IAPP-CIPT-GlossaryTerms-2023/24-
Final
Abstract - Limit the amount of detail in which personal information is processed.
Access Control Entry - An element in an access control list (ACL). Each ACE controls, monitors, or records
access to an object by a specified user.
Access Control List - A list of access control entries (ACE) that apply to an object. Each ACE controls or
monitors access to an object by a specified user. In a discretionary access control list (DACL), the ACL
controls access; in a system access control list (SACL) the ACL monitors access in a security event log
which can comprise part of an audit trail.
Accountability - The implementation of appropriate technical and organisational measures to ensure
and be able to demonstrate that the handling of personal data is performed in accordance with relevant
law, an idea codified in the EU General Data Protection Regulation and other frameworks, including
APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices
principle, that due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other fair use principles.
Active Data Collection - When an end user deliberately provides information, typically through the use
of web forms, text boxes, check boxes or radio buttons.
AdChoices - A program run by the Digital Advertising Alliance to promote awareness and choice in
advertising for internet users. Websites with ads from participating DAA members will have an
AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon,
users may set preferences for behavioral advertising on that website or with DAA members generally
across the web.
Adequate Level of Protection - A transfer of personal data from the European Union to a third country or
an international organisation may take place where the European Commission has decided that the
third country, a territory or one or more specified sectors within that third country, or the international
organisation in question, ensures an adequate level of protection by taking into account the following
elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and
,sectoral legislation, data protection rules, professional rules and security measures, effective and
enforceable data subject rights and effective administrative and judicial redress for the data subjects
whose personal data is being transferred; (b) the existence and effective functioning of independent
supervisory authorities with responsibility for ensuring and enforcing compliance with the data
protection rules; (c) the international commitments the third country or international organisation
concerned has entered into in relation to the protection of personal data.
Advanced Encryption Standard - An encryption algorithm for security sensitive non-classified material by
the U.S. Government. This algorithm was selected in 2001 to replace the previous algorithm, the Date
Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the
U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael,
pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent
Rijmen.
Adverse Action - Under the Fair Credit Reporting Act, the term "adverse action" is defined very broadly
to include all business, credit and employment actions affecting consumers that can be considered to
have a negative impact, such as denying or canceling credit or insurance, or denying employment or
promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer
that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient
of the adverse action with a copy of the credit report leading to the adverse action.
Agile Development Model - A process of software system and product design that incorporates new
system requirements during the actual creation of the system, as opposed to the Plan-Driven
Development Model. Agile development takes a given project and focuses on specific portions to
develop one at a time. An example of Agile development is the Scrum Model.
Algorithms - Mathematical applications applied to a block of data.
Anonymization - The process in which individually identifiable data is altered in such a way that it no
longer can be related back to a given individual. Among many techniques, there are three primary ways
that data is anonymized. Suppression is the most basic version of anonymization and it simply removes
some identifying values from data to reduce its identifiability. Generalization takes specific identifying
values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise
addition takes identifying values from a given data set and switches them with identifying values from
another individual in that data set. Note that all of these processes will not guarantee that data is no
longer identifiable and have to be performed in such a way that does not harm the usability of the data.
,Anonymous Information - In contrast to personal data, anonymous information or data is not related to
an identified or an identifiable natural person and cannot be combined with other information to re-
identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.
Anthropomorphism - Attributing human characteristics or behaviors to non-human objects.
Anti-discrimination Laws - Anti-discrimination laws are indications of special classes of personal data. If
there exists law protecting against discrimination based on a class or status, it is likely personal
information relating to that class or status is subject to more stringent data protection regulation, under
the GDPR or otherwise.
Application or field encryption - Ability to encrypt specific fields of data; specifically sensitive data such
as credit cards numbers or health-related information.
Application-Layer Attacks - Attacks that exploit flaws in the network applications installed on network
servers. Such weaknesses exist in web browsers, e-mail server software, network routing software and
other standard enterprise applications. Regularly applying patches and updates to applications may help
prevent such attacks.
Appropriation - Using someone's identity for another person's purposes.
Asymmetric Encryption - A form of data encryption that uses two separate but related keys to encrypt
data. The system uses a public key, made available to other parties, and a private key, which is kept by
the first party. Decryption of data encrypted by the public key requires the use of the private key;
decryption of the data encrypted by the private key requires the public key.
Attribute-Based Access Control - An authorization model that provides dynamic access control by
assigning attributes to the users, the data, and the context in which the user requests access (also
referred to as environmental factors) and analyzes these attributes together to determine access.
Audit Trail - A chain of electronic activity or sequence of paperwork used to monitor, track, record, or
validate an activity. The term originates in accounting as a reference to the chain of paperwork used to
validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce,
to track customer's activity, or cyber-security, to investigate cybercrimes.
, Authentication - The process by which an entity (such as a person or computer system) determines
whether another entity is who it claims to be.
Authorization - In the context of information security, it is process of determining if the end user is
permitted to have access to the desired resource such as the information asset or the information
system containing the asset. Authorization criteria may be based upon a variety of factors such as
organizational role, level of security clearance, applicable law or a combination of factors. When
effective, authentication validates that the entity requesting access is who or what it claims to be.
Automated decision making - The process of making a decision without human involvement.
Basel III - A comprehensive set of reform measures, developed by the Basel Committee on Banking
Supervision, to strengthen the regulation, supervision and risk management of the banking sector.
Behavioral Advertising - Advertising that is targeted at individuals based on the observation of their
behaviour over time. Most often done via automated processing of personal data, or profiling, the
General Data Protection Regulation requires that data subjects be able to opt-out of any automated
processing, to be informed of the logic involved in any automatic personal data processing and, at least
when based on profiling, be informed of the consequences of such processing. If cookies are used to
store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires
that data subjects provide consent for the placement of such cookies, after having been provided with
clear and comprehensive information.
Big Data - A term used to describe the large data sets which exponential growth in the amount and
availability of data have allowed organizations to collect. Big data has been articulated as "the three V's:
volume (the amount of data), velocity (the speed at which data may now be collected and analyzed),
and variety (the format, structured or unstructured, and type of data, e.g. transactional or behavioral).
Biometrics - Data concerning the intrinsic physical or behavioral characteristics of an individual.
Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke
technique and gait. The General Data Protection Regulation, in Article 9, lists biometric data for the
purpose of uniquely identifying a natural person as a special category of data for which processing is not
allowed other than in specific circumstances.
Blackmail - The threat to disclose an individual's information against his or her will.
Final
Abstract - Limit the amount of detail in which personal information is processed.
Access Control Entry - An element in an access control list (ACL). Each ACE controls, monitors, or records
access to an object by a specified user.
Access Control List - A list of access control entries (ACE) that apply to an object. Each ACE controls or
monitors access to an object by a specified user. In a discretionary access control list (DACL), the ACL
controls access; in a system access control list (SACL) the ACL monitors access in a security event log
which can comprise part of an audit trail.
Accountability - The implementation of appropriate technical and organisational measures to ensure
and be able to demonstrate that the handling of personal data is performed in accordance with relevant
law, an idea codified in the EU General Data Protection Regulation and other frameworks, including
APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices
principle, that due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other fair use principles.
Active Data Collection - When an end user deliberately provides information, typically through the use
of web forms, text boxes, check boxes or radio buttons.
AdChoices - A program run by the Digital Advertising Alliance to promote awareness and choice in
advertising for internet users. Websites with ads from participating DAA members will have an
AdChoices icon near advertisements or at the bottom of their pages. By clicking on the Adchoices icon,
users may set preferences for behavioral advertising on that website or with DAA members generally
across the web.
Adequate Level of Protection - A transfer of personal data from the European Union to a third country or
an international organisation may take place where the European Commission has decided that the
third country, a territory or one or more specified sectors within that third country, or the international
organisation in question, ensures an adequate level of protection by taking into account the following
elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and
,sectoral legislation, data protection rules, professional rules and security measures, effective and
enforceable data subject rights and effective administrative and judicial redress for the data subjects
whose personal data is being transferred; (b) the existence and effective functioning of independent
supervisory authorities with responsibility for ensuring and enforcing compliance with the data
protection rules; (c) the international commitments the third country or international organisation
concerned has entered into in relation to the protection of personal data.
Advanced Encryption Standard - An encryption algorithm for security sensitive non-classified material by
the U.S. Government. This algorithm was selected in 2001 to replace the previous algorithm, the Date
Encryption Standard (DES), by the National Institute of Standards and Technology (NIST), a unit of the
U.S. Commerce Department, through an open competition. The winning algorithm (RijnDael,
pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen and Vincent
Rijmen.
Adverse Action - Under the Fair Credit Reporting Act, the term "adverse action" is defined very broadly
to include all business, credit and employment actions affecting consumers that can be considered to
have a negative impact, such as denying or canceling credit or insurance, or denying employment or
promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer
that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient
of the adverse action with a copy of the credit report leading to the adverse action.
Agile Development Model - A process of software system and product design that incorporates new
system requirements during the actual creation of the system, as opposed to the Plan-Driven
Development Model. Agile development takes a given project and focuses on specific portions to
develop one at a time. An example of Agile development is the Scrum Model.
Algorithms - Mathematical applications applied to a block of data.
Anonymization - The process in which individually identifiable data is altered in such a way that it no
longer can be related back to a given individual. Among many techniques, there are three primary ways
that data is anonymized. Suppression is the most basic version of anonymization and it simply removes
some identifying values from data to reduce its identifiability. Generalization takes specific identifying
values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise
addition takes identifying values from a given data set and switches them with identifying values from
another individual in that data set. Note that all of these processes will not guarantee that data is no
longer identifiable and have to be performed in such a way that does not harm the usability of the data.
,Anonymous Information - In contrast to personal data, anonymous information or data is not related to
an identified or an identifiable natural person and cannot be combined with other information to re-
identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR.
Anthropomorphism - Attributing human characteristics or behaviors to non-human objects.
Anti-discrimination Laws - Anti-discrimination laws are indications of special classes of personal data. If
there exists law protecting against discrimination based on a class or status, it is likely personal
information relating to that class or status is subject to more stringent data protection regulation, under
the GDPR or otherwise.
Application or field encryption - Ability to encrypt specific fields of data; specifically sensitive data such
as credit cards numbers or health-related information.
Application-Layer Attacks - Attacks that exploit flaws in the network applications installed on network
servers. Such weaknesses exist in web browsers, e-mail server software, network routing software and
other standard enterprise applications. Regularly applying patches and updates to applications may help
prevent such attacks.
Appropriation - Using someone's identity for another person's purposes.
Asymmetric Encryption - A form of data encryption that uses two separate but related keys to encrypt
data. The system uses a public key, made available to other parties, and a private key, which is kept by
the first party. Decryption of data encrypted by the public key requires the use of the private key;
decryption of the data encrypted by the private key requires the public key.
Attribute-Based Access Control - An authorization model that provides dynamic access control by
assigning attributes to the users, the data, and the context in which the user requests access (also
referred to as environmental factors) and analyzes these attributes together to determine access.
Audit Trail - A chain of electronic activity or sequence of paperwork used to monitor, track, record, or
validate an activity. The term originates in accounting as a reference to the chain of paperwork used to
validate or invalidate accounting entries. It has since been adapted for more general use in e-commerce,
to track customer's activity, or cyber-security, to investigate cybercrimes.
, Authentication - The process by which an entity (such as a person or computer system) determines
whether another entity is who it claims to be.
Authorization - In the context of information security, it is process of determining if the end user is
permitted to have access to the desired resource such as the information asset or the information
system containing the asset. Authorization criteria may be based upon a variety of factors such as
organizational role, level of security clearance, applicable law or a combination of factors. When
effective, authentication validates that the entity requesting access is who or what it claims to be.
Automated decision making - The process of making a decision without human involvement.
Basel III - A comprehensive set of reform measures, developed by the Basel Committee on Banking
Supervision, to strengthen the regulation, supervision and risk management of the banking sector.
Behavioral Advertising - Advertising that is targeted at individuals based on the observation of their
behaviour over time. Most often done via automated processing of personal data, or profiling, the
General Data Protection Regulation requires that data subjects be able to opt-out of any automated
processing, to be informed of the logic involved in any automatic personal data processing and, at least
when based on profiling, be informed of the consequences of such processing. If cookies are used to
store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires
that data subjects provide consent for the placement of such cookies, after having been provided with
clear and comprehensive information.
Big Data - A term used to describe the large data sets which exponential growth in the amount and
availability of data have allowed organizations to collect. Big data has been articulated as "the three V's:
volume (the amount of data), velocity (the speed at which data may now be collected and analyzed),
and variety (the format, structured or unstructured, and type of data, e.g. transactional or behavioral).
Biometrics - Data concerning the intrinsic physical or behavioral characteristics of an individual.
Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke
technique and gait. The General Data Protection Regulation, in Article 9, lists biometric data for the
purpose of uniquely identifying a natural person as a special category of data for which processing is not
allowed other than in specific circumstances.
Blackmail - The threat to disclose an individual's information against his or her will.
