
CIPP-US Glossary Terms Exam Questions with Verified Solutions (Rated A+)

Pages: 20
Grade: A+
Published: 19-11-2024
Written in: 2024/2025



Accountability - Answers The implementation of appropriate technical and organisational measures to
ensure and be able to demonstrate that the handling of personal data is performed in accordance with
relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks,
including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information
practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other fair use principles.

Adequate Level of Protection - Answers A transfer of personal data from the European Union to a third
country or an international organisation may take place where the European Commission has decided
that the third country, a territory or one or more specified sectors within that third country, or the
international organisation in question, ensures an adequate level of protection by taking into account
the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both
general and sectoral legislation, data protection rules, professional rules and security measures,
effective and enforceable data subject rights and effective administrative and judicial redress for the
data subjects whose personal data is being transferred; (b) the existence and effective functioning of
independent supervisory authorities with responsibility for ensuring and enforcing compliance with the
data protection rules; (c) the international commitments the third country or international organisation
concerned has entered into in relation to the protection of personal data.

Adverse Action - Answers Under the Fair Credit Reporting Act, the term "adverse action" is defined very
broadly to include all business, credit and employment actions affecting consumers that can be
considered to have a negative impact, such as denying or canceling credit or insurance, or denying
employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a
counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish
the recipient of the adverse action with a copy of the credit report leading to the adverse action.

American Institute of Certified Public Accountants (AICPA) - Answers A U.S. professional organization of
certified public accountants and co-creator of the WebTrust seal program.

Americans with Disabilities Act (ADA) - Answers A U.S. law that bars discrimination against qualified
individuals with disabilities.

Anti-discrimination Laws - Answers Anti-discrimination laws are indications of special classes of personal
data. If there exists law protecting against discrimination based on a class or status, it is likely personal
information relating to that class or status is subject to more stringent data protection regulation, under
the GDPR or otherwise.

APEC Privacy Principles - Answers A set of non-binding principles adopted by the Asia-Pacific Economic
Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD
Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing
information privacy with business needs.

Background Screening/Checks - Answers Organizations may want to verify an applicant's ability to
function in the working environment as well as assuring the safety and security of existing workers.
Background checks range from checking a person's educational background to checking on past criminal
activity. Employee consent requirements for such checks vary by member state and may be negotiated
with local works councils.

Bank Secrecy Act, The (BSA) - Answers A U.S. federal law that requires U.S. financial institutions and
money services businesses (MSBs), which are entities that sell money orders or provide cash transfer
services, to record, retain and report certain financial transactions to the federal government. This
requirement is meant to assist the government in the investigation of money laundering, tax evasion,
terrorist financing and various other domestic and international criminal activities.

Behavioral Advertising (OBA) - Answers Advertising that is targeted at individuals based on the
observation of their behaviour over time. Most often done via automated processing of personal data,
or profiling, the General Data Protection Regulation requires that data subjects be able to opt out of any
automated processing, to be informed of the logic involved in any automatic personal data processing
and, at least when based on profiling, be informed of the consequences of such processing. If cookies
are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive
requires that data subjects provide consent for the placement of such cookies, after having been
provided with clear and comprehensive information.

Binding Corporate Rules (BCR) - Answers Binding Corporate Rules (BCRs) are an appropriate safeguard
allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data
between the various entities of a corporate group worldwide. They do so by ensuring that the same high
level of protection of personal data is complied with by all members of the organizational group by
means of a single set of binding and enforceable rules. BCRs compel organizations to be able to
demonstrate their compliance with all aspects of applicable data protection legislation and are approved
by a member state data protection authority. To date, relatively few organizations have had BCRs
approved.

Binding Safe Processor Rules (BSPR) - Answers Previously, the EU distinguished between Binding
Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data
Protection Regulation, there is now no distinction made between the two in this context and Binding
Corporate Rules are appropriate for both.

Breach Disclosure - Answers The requirement that an organization notify regulators and/or victims of
incidents affecting the confidentiality and security of personal data. The requirements in this arena vary
wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps
mitigate damage and aids in the understanding of causes of failure.

Bring Your Own Device (BYOD) - Answers Use of employees' own personal computing devices for work
purposes.

California Investigative Consumer Reporting Agencies Act (CICRAA) - Answers A California state law that
requires employers to notify applicants and employees of their intention to obtain and use a consumer
report.

Case Law - Answers Principles of law that have been established by judges in past decisions. When
similar issues arise again, judges look to the past decisions as precedents and decide the new case in a
manner that is consistent with past decisions.

CCTV - Answers Originally an acronym for "closed circuit television," CCTV has come to be shorthand for
any video surveillance system. Originally, such systems relied on coaxial cable and were truly only
accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be
accessed remotely, and the footage much more easily shared, eliciting new and different privacy
concerns.

Children's Online Privacy Protection Act (COPPA) of 1998 - Answers A U.S. federal law that applies to the
operators of commercial websites and online services that are directed to children under the age of 13.
It also applies to general audience websites and online services that have actual knowledge that they
are collecting personal information from children under the age of 13. COPPA requires these website
operators: to post a privacy notice on the homepage of the website; provide notice about collection
practices to parents; obtain verifiable parental consent before collecting personal information from
children; give parents a choice as to whether their child's personal information will be disclosed to third
parties; provide parents access and the opportunity to delete the child's personal information and opt
out of future collection or use of the information, and maintain the confidentiality, security and integrity
of personal information collected from children.

Choice - Answers In the context of consent, choice refers to the idea that consent must be freely given
and that data subjects must have a genuine choice as to whether to provide personal data or not. If
there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection
Regulation.

Cloud Computing - Answers The provision of information technology services over the Internet. These
services may be provided by a company for its internal users in a "private cloud" or by third-party
suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e.,
operating systems). Cloud computing has numerous applications, from personal webmail to corporate
data storage, and can be subdivided into different types of service models.

Collection Limitation - Answers A fair information practices principle, it is the principle stating there
should be limits to the collection of personal data, that any such data should be obtained by lawful and
fair means and, where appropriate, with the knowledge or consent of the data subject.

Commercial Activity - Answers Under Canada's PIPEDA, "commercial activity" means any particular
transaction, act or conduct, or any regular course of conduct, that is of a commercial character,
including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit
associations, unions and private schools are likely to be found to exist outside of this definition.
Seller: Tutor Joshua (TutorJosh)
