Privacy Principles

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Hello again and welcome to
00:00
the HCISPP certification course
00:00
with Cybrary Privacy Principles.
00:00
My name is Charlene Hutchins and I'm your instructor.
00:00
Today, we're going to review some privacy principles
00:00
that have influenced privacy laws
00:00
and regulations worldwide.
00:00
The consistent implementation and
00:00
application of privacy principles enables
00:00
organizations to effectively manage
00:00
the data life cycle of data they maintain.
00:00
We will cover specifically general privacy principles,
00:00
the OECD, GAPP,
00:00
PIPEDA, and DPA.
00:00
Basic privacy principles includes consent or choice.
00:00
The principle that the individual
00:00
has choice and how their data is used.
00:00
Limited collection, or legitimate purpose,
00:00
or purpose specification,
00:00
>> is the principle that data is
00:00
>> only collected for a specific purpose
00:00
and not for any other reason.
00:00
Disclosure limitation, transfer to third parties,
00:00
or transporter concerns,
00:00
>> is the principal where a disclosure is only for
00:00
>> the purposes stated in
00:00
any agreements with third parties or other entities.
00:00
Access limitation is the principle that only
00:00
those who require access
00:00
>> should have access to the data.
00:00
>> Security is the principle that
00:00
the appropriate protections will
00:00
be put in place to safeguard the data.
00:00
Accuracy, completeness,
00:00
and quality is the principle that
00:00
aligns with the security principle of data integrity.
00:00
Data will be complete and accurate and up to date.
00:00
The privacy principles of management,
00:00
designation of privacy officer,
00:00
supervisor, re-authority, processing authorization,
00:00
accountability is the principle that there
00:00
is a designated data controller or stakeholder,
00:00
someone who's responsible for the protection of data.
00:00
Transparency and openness is
00:00
the principle that relates to ensuring
00:00
>> that the information around the policies and procedures
00:00
>> are made readily available relating to
00:00
>> the management of personal information.
00:00
Proportionality, use and retention,
00:00
use limitation is the principle
00:00
regarding guidelines around how
00:00
data is handled when no longer
00:00
required to fulfill the identified purposes.
00:00
Access. An individual participation is
00:00
the principle around the rights of
00:00
an individual regarding the existence,
00:00
use, and disclosure of their data.
00:00
Notice. In part,
00:00
that specification is the principle that
00:00
>> provides notice about privacy policies and
00:00
>> identifies the purposes that the data is collected.
00:00
Additional measures for breach notification
00:00
is the principle around
00:00
specifications for notification in
00:00
the event of a data breach.
00:00
Now, you may remember from the compliance video
00:00
talking about the OECD as a compliance framework.
00:00
Here, we're going to discuss the role of
00:00
OECD has played in promoting respect for
00:00
privacy as a fundamental value
00:00
for the free flow of personal data across borders.
00:00
The OECD is a standard that is based on the guidelines
00:00
>> on the protection of privacy and
00:00
>> transborder flows of personal data.
00:00
These guidelines were the first set of
00:00
privacy principles and contains five parts.
00:00
They are, part 1,
00:00
the general definitions and
00:00
>> the scope of the guidelines.
00:00
>> Part 2, covers the basic principle of
00:00
application that includes, but
00:00
is not limited to, collection,
00:00
data quality, purpose, security,
00:00
individual participation, and accountability.
00:00
Part 3 are the basic principles
00:00
>> of international application.
00:00
>> Part 4 is the national implementation guidelines.
00:00
Part 5 are the guidelines
00:00
for the international cooperation.
00:00
We talked before about GAPP,
00:00
the Generally Accepted Privacy Principles.
00:00
They provide criteria and
00:00
related material for protecting the privacy of
00:00
personal information that can be used by
00:00
CPAs or certified public accountants.
00:00
The GAPP standard defines the following 10 principles,
00:00
which are very similar and
00:00
aligned with the overall privacy principles.
00:00
Management, meaning the entity defines documents,
00:00
communicates, and assigns accountability
00:00
for its privacy policies and procedures.
00:00
Notice is where the entity provides
00:00
notice about its privacy policies and procedures,
00:00
and identifies the purposes for
00:00
which personal information is collected,
00:00
used, retained, and disclosed.
00:00
Choice and consent is
00:00
the description of choices available to the individual
00:00
and obtains implicit or explicit consent
00:00
with respect to the collection,
00:00
use and disclosure of the information.
00:00
Collection is the principle where the entity collects
00:00
personal information only for
00:00
the purposes identified in the notice.
00:00
Use, retention, and disposal means
00:00
the entity limits the use of personal information to
00:00
the purposes identified in the notice and
00:00
>> for which the individual has provided implicit
00:00
>> or explicit consent.
00:00
>> Access is how the entity provides individuals with
00:00
access to their personal information
00:00
for review and update.
00:00
Disclosure to third parties is that
00:00
>> the entity discloses personal information
00:00
>> to third parties,
00:00
>> only for the purposes identified in the notice,
00:00
and with the implicit or explicit consent
00:00
of the individual.
00:00
Security for privacy is where the entity
00:00
protects the personal information
00:00
against unauthorized access;
00:00
both physical and logical.
00:00
Quality is that the entity maintains accurate,
00:00
>> complete, and relevant personal information
00:00
>> for the purposes identified in the notice,
00:00
>> and monitoring enforcement.
00:00
>> The entity monitors compliance
00:00
with its privacy policies and procedures,
00:00
>> and has procedures to address
00:00
>> privacy related complaints and disputes.
00:00
>> PIPEDA is the Canadian regulation
00:00
for protection of personal information.
00:00
It sets the ground rules for how
00:00
private sector organizations collect,
00:00
use or disclose personal information.
00:00
The log is individuals the right to access and requests
00:00
correction to the personal information
00:00
that companies may have collected about them.
00:00
In general, PIPEDA applies to organizations,
00:00
commercial activities, and all provinces,
00:00
except organizations that collect
00:00
user disclose personal information
00:00
entirely within a province
00:00
that has their own privacy laws;
00:00
although the laws really
00:00
actually are very similar to the federal law.
00:00
DPA is the United Kingdom's
00:00
>> Data Protection Act of 1998.
00:00
>> The Information Commissioner's Office is
00:00
the UK's independent authority setup to
00:00
promote access to official information
00:00
and protect personal information.
00:00
Unless they are exempt,
00:00
every organization that processes
00:00
personal information must be
00:00
registered with the Information Commissioners Office.
00:00
The DPA gives individuals the right to
00:00
know what information is held about them,
00:00
and provides a framework to
00:00
ensure that personal information is handled properly.
00:00
The act came into force on March 1st, 2000,
00:00
>> and covers personal data
00:00
>> held on computers and manual files.
00:00
It also imposes restrictions on the transfer of
00:00
data outside of the European Economic Area,
00:00
which has particular implications
00:00
for placing materials on the web.
00:00
The organization must comply
00:00
with the eighth data protection principles,
00:00
which ensure that personal data
00:00
is fairly and lawfully processed,
00:00
process for limited purposes, adequate,
00:00
relevant, and not excessive,
00:00
accurate and up to date,
00:00
not kept for longer than is necessary,
00:00
processed in line with the rights of the individuals,
00:00
secure, and not transferred
00:00
to other countries without adequate protection.
00:00
What we discussed in this video
00:00
were the general principles
00:00
and standards that align with those principles.
00:00
Make sure to review the supplemental materials and
00:00
flashcards to go over
00:00
these privacy principles and their definitions.
00:00
Join me for the next video,
00:00
the relationship between security and privacy.
Up Next