1994 and espouses three principles: (1) Every person who establishes a file on another person must have a serious and legitimate reason for doing so; (2) The person establishing the file may not deny the individual concerned access to the information contained in the file; (3) The person must also respect certain rules that are applicable to the collection, storage, use and communication of this information.

Reference(s) in IAPP Certification Textbooks: F48-49, C35-37

Return to top


Adequate Level of Protection

A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by the European Commission, an Article 29 Working Group Opinion, an opinion of the article 31 Management Committee, a right of scrutiny by the European Parliament and adoption by the European Commission.

Reference(s) in IAPP Certification Textbooks: F36-37; C24; E38, 175-178, 295

Associated term(s): Adequacy

Return to top


Administrative Purpose

The use of personal information about an individual in Canada in a decision-making process that directly affects that individual.

Reference(s) in IAPP Certification Textbooks: C68

Return to top


Adverse Action

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.

Reference(s) in IAPP Certification Textbooks: US60-61; C124

Associated law(s): FCRA

Return to top


Alberta PIPA

A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.

Reference(s) in IAPP Certification Textbooks: C31

Associated law(s): PIPEDA

Return to top


American Institute of Certified Public Accountants

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

Reference(s) in IAPP Certification Textbooks: C61-62; M50, 86

Acronym(s): AICPA

Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust

Return to top


Anonymity, Privacy, and Security Online

This survey by the Pew Research Center’s Internet Project asked 1,002 adults about their Internet habits. It is laid out in five parts: the quest for anonymity online; concerns about personal information online; who internet users are trying to avoid, the information they want to protect; how users feel about the sensitivity of certain kinds of data; online identity theft, security issues and reputational damage. (2013)
Read Now (PDF 289K)

Return to top


APEC Privacy Principles

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Reference(s) in IAPP Certification Textbooks: F19-20; US40-41; C120-122; G11-13; M27

Return to top


Authentication

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. Authentication identified as an individual based on some credential; i.e. a password, biometrics, etc. Authentication is different from authorization. Proper authentication ensures that a person is who he or she claims to be, but it says nothing about the access rights of the individual.

Reference(s) in IAPP Certification Textbooks: F94-95, 124, 128; C59

Associated term(s): Authorization

Return to top


Background Screening/Checks

Verifying an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity.

Reference(s) in IAPP Certification Textbooks: F39, 98; US158-164; E215; G158

Return to top


BC PIPA

A privacy law in the Canadian province of British Columbia, similar to PIPEDA, that came into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.

Reference(s) in IAPP Certification Textbooks: C32

Associated law(s): PIPEDA

Return to top


Behavioral Advertising

The act of tracking users’ online activities and then delivering ads or recommendations based upon the tracked activities.

Reference(s) in IAPP Certification Textbooks: F134; US22, 24; C45-47; E261-264

Acronym(s): OBA

Associated term(s): Online Behavioral Advertising, Behavioral Targeting

Return to top


Bodily Privacy

One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

Reference(s) in IAPP Certification Textbooks: F2

Return to top


Breach Disclosure

The requirement that a data controller notify regulators and victims of incidents affecting the confidentiality and security of personal data. It is a transparency mechanism highlights operational failures, this helps mitigate damage and aids in the understanding of causes of failure.

Reference(s) in IAPP Certification Textbooks: F108-111; US117-118; C60-61, C129; E42, E159-161; G101-103

Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws

Associated term(s): Breach notification

Return to top


Canada’s Anti-Spam Legislation

Canadian anti-SPAM legislation applying to all forms of electronic messaging. It requires that when a commercial electronic message (CEM) is sent, consent, identification and unsubscribing requirements must be complied with. Typically, consent from the recipient must be obtained before a CEM is sent. There are, however, a number of exceptions to the need for consent.

Reference(s) in IAPP Certification Textbooks: C37-38

Acronym(s): CASL

Return to top


Canadian Institute of Chartered Accountants

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualification, standard setting and communications

Reference(s) in IAPP Certification Textbooks: C6, 61; M50, 86

Acronym(s): CICA

Return to top


Canadian Organization for the Advancement of Computers in Health

A Canadian health infomatics association whose mission is to promote health technology systems and the effective use of health information.

Reference(s) in IAPP Certification Textbooks: C105

Acronym(s): COACH

Return to top


Canadian Standards Association

A non-profit standards organization that developed its own set of privacy principles and broke the OECD’s code into ten principles: (1) Accountability; (2) Identifying purposes; (3) Consent; (4) Limiting Collection; (5) Limiting Use, Disclosure, and Retention; (6) Accuracy; (7) Safeguards; (8) Openness; (9) Individual Access; (10) Challenging Compliance. These ten principles would go on to be listed in PIPEDA.

Reference(s) in IAPP Certification Textbooks: F49; C18-19

Acronym(s): CSA

Associated term(s): CSA Privacy Principles

Return to top


Charter Rights

Rights created by the Canadian Charter of Rights and Freedoms. They are constitutional rights and thus are considered to be the most valued rights in Canada. The Charter of Rights and Freedoms was made part of the Canadian Constitution in 1982.

Reference(s) in IAPP Certification Textbooks: C8

Return to top


Children’s Online Privacy Protection Act (COPPA) of 1998

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy policy on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

Reference(s) in IAPP Certification Textbooks: F43, 126-127; US107-11; C127-128; G94-98; M9, 38, 146

Acronym(s): COPPA

Associated term(s): 15 U.S.C. §§ 6501-6508

Return to top


Choice

An individual’s ability to determine whether or how their personal information may be used or disclosed by the entity that collected the information. Also, the ability of an individual to limit certain uses of their personal information. For example; an individual may have choice about whether to permit a company to contact them or share their data with third parties. Can be express or implied.

Reference(s) in IAPP Certification Textbooks: F16; US6, 21; C62, 115, 121; E105-106

Associated term(s): Consent

Return to top


Closed Circuit Television

Systems of cameras, monitors and recording equipment that are not used for broadcasting but are connected to a closed network by cables. CCTV is used primarily for video surveillance of premises.

Reference(s) in IAPP Certification Textbooks: F11; US168; C165; E228, 233-238

Acronym(s): CCTV

Associated term(s): Video Surveillance

Return to top


Collection Limitation

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Reference(s) in IAPP Certification Textbooks: F17, 20; M35

Return to top


Commercial Activity

Under PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

Reference(s) in IAPP Certification Textbooks: F49; US16; C27

Return to top


Commercial Electronic Message

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

Reference(s) in IAPP Certification Textbooks: US96-97, 99; C37

Acronym(s): CEM

Return to top


Communications Privacy

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

Reference(s) in IAPP Certification Textbooks: F2; US85-102; C3-4

Return to top


Comprehensive Laws

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.

Reference(s) in IAPP Certification Textbooks: F31-32; C4-5

Associated term(s): Omnibus Laws

Return to top


Computer Forensics

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

Reference(s) in IAPP Certification Textbooks: F107; C4-5

Return to top


Confidentiality

The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.

Reference(s) in IAPP Certification Textbooks: F77, G46

Return to top


Consent

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice (see Choice) about the use or disclosure of his or her information, consent is the individuals’ way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out. (1) Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties. According to the EU Data Protection Directive, explicit consent is required for processing of sensitive information. Further, data controllers cannot infer consent from non-response to a communication. (2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Reference(s) in IAPP Certification Textbooks: F16; C28, G178

Associated term(s): Choice

Return to top


Convention 108

The first legally binding international instrument in the area of data protection. It requires signatories to take steps to ensure fundamental human rights with regard to the processing of personal information.

Reference(s) in IAPP Certification Textbooks: E9

Associated term(s): The Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data

Return to top


Cookie

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their user name and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer.

Reference(s) in IAPP Certification Textbooks: F38, 75, 135-137; C46; E274-275; G37, 95, 97

Associated term(s): First-Party Cookie, Persistent Cookie, Session Cookie, Third-Party Cookie, Tracking Cookie, Web Cookie

Return to top


CSA Privacy Principles

The Canadian Standards Association (CSA) ten privacy principles are based on the OECD Guidelines and serve as the basis of Canada’s PIPEDA.

Reference(s) in IAPP Certification Textbooks: C18; G8-9

Associated term(s): Canadian Standards Association

Associated law(s): PIPEDA

Return to top


Customer Access

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

Reference(s) in IAPP Certification Textbooks: F122-123; US58; G13

Return to top


Customer Information

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

Reference(s) in IAPP Certification Textbooks: F10

Return to top


Data Breach

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Reference(s) in IAPP Certification Textbooks: F104-111; G5-6, 115

Associated term(s): Breach, Privacy Breach (Canadian)

Return to top


Data Controller

An entity that has the authority over the processing of personal information. This entity is the focus of most obligations under privacy and data protection laws. It controls the use of personal data by determining the purposes for its use and the manner in which the data will be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.

Reference(s) in IAPP Certification Textbooks: F8; E57-59, 288; G10-11

Associated term(s): Data Processor

Return to top


Data Elements

The different types of personal information processed by data processors. Typical data elements include name, date of birth and numerical identifiers. Organizational data elements tied to both individuals as well as organizations include business addresses, business phone numbers, business e-mail addresses and related information.

Reference(s) in IAPP Certification Textbooks: F5; US49

Return to top


Data Processing

Any operation or set of operations which is performed on personal data, such as collecting; recording; organizing; storing; adapting or altering; retrieving; consulting; using; disclosing by transmission, dissemination or otherwise making the data available; aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.

Reference(s) in IAPP Certification Textbooks: F35-36

Associated term(s): Data Processor, Processing, Processor

Return to top


Data Processor

An individual or organization that processes data on behalf of the data controller. Although they are often third-party providers, a data controller can also be a data processor.

Reference(s) in IAPP Certification Textbooks: F8; E57, 61-62, 288

Associated term(s): Data Controller, Processor

Return to top


Data Protection Authority

An official or body that ensures compliance with data protection laws and investigates alleged breaches of the laws’ provisions.

Reference(s) in IAPP Certification Textbooks: F31; E39; M41

Acronym(s): DPA

Return to top


Data Quality

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Reference(s) in IAPP Certification Textbooks: F22; C19; E2; G10, 20; M35

Return to top


Data Recipient

A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.

Return to top


Data Subject

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.

Reference(s) in IAPP Certification Textbooks: F8; E63; G10, 137

Return to top


De Novo

A Latin expression meaning “from the beginning,” “anew” or “beginning again.” In a legal context, a de novo hearing is one in which a higher authority can make a new decision, entirely ignoring the findings and conclusions of a lower authority.

Reference(s) in IAPP Certification Textbooks: C54-56

Return to top


Deidentification

An action that one takes to remove identifying characteristics from data. De-identified data is information that does not actually identify an individual.

Reference(s) in IAPP Certification Textbooks: F5-7; US49; G91

Associated term(s): Anonymization, Anonymized Data, Deidentified Data, Pseudonymization, Pseudonymized Data

Return to top


Direct Marketing

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Reference(s) in IAPP Certification Textbooks: F74-75; C36; E176

Return to top


Do Not Track

A proposed regulatory policy, similar to the existing Do Not Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.

Reference(s) in IAPP Certification Textbooks: F75, 134; US22, 24

Acronym(s): DNT

Return to top


Electronic Communications Network

Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.

Acronym(s): ECN

Return to top


Electronic Communications Service

Any service which provides to users thereof the ability to send or receive wire or electronic communications.

Acronym(s): ECS

Return to top


Electronic Health Record

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers.

Reference(s) in IAPP Certification Textbooks: US52; C104

Acronym(s): EHR

Associated law(s): HIPAA, HITECH

Return to top


Employee Information

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.

Reference(s) in IAPP Certification Textbooks: F39, 71-73; US158-175; C17

Return to top


Employee Personal Data

A high level of protection is required for employee personal data in the EU. The notice and choice principles of the EU Directive should be honored for all employee data, meaning that an employee should be given notice of the company’s intent to share the information and give the employee the choice not to share this information.

Reference(s) in IAPP Certification Textbooks: E211-214

Return to top


Encryption

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys.

Reference(s) in IAPP Certification Textbooks: F34, 88-89, 96-97, 124-125; US35; G7, 93, 121, 158

Return to top


EU Data Protection Directive

Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46EC) which protects individuals’ privacy and personal data use. The Directive was adopted in 1995, became effective in 1998 and protects individuals’ privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality and transparency principles, data security and confidentiality, data subjects’ rights of access, rectification, deletion and objection, restrictions on onwards transfers, additional protection where special categories of data and direct marketing are involved and a prohibition on automated individual decisions. The Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The Directive’s key provisions impose severe restrictions on personal data processing, grant individual rights to “data subjects” and set forth specific procedural obligations including notification to national authorities. This was followed in 1997 by a more specific directive for the telecom sector (97/66/EC), which was replaced in mid-2002 by the European institutions to adapt it to new technologies and business practices (2002/58/EC). The Directive has been supplemented by additional directives including a specific provision for e-commerce.

There is currently a proposal from the European Commission for an EU Data Protection Regulation that would supersede the directive if passed.

Reference(s) in IAPP Certification Textbooks: F18-19, 34-41; E37; M30, 39

Associated term(s): Data Protection Directive

Return to top


European Commission

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.

Reference(s) in IAPP Certification Textbooks: E274, 296

Return to top


European Convention for the Protection of Human Rights and Fundamental Freedoms

A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that “(e)veryone has the right to respect for his private and family life, his home and his correspondence.” Article 8 of the Convention limits a public authority’s interference with an individual’s right to privacy, but acknowledges an exception for actions in accordance with the law and necessary to preserve a democratic society.

Reference(s) in IAPP Certification Textbooks: F3; C5; E29

Return to top


Fair Credit Reporting Act, The

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.

Reference(s) in IAPP Certification Textbooks: F4, 42; US57-64; C123-124; G147; M38

Acronym(s): FCRA

Associated law(s): Fair and Accurate Credit Transactions Act of 2003 (FACTA)

Return to top


Federal Trade Commission

The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

Reference(s) in IAPP Certification Textbooks: F43; US14-20

Acronym(s): FTC

Associated law(s): FTC Act

Return to top


Four Classes of Privacy

Four main areas of privacy are of particular interest with regard to data protection and privacy laws and practices: information privacy, bodily privacy, territorial privacy, and communications privacy.

Reference(s) in IAPP Certification Textbooks: F2

Return to top


Generally Accepted Privacy Principles

A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.

Reference(s) in IAPP Certification Textbooks: C61-62; M30, 49-50, 128

Acronym(s): GAPP

Return to top


GET Method

The GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and is thus less secure than the POST method.

Associated term(s): POST Method

Return to top


Global Privacy Enforcement Network

GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world. Another cross-border enforcement cooperation effort is the Asia-Pacific Economic Cooperation

Reference(s) in IAPP Certification Textbooks: US25

Acronym(s): GPEN

Return to top


House of Commons

One of two chambers of the Canadian Parliament, along with the Senate. Members of the House of Commons are elected at least every five years.

Reference(s) in IAPP Certification Textbooks: C7

Return to top


Identifying Purposes

Integral to privacy protection is the obligation on organizations to identify and document the purposes for the collection of any personal information at or before the time of collection.

Reference(s) in IAPP Certification Textbooks: C19

Return to top


Individual Access

One of 10 privacy principles of PIPEDA. Organizations must be able to respond to requests from individuals for access to their personal information.

Reference(s) in IAPP Certification Textbooks: C19-20

Associated law(s): PIPEDA

Return to top


Individual Participation

A fair information practices principle, it is the principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Reference(s) in IAPP Certification Textbooks: F18; E20; M35

Associated term(s): FIPs

Return to top


Information Banks

Repositories of personal information that are kept by the Canadian government to comply with the Privacy Act.

Reference(s) in IAPP Certification Textbooks: C72

Associated law(s): The Canadian Privacy Act

Return to top


Information Life Cycle

Collection, processing, use, disclosure, retention, and destruction.

Reference(s) in IAPP Certification Textbooks: F13, 16; G176

Return to top


Information Privacy

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Reference(s) in IAPP Certification Textbooks: F2-4, 77-78; G8-13

Return to top


Information Security

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

Reference(s) in IAPP Certification Textbooks : F77-112; G45

Acronym(s): IS

Return to top


International Data Transfers

The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have “adequate” data protection practices.

Reference(s) in IAPP Certification Textbooks: F19, 36-37; E175-178

Return to top


Model Code for the Protection of Personal Information

A set of privacy principles developed by the Canadian Standards Association, that parallel the OECD's Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data and espouse 10 principles: Accountability, Identifying Purpose, Consent, Limiting Collection, Limiting Use, Disclosure, & Retention, Accuracy, Safeguards, Openness, Individual Access and Challenging Compliance

Reference(s) in IAPP Certification Textbooks: C19, 146

Return to top


Multi-Factor Authentication

The authentication of a user by multiple means. This is typically accomplished by a requirement for both a password and at least one other form of authentication such as a pass card, biometric scan or an "out of band" means such as a phone call.

Reference(s) in IAPP Certification Textbooks: F94-95

Associated term(s): Two-Factor Authentication; Two-Step Authentication

Return to top


OECD Guidelines

(1)The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. (2)The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. (3)The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. (4)The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 8 (below) except a) with the consent of the data subject; or b) by the authority of law. (5)The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. (6)The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. (7)The Individual Participation Principle. An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial, and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

Reference(s) in IAPP Certification Textbooks: F17-18; US13; E7-9; G10-11

Associated term(s): OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (1980)

Return to top


Omnibus Laws

Laws in which the government has defined requirements throughout the economy including public-sector, private-sector and health-sector.

Reference(s) in IAPP Certification Textbooks: US16

Return to top


Online Behavioral Advertising

Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.

Reference(s) in IAPP Certification Textbooks: F134; US22, 24; C45-47; E261-264

Return to top


Online Privacy Alliance

A coalition composed of numerous online companies and trade associations specifically established to encourage the self-regulation of online privacy. The OPA introduced the Online Privacy Guidelines.

Reference(s) in IAPP Certification Textbooks: C5-6

Acronym(s): OPA

Associated term(s): Self-regulation

Return to top


Openness

A fair information practices principle, it is the principle that there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Reference(s) in IAPP Certification Textbooks: F18, 22; C42-43; E8; M35

Return to top


Opt-In

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

Reference(s) in IAPP Certification Textbooks: F16; US38-40; C116-117; E136; G171

Associated term(s): Choice; Consent; Opt-Out

Return to top


Opt-Out

One of two central concepts of choice. It means that an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, his or her information will be shared with third parties.

Reference(s) in IAPP Certification Textbooks: F16; US38-40; C116-117; E136

Associated term(s): Choice; Consent; Opt-In

Return to top


Organization for Economic Cooperation and Development

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.

Reference(s) in IAPP Certification Textbooks: F17-18; US13, 24; C18; E7; G10-11; M27, 50

Acronym(s): OECD

Return to top


Outsourcing

Contracting business processes, such as the processing of personal information, to a third party.

Reference(s) in IAPP Certification Textbooks: C88-89; E287-292

Return to top


Perimeter Controls

Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.

Reference(s) in IAPP Certification Textbooks: F100

Associated term(s): Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Internet Protocol Security (IPSEC), Secure Sockets Layer (SSL)

Return to top


Personal Data

Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly—in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Reference(s) in IAPP Certification Textbooks: F4-7, 39

Associated term(s): Personal Information; Personally Identifying Information; Personally Identifiable Information

Return to top


Personal Information

May refer to either a generic term for information, or an EU term for such information. In the U.S., such information may be referred to as Personally Identifiable Information

Reference(s) in IAPP Certification Textbooks: F4-7, 39; G4-5; M36

Acronym(s): PI

Associated term(s): Personal Data; Personally Identifying Information; Personally Identifiable Information

Return to top


Personal Information Protection and Electronic Documents Act

A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.

Reference(s) in IAPP Certification Textbooks: F48-49; C23-31; M27

Acronym(s): PIPEDA

Return to top


POST Method

The GET and POST HTML method attributes specify how form data is sent to a web page. The POST method is more secure than GET as the GET method appends the form data to the URL allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar.

Associated term(s): GET Method

Return to top


Privacy Act, The (Canadian)

Enacted in 1983, the Act sets out rules for how institutions of the federal government must deal with personal information of individuals. It has been revised by many minor amendments, but remains substantially unaltered.

Reference(s) in IAPP Certification Textbooks: C67

Return to top


Privacy Breach (Canadian)

A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial privacy legislation.

Reference(s) in IAPP Certification Textbooks: C137

Associated term(s): Data Breach, Privacy Breach Response (Canadian)

Return to top


Privacy Breach Response (Canadian)

The guidelines for privacy breach responses were drafted in 2007 and consist of four steps: (1) Containment of the breach and preliminary assessment; (2) evaluating the associated risks; (3) notifying affected parties; (4) taking adequate steps to prevent future breaches.

Reference(s) in IAPP Certification Textbooks: C60, 138

Associated term(s): Data Breach, Privacy Breach (Canadian)

Return to top


Privacy by Design

The concept that organizations need to build privacy directly into technology, systems and practices at the design phase, thereby ensuring the existence of privacy from the outset. Originating in the mid-1990s by the Information and Privacy Commissioner of Ontario, the principle has gained recognition around the globe, including from the U.S. Federal Trade Commission and the European Commission. Privacy by Design consists of seven foundational principles: (1) Proactive not Reactive; Preventative not Remedial. Privacy by Design anticipates and prevents privacy invasive events before they happen, rather than waiting for privacy risks to materialize; (2) Privacy as the Default Setting. No action is required by individuals to maintain their privacy; it is built into the system by default. This concept has been introduced in the European Commission’s draft regulation to reform data protection. (3) Privacy Embedded into Design. Privacy is an essential component of the core functionality being designed and delivered. The FTC has adopted this principle in its proposed consumer privacy framework, calling for companies to promote consumer privacy throughout the organization and at every stage of product development. (4) Full Functionality—Positive-Sum, not Zero-Sum: Privacy by Design seeks to accommodate all legitimate interests and objectives, rather than making unnecessary trade-offs. (5) End-to-End Security—Full Lifecycle Protection. Strong security measures are essential to privacy, from start to finish of the lifecycle of data. This is another principle the FTC has adopted in its proposed consumer privacy framework.

Reference(s) in IAPP Certification Textbooks: F14-15, 128; US21; M88-90, 121-122

Acronym(s): PbD

Return to top


Privacy Commissioner of Canada

The individual who is mandated by PIPEDA to enforce the act. The commissioner has broad power to examine documents, but some documents may be shielded by solicitor-client privilege. The commissioner conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued. This individual is mandated by PIPEDA to enforce PIPEDA. Aggrieved individuals also have a right to complain to the commissioner.

Reference(s) in IAPP Certification Textbooks: C30

Associated law(s): PIPEDA

Return to top


Privacy Impact Assessments (Canadian)

The Canadian government requires all government institutions subject to the Privacy Act to conduct these assessments. The purpose behind a PIA is to evaluate whether program and service delivery initiatives that involve the collection, use or disclosure of personal information are in compliance with statutory obligations.

Acronym(s): PIAs

Return to top


Privacy Notice

A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy. Special privacy notices are also mandated by specific laws such a GLBA and COPPA in the united states.

Reference(s) in IAPP Certification Textbooks: F16; US16-18, 37; G95-97, 100

Return to top


Privacy of the Person

Protects bodily integrity, and in particular the right not to have our bodies touched or explored to disclose objects or matters we wish to conceal.

Return to top


Privacy Officer

An official responsible for the coordination and implementation of all privacy and confidentiality efforts within a government department or component. This official may be statutorily mandated, as in the Department of Homeland Security, or appointed by a department or component to handle privacy and other related matters.

Reference(s) in IAPP Certification Textbooks: G3-4, 40

Return to top


Privacy Policy

An internal statement that governs an organization or entity’s handling practices of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have.

Reference(s) in IAPP Certification Textbooks: F11; US16-18; G134-136

Return to top


Professional Regulatory Body

A body enacted pursuant to an act under which a professional or occupational group or discipline is organized and that provides for the membership in the regulation of the members of the professional or occupation group or discipline, including the registration, competence, conduct, practice and discipline of its members.

Reference(s) in IAPP Certification Textbooks: C34

Return to top


Public Records

Information collected and maintained by a government entity and available to the general public.

Reference(s) in IAPP Certification Textbooks: F7, 71

Return to top


Radio-Frequency Identification

Technologies that use radio waves to identify people or objects carrying encoded microchips.

Acronym(s): RFID

Return to top


Rectification

Closely intertwined with access, rectification is the right or ability of a data subject to correct erroneous information that is stored about them. The right is provided by the EU Data Protection Directive and the American Fair Credit Reporting Act, among other laws.

Reference(s) in IAPP Certification Textbooks: E90, 132-133

Associated term(s): Access

Associated law(s): Data Protection Directive; FCRA

Return to top


Reidentification

The process of using publicly available information to re-associate personally identifying information with data that has been anonymized.

Reference(s) in IAPP Certification Textbooks: G71-72, 91, 165-166

Associated term(s): Deidentification; anonymization

Return to top


Retention

Within the information lifecycle the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.

Reference(s) in IAPP Certification Textbooks: F16; G22

Return to top


Right of Access

Generally, the right of individuals to obtain data about themselves from data controllers upon request. The right is accorded under Article 12 of the Data Protection Directive, although member states are afforded some latitude to implement the rule. In Canada, the right is provided by PIPEDA. In the U.S., The Privacy Act provides only U.S. Citizens and lawful permanent residents right of access to their own records, whereas FOIA provides a general right of access to agency records for any requester seeking access to such records.

Reference(s) in IAPP Certification Textbooks: C76-77; E126; G28

Return to top


Right To Correct

The right for individuals to correct or amend information about themselves that is inaccurate.

Reference(s) in IAPP Certification Textbooks: C101

Return to top


Seal Programs

Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of the seal program are allowed to display the programs seal on their website.

Reference(s) in IAPP Certification Textbooks: F33-34; US24; C5

Associated term(s): Self-regulatory Model, WebTrust

Return to top


Sectoral Laws/Model

Laws that exist only in areas where the legislative body has found a particular need.

Reference(s) in IAPP Certification Textbooks: F32, 41-44; C5

Related term(s) Comprehensive Laws, Co-regulatory Model, Self-regulatory Model, Technology Based Model

Return to top


Semayne’s Case

A case recognized as establishing the "knock-and-announce rule," an important concept relating to privacy in one's home and Fourth Amendment search and seizure jurisprudence.

Reference(s) in IAPP Certification Textbooks: C2

Return to top


Senate (Canadian)

One of two chambers of the Canadian Parliament, along with the House of Commons. Unlike the House of Commons, whose members are elected, the Senate is appointed by the governor in council based upon the recommendations of the prime minister.

Reference(s) in IAPP Certification Textbooks: C7

Associated term(s): Canadian Parliament, House of Commons

Return to top


Sensitive Personal Information

That which is more significantly related to the notion of a reasonable expectation of privacy. One’s medical or financial information is often considered sensitive personal information(SPI), but other types of personal information might be as well.

Acronym(s): SPI

Return to top


SPAM

Unsolicited commercial e-mail.

Reference(s) in IAPP Certification Textbooks: F131-132; C128; E42-43, 265

Associated law(s): CASL; CAN-SPAM Act

Return to top


Technology-Based Model

The technology-based model for data protection utilizes technological security measures to protect individuals’ personal data. While it is commonplace for companies to utilize technology to protect data, developments in commercially available hardware and software have enabled consumers to establish privacy protections for their own online activity.

Reference(s) in IAPP Certification Textbooks: F34; C6-7

Associated term(s): Comprehensive Laws, Co-regulatory Model, Sectoral Laws, Self-Regulatory Model

Return to top


Territorial Privacy

One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into an individual’s territorial privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures.

Reference(s) in IAPP Certification Textbooks: F2; C2

Associated term(s): Home Privacy

Return to top


Transfer

Sending personal data cross-border or from one company to another, which is necessary for operation of the company or for providing a service to a customer.

Reference(s) in IAPP Certification Textbooks: E75, 174

Return to top


Transparency

The requirement to be open and honest about manner in, and purposes for, which personal data is used. It is a fundamental principle in privacy protections and a key concept of the European data protection framework.

Reference(s) in IAPP Certification Textbooks: E107-111; G67-68, 70

Return to top


Universal Declaration of Human Rights

Also called the Human Rights Declaration, the declaration recognized the universal values and traditions of inherent dignity, freedom, justice and peace. It was adopted by the General Assembly of the United Nations on 10 December 1948. In December 1948, the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights. This declaration formally announced that “[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence [.]” The statement was intended to encompass a wide range of conduct, as evidenced by Article 12 of the Declaration, which describes both the territorial and the communications notions of privacy.

Reference(s) in IAPP Certification Textbooks: F3; C2-3; E4, 15

Associated term(s): Declaration of Human Rights

Return to top


Value-Added Services

A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions. More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered value-added services, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), also known as a content provider (CP) such as All Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.

Reference(s) in IAPP Certification Textbooks: C117; E232-233, 260

Associated term(s): MVAS, VASP

Return to top


Video Surveillance Guidelines

Guidelines discouraging video as an initial security option with the following constraints: (1) Video should be taken only in the absence of less intrusive alternatives; (2) the use should be disclosed to the public; (3) individuals should have access to their personal information; (4) video surveillance should be subject to independent audit, and (5) fair information practices should be respected.

Reference(s) in IAPP Certification Textbooks: C81

Return to top


Work Product Information

A Canadian term referring to information about an individual that is related to that individual’s position, functions and/or performance of his or her job. A term that is undefined by PIPEDA, the privacy commissioner has decided that work product may at times fall under the definition of personal information. Access to such information by the commissioner is addressed on a case-by-case basis. Not to be confused with the American legal term "work product," which refers to legal materials prepared in anticipation of litigation.

Reference(s) in IAPP Certification Textbooks: C17; 32-33

Associated term(s): Employee Information

Associated law(s): PIPEDA

Return to top