CIPM Glossary

Accountability

A fair information practices principle, it is the idea that when personal information is to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and tak

Active Scanning Tools

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on th

American Institute of Certified Public Accountants

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

APEC Privacy Principles

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region b

Assess

The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and

Audit Life Cycle

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Bureau of Competition

One of the United States' Federal Trade Commission's three principal groups relevant to privacy oversight; investigates and attempts the prevention of anticompetitive business practices, such as monopolies, price-fixing and similar regulatory violations,

Bureau of Consumer Protection

One of the United States' Federal Trade Commission's three principal groups relevant to privacy oversight; protects consumers against deceptive and/or unfair business practices. Included under the FTC mandate are deceptive advertising and fraudulent produ

Bureau of Economics

One of the United States' Federal Trade Commission's three principal groups relevant to privacy oversight; works in accord with the Bureau of Competition to study the effects of FTC lawmaking initiatives and of existing law.

Business case

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements a

Business Continuity and Disaster Recovery Plan

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.

Business Continuity Plan

The business continuity plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in

C-I-A Triad

Also known as information security triad; three common information security principles from the 1960s: Confidentiality, integrity, availability.

Canadian Institute of Chartered Accountants

The Canadian Institute of Chartered Accountants (CICA), in partnership with the provincial and territorial institutes, is responsible for the functions that are critical to the success of the Canadian CA profession. CICA, pursuant to the 2006 Protocol, is

Centralized governance

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point.

Children's Online Privacy Protection Act (COPPA) of 1998

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collec

Collection Limitation

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data

Current baseline

"As-is" data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

Cyber liability insurance

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. Cyber liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis mana

Data Inventory

Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabl

Data Life Cycle Management

Also known as information life cycle management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles,

Data Protection Authority

An official or body that ensures compliance with data protection laws and investigates alleged breaches of the laws' provisions.

Data Protection Impact Assessment

Similar to a Privacy Impact Assessment. According to the proposed EU Data Protection Regulation, Data Protection Impact Assessments ensure "a conscious and systematic effort is made to assess privacy risks to individuals in the collection, use and disclos

Data Quality

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of

Decentralized Governance

Also known as "local governance," this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure,

Electronic Communications Privacy Act of 1986

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are

EU Data Protection Directive

Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46EC) which protects individuals' privacy and personal data use. The Directive was adopted in 1995,

Fair and Accurate Credit Transactions Act of 2003

An amendment to the Fair Credit Reporting Act, this Act allows consumers to request and obtain a free credit report every twelve months from each of the three nationwide consumer credit reporting companies.

Gap Analysis

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, if any exist; requires reviewing the capabilities of current systems, managemen

Generally Accepted Privacy Principles

A framework promulgated by the American Institute of Certified Public Accountants (AICPA) in conjunction with the Canadian Institute of Chartered Accountants (CICA). The ten principles are management, notice, choice and consent, collection, use and retent

Gramm-Leach-Bliley Act

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the United States and applies broadly to any company that is "significantly engaged" in financial activities in the U.S. In

Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health i

Hybrid Governance

This privacy governance model allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the

Individual Participation

A fair information practices principle, it is the principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating

Information Life Cycle Management

Also known as data life cycle management (DLM) or data governance, ILM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. ILM provides a holistic approach to the processes, roles, contro

Information Security Practices

Provide management, technical and operational controls to reduce probable damage, loss, modification or unauthorized data access.

Information Security Triad

Also known as "the C-I-A triad"; consists of three common information security principles: Confidentiality, integrity, and availability.

Internal Partners

Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology.

Local Governance

Also known as "decentralized governance," this governance model involves the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational str

Metric Life Cycle

The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of a 5-step process: (1) Identification of the intended audience; (2) Definition of data sources; (3) Selection of privacy metrics; (4) Collection

Metrics

Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and prac

Non-Public Personal Information

Defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. E

Openness

A fair information practices principle, it is the principle that there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature

Organization for Economic Cooperation and Development

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.

PCI Data Security Standard

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Exce

Performance Measurement

The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness; gathering data and producing quantifiable output that describes performance.

Personal Information

May refer to either a generic term for information, or an EU term for such information. In the U.S., such information may be referred to as Personally Identifiable Information.

Personal Information Protection and Electronic Documents Act

A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.

Platform for Privacy Preferences

A machine-readable language that helps to express a website's data management practices in an automated fashion.

Privacy by Design

The concept that organizations need to build privacy directly into technology, systems and practices at the design phase, thereby ensuring the existence of privacy from the outset. Originating in the mid-1990s by the Information and Privacy Commissioner o

Privacy Champion

An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept.

Privacy Impact Assessment

An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in iden

Privacy Maturity Model

Provides a standardized reference for companies to use in assessing the level of maturity of their privacy programs.

Privacy Operational Life Cycle

Focused on refining and improving privacy processes, this model continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to measure (assess), improve (protect), evaluate (sustain) and support (respond), and

Privacy Program Framework

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for

Privacy Threshold Analysis

One tool used to determine whether a PIA should be conducted.

Privacy-Enhancing Technologies

Privacy technology standards developed solely to be used for the transmission, storage and use of privacy data. Examples include Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL).

Protect

The second of four phases of the privacy operational life cycle. It provides the data life cycle, information security practices and Privacy by Design principles to "protect" personal information.

Protected Health Information

Any individually identifiable health information transmitted or maintained in any form or medium that is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received

Purpose Specification

A fair information practices principle, it is the principle stating that the purposes for which personal data are collected should be specified no later than at the time of data collection and the subsequent use limited to the fulfillment of those purpose

Respond

The fourth of four phases of the privacy operational life cycle. It includes the respond principles of information requests, legal compliance, incident-response planning and incident handling. The "respond" phase aims to reduce organizational risk and bol

Return on Investment

An indicator used to measure the financial gain/loss (or "value") of a project in relation to its cost. Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in assets.

Security Safeguards

A fair information practices principle, it is the principle that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Social Engineering

A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.

Stakeholders

Individual executives within an organization who lead and "own" the responsibility of privacy activities.

Strategic Management

The first high-level task necessary to implement proactive privacy management, carried out through three subtasks: define your organization's privacy vision and privacy mission statements; develop a privacy strategy; and structure your privacy team.

Sustain

The third of four phases of the privacy operational life cycle. It provides privacy management through the monitoring, auditing, and communication aspects of the management framework.

US-CERT

A partnership between the Department of Homeland Security and the public and private sectors intended to coordinate the response to security threats from the Internet. As such, it releases information about current security issues, vulnerabilities and exp

US-CERT IT Security Essential Body of Knowledge

Fourteen generic information security practice competency areas, including: Data Security; Digital Signatures; Enterprise Continuity; Incident Management; IT Security and Training Awareness; IT Systems Operation and Maintenance; Network and Telecommunicat

Vendor Assessment

Assessment of a third-party vendor for the vendor's privacy and information security policies, access controls, where the personal information will be held and who has access to it. Privacy/security questionnaires, privacy impact assessments and other che

WebTrust

Created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is a self-regulating seal program which licenses qualifying certified public accountants.