Textbook Key

F: Foundations of Information Privacy and Data Protection

US: U.S. Private-sector Privacy

C: Canadian Privacy

E: European Privacy

G: U.S. Government Privacy

IT: Privacy in Information Technology

M: Privacy Program Management

Accountability

A fair information practices principle, it is the idea that when personal information is to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with other fair use principles.

Reference(s) in IAPP Certification Textbooks: F18, 21-22; US34-35; C39, 101, 122; E8; G13; M35

Active Scanning Tools

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.

Reference(s) in IAPP Certification Textbooks: M133

American Institute of Certified Public Accountants

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

Reference(s) in IAPP Certification Textbooks: C61-62; M50, 86

Acronym(s): AICPA

Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust

APEC Privacy Principles

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on the OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Reference(s) in IAPP Certification Textbooks: F19-20; US40-41; C120-122; G11-13; M27

Assess

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

Reference(s) in IAPP Certification Textbooks: M84

Associated term(s): Privacy Operational Life Cycle; Protect; Sustain; Respond

Audit Life Cycle

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Reference(s) in IAPP Certification Textbooks: M137

Bureau of Competition

One of the United States’ Federal Trade Commission’s three principal groups relevant to privacy oversight; investigates and attempts to prevent anticompetitive business practices, such as monopolies, price-fixing and similar regulatory violations, which may negatively affect commercial competition.

Reference(s) in IAPP Certification Textbooks: M42

Associated term(s): Bureau of Consumer Protection; Bureau of Economics

Bureau of Consumer Protection

One of the United States’ Federal Trade Commission’s three principal groups relevant to privacy oversight; protects consumers against deceptive and/or unfair business practices. Included under the FTC mandate are deceptive advertising and fraudulent product and/or service claims.

Reference(s) in IAPP Certification Textbooks: M41

Associated term(s): Bureau of Competition; Bureau of Economics

Bureau of Economics

One of the United States’ Federal Trade Commission’s three principal groups relevant to privacy oversight; works in accord with the Bureau of Competition to study the effects of FTC lawmaking initiatives and of existing law.

Reference(s) in IAPP Certification Textbooks: M42

Associated term(s): Bureau of Competition; Bureau of Consumer Protection

Business case

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

Reference(s) in IAPP Certification Textbooks: M29-53

Business Continuity and Disaster Recovery Plan

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.

Reference(s) in IAPP Certification Textbooks: M92-94

Acronym(s): BCDR

Business Continuity Plan

The business continuity plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a BCP often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.

Reference(s) in IAPP Certification Textbooks: M171-173

Acronym(s): BCP

C-I-A Triad

Also known as the information security triad; three common information security principles from the 1960s: confidentiality, integrity, availability.

Reference(s) in IAPP Certification Textbooks: M95, 112

Associated term(s): Information Security Triad

Canadian Institute of Chartered Accountants

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership and co-ordination of common critical functions: strategic planning, protection of the public and ethics, education and qualification, standard setting and communications.

Reference(s) in IAPP Certification Textbooks: C6, 61; M50, 86

Acronym(s): CICA

Centralized governance

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.

Reference(s) in IAPP Certification Textbooks: M19-21

Children’s Online Privacy Protection Act (COPPA) of 1998

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy policy on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

Reference(s) in IAPP Certification Textbooks: F43, 126-127; US107-11; C127-128; G94-98; M9, 38, 146

Acronym(s): COPPA

Associated term(s): 15 U.S.C. §§ 6501-6508

Collection Limitation

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Reference(s) in IAPP Certification Textbooks: F17, 20; M35

Current baseline

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

Reference(s) in IAPP Certification Textbooks: M34-36

Cyber liability insurance

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. Cyber liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

Reference(s) in IAPP Certification Textbooks: M169, 191

Data Inventory

Also known as a record of authority, a data inventory identifies personal data as it moves across various systems, and thus how the data is shared and organized and where it is located. That data is then categorized by subject area, which exposes inconsistent data versions and enables identification and mitigation of data disparities.

Reference(s) in IAPP Certification Textbooks: M33

Data Life Cycle Management

Also known as information life cycle management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

Reference(s) in IAPP Certification Textbooks: M105-110, 142

Acronym(s): DLM; ILM

Associated term(s): Information Life Cycle Management

Data Protection Authority

An official or body that ensures compliance with data protection laws and investigates alleged breaches of the laws’ provisions.

Reference(s) in IAPP Certification Textbooks: F31; E39; M41

Acronym(s): DPA

Data Protection Impact Assessment

Similar to a Privacy Impact Assessment. According to the proposed EU Data Protection Regulation, Data Protection Impact Assessments ensure “a conscious and systematic effort is made to assess privacy risks to individuals in the collection, use and disclosure of their personal data. DPIAs help identify privacy risks, foresee problems and bring forward solutions.”

Reference(s) in IAPP Certification Textbooks: M123-124

Acronym(s): DPIA

Associated term(s): Privacy Impact Assessments (PIAs)

Data Quality

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: does it meet the business needs, is it accurate, is it complete, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Reference(s) in IAPP Certification Textbooks: F22; C19; E2; G10, 20; M35

Decentralized Governance

Also known as “local governance,” this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.

Reference(s) in IAPP Certification Textbooks: M20

Associated term(s): Local Governance

Electronic Communications Privacy Act of 1986

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

Reference(s) in IAPP Certification Textbooks: US142,143; G108-109; M38

Acronym(s): ECPA

Associated law(s): Stored Communications Act, Stored Wire Electronic Communications Act, USA Patriot Act

EU Data Protection Directive

Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46/EC), which protects individuals’ privacy and personal data use. The Directive was adopted in 1995 and became effective in 1998. The Directive recognizes the European view that privacy is a fundamental human right and establishes a general, comprehensive legal framework aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality and transparency principles, data security and confidentiality, data subjects’ rights of access, rectification, deletion and objection, restrictions on onward transfers, additional protection where special categories of data and direct marketing are involved, and a prohibition on automated individual decisions. The Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The Directive’s key provisions impose severe restrictions on personal data processing, grant individual rights to “data subjects” and set forth specific procedural obligations, including notification to national authorities. This was followed in 1997 by a more specific directive for the telecom sector (97/66/EC), which was replaced in mid-2002 by the European institutions to adapt it to new technologies and business practices (2002/58/EC). The Directive has been supplemented by additional directives, including a specific provision for e-commerce.

There is currently a proposal from the European Commission for an EU Data Protection Regulation that would supersede the directive if passed.

Reference(s) in IAPP Certification Textbooks: F18-19, 34-41; E37; M30, 39

Associated term(s): Data Protection Directive

Fair and Accurate Credit Transactions Act of 2003

An amendment to the Fair Credit Reporting Act, this Act allows consumers to request and obtain a free credit report every twelve months from each of the three nationwide consumer credit reporting companies.

Reference(s) in IAPP Certification Textbooks: M38

Acronym(s): FACTA

Associated law(s): Fair Credit Reporting Act (FCRA)

Five-Step Metric Life Cycle

Gap Analysis

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.

Reference(s) in IAPP Certification Textbooks: M54

Generally Accepted Privacy Principles

A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement.

Reference(s) in IAPP Certification Textbooks: C61-62; M30, 49-50, 128

Acronym(s): GAPP

Gramm-Leach-Bliley Act

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S. In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions. GLBA requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt out of some sharing of personal financial information.

Reference(s) in IAPP Certification Textbooks: F41, 43, 68; US66-71; C125-126; G98-101; M8, 30, 38

Acronym(s): GLBA

Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt-in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

Reference(s) in IAPP Certification Textbooks: F42; US46-51; C124-125; G89-92; M9, 30, 38, 40

Acronym(s): HIPAA

Hybrid Governance

This privacy governance model allows for a combination of centralized and local governance. It is typically seen when a large organization assigns one individual the main responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body.

Reference(s) in IAPP Certification Textbooks: M20

Individual Participation

A fair information practices principle, it is the principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Reference(s) in IAPP Certification Textbooks: F18; E20; M35

Associated term(s): FIPs

Information Life Cycle Management

Also known as data life cycle management (DLM) or data governance, ILM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. ILM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

Reference(s) in IAPP Certification Textbooks: M105-110, 142

Acronym(s): DLM, ILM

Associated term(s): Data Life Cycle Management

Information Security Practices

Provide management, technical and operational controls to reduce probable damage, loss, modification or unauthorized data access.

Reference(s) in IAPP Certification Textbooks: M112

Information Security Triad

Also known as “the C-I-A triad”; consists of three common information security principles: Confidentiality, integrity, and availability.

Reference(s) in IAPP Certification Textbooks: M112

Associated term(s): C-I-A Triad

Internal Partners

Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology.

Reference(s) in IAPP Certification Textbooks: M11-13

Local Governance

Also known as “decentralized governance,” this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider span of control and bottom-to-top flow of decision-making and ideas.

Reference(s) in IAPP Certification Textbooks: M20

Associated term(s): Decentralized Governance

Metric Life Cycle

The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of a five-step process: (1) identification of the intended audience; (2) definition of data sources; (3) selection of privacy metrics; (4) collection and refinement of systems/application collection points; and (5) analysis of the data/metrics to provide value to the organization and provide a feedback quality mechanism.

Reference(s) in IAPP Certification Textbooks: M64

Metrics

Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.

Reference(s) in IAPP Certification Textbooks: M61

Associated term(s): Metric Life Cycle

Non-Public Personal Information

Defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information.

Reference(s) in IAPP Certification Textbooks: F43; US67-68; G99; M36

Acronym(s): NPI

Associated law(s): GLBA

Openness

A fair information practices principle, it is the principle that there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Reference(s) in IAPP Certification Textbooks: F18, 22; C42-43; E8; M35

Organization for Economic Cooperation and Development

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.

Reference(s) in IAPP Certification Textbooks: F17-18; US13, 24; C18; E7; G10-11; M27, 50

Acronym(s): OECD

PCI Data Security Standard

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties.

Reference(s) in IAPP Certification Textbooks: F33; US23, 117; M9, 46

Acronym(s): PCI-DSS

Performance Measurement

The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness; gathering data and producing quantifiable output that describes performance.

Reference(s) in IAPP Certification Textbooks: M61-63

Associated term(s): Metrics

Personal Information

May refer either to a generic term for information about an individual, or to the EU term for such information. In the U.S., such information may be referred to as Personally Identifiable Information.

Reference(s) in IAPP Certification Textbooks: F4-7, 39; G4-5; M36

Acronym(s): PI

Associated term(s): Personal Data; Personally Identifying Information; Personally Identifiable Information

Personal Information Protection and Electronic Documents Act

A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.

Reference(s) in IAPP Certification Textbooks: F48-49; C23-31; M27

Acronym(s): PIPEDA

Platform for Privacy Preferences

A machine-readable language that helps to express a website’s data management practices in an automated fashion.

Reference(s) in IAPP Certification Textbooks: M30, 51

Acronym(s): P3P

Privacy by Design

The concept that organizations need to build privacy directly into technology, systems and practices at the design phase, thereby ensuring the existence of privacy from the outset. Originating in the mid-1990s by the Information and Privacy Commissioner of Ontario, the principle has gained recognition around the globe, including from the U.S. Federal Trade Commission and the European Commission. Privacy by Design consists of seven foundational principles: (1) Proactive not Reactive; Preventative not Remedial. Privacy by Design anticipates and prevents privacy invasive events before they happen, rather than waiting for privacy risks to materialize; (2) Privacy as the Default Setting. No action is required by individuals to maintain their privacy; it is built into the system by default. This concept has been introduced in the European Commission’s draft regulation to reform data protection. (3) Privacy Embedded into Design. Privacy is an essential component of the core functionality being designed and delivered. The FTC has adopted this principle in its proposed consumer privacy framework, calling for companies to promote consumer privacy throughout the organization and at every stage of product development. (4) Full Functionality—Positive-Sum, not Zero-Sum: Privacy by Design seeks to accommodate all legitimate interests and objectives, rather than making unnecessary trade-offs. (5) End-to-End Security—Full Lifecycle Protection. Strong security measures are essential to privacy, from start to finish of the lifecycle of data. This is another principle the FTC has adopted in its proposed consumer privacy framework.

Reference(s) in IAPP Certification Textbooks: F14-15, 128; US21; M88-90, 121-122

Acronym(s): PbD

Privacy Champion

An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept.

Reference(s) in IAPP Certification Textbooks: M12

Privacy Impact Assessment

“An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.” PIAs should disclose what PII is being collected, why it is being collected, what the intended uses of the PII are, whom the PII will be shared with, what opportunities individuals will have to opt-out of PII collection or use, how the PII will be secured, whether a system of records is being created under the Privacy Act and an analysis of the information life cycle. Checklists or tools used to ensure that the system used to collect personal information is evaluated for privacy risks, designed with lifecycle principles in mind and made to ensure that effective and required privacy protection measures are used. A PIA should be completed pre-implementation of the privacy project, product, or service and should be ongoing through its deployment. The PIA should identify these attributes of the data collected: what information is collected; why it is collected; the intended use of the information; with whom the information is shared, and the consent and choice rights of the data subjects. The PIA should be used to assess new systems, significant changes to existing systems, operational policies and procedures and intended use of the information. PIAs should also be used before, during, and after mergers and acquisitions. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to existing legal, regulatory and industry standards, and maintains consistency between policy and operational practices.

Reference(s) in IAPP Certification Textbooks: F14; G31; M123-125

Acronym(s): PIA

Privacy Maturity Model

Provides a standardized reference for companies to use in assessing the level of maturity of their privacy programs.

Reference(s) in IAPP Certification Textbooks: M86-88

Acronym(s): PMM

Privacy Operational Life Cycle

Focused on refining and improving privacy processes, this model continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to measure (assess), improve (protect), evaluate (sustain) and support (respond), and then start again.

Reference(s) in IAPP Certification Textbooks: M28, 83

Associated term(s): Assess; Protect; Sustain; Respond

Privacy Program Framework

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.

Reference(s) in IAPP Certification Textbooks: M25-28

Privacy Threshold Analysis

One tool used to determine whether a PIA should be conducted.

Reference(s) in IAPP Certification Textbooks: M123

Acronym(s): PTA

Privacy-Enhancing Technologies

Privacy technology standards developed solely to be used for the transmission, storage and use of privacy data. Examples include Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL).

Reference(s) in IAPP Certification Textbooks: M30, 51, 128-129

Acronym(s): PETs

Protect

The second of four phases of the privacy operational life cycle. It provides the data life cycle, information security practices and Privacy by Design principles to “protect” personal information.

Reference(s) in IAPP Certification Textbooks: M105

Associated term(s): Privacy Operational Life Cycle; Assess; Sustain; Respond

Protected Health Information

Any individually identifiable health information transmitted or maintained in any form or medium that is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer, and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.

Reference(s) in IAPP Certification Textbooks: US46; G91; M37

Acronym(s): PHI

Purpose Specification

A fair information practices principle, it is the principle stating that the purposes for which personal data are collected should be specified no later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Reference(s) in IAPP Certification Textbooks: F18, 22; E20, 253; M35

Associated term(s): FIPs



Respond

The fourth of four phases of the privacy operational life cycle. It includes the respond principles of information requests, legal compliance, incident-response planning and incident handling. The “respond” phase aims to reduce organizational risk and bolster compliance with regulations.

Reference(s) in IAPP Certification Textbooks: M153

Associated term(s): Privacy Operational Life Cycle; Assess; Protect; Sustain



Return on Investment

An indicator used to measure the financial gain/loss (or “value”) of a project in relation to its cost. Privacy ROI defines metrics to measure the effectiveness of the investments made to protect assets.

Reference(s) in IAPP Certification Textbooks: M77

Acronym(s): ROI



Security Safeguards

A fair information practices principle, it is the principle that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Reference(s) in IAPP Certification Textbooks: F18, 21; G10; M35



Social Engineering

A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.

Reference(s) in IAPP Certification Textbooks: F119-120; M170-171

Associated term(s): Phishing



Stakeholders

Individual executives within an organization who lead and “own” the responsibility of privacy activities.

Reference(s) in IAPP Certification Textbooks: M12



Strategic Management

The first high-level task necessary to implement proactive privacy management, carried out through three subtasks: define your organization’s privacy vision and privacy mission statements; develop a privacy strategy; and structure your privacy team.

Reference(s) in IAPP Certification Textbooks: M4



Sustain

The third of four phases of the privacy operational life cycle. It provides privacy management through the monitoring, auditing, and communication aspects of the management framework.

Reference(s) in IAPP Certification Textbooks: M127

Associated term(s): Privacy Operational Life Cycle; Assess; Protect; Respond



US-CERT

A partnership between the Department of Homeland Security and the public and private sectors intended to coordinate the response to security threats from the Internet. As such, it releases information about current security issues, vulnerabilities and exploits via the National Cyber Alert System and works with software vendors to create patches for security vulnerabilities.

Reference(s) in IAPP Certification Textbooks: G7, 49; M113

Acronym(s): US-CERT

Associated term(s): U.S. Computer Emergency Readiness Team



US-CERT IT Security Essential Body of Knowledge

Fourteen generic information security practice competency areas, including: Data Security; Digital Signatures; Enterprise Continuity; Incident Management; IT Security and Training Awareness; IT Systems Operation and Maintenance; Network and Telecommunications Security; Personnel Security; Physical and Environmental Security; Procurement; Regulatory and Standards Compliance; Security Risk Management; Strategic Security Management; and System and Application Security.

Reference(s) in IAPP Certification Textbooks: M113



Vendor Assessment

Assessment of a third-party vendor for the vendor’s privacy and information security policies, access controls, where the personal information will be held and who has access to it. Privacy/security questionnaires, privacy impact assessments and other checklists can be used to assess this risk.

Reference(s) in IAPP Certification Textbooks: M101



WebTrust

Created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is a self-regulating seal program which licenses qualifying certified public accountants.

Reference(s) in IAPP Certification Textbooks: F34; M50

Associated term(s): Seal Programs
