IAPP Glossary of Privacy Terms
Abstract - answer-Limit the amount of detail in which personal information is processed.
Access Control Entry (ACE) - answer-An element in an Access Control List (ACL). Each ACE controls,
monitors or records access to an object by a specified user.
Access Control List (ACL) - answer-A list of Access Control Entries (ACEs) that apply to an object. Each
ACE controls or monitors access to an object by a specified user. In a Discretionary Access Control List
(DACL), the ACL controls access; in a System Access Control List (SACL), the ACL monitors access in a
security event log which can comprise part of an audit trail.
Accountability - answer-The implementation of appropriate technical and organizational measures to
ensure and be able to demonstrate that the handling of personal data is performed in accordance with
relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks,
including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information
practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other fair use principles.
Accuracy - answer-Organizations must take every reasonable step to ensure the data processed is
accurate and, where necessary, kept up to date. Reasonable measures should be understood as
implementing processes to prevent inaccuracies during the data collection process as well as during the
ongoing data processing in relation to the specific use for which the data is processed. The organization
must consider the type of data and the specific purposes to maintain the accuracy of personal data in
relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests
to correct records that contain incomplete information or misinformation.
Act Respecting the Protection of Personal Information in the Private Sector - answer-A Québécois
privacy law that, other than different terminology, is similar to PIPEDA, though at a province level. It
came into force in 1994 and espouses three principles: (1) Every person who establishes a file on
another person must have a serious and legitimate reason for doing so; (2) The person establishing the
file may not deny the individual concerned access to the information contained in the file; and (3) The
person must also respect certain rules that are applicable to the collection, storage, use and
communication of this information.
Active Data Collection - answer-When an end user deliberately provides information, typically through
the use of web forms, text boxes, check boxes or radio buttons.
Active Scanning Tools - answer-DLP network, storage, scans and privacy tools can be used to identify
security and privacy risks to personal information. They can also be used to monitor for compliance with
internal policies and procedures, and block e-mail or file transfers based on the data category and
definitions.
Ad Exchange - answer-An ad trafficking system through which advertisers, publishers, and networks
meet and do business via a unified platform. An ad exchange allows advertisers and publishers to use
the same technological platform, services, and methods, and "speak the same language" in order to
exchange data, set prices, and ultimately serve an ad.
Ad Network - answer-A company that serves as a broker between a group of publishers and a group of
advertisers. Networks traditionally aggregate unsold inventory from publishers in order to offer
advertisers a consolidated and generally less expensive pool of impressions, but they can have a wide
variety of business models and clients.
AdChoices - answer-A program run by the Digital Advertising Alliance (DAA) to promote awareness and
choice in advertising for internet users. Websites with ads from participating DAA members will have an
AdChoices icon near advertisements or at the bottom of their pages. By clicking on the AdChoices icon,
users may set preferences for behavioral advertising on that website or with DAA members generally
across the web.
Adequate Level of Protection - answer-A transfer of personal data from the European Union to a third
country or an international organization may take place where the European Commission has decided
that the third country, a territory or one or more specified sectors within that third country, or the
international organization in question, ensures an adequate level of protection by taking into account
the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both
general and sectoral legislation, data protection rules, professional rules and security measures,
effective and enforceable data subject rights and effective administrative and judicial redress for the
data subjects whose personal data is being transferred; (b) the existence and effective functioning of
independent supervisory authorities with responsibility for ensuring and enforcing compliance with the
data protection rules; (c) the international commitments the third country or international organization
concerned has entered into in relation to the protection of personal data.
Administrative Purpose - answer-The use of personal information about an individual in Canada in a
decision-making process that directly affects that individual.
Advanced Encryption Standard (AES) - answer-An encryption algorithm for securing sensitive
non-classified material by the U.S. Government. This algorithm was selected in
2001 to replace the previous algorithm, the Data Encryption Standard (DES), by the National Institute of
Standards and Technology (NIST), a unit of the U.S. Commerce Department, through an open
competition. The winning algorithm (Rijndael, pronounced rain-dahl) was developed by two Belgian
cryptographers, Joan Daemen and Vincent Rijmen.
Adverse Action - answer-Under the Fair Credit Reporting Act (FCRA), the term "adverse action" is
defined very broadly to include all business, credit and employment actions affecting consumers that
can be considered to have a negative impact, such as denying or canceling credit or insurance, or
denying employment or promotion. No adverse action occurs in a credit transaction where the creditor
makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker
furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.
Agile Development Model - answer-A process of software system and product design that incorporates
new system requirements during the actual creation of the system, as opposed to the Plan-Driven
Development Model. Agile development takes a given project and focuses on specific portions to
develop one at a time. An example of Agile development is the Scrum Model.
Alberta PIPA - answer-A privacy law in the Canadian province of Alberta, similar to PIPEDA, that came
into force in 2004. Unlike PIPEDA, these acts clearly apply to employee information.
Algorithms - answer-Mathematical applications applied to a block of data.
American Institute of Certified Public Accountants (AICPA) - answer-A U.S. professional organization of
certified public accountants and co-creator of the WebTrust seal program.
Americans with Disabilities Act - answer-A U.S. law that bars discrimination against qualified individuals
with disabilities.
Annual Independent Evaluations - answer-Under FISMA, U.S. agencies' information security programs
must be independently evaluated yearly. The independent auditor is selected by the agency's inspector
general or the head of the agency. The audit is submitted to the Office of Management and Budget.
Annual Reports - answer-The requirement under the General Data Protection Regulation (GDPR) that
the European Data Protection Board (EDPB) and each supervisory authority periodically report on their
activities. The supervisory authority report should include infringements and the activities that the
authority conducted under their Article 58(2) powers. The EDPB report should include guidelines,
recommendations, best practices and binding decisions. Additionally, the report should include the
protection of natural persons with regard to processing in the EU and, where relevant, in third countries
and international organizations. The report shall be made public and be transmitted to the European
Parliament, to the Council and to the Commission.
Anonymization - answer-The process in which individually identifiable data is altered in such a way that
it no longer can be related back to a given individual. Among many techniques, there are three primary
ways that data is anonymized. Suppression is the most basic version of anonymization and it simply
removes some identifying values from data to reduce its identifiability. Generalization takes specific
identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24).
Noise addition takes identifying values from a given data set and switches them with identifying values
from another individual in that data set. Note that none of these processes guarantees that data is
no longer identifiable, and they have to be performed in such a way that does not harm the usability of the
data.
Anonymous information - answer-In contrast to personal data, anonymous information or data is not
related to an identified or an identifiable natural person and cannot be combined with other
information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected
by the GDPR.
Anthropomorphism - answer-Attributing human characteristics or behaviors to non-human objects.
Anti-discrimination Laws - answer-Anti-discrimination laws are indications of special classes of personal
data. If there exists law protecting against discrimination based on a class or status, it is likely personal
information relating to that class or status is subject to more stringent data protection regulation, under
the GDPR or otherwise.
APEC Privacy Principles - answer-A set of non-binding principles adopted by the Asia-Pacific Economic
Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD