When preparing for the CIPT, CIPP/E and other certification exams from the International Association of Privacy Professionals I found very limited free preparation material and practice quizzes. So I thought I might as well share my notes as a cheat sheet on this blog. They come from my reading of several reference books, training materials, etc.
Enjoy and save a lot of money!
The key concepts to know for the CIPP and CIPT exams come below. If you want to read more on privacy-related subjects, you should have a look at the textbooks:
- For IAPP CIPP: Certified Information Privacy Professional (CIPP/US) Study Guide: Pass the IAPP's CIPP/US Exam with Ease!
- For IAPP CIPT: Introduction to IT Privacy: A Handbook for Technologists
PS: have a look at part 2 of these notes for a complete overview of what you need to remember to succeed in the exams.
Privacy definitions for IAPP certifications
- Privacy is the right to be left alone
- Information privacy / data protection (EU): rights and obligations with respect to the collection, use, retention, disclosure and disposal of personal information
- Privacy categories: there is also bodily privacy (no finger in the ass please), territorial privacy (no trespassing) and communication privacy (stop reading my emails)
- Personal information / data = related to an identified or identifiable individual
- Sensitive personal information = must be even better protected. Relates to medical records, sexual life, etc. Processing it requires explicit consent from the data subject in most cases.
- Processing: anything you do with data counts as "processing" from the legal side
- Privacy notice = external, user-facing privacy statement
- Roles with respect to data processing: data subject, data controller (defines why / how data is processed), data processor (does the processing), privacy authority
- Information life-cycle: collect, use, disclose, store & destroy
- Opt-in: explicit consent is needed; opt-out: processing can go on as long as the data subject does not explicitly object
- Threat: any event with the potential to adversely affect operations / assets.
- Active data collection: the data subject actively provides the data (e.g., through a form). Passive: e.g., through proxy and server logs.
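The passive-collection bullet above is worth seeing in practice: an ordinary web server log collects personal data (client IP addresses, authenticated usernames, query strings that may carry e-mail addresses, user-agent strings) without the data subject doing anything. The script below is an added illustration written for these notes, not code from the original post or from any server product; the log lines are constructed samples and the field names, the `process_log` helper and the 90-day retention window are my own choices. It parses combined-format access log lines, applies collection limitation (truncates IPs to /24 or /48, strips query strings, coarsens timestamps, drops usernames and detailed user agents) and enforces a retention cut-off, which is how the "collection limitation" and "retention" principles listed later in these notes translate into code.

```python
"""Passive data collection in web server logs and how to minimise it.
Added illustration for the IAPP study notes; the log lines are constructed
samples (RFC 5737 / RFC 3849 documentation addresses), not real traffic."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# ip - user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (not real traffic). Note the personal data that arrives
# passively: IP addresses, the username "bob", an e-mail in a query string,
# and detailed browser/OS fingerprints in the user-agent field.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /account?email=alice%40example.com HTTP/1.1" 200 512 "https://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
2001:db8:85a3::8a2e:370:7334 - bob [10/Oct/2023:13:56:01 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6)"
198.51.100.7 - - [01/Jan/2023:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.1.2"
"""

# Fixed "now" so the retention check below is reproducible (assumed value).
NOW = datetime(2023, 10, 11, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def truncate_ip(ip_text):
    """Zero the host part: IPv4 keeps the /24 network, IPv6 keeps the /48 prefix."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise(rec):
    """Collection limitation: keep only what traffic statistics actually need."""
    return {
        "ip": truncate_ip(rec["ip"]),
        "user": "-",                                      # drop the authenticated username
        "time": rec["time"].replace(minute=0, second=0),  # coarsen timestamp to the hour
        "method": rec["method"],
        "path": urlsplit(rec["path"]).path,               # strip query string (e-mails, tokens)
        "status": int(rec["status"]),
        "agent": rec["agent"].split(" ", 1)[0],           # keep the product token only
    }


def process_log(text, now=NOW, retention_days=90):
    """Return (minimised records within retention, count of expired records dropped)."""
    cutoff = now - timedelta(days=retention_days)
    kept, expired = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["time"] < cutoff:        # retention principle: past the window, discard
            expired += 1
            continue
        kept.append(minimise(rec))
    return kept, expired


if __name__ == "__main__":
    records, dropped = process_log(SAMPLE_LOG)
    print(f"dropped {dropped} expired record(s)")
    for r in records:
        print(r)
```

Running it on the sample shows two records kept with `203.0.113.0` and `2001:db8:85a3::` as client addresses, `/account` without the e-mail parameter, and the January line discarded as past retention. The point for the exam is that minimisation has to be designed into the logging pipeline; the raw log already contains personal data the moment the request arrives.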
Legal Frameworks Regulating Privacy
- Fair Information Practices (1973): fundamental rights of data subjects for governmental use of personal information: notice, choice, consent, access, security, quality, collection limitation, appropriate use, retention, limited disclosure, management and administration, monitoring and enforcement
- This list is hard to remember, so categories help:
  - Rights of the individual: notice, choice, consent, access
  - Controls: security, quality, collection limitation, appropriate use, retention, limited disclosure, monitoring and enforcement
- Privacy protection approaches depend on the country: sectoral (health, credit, ads... like in Brazil) vs. comprehensive approach (like in the EU) vs. co-regulatory model including laws and binding industry codes (like in Australia and Canada).
- OECD guidelines (1980): collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability.
- Followed by the Council of Europe (COE) in 1981 with a convention for data processing in the public and private sectors. It also covers trans-border exchanges of data and inter-state collaboration: US Safe Harbor, third-party countries with "adequate" privacy protections...
- Switzerland, Iceland, Norway are European Free Trade Association (EFTA) members and follow the EU privacy directive. Switzerland has "adequate" privacy protections that simplify data exchanges with EU countries.
- EU directive 95/46/EC (1995) is a comprehensive legal framework for the processing of personal data.
- Other EU data protection laws: EU e-Privacy directive (2002) + EU cookie directive (2009) + Article 29 Working Party
- Asia: APEC privacy Framework (2004)
- EU framework is probably the toughest in the world. For instance, employee data is better protected than in the USA.
- Some countries have two legal layers, federal vs. state laws:
  - EU law: EU members need to pass national laws consistent with the EU privacy directives.
  - USA: HIPAA (health), COPPA (child protection), CAN-SPAM (anti-spam)... Some states such as Massachusetts and California are ahead on these laws. For instance, location data related to children under 13 is protected by COPPA and should be treated carefully. Cf. InMobi's fine from the FCC.
  - Canada: federal Privacy Act vs. provincial laws.
- South America: very variable levels of protection. Uruguay and Argentina have "adequate" privacy protection according to EU.
- Eastern European countries: most of them have frameworks similar to the EU privacy directive. Russia's law is considered even more stringent than EU laws.
- Middle East / Africa: little data protection in most countries. Very variable from one country to another.
- Industry frameworks: Digital Advertising Alliance (DAA), IAB, ...
Best Practices For Information Security and Privacy
- There is no information privacy (rules governing the collection and handling of information) without information security (protection of information). Some aspects are quite distinct: notice is pure privacy, integrity is pure security. There is also some overlap between the two concepts: use, confidentiality, and access to data.
- Security is not just technical: it involves people, processes, and technology
- Examples: threat and vulnerability identification, security policies, legal/regulatory and contractual duties...
- ISO 27001 and 27002 cover the organizational side of information security well. In particular, they pay attention to:
  - security policies (can I use passw0rd as password?)
  - asset management (my laptop was stolen and all my confidential work is on it. What do I do?)
  - physical and environmental security (put a lock on this door!)
  - access control (who read my personal diary?)
  - incident management (what do we do when there is a problem?)
  - compliance (are we breaching the law?)
  - organization and processes for information security (who does what)
  - HR security (hiring and stuff)
  - business continuity, purchasing, decommissioning hardware, etc.
- The main information security operations needed to ensure privacy are listed below:
  - Information security policy definition
  - Data asset inventory
  - Risk assessment
  - Employee / supplier / customer credential management
  - Process identification / data flows
  - Definition of technical mechanisms for data protection
  - Implementation of industry security standards
  - Implementation of standard privacy frameworks
  - Implementation of KPI tracking (number of outages, breaches, data losses, unauthorized accesses) and continuous improvement
- Authentication and Authorization
- Access control: control access to network, OS, Apps, remote access...
How to write a privacy notice for a website
You can get it done for about $15 on Fiverr. Do not get ripped off by expensive lawyers :).
- Notice is a fundamental right of data subjects. It's not that easy to write a good privacy notice.
- Layered privacy notices: high-level info and links to more details
I hope these notes have helped you. Now, if you want to help me, you can link to this page to make it more visible on Google; it will help others in their preparation too!
More resources to prepare IAPP privacy certification exams
If you want to read more on privacy and information security subjects, I advise you to have a look at the following books:
- For CIPP: Certified Information Privacy Professional (CIPP/US) Study Guide: Pass the IAPP's CIPP/US Exam with Ease!
- For CIPT: Introduction to IT Privacy: A Handbook for Technologists