Textbook Key

F: Foundations of Information Privacy and Data Protection

US: U.S. Private-sector Privacy

C: Canadian Privacy

E: European Privacy

G: U.S. Government Privacy

IT: Privacy in Information Technology

M: Privacy Program Management



Accountability

A fair information practices principle, it is the idea that when personal information is to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with other fair use principles.

Reference(s) in IAPP Certification Textbooks: F18, 21-22; US34-35; C39, 101, 122; E8; G13; M35


Adverse Action

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.

Reference(s) in IAPP Certification Textbooks: US60-61; C124

Associated law(s): FCRA


Annual Independent Evaluations

Under FISMA, U.S. agencies’ information security programs must be independently evaluated yearly. The independent auditor is selected by the agency's inspector general or the head of the agency. The audit is submitted to the Office of Management and Budget.

Reference(s) in IAPP Certification Textbooks: G49

Associated law(s): FISMA


APEC Privacy Principles

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Reference(s) in IAPP Certification Textbooks: F19-20; US40-41; C120-122; G11-13; M27


Background Screening/Checks

Verifying an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity.

Reference(s) in IAPP Certification Textbooks: F39, 98; US158-164; E215; G158


Bank Secrecy Act, The

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.

Reference(s) in IAPP Certification Textbooks: US72-74; G103-105

Acronym(s): BSA

Associated term(s): Financial Record Keeping and Reporting Currency and Foreign Transactions Act of 1970


Census Bureau

The Census Bureau collects data to meet the nation’s statistical needs.  Because the data that the Census Bureau collects is often highly personal in nature, and the Census Bureau depends on the trust of the individuals and businesses that supply the data, privacy protection is a high priority.

Reference(s) in IAPP Certification Textbooks: G128


Chief FOIA Officer

Executive Order 13392 supplemented FOIA by reiterating the requirement for agencies to process requests in a courteous and expeditious manner.  In addition, it required agencies to appoint a chief FOIA officer.  The Open Government Act of 2007 codified this requirement and expanded on the responsibilities of the chief FOIA officer to include the following: have agency-wide responsibility for efficient and appropriate compliance with FOIA; monitor FOIA implementation throughout the agency; recommend to the head of the agency any necessary adjustments in practices, personnel, policies or funding.

Reference(s) in IAPP Certification Textbooks: G62

Associated term(s): FOIA

Associated law(s): Freedom of Information Act


Chief Privacy Officer (Agency level)

A position within an organization that is responsible for managing risks of privacy laws and policies. Within the U.S. government, this position was created under section 522(a) of the Consolidated Appropriations Act of 2005.

Reference(s) in IAPP Certification Textbooks: G43-45

Acronym(s): CPO


Children’s Online Privacy Protection Act (COPPA) of 1998

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators to: post a privacy policy on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information; and maintain the confidentiality, security and integrity of personal information collected from children.

Reference(s) in IAPP Certification Textbooks: F43, 126-127; US107-11; C127-128; G94-98; M9, 38, 146

Acronym(s): COPPA

Associated term(s): 15 U.S.C. §§ 6501-6508


Choice

An individual’s ability to determine whether or how their personal information may be used or disclosed by the entity that collected the information. Also, the ability of an individual to limit certain uses of their personal information. For example, an individual may have choice about whether to permit a company to contact them or share their data with third parties. Choice can be express or implied.

Reference(s) in IAPP Certification Textbooks: F16; US6, 21; C62, 115, 121; E105-106

Associated term(s): Consent


Collection Limitation

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Reference(s) in IAPP Certification Textbooks: F17, 20; M35


Computer Matching and Privacy Protection Act

Requires agencies that match data among agency systems granting financial benefits to publicly disclose that matching and explain its scope.

Reference(s) in IAPP Certification Textbooks: G25-27, 158, 161


Confidentiality

The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.

Reference(s) in IAPP Certification Textbooks: F77; G46


Consent

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice (see Choice) about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative, i.e., opt-in, or implied, i.e., the individual didn’t opt out. (1) Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties. According to the EU Data Protection Directive, explicit consent is required for processing of sensitive information. Further, data controllers cannot infer consent from non-response to a communication. (2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Reference(s) in IAPP Certification Textbooks: F16; C28; G178

Associated term(s): Choice


Controlled Unclassified Information

A system that standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.  The program emphasizes the openness and uniformity of government-wide practices.  Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.

Reference(s) in IAPP Certification Textbooks: G73

Acronym(s): CUI


Cookie

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their user name and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer.

Reference(s) in IAPP Certification Textbooks: F38, 75, 135-137; C46; E274-275; G37, 95, 97

Associated term(s): First-Party Cookie, Persistent Cookie, Session Cookie, Third-Party Cookie, Tracking Cookie, Web Cookie


Credit Reporting Agency

Under the Fair Credit Reporting Act, any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee.

Reference(s) in IAPP Certification Textbooks: US58-59; G147

Acronym(s): CRA

Associated term(s): Consumer reporting agency

Associated law(s): FCRA


Customer Access

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

Reference(s) in IAPP Certification Textbooks: F122-123; US58; G13


Data Breach

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Reference(s) in IAPP Certification Textbooks: F104-111; G5-6, 115

Associated term(s): Breach, Privacy Breach (Canadian)


Data Controller

An entity that has the authority over the processing of personal information. This entity is the focus of most obligations under privacy and data protection laws. It controls the use of personal data by determining the purposes for its use and the manner in which the data will be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.

Reference(s) in IAPP Certification Textbooks: F8; E57-59, 288; G10-11

Associated term(s): Data Processor


Data Elements

The different types of personal information processed by data processors. Typical data elements include name, date of birth and numerical identifiers. Organizational data elements tied to both individuals as well as organizations include business addresses, business phone numbers, business e-mail addresses and related information.

Reference(s) in IAPP Certification Textbooks: F5; US49


Data Integrity Board

Under the Privacy Act, federal agencies using computerized means to match data between electronic federal privacy record systems, or to match data from any federal system with nonfederal records, are required to create a DIB composed of senior officials and the agency’s inspector general. The DIB shall, among other things: review, approve and maintain all matching programs; review all existing matching programs annually to determine compliance with laws, regulations, guidelines and agreements; and assess the cost and benefits of the agreements.

Reference(s) in IAPP Certification Textbooks: G26

Acronym(s): DIB

Associated term(s): Data Matching

Associated law(s): Privacy Act


Data Matching

An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.

Reference(s) in IAPP Certification Textbooks: C87-89; G25-27, 160-161


Data Quality

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs? Is it accurate? Is it complete? Is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Reference(s) in IAPP Certification Textbooks: F22; C19; E2; G10, 20; M35


Data Quality Act of 2000

Passed in response to the increased use of the Internet by U.S. federal agencies, the act was designed to ensure the quality of information released by agencies by establishing four major requirements: (1) Office of Management and Budget was to issue guidelines "ensuring and maximizing the quality, objectivity, utility and integrity" of disseminated information; (2) agencies must issue their own sets of information quality guidelines; (3) agencies must establish administrative mechanisms for persons to correct erroneous information about themselves; (4) agencies must annually report to OMB regarding the number, nature and handling of complaints.

Reference(s) in IAPP Certification Textbooks: G71

Acronym(s): DQA

Associated term(s): Information Quality


Data Subject

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.

Reference(s) in IAPP Certification Textbooks: F8; E63; G10, 137


Deidentification

An action that one takes to remove identifying characteristics from data. De-identified data is information that does not actually identify an individual.

Reference(s) in IAPP Certification Textbooks: F5-7; US49; G91

Associated term(s): Anonymization, Anonymized Data, Deidentified Data, Pseudonymization, Pseudonymized Data


E-Authentication

To address the rise in citizen use of the Internet to access government information and services, some type of identity verification or authentication is needed. As such, agencies are required to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.

Reference(s) in IAPP Certification Textbooks:  G148-149

Associated term(s): Authorization


E-Government Act

A U.S. federal law that, among other things, requires federal agencies to conduct Privacy Impact Assessments on new or substantially revised information technology.

Reference(s) in IAPP Certification Textbooks: G15, 17, 28-40, 115

Associated law(s): FISMA


Electronic Communications Privacy Act of 1986

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

Reference(s) in IAPP Certification Textbooks: US142, 143; G108-109; M38

Acronym(s): ECPA

Associated law(s): Stored Communications Act, Stored Wire Electronic Communications Act, USA Patriot Act


Encryption

The process of obscuring information, often through the use of a cryptographic scheme, in order to make the information unreadable without special knowledge, i.e., the use of code keys.

Reference(s) in IAPP Certification Textbooks: F34, 88-89, 96-97, 124-125; US35; G7, 93, 121, 158


EU Data Protection Directive

Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46/EC). The Directive was adopted in 1995, became effective in 1998 and protects individuals’ privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality and transparency principles, data security and confidentiality, data subjects’ rights of access, rectification, deletion and objection, restrictions on onwards transfers, additional protection where special categories of data and direct marketing are involved and a prohibition on automated individual decisions. The Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The Directive’s key provisions impose severe restrictions on personal data processing, grant individual rights to “data subjects” and set forth specific procedural obligations including notification to national authorities. This was followed in 1997 by a more specific directive for the telecom sector (97/66/EC), which was replaced in mid-2002 by the European institutions to adapt it to new technologies and business practices (2002/58/EC). The Directive has been supplemented by additional directives including a specific provision for e-commerce.

There is currently a proposal from the European Commission for an EU Data Protection Regulation that would supersede the directive if passed.

Reference(s) in IAPP Certification Textbooks: F18-19, 34-41; E37; M30, 39

Associated term(s): Data Protection Directive


Executive Order 12333

The order that provides information about the goals, direction, duties and responsibilities with respect to the national intelligence effort and provides basic information on how intelligence activities should be conducted.  The executive order states that agencies within the intelligence community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned, and must be approved by the attorney general.

Reference(s) in IAPP Certification Textbooks: G81-82


Fair Credit Reporting Act, The

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability to access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.

Reference(s) in IAPP Certification Textbooks: F4, 42; US57-64; C123-124; G147; M38

Acronym(s): FCRA

Associated law(s): Fair and Accurate Credit Transactions Act of 2003 (FACTA)


Family Educational Rights and Privacy Act

FERPA establishes requirements regarding the privacy protection of student educational records.  It applies to all academic institutions that receive funds under applicable U.S. Department of Education programs.  FERPA gives parents certain rights with respect to their children’s education records.  These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.  Students to whom the rights have transferred are referred to as “eligible students.”

Reference(s) in IAPP Certification Textbooks: US77-82; G101

Acronym(s): FERPA


Federal Advisory Committee Act, The

A federal law governing the behavior of federal advisory committees, restricting the formation of such committees to those deemed essential, limiting their powers and their length of operation, requiring open meetings and open records and mandating a publicly-accessible government-wide database.

Reference(s) in IAPP Certification Textbooks: G67-68

Acronym(s): FACA


Federal Agency Data Mining Reporting Act

A federal law requiring agencies that engage in data mining to submit a yearly report to Congress. The privacy office of that agency must be involved in producing the report. The report will be made public and describe all of the agency’s data-mining activity, goals and an assessment of the effectiveness of the data-mining activity.

Reference(s) in IAPP Certification Textbooks: G75



Federal Enterprise Architecture Security and Privacy Profile

The FEA-SPP serves two functions in the integration of privacy and security risk-management practices. First, it clearly articulates that while there is a symbiotic relationship between security and privacy, these practices are not identical; they are distinct practices, but intertwined. Second, the FEA-SPP lays the groundwork for driving agency integration of privacy risk management into the fundamental design of technical systems and technologies.

Reference(s) in IAPP Certification Textbooks: G49-50

Acronym(s): FEA-SPP


Federal Information Security Incident Center

FISMA codified a federal information security center, which is implemented in the U.S. Computer Emergency Readiness Team (US-CERT). US-CERT is called upon to provide timely technical assistance regarding security incidents; compile and analyze security incident information; inform federal agency information system operators about current and potential threats; and consult with NIST and others regarding information security incidents.

Reference(s) in IAPP Certification Textbooks: G76

Acronym(s): FISIC

Associated term(s): U.S.-CERT, NIST

Associated law(s): FISMA


Federal Information Security Management Act of 2002, The

A U.S. federal law enacted as part of the E-Government Act of 2002. The act requires each federal agency to develop, document and implement an agency-wide program to provide information security for the data and data systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source. FISMA requires agency program officials, chief information officers and inspectors general to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget. OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. In FY 2008, federal agencies spent $6.2 billion securing the government’s total information technology investment of approximately $68 billion or about 9.2 percent of the total information technology portfolio.

Reference(s) in IAPP Certification Textbooks: G29, 45-53

Acronym(s): FISMA


Federal Records Act

The Federal Records Act requires the establishment of standards and procedures to ensure efficient and effective records management. The objectives of the Federal Records Act interact with federal privacy to: ensure appropriate maintenance of a record that allows access rights to the subject of the record; minimize the collection of PII; and ensure the destruction of PII when there is no longer a business, legal, or historical need for the record.

Reference(s) in IAPP Certification Textbooks: G153-4

Associated term(s): PII

Associated law(s): Privacy Act


Federal Trade Commission

The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

Reference(s) in IAPP Certification Textbooks: F43; US14-20

Acronym(s): FTC

Associated law(s): FTC Act


Final Health Breach Notification Rule

A rule, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

Reference(s) in IAPP Certification Textbooks:

Associated law(s): HITECH


Foreign Intelligence Surveillance Act of 1978, The

A U.S. federal law regulating the way that U.S. intelligence agencies conduct foreign intelligence surveillance activities, including wiretaps and the interception of communications. The act sets forth a judicial approval process required when the government targets U.S. persons located within the United States. FISA allows warrantless surveillance to be conducted without a court order for up to one year, provided the surveillance is for foreign intelligence information, is targeting foreign powers and will not capture the contents of any communication to which a U.S. person is a party. Generally speaking, FISA does not apply to activities directed at persons overseas.

Reference(s) in IAPP Certification Textbooks: G105-107, 110

Acronym(s): FISA


Freedom of Information Act, The

A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.

Reference(s) in IAPP Certification Textbooks: F44; US133-135; G20, 22, 54-62

Acronym(s): FOIA


Government in the Sunshine Act

The Government in the Sunshine Act, 5 U.S.C. § 552b, generally requires multi-member federal agencies, i.e., the FCC and SEC, to hold their meetings in public and to give advance public notice of their meetings. The goal of the Sunshine Act is to promote public access to information about the decision-making processes of the federal government and to improve those processes by exposing them to public view.

Reference(s) in IAPP Certification Textbooks: G68-70

Acronym(s): GSA

Associated term(s): 5 U.S.C. § 552b


Gramm-Leach-Bliley Act

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt out of some sharing of personal financial information.

Reference(s) in IAPP Certification Textbooks: F41, 43, 68; US66-71; C125-126; G98-101; M8, 30, 38

Acronym(s): GLBA


Health Information Technology for Economic and Clinical Health Act, The

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA.  The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties.  Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

Reference(s) in IAPP Certification Textbooks: F32; US51-52; C124-125; G92-94

Acronym(s): HITECH

Related term(s): EHR

Associated law(s): HIPAA


Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt-in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

Reference(s) in IAPP Certification Textbooks: F42; US46-51; C124-125; G89-92; M9, 30, 38, 40

Acronym(s): HIPAA


Information Life Cycle

Collection, processing, use, disclosure, retention, and destruction.

Reference(s) in IAPP Certification Textbooks: F13, 16; G176


Information Privacy

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Reference(s) in IAPP Certification Textbooks: F2-4, 77-78; G8-13


Information Security

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

Reference(s) in IAPP Certification Textbooks: F77-112; G45

Acronym(s): IS



Information Sharing Environment

The ISE is a conceptual framework for facilitating the sharing of terrorism-related information among federal, state, local and tribal agencies, the private sector, and foreign partners.  The ISE was mandated by the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).  ISE guidance includes steps that ensure the information privacy and other legal rights of Americans are protected in the development and use of the information-sharing environment.  The ISE privacy guidelines provide high-level direction on protecting privacy.  The guidelines apply to information about U.S. citizens and lawful permanent residents.

Reference(s) in IAPP Certification Textbooks: G82-84

Acronym(s): ISE

Associated law(s): Intelligence Reform and Terrorism Prevention Act



Machine-readable Formats

“[W]ritten in a standard computer language (not English text) that can be read automatically by a web browser.” (Source: OMB PIA Guidance)

Reference(s) in IAPP Certification Textbooks: G37



Matching Program (from The Privacy Act of 1974)

Any computerized comparison of two or more automated systems of records or a system of records with non-Federal records for the purpose of establishing or verifying the eligibility of, or continuing compliance by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or (any computerized comparison of) two or more automated Federal personnel or payroll systems of records or (any such system) with non-Federal records.

Reference(s) in IAPP Certification Textbooks: G19, 124, 161

Associated term(s): The Privacy Act of 1974



Medical Information

Information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics or other medical or medically related facilities.

Reference(s) in IAPP Certification Textbooks: F67-68; US45-47, 63; G90

Associated term(s): HIPAA



Memorandum of Understanding/Agreement

“A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide [NIST SP 800-47], an MOU/A defines the responsibilities of two or more organizations in establishing, operating and securing a system interconnection.” For the proposed transmission of PII among federal agencies, a memorandum will govern the purpose, methods of transmission, relevant authorities, specific responsibilities of the organizations transmitting and receiving the PII, and risks associated with its transmission.

Reference(s) in IAPP Certification Textbooks: G159

Acronym(s): MOU

Associated term(s): NIST SP 800-47



Monetary Instrument Log

Under the Bank Secrecy Act, the log of transactions that a financial institution must retain as a record of cash purchases of monetary instruments (e.g., money orders, cashier’s checks, travelers checks) ranging from $3,000 to $10,000.

Reference(s) in IAPP Certification Textbooks: G104

Acronym(s): MIL

Associated law(s): Bank Secrecy Act



National Archives and Records Administration

NARA is charged with providing guidance and assistance with respect to records management and maintaining those records that are of sufficient value to warrant permanent preservation.  Further, NARA establishes general records schedules, which provide mandatory disposal authorization for temporary administrative records common to several or all agencies of the federal government.  These include records relating to civilian personnel, fiscal accounting, procurement, communications, printing and other common functions and certain nontextual records.

Reference(s) in IAPP Certification Textbooks: G154, 156

Acronym(s): NARA



National Institute of Standards and Technology

NIST is an agency within the Department of Commerce.  NIST has the lead responsibility for the development and issuance of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure.

NIST has published a series of publications in support of its risk management framework (RMF).  The RMF is a multi-tiered and structured methodology for creating a unified information security framework for the federal government in order to meet the vast array of requirements set forth in FISMA.

Reference(s) in IAPP Certification Textbooks: G118

Acronym(s): NIST

Associated term(s): FISMA

Associated law(s): FISMA



Non-Public Personal Information

Defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information.

Reference(s) in IAPP Certification Textbooks: F43; US67-68; G99; M36

Acronym(s): NPI

Associated law(s): GLBA



OECD Guidelines

(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

(3) The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

(4) The Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 8 (below) except a) with the consent of the data subject; or b) by the authority of law.

(5) The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

(6) The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

(7) The Individual Participation Principle. An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial, and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

Reference(s) in IAPP Certification Textbooks: F17-18; US13; E7-9; G10-11

Associated term(s): OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (1980)



Office of Management and Budget

Under the Privacy Act, the OMB is charged with the responsibility to supervise agencies’ implementation of the act’s provisions. In order to perform this task, the act provides that the director of the OMB shall develop and prescribe guidelines and regulations, as well as provide assistance and oversight of their implementation by agencies.

Reference(s) in IAPP Certification Textbooks: G27

Acronym(s): OMB



Office of the Director of National Intelligence

Overseeing the intelligence community is the Office of the Director of National Intelligence.  The IRTPA established the director of National Intelligence as the head of the intelligence community and the principal advisor to the president and the National Security Council.

Reference(s) in IAPP Certification Textbooks: G84

Acronym(s): ODNI

Associated law(s): Intelligence Reform and Terrorism Prevention Act



OMB Memorandum M-03-22

This memorandum provides agencies with specific implementation guidance for conducting PIAs and developing website privacy policies. It applies to all executive branch agencies and departments, contractors and cross-agency initiatives that use websites or other information technology for interacting with the public. It requires agencies to: conduct PIAs and make them publicly available; post privacy policies on agency websites; translate privacy policies into a standardized machine-readable format; ensure privacy responsibilities are properly executed for information in identifiable form (IIF) processed by information technology; report annually to OMB on Section 208 compliance.

Reference(s) in IAPP Certification Textbooks: G29

Associated law(s): Privacy Act



Omnibus Laws

Laws in which the government has defined requirements throughout the economy, including the public, private and health sectors.

Reference(s) in IAPP Certification Textbooks: US16



Open Government Directive

When President Obama entered into office he issued a memorandum calling for an unprecedented level of openness in government, which launched the Open Government Initiative.  In December 2009, the Director of the OMB issued the Open Government Directive, which set forth detailed requirements focused on implementing the president’s vision.  The president required the OMB to issue a directive to federal departments and agencies to take certain steps to implement the underlying principles of transparency, participation and collaboration discussed in the president’s memorandum.

Reference(s) in IAPP Certification Textbooks: G70

Associated term(s): OMB



Opt-In

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

Reference(s) in IAPP Certification Textbooks: F16; US38-40; C116-117; E136; G171

Associated term(s): Choice; Consent; Opt-Out



Opt-Out

One of two central concepts of choice. It means that an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, his or her information will be shared with third parties.

Reference(s) in IAPP Certification Textbooks: F16; US38-40; C116-117; E136

Associated term(s): Choice; Consent; Opt-In



Organization for Economic Cooperation and Development

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.

Reference(s) in IAPP Certification Textbooks: F17-18; US13, 24; C18; E7; G10-11; M27, 50

Acronym(s): OECD



Paperwork Reduction Act

The PRA concerns information that is created, collected, disclosed, maintained, used, shared, and disseminated by or for the federal government, regardless of whether it is PII.  The primary goal is to calculate and reduce as much as possible the burden of providing information to the government while maintaining the quality of that information. The requirements of the PRA cover collections of information, which may exist in any format, and could include surveys, applications, questionnaires, and reports or any scenario in which 10 or more persons are asked to provide the same information within a 12-month period.

Reference(s) in IAPP Certification Textbooks: G63

Acronym(s): PRA



Personal Data

Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly—in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Reference(s) in IAPP Certification Textbooks: F4-7, 39

Associated term(s): Personal Information; Personally Identifying Information; Personally Identifiable Information



Personal Information

May refer to either a generic term for information, or an EU term for such information. In the U.S., such information may be referred to as Personally Identifiable Information.

Reference(s) in IAPP Certification Textbooks: F4-7, 39; G4-5; M36

Acronym(s): PI

Associated term(s): Personal Data; Personally Identifying Information; Personally Identifiable Information



PIA Triggers

These events constitute triggers for an organization to conduct a privacy impact assessment: Conversion of records from paper-based to electronic form; Conversion of information from anonymous to identifiable form; System management changes involving significant new uses and/or application of new technologies; Significant merging, matching or other manipulation of multiple databases containing PII; Application of user-authenticating technology to a system accessed by members of the public; Incorporation into existing databases of PII obtained from commercial or public sources; Significant new inter-agency exchanges or uses of PII; Alteration of a business process resulting in significant new collection, use and/or disclosure of PII; Alteration of the character of PII due to the addition of qualitatively new types of PII.

Reference(s) in IAPP Certification Textbooks: G32

Associated law(s): FISMA



Privacy Act Exceptions

Among the exceptions to the Privacy Act of 1974 are: (1) Performance of regular duties of an agency employee; (2) FOIA disclosures; (3) Routine uses as specified in the applicable SORN; (4) Census Bureau census or survey functions; (5) Statistical research if not individually identifiable; (6) Data held by the National Archives; (7) Law enforcement activity; (8) Compelling health or safety circumstances; (9) Congressional committee with appropriate jurisdiction; (10) GAO duties; (11) Court order; and (12) Consumer reporting agencies.

Reference(s) in IAPP Certification Textbooks: G22-23

Associated term(s): The Privacy Act of 1974

Associated law(s): The Privacy Act of 1974



Privacy Act of 1974, The

A U.S. law that regulates the federal government’s use of computerized databases of information about U.S. citizens and permanent legal residents. It also establishes fair information practices that each agency must follow when collecting, using or disclosing personal information, including rights of citizen action and redress for violations. It guarantees that U.S. citizens and lawful permanent residents have: (1) the right to see records about themselves that are maintained by the federal government (provided that information is not subject to one or more of the Privacy Act's exemptions); (2) the right to amend inaccurate, irrelevant, untimely or incomplete records; and (3) the right to sue the government for failure to comply with its requirements. It also contains fair information practices that: (1) require that information about a person be collected from that person to the greatest extent practicable; (2) require agencies to ensure that their records are relevant, accurate, timely and complete, and (3) prohibit agencies from maintaining information describing how an individual exercises his or her First Amendment rights (unless the individual consents to it, it is permitted by statute or is within the scope of an authorized law enforcement investigation).

Reference(s) in IAPP Certification Textbooks: F43-44, 70; US13; G17-28



Privacy Impact Assessment

“An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.” PIAs should disclose what PII is being collected, why it is being collected, what the intended uses of the PII are, whom the PII will be shared with, what opportunities individuals will have to opt-out of PII collection or use, how the PII will be secured, whether a system of records is being created under the Privacy Act and an analysis of the information life cycle. Checklists or tools used to ensure that the system used to collect personal information is evaluated for privacy risks, designed with lifecycle principles in mind and made to ensure that effective and required privacy protection measures are used. A PIA should be completed pre-implementation of the privacy project, product, or service and should be ongoing through its deployment. The PIA should identify these attributes of the data collected: what information is collected; why it is collected; the intended use of the information; with whom the information is shared, and the consent and choice rights of the data subjects. The PIA should be used to assess new systems, significant changes to existing systems, operational policies and procedures and intended use of the information. PIAs should also be used before, during, and after mergers and acquisitions. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to existing legal, regulatory and industry standards, and maintains consistency between policy and operational practices.

Reference(s) in IAPP Certification Textbooks: F14; G31; M123-125

Acronym(s): PIAs



Privacy Notice

A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy. Special privacy notices are also mandated by specific laws such as GLBA and COPPA in the United States.

Reference(s) in IAPP Certification Textbooks: F16; US16-18, 37; G95-97, 100



Privacy Officer

An official responsible for the coordination and implementation of all privacy and confidentiality efforts within a government department or component. This official may be statutorily mandated, as in the Department of Homeland Security, or appointed by a department or component to handle privacy and other related matters.

Reference(s) in IAPP Certification Textbooks: G3-4, 40



Privacy Policy

An internal statement that governs an organization or entity’s handling practices of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have.

Reference(s) in IAPP Certification Textbooks: F11; US16-18; G134-136



Privacy Policy in Standardized Machine-Readable Format

Defined by the U.S. Office of Management and Budget Memorandum M-03-22, “[a] statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a web browser.”

Reference(s) in IAPP Certification Textbooks: G29



Privacy Rule, The

Under HIPAA, this rule establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

Reference(s) in IAPP Certification Textbooks: US47-50, 134; G90-91

Associated law(s): HIPAA



Protected Health Information

Any individually identifiable health information transmitted or maintained in any form or medium that is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer, and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.

Reference(s) in IAPP Certification Textbooks: US46; G91; M37

Acronym(s): PHI



REAL ID Act

The REAL ID Act of 2005 is a nationwide effort intended to prevent terrorism, reduce fraud and improve the reliability and accuracy of identification documents issued by U.S. state governments. The act has many varying provisions, but the one generating the most interest and controversy concerns the establishment and implementation of national standards for state-issued driver’s licenses and non-driver ID cards. On January 11, 2008, the U.S. Department of Homeland Security issued a final rule establishing the minimum-security standards for state-issued identification cards. The new standards purportedly enhance the card’s integrity and reliability, strengthen issuance capabilities, increase security at card-production facilities and reduce state implementation costs.

Reference(s) in IAPP Certification Textbooks: G111



Reidentification

The process of using publicly available information to re-associate personally identifying information with data that has been anonymized.

Reference(s) in IAPP Certification Textbooks: G71-72, 91, 165-166

Associated term(s): Deidentification; anonymization



Retention

Within the information lifecycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.

Reference(s) in IAPP Certification Textbooks: F16; G22



Right of Access

Generally, the right of individuals to obtain data about themselves from data controllers upon request. The right is accorded under Article 12 of the Data Protection Directive, although member states are afforded some latitude to implement the rule. In Canada, the right is provided by PIPEDA. In the U.S., the Privacy Act provides only U.S. citizens and lawful permanent residents a right of access to their own records, whereas FOIA provides a general right of access to agency records for any requester seeking access to such records.

Reference(s) in IAPP Certification Textbooks: C76-77; E126; G28



Right to Financial Privacy Act of 1978

Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about customers’ financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government is requesting customers’ financial information.

Reference(s) in IAPP Certification Textbooks: G107-108

Acronym(s): RFPA



Section 208 of the E-Government Act

Section 208 requires agency website privacy policies to include the following information: what information is to be collected through use of the website; why the information is being collected; the intended use by the agency of the information; with whom the information will be shared; what notices or opportunities for consent will be provided; how the information will be secured; the rights of individuals under the Privacy Act and other privacy laws.

Reference(s) in IAPP Certification Textbooks: G36

Associated term(s): E-Government Act

Associated law(s): E-Government Act



Security Safeguards

A fair information practices principle, it is the principle that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Reference(s) in IAPP Certification Textbooks: F18, 21; G10; M35



Senior Agency Official for Privacy

Under OMB Memorandum M-05-08, each executive agency should identify the senior official who has agency-wide responsibility for information privacy. The agency’s chief information officer (CIO) may perform this role, or it may be performed by another senior official at the assistant secretary or equivalent level. Agencies are also advised that the official given this role should have the authority to address information privacy policy issues at a national and agency-wide level. The official has overall responsibility and accountability for ensuring the agency’s implementation of information privacy protections, including full compliance with federal laws, regulations and policies relating to information security, such as the Privacy Act.

Reference(s) in IAPP Certification Textbooks: G3, 44-45

Acronym(s): SAOP



Subpoena

A written court order issued in an administrative, civil or criminal action that requires the person named in the subpoena to appear in court in order to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit. A subpoena may also require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that discloses personal information.

Reference(s) in IAPP Certification Textbooks: G86, 101, 107



System of Records Notice

A notice required when a federal agency creates, modifies or destroys a system of records. When the agency collects and stores Personally Identifiable Information in records, the agency is required to establish the statutory need for the collection, disclose the collection, describe its contents and declare the routine uses for that agency or any other agency that will use the information. This disclosure must be made to the Office of Management and Budget and Congress and must be published in the Federal Register in advance of the system becoming operational.

Reference(s) in IAPP Certification Textbooks: G20-21

Acronym(s): SORN

Associated law(s): Privacy Act, The



The Data Quality Act

In light of the increased use of the Internet by federal agencies as an easy, inexpensive and expedient way to disseminate information to the public, Congress passed the Data Quality Act of 2000.  This act was designed to ensure the quality of information released by federal agencies.  The DQA’s impact on individual privacy is limited and indirect, as its principal focus is on the quality, and not the confidentiality, of information intended for publication.  That said, DQA data quality procedures overlap with the data quality and integrity requirements of the Privacy Act when an agency collects, generates or uses individual-level data in an agency system of records to prepare or support published studies or research covered by the DQA.

Reference(s) in IAPP Certification Textbooks: G65

Acronym(s): DQA

Associated law(s): Privacy Act


The Protect America Act

The PAA restored FISA to its original focus of protecting the rights of persons in the United States, while not acting as an obstacle to gathering foreign intelligence on targets located in foreign countries.  The act also modernized FISA in four important ways: it clarifies FISA’s definition of electronic surveillance; it provides a role for the FISA court in reviewing the procedures the intelligence community uses to ensure that collection remains directed at persons located overseas; it provides a mechanism for the FISA court to direct third parties to assist the intelligence community in its collection efforts; and it protects third parties from private lawsuits arising from assistance they provide the government in authorized foreign intelligence activities targeting individuals located outside the United States.

Reference(s) in IAPP Certification Textbooks: G106

Acronym(s): PAA

Associated term(s): FISA

Associated law(s): FISA



Transparency

The requirement to be open and honest about the manner in, and purposes for, which personal data is used. It is a fundamental principle in privacy protections and a key concept of the European data protection framework.

Reference(s) in IAPP Certification Textbooks: E107-111; G67-68, 70



U.S. Department of Labor

A U.S. federal agency that oversees “the welfare of the job seekers, wage earners and retirees of the United States by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefits, helping employers find workers, strengthening free collective bargaining and tracking changes in employment, prices and other national economic measurements.” To achieve this mission, the department administers a variety of federal laws including, but not limited to, the Fair Labor Standards Act (FLSA), the Occupational Safety and Health Act (OSHA) and the Employee Retirement Income Security Act (ERISA).

Reference(s) in IAPP Certification Textbooks: US157

Acronym(s): DOL

Associated law(s): FLSA; ERISA; OSHA



United States Department of Health, Education and Welfare Fair Information Practice Principles (1973), The

A code of fair information practices that contained five principles: (1) There must be no personal data record keeping systems whose very existence is secret. (2) There must be a way for an individual to find out what information about him (or her) is in a record and how it is used. (3) There must be a way for an individual to prevent information about him (or her) that was obtained for one purpose from being used or made available for other purposes without his (or her) consent. (4) There must be a way for an individual to correct or amend a record of identifiable information about him (or her). (5) Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

Reference(s) in IAPP Certification Textbooks: G9

Associated term(s): HEW Principles; HEW Report, The



US-CERT

A partnership between the Department of Homeland Security and the public and private sectors intended to coordinate the response to security threats from the Internet. As such, it releases information about current security issues, vulnerabilities and exploits via the National Cyber Alert System and works with software vendors to create patches for security vulnerabilities.

Reference(s) in IAPP Certification Textbooks: G7, 49; M113

Acronym(s): US-CERT

Associated term(s): U.S. Computer Emergency Readiness Team



USA-PATRIOT Act

A broad-ranging act designed to counter terrorism that expanded law enforcement authority for surveillance and for capturing communications and records.

Reference(s) in IAPP Certification Textbooks: US74, 132, 148; C88-90; G110-111

Acronym(s): USAPA

Associated term(s): Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001; Patriot Act
