CIPT Study Set Exam 2024 Questions and Answers Correctly Solved
AICPA definition of privacy - The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information

IAPP definition of Privacy - The appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual's expectations; also, the right of an individual to control the collection, use, and disclosure of personal information

Data Protection - The management of personal information. In the United States, "privacy" is the term that is used in policies, laws and regulations. However, in the EU and other countries, this term often identifies privacy-related laws and regulations.

Processes in an organization where privacy is important - Human resource management, finance and accounting, procurement, marketing, sales, customer support, technical support, retail operations, research and development, regulatory reporting

Common challenges with privacy - Lost or stolen media, over-sharing of personal information, good intentions but misused data, third party service provider weaknesses, regulatory violations, website leakage, hackers, unwanted marketing communications, fraudulent transactions, social engineering

If Privacy is compromised, what is the result - Identity theft, brand and reputation damage, litigation, regulatory action, direct financial loss, loss of market value, loss of consumer and business partner confidence, becoming an example of what could go wrong

What are the different types of information about people - Personal information, personal data, PII, individually identifiable information

Types of personal information - Sensitive information, PII, protected health information (PHI) and electronic (ePHI), non-public personal financial information (NPI)

Types of non-personal information - Non-personally identifiable information (non-PII), de-identified or anonymized information, statistical and aggregate information, household data, demographic data

European categories of sensitive data - Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, offenses or criminal convictions, genetic data

US categories of sensitive data - Social security numbers, financial information, driver's license numbers, medical records

Personal information data elements - Name, gender, age/date of birth, marital status, citizenship, nationality, languages spoken, veteran status, disabled status, addresses, phone numbers, email addresses, govt-issued IDs, identity verification information, internal ID numbers

Employee related data elements - Employment history, job-related history, employee relations, compensations, payroll, background checks, benefits, health, labor relations

Customer related data elements - Account numbers, personal financial information, credit score, transaction, income, assets, credit information

Ways of processing personal information - Collection, recording, organization, storage, updating or modifying, retrieval, consultation, use, disclosure by transmission, linking, alignment or combinations, blocking, erasure or destruction

List of Data Protection Authorities around the World - Canadian federal and provincial privacy commissioners; Hong Kong, Australia, New Zealand national privacy commissioners; EU; UK Information Commissioner; German federal and state level data protection commissioners. Under GDPR, EU nations will have supervisory authorities obliged to work together. US: there is no national data protection authority. Japan has a similar protection stance and multiple regulators.

Controller - Determines the purposes and means of processing. Every instance of processing personal data has a minimum of one of these. May be joint responsibility of two or more. There can be 2 of them if they share a pool of personal information, each processing independently of the other. The responsibility of the data always sits with this person.

Processor - Processes personal data on behalf of the controller, i.e. a vendor like a cloud provider providing space for the client. They rely on the instructions from the controller.

Types of rights of the individual - Notice, choice and consent, data subject access

Information life cycle - Collection, use of internal sharing, disclosure, retention and disposal

Types of Controls on the Data - Information security, quality controls

Management elements of data - management and admin monitoring and enforcement powers of the regulators penalties and sanctions

Notice - The organization provides ____ about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed, i.e. website privacy statements, employee privacy notice marketing emails notice and choice statements

Written for
- Institution: CIPT
- Course: CIPT

Document information
- Uploaded on: March 6, 2024
- Number of pages: 43
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers