Vocabulary-style flashcards covering core concepts, definitions, and models from Chapter 1 on privacy and data protection.
Privacy
Protection of information about individuals; the right to control how personal information about oneself is collected, used, and disclosed.
Data protection/privacy law
Laws governing the collection, use, storage, and disclosure of personal information to safeguard individuals’ privacy.
Information privacy
Rules governing the collection and handling of personal information (e.g., financial, medical, government records, online activity).
Bodily privacy
Protection of the person’s physical being and freedom from invasive procedures (e.g., genetic testing, medical testing, birth control, abortion).
Territorial privacy
Limits on intruding into a person’s environment (home, workplace, public space) through monitoring or surveillance.
Communications privacy
Protection of modes of communication (postal mail, telephone, email) and related behavior.
Warren and Brandeis (1890) – Right to Privacy
'The right to be let alone' and the early concise definition of privacy in the Harvard Law Review.
Four classes of privacy
Categories used to analyze privacy: information privacy, bodily privacy, territorial privacy, and communications privacy.
Fair Information Practices (FIPs) / FIPPs
Guidelines for handling personal data with privacy, security, and fairness; organized around rights, controls, life cycle, and management.
Rights of Individuals (FIPs)
Notice, choice/consent, and data subject access as key individual rights in privacy frameworks.
Controls on the information (FIPs)
Focus on information security and information quality to protect data.
Information Life Cycle (FIPs)
Stages of data handling: collection, use/retention, and disclosure.
Management (FIPs)
Organizational governance of privacy policies, procedures, monitoring, and enforcement.
Data controller
Entity that decides how and why personal information is processed; focal point of obligations.
Data processor
Entity that processes data on behalf of the data controller (often a vendor or subcontractor).
Processing
Any operation on personal data, including collection, storage, use, disclosure, retrieval, and destruction.
Data subject
The individual about whom information is collected or processed.
Public records
Information collected and maintained by government entities that is available to the public (varies by jurisdiction).
Publicly available information
Information generally accessible to many people (e.g., telephone directory listings, news articles, search results).
Nonpublic information
Information not generally available or easily accessed; includes medical, financial, and other sensitive data.
Personal information (PII)
Information that identifies or can identify an individual (e.g., name, SSN, address, email). Electronic and paper records are covered.
Sensitive personal information
Subset of PII requiring higher protection (e.g., SSN, financial, health data, race, religion).
Deidentified / Anonymized / Pseudonymized
Techniques to remove or obscure identifiers; deidentified/anonymized data cannot be linked to individuals; pseudonymized data uses codes that can be reversed.
IP address as data
EU view: IP addresses are personal data; US view varies by statute; regulators may treat IP as personal information in certain contexts.
Public records vs publicly available vs nonpublic information
Different sources of data; public records are government-maintained, publicly available information is widely accessible, nonpublic data is restricted.
Data subject access
Right of individuals to access their personal data held by a controller or processor and to request corrections.
Notice (FIPs)
Notice of privacy policies, purposes for collection, and data handling practices.
Under OECD/APEC, what is Collection Limitation?
Limit the collection of personal data to what is necessary and obtain it by lawful and fair means, often with consent.
Under OECD/APEC, what is Purpose Specification?
Specify the purposes for data collection at or before collection and limit subsequent use to those purposes.
Under OECD/APEC, what is Use Limitation?
Use personal data only for specified purposes, with certain exceptions by consent or law.
Under OECD/APEC, what is Security Safeguards?
Protect personal data with reasonable security measures against risks like loss or unauthorized access.
Openness (OECD/APEC)
Public policy of transparency about data practices and the identity of the data controller.
Individual Participation (OECD/APEC)
Right to access, obtain explanations, and challenge data, with rights to correction or deletion where appropriate.
Under OECD/APEC, what is Accountability?
Data controllers are accountable for complying with privacy principles and for demonstrating observance.
Madrid Resolution (2009) – Core principles
International privacy principles aimed at lawful processing, purpose limitation, proportionality, data quality, openness, and accountability.
Lawfulness and Fairness (Madrid principle)
Data must be processed lawfully and fairly, respecting applicable laws and individual rights.
Purpose Specification (Madrid)
Processing limited to explicit, legitimate purposes; noncompatible purposes require consent.
Proportionality (Madrid)
Processing should be adequate, relevant, and limited to what is necessary.
Data Quality (Madrid)
Personal data must be accurate, sufficient, up-to-date, and retained only as long as needed.
Openness (Madrid)
Provide information about identity, processing purposes, recipients, and how to exercise rights.
Accountability (Madrid)
Organize internal measures to observe and demonstrate adherence to privacy principles.
Comprehensive model
A data protection regime where the government sets broad rules for personal data across the economy, enforced by a dedicated authority.
Sectoral model
Privacy rules target specific industries or sectors rather than the entire economy.
Co-regulatory model
Shared responsibility between government and industry to create enforceable privacy codes.
Self-regulatory model
Industry-led privacy codes and practices with possible government involvement but no universal law.
Technology-based model
Privacy protection relies on technical measures (e.g., encryption) independent of stringent regulatory frameworks.