What is Information Policy?
Video Transcription
00:00
>> Hello, everyone. My name is Chris Stevens, and I'll be your instructor for Cybrary's US Information Privacy course. I'd like to share some background information with you before we get started. I served in the United States Army as a signals intelligence collector for over 20 years, and I served another 13-plus years in the US Intelligence Community as a senior manager and as a senior intelligence executive. In both of those capacities, I learned that data has value. It has value to the person or to the organization to whom it pertains. It has value to the organizations, institutions, and companies that collect that information for legal and lawful purposes. But unfortunately, it also has value to those cyber adversaries and other criminal types that want to access this valuable data for unauthorized and oftentimes illegal purposes.
As I said before, my name is Chris Stevens. I'm certified in seven of the International Association of Privacy Professionals' (IAPP's) privacy certifications. I also serve as one of its senior privacy faculty members. I'm an IAPP Fellow of Information Privacy. I also hold other certifications. I'm certified by the American Health Information Management Association as Certified in Healthcare Privacy and Security. I'm also certified by the Health Care Compliance Association as Certified in Healthcare Privacy Compliance. I also served for two years for IAPP as one of its co-chairpersons for the Baltimore, Maryland KnowledgeNet, which works to promote information privacy with local organizations, institutions, and companies. Understanding the importance of privacy's integration with enterprise risk management and with information security, I also possess ISACA's Certified in Risk and Information Systems Control, as well as its Certified Data Privacy Solutions Engineer. I have completed the Loyola University Chicago School of Law's graduate certificate in privacy law.

Some people refer to me as the Privacy Gremlin. Don't talk to Chris about privacy after midnight. I'll keep you up all night talking about privacy because I just love the concept and topic. I never thought I'd love anything more than being an intelligence professional, but information privacy is my joy today. They also sometimes refer to me as the Don Quixote of privacy because there's not a privacy windmill that I won't charge or a privacy challenge that I won't accept. I enjoy engaging with you. Our relationship doesn't end at the end of this course, and so I've posted my LinkedIn public profile URL on the screen so that you can reach out and talk to me. I also have listed my personal email address for you. I publish a newsletter, The Privacy Legion, from Monday through Friday, that really captures on a daily basis key concepts and topics about enterprise risk management, information privacy, data protection, and other germane topics that are key to expanding our knowledge as information privacy professionals. My motto is carpe diem. Let's get those tasks done today so that we don't miss out on opportunities tomorrow.
We have several learning objectives for this course. We're going to introduce you to the role of information privacy as it exists here in the United States. We're going to discuss some key foundational information privacy concepts and topics. We're going to look at the role of information privacy at the US federal government level, specifically focusing in on the executive branch. We're also going to look at the role of information privacy as it applies to the US private sector. We'll have a discussion at the US state level on those recent data security and data privacy laws that are important to us as information privacy professionals, and we'll conclude with a discussion on US state-level data breach notification laws.

There are no prerequisites for this course, so at this time you're probably wondering why, and asking yourself the question, why should I take Cybrary's US Information Privacy course? I think I have an appropriate answer for you. Cybrary has done a good job in developing this course, really to assist individuals hoping to enter into the information privacy career field, whether they're supporting organizations, agencies, companies, and institutions in the private sector space, as well as those that are looking to work in the public sector space. Cybrary also realizes that many of you are already working in those capacities, so Cybrary wants to provide you with additional privacy tools to add to your privacy toolkits as you complete your day-to-day tasks as information privacy professionals.

Now, I must emphatically make this statement: this course was not developed to assist students in preparing for and successfully passing any industry-specific privacy certification. This course stands on its own, and I truly believe it's a great course. We have a syllabus, and we have 10 modules. Each of those modules has lessons associated with it, and at the end of those lessons, you have a series of questions that really allow you to assess your retention of the course materials.

We're going to talk about a number of things. We'll open with an introduction, then we're going to look at the role of information privacy in the executive branch of the US federal government. We'll look at some key aspects, looking at the Office of Management and Budget and how privacy applies to it. We'll look at the National Institute of Standards and Technology and the great work it has done in the area of information privacy. We're going to look at those federal government agencies that are charged with providing consumer privacy protection and also consumer financial privacy protection. We'll transition and look at some laws that are applicable to companies working in the private sector space here in the United States. We're going to look at health care, we're going to look at finance, we're going to look at education, and given today's challenges, we're going to look at children's online privacy. We're going to look at recent US state privacy and security laws because it is extremely important for us to be familiar with those privacy laws that exist at the state level, should you find yourself supporting an organization, an institution, or a company in one or more US states. Then we'll conclude with a discussion on US states and their individual data breach notification laws. All 50 states, the US territories, and the District of Columbia have different data breach notification laws.

As for the course materials, we have a syllabus that contains information as it applies to this course. We're also going to provide you with an in-depth reference guide that lists all of the references used to create this course.
>> I encourage you to take some time out of your day and watch this three-and-a-half-minute video entitled, Facebook Betrayed the Trust of Its Users. In this video, you're going to hear the chairperson of the Federal Trade Commission really describe to us the process that the FTC, the Federal Trade Commission, used to really determine a five billion dollar fine assessed against Facebook for Cambridge Analytica and other violations of the Fair Federal Trade Commission Act of 1914 as amended. In this video, you will hear the commissioner talk about why Facebook's failure to comply with this law ended in a five billion dollar assessment against it. Now some of you may say that means nothing, Facebook is a large company. But when you really look at the details, in 2018, that fine accounted for almost 10 percent of Facebook's annual revenues. When you dissect the fine more closely, you'll see that it also accounts for almost 23 percent of Facebook's net profits for that year. What's the moral of the story? I want you to work diligently with your companies, organizations, and institutions to ensure that they're complying with these privacy laws every time they collect, use, disclose, or retain information from consumers.
In lesson 1.1, we're going to talk about the description and definition of privacy and information privacy, because those definitions are important to us as privacy professionals. No matter if you're working and supporting organizations, institutions, agencies, and companies in the private sector, or if you're supporting agencies and organizations in the public sector, it is important that we understand these important concepts. As a privacy professional, I've had the opportunity to work with organizations, companies, and institutions, not only in the private sector but in the public sector. I last had a fabulous time working with the US House of Representatives as I helped it mature its privacy program. What I've learned is that every jurisdiction and every organization, institution, and company may have varying notions of what we describe as privacy and information privacy.

As always, we have several learning objectives. For this lesson, we're going to talk about the definition of privacy. We'll talk about the definition of information privacy. We'll talk about the definition of personal information, which varies by jurisdiction or by laws, rules, and regulations. We'll conclude with a discussion on fair information practices, which are extremely important to us. You may have seen this term referred to as fair information practice principles. If you're familiar with the US Office of Management and Budget's Circular A-130, entitled Managing Information as a Strategic Resource, it has a specific definition of fair information practice principles. Let's delve right into this topic.
What does it mean when we talk about privacy? There are many types of privacy, but here we're talking about what was coined as a phrase by Louis Brandeis: the right to be let alone, the right to have some semblance of privacy in our personal lives, in our professional lives, in our correspondence, and to have some protections under the law that provide us with protection from privacy harms, from invasions of that privacy.

Now if we further define privacy and look at it as information privacy, those are the rules, regulations, laws, and directives that you see and use, not only in the private sector but in the public sector, that really provide individuals with some semblance of control over how their information is collected, used, disclosed, retained, and disposed of when appropriate. It's also the ability of these individuals to exert some control when organizations collect their information, across the collection, use, disclosure, retention, and disposal information lifecycle. Those are two sides of the coin. We as Americans have the right to have a say, and we're seeing that now promulgated into rules and enacted into laws that give us the right to know what information is being collected on us and how it's being used. We've talked about Facebook, but across the globe we're seeing regulatory bodies, and countries themselves, now taking efforts to enforce those laws and using administrative fines to do so. Every time an organization, an institution, or a company decides they're going to collect information from an individual, a consumer, a customer, an employee, they need to do that by showing due diligence and due care.
Let's define personal information. Like I said, depending on where you work, in which jurisdiction you're working, and those laws with which you have to comply, you may have seen this term referred to as personal data if you're working abroad, especially in the European Union. Personally identifiable information is a term that's used in the federal government. You may have seen terms used such as electronic protected health information, if you're having to comply with the Health Insurance Portability and Accountability Act of 1996. But in short, it is any information that distinguishes or traces a natural person, somebody living and breathing. Other definitions, like we've seen with the former Article 29 Working Party, define it as any information that relates to an identified or identifiable natural person. What you'll have to do is really look closely at the law, the rules, and the regulations to ensure that you understand how those rules, laws, directives, regulations, circulars, and memoranda define these terms, because it's extremely important. Companies, organizations, and institutions collect a lot of important information. But from a privacy perspective, we're concerned with how these organizations, institutions, and companies are processing personal information or one of the other derivatives of personal information that we've previously talked about.
What are those fair information practices, fair information practice principles? Those are the guidelines that organizations have that really identify what their privacy practices are. It was here in the United States in 1973 that the former Secretary of Health, Education, and Welfare commissioned an advisory committee to really examine how the federal government's executive branch agencies were collecting information on American citizens. What he determined, or what that advisory committee determined, was that the federal government was maintaining secret dossiers on individuals. We saw this in the 1960s with the antiwar protests and civil rights leaders. The individual had no way of determining what information was being collected on them in a record and how it was being used. The average American didn't have a way to prevent that information from being used for an additional purpose beyond the first purpose that they had given consent to. Individuals didn't have a right to correct their information under the law. And those organizations that were collecting this information had no way of determining the reliability, the accuracy of that information for their intended use, nor did they have the security protocols in place to identify misuse.

In some cases, these fair information practices are binding, and in other cases they're non-binding. If we look abroad, at the Organisation for Economic Co-operation and Development, its landmark eight guiding principles themselves have been incorporated into many of the laws across the globe, including corporate policies and procedures. Now, what are we talking about? Notice, choice and consent, individual participation, access, security safeguards, data quality. They really define what those privacy practices are so that these organizations are open and transparent with those customers, those consumers, and those stakeholders that are entrusting these organizations, companies, and institutions to process their information safely and securely.
As always, we'll have a series of questions with each of these lessons. Question 1 asks you to define information privacy. Which of these choices would you select? The appropriate choices would be A and D. Question 2 asks you to define personal information. The appropriate choice would be C. Question 3 asks you to define fair information practices, which we're going to talk about later in the course. Which would be your choices? The appropriate choice would be D.

In summary, it's extremely important for us as privacy professionals, whether you're supporting agencies in the private sector or the public sector, to respect the rights and freedoms of those customers, those consumers, employees, and other stakeholders from whom we collect their personal information and use it for a lawful or legal purpose. We talked about information privacy, and that was a more narrow focus on the definition of privacy, where we were looking at the rights and freedoms of individuals to control how their information is collected, used, disclosed, retained, and disposed of. Those responsibilities are placed on organizations to ensure that they're collecting that information in accordance with the appropriate laws, rules, regulations, directives, and others. We defined fair information practices as those guidelines that organizations use to really define their privacy practices, and which are incorporated into their policies, procedures, standards, and guidelines.