Here are some common privacy law tenets shared across regulatory standards:
- **P**articipation – the data subject should have the option to opt in or opt out.
- **L**imitation – the data can only be used for the purpose stated.
- **S**cope – there must be a specific purpose (and it must be legal/ethical), and the scope should be included in the notification.
- **A**ccuracy – the data must be as accurate as possible, and the data subject should be able to make corrections.
- **R**etention – the data should be kept only as long as it’s needed.
- **S**ecurity – the custodian must protect the data.
- **D**issemination – the custodian must not share the data without notifying the data subject.
- **N**otification – the data subject must be notified that you are collecting and creating their data before it’s used, and the notification should include the purpose of use.
A trick to memorize the privacy tenets is to say the following phrase while noting the bolded letters above:
“PLS (please) Acquire or Reveal Some DoNuts”
Write this mnemonic down on your memorization sheet several times.
Try to understand the difference between the tenets that overlap, such as Limitation and Scope, or Notification and Scope.
Some additional privacy concepts that are presented in Domain 1 include:
General Data Protection Regulation (GDPR): also has privacy tenets that are similar to, but not the same as, the general tenets. There is no guarantee which one you’ll be tested on, so memorize both and what each tenet requires. You can memorize these with a mnemonic as well: “Public Displays of Affection Sure Interest A Lot of Us.”
- Purpose limitation – data should be collected only for the stated purpose and not used for other purposes.
- Data minimization – only the data needed for the stated purpose should be collected and used.
- Accuracy – there should be a method for the data subject to make corrections so that the information is accurate.
- Storage limitation – basically, don’t keep the information longer than needed.
- Integrity/confidentiality – you should prevent unauthorized modification or viewing of the data.
- Accountability – your organization must demonstrate compliance with these principles and is accountable/responsible for the data.
- Lawfulness, fairness, transparency – data must be collected, handled, and destroyed in ways that are legal, fair, and transparent (subject to review/audit).
- Personally identifiable information (PII) – This refers to information that can be used to identify someone, such as a social security number, tax ID number, home address, email address, photograph of the person, fingerprint, credit card number, account number, etc.
- Personal or Protected Health Information (PHI) – This refers to information that is protected under health laws such as HIPAA.
Some other concepts presented in the CBK related to GDPR are the following:
- Data portability – this is a GDPR right; it says that an individual can have their data securely transferred from one service or controller to another, and that controllers need to provide a mechanism for such requests to be made, such as a paper form that requests the transfer or an online web form.
- Data localization – the requirement that data be processed and stored in the country of the data’s origin, or where it was collected. GDPR discusses this principle in the context of the conditions that must be met before transmitting EU data outside of the EU.
- Cross-border privacy rules – these are being put into frameworks to help address transmitting PII across international borders.
The Organization for Economic Cooperation and Development (OECD) has small differences in its privacy tenets:
- Collection limitation – limits the collection of personal data
- Data quality – data should be accurate, up to date, and relevant to the purpose for which it is used
- Purpose specification – the purpose should be specified at the time of collection
- Use limitation – the data cannot be disclosed or used without consent
- Security safeguards – data must be afforded reasonable protection
- Openness – with respect to policies and procedures involving personal data
- Individual participation – data must be made available to the subject, and the subject has specific rights related to the data
- Accountability – the data controller is accountable