Dashboard

CIPP/US

Enroll

CIPP/E

Enroll

CIPM

Enroll

CIPT

Enroll

Account Settings

Manage Groups

CIPT

Table of Contents

Welcome

I. Foundational Privacy Principles

Section A: Introduction to the Concept of Privacy

0/3

1. The Role of Privacy in the Information Technology Landscape

2. Key Privacy Concepts and Definitions

a. Privacy or Data Protection?

b. Personal Data

i. Identified vs. Identifiable Information

ii. Sensitive Personal Data

iii. The Role of Encryption, Anonymization, and Pseudonymization

c. Data Processing

d. The Roles in Data Processing: Data Subjects, Controllers, and Processors

Section I.A Review

Section B: Privacy Risk Models and Frameworks

0/4

1. Defining Privacy in a Privacy Pluralistic World

a. Nissenbaum's Contextual Integrity

b. Calo's Harms Dimensions

c. Solove's Taxonomy of Privacy

d. Marx's Public and Private Borders

2. Fair Information Practices (FIPs)

a. Examples of FIPs

i. Organization for Economic Co-operation and Development (OECD) Guidelines (1980)

ii. The Council of Europe Convention on the Protection of Individuals with Regard to the Automatic Processing of Personal Data (1981)

iii. The Madrid Resolution (2009)

b. Common Themes

i. Individual Data Subject Rights

ii. Organizational Management

3. Risk and Compliance Frameworks

a. Legal Compliance Frameworks

b. Factors Analysis in Information Risk (FAIR)

c. NIST Privacy Framework

d. NICE Framework

e. ISO/IEC 27701

f. BS 100112 Privacy Information Managements System (PIMS)

Section I.B Review

Section C: Protecting Privacy Across the Data Life Cycle

0/3

1. Privacy by Design Foundational Principles

2. The Data Life Cycle

a. Data Life Cycle Management

b. The Role of Notice and Consent in Data Processing

c. Data Collection

d. Data Retention and Destruction Policies

Section I.C Review

Section D: Privacy-Related Technology Fundamentals

0/11

1. Introduction

2. Risk Concepts

a. Threats, Vulnerability, Consequence, and Control

b. Proxies and Agents

3. Security as a Cornerstone of Privacy Protection

a. The CIA Triad

b. Security Controls

i. Purpose of Controls: Preventative, Detective, and Corrective

ii. Types of Controls: Physical, Administrative, and Technical

c. Privacy Incidents vs. Data Breaches

d. Security Policies

4. Internal Privacy Policies

a. The Privacy Policy Life Cycle

b. Key Components of a Privacy Policy

5. External Privacy Notices

a. Legal Consequences of a Privacy Notice

b. Updating a Privacy Notice

c. Common Elements of a Privacy Notice

6. Third-Party Contracts and Agreements

a. Choosing a Third-Party Data Vendor

b. Vendor Contracts

7. Data Assessments

a. Data Inventory

b. Data Flow Maps

c. Data Classification

d. Developing Data Inventories, Maps, and Classification Schema

e. GDPR Records Processing Requirements

f. Other Assets

8. Cross-Border Data Transfers

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. GDPR International Transfer Rules

d. Transfer Impact Assessments

9. Risk Assessments

a. Privacy Assessments

b. Privacy Threshold Analyses and Privacy Impact Assessments

c. Data Protection Impact Assessments

i. When is a DPIA Required?

ii. What Must Be Included in a DPIA?

10. Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), and Privacy Metrics

a. What are Privacy Metrics?

b. Specific Examples of Privacy Metrics, KRIs, and KPIs

c. Compliance Metrics

Section I.D. Review

Knowledge Review #1

II. The Privacy Technologist’s Role in the Organization

Introduction

Section A: General Responsibilities of the Privacy Technology Professional

0/5

1. Understanding Various Roles on the Privacy Team

a. Privacy as an Organization-Wide Undertaking

b. Where Does the Privacy Function Reside?

c. The Roles on a Privacy Team

2. Implementing Industry Privacy Standards and Frameworks

3. Translating Legal and Regulatory Requirements into Practical Technical and Operational Solutions

4. Privacy Governance Activities

a. Privacy Program Activities

b. Consulting on Internal Privacy Policies and External Privacy Notices

c. Consulting on Contractual and Regulatory Requirements

Section II.A Review

Section B: Technical Responsibilities of the Privacy Technologist

0/7

1. Advising on Technology Elements of Privacy and Security Practices

2. Implementing Privacy and Security Technical Measures

a. How to Translate Privacy to Technical Solutions

b. Common IT Frameworks

c. Privacy Technology Tools

3. Handling Individuals' Rights Requests (e.g., Access, Deletion, Etc.)

a. European Data Protection Board (EDPB) Guidance on DSARs

i. Determining What Information Relates to the Requesting Data Subject

ii. The Modalities of a Response

4. Reviewing Security Incidents, Investigations, and Advising on Breach Notification

a. Incident Detection

b. Steps in an Incident Response

c. Investigation of an Incident

i. Containment and Remediation

ii. Preserving Privilege

d. Managing an Incident Register

e. Breach Notification

i. Internal Notification and Progress Reporting

ii. Notifying Affected Individuals

iii. Notifying Regulators

5. Additional Responsibilities of the Privacy Technologist

a. Advising on the Privacy Implications of New and Emerging Technologies

b. Implementing and Developing Privacy-Enhancing Technologies and Tools

c. Supporting Records of Processing Activities (RoPA), Automation of Inventory, and Data Flow Mapping

d. Advising on the Effective Selection and Implementation During Acquisition of Privacy Impacting Projects

e. Advising on Privacy by Design and Security and Privacy Impact Assessments in System Development

f. Performing and Supporting IT Privacy Oversights and Audits Including Third Party Assessments

6. Developing, Compiling and Reporting Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)

a. Identifying Your Intended Audience

b. Privacy Metric Development Template

c. Metric Owners

d. Identifying Data Sources for Privacy Metrics

Section II.B Review

Knowledge Review #2

III. Privacy Risks, Threats, and Violations

Introduction

a. When Disclosure is Permitted

b. Obligations Imposed on Financial Institutions

c. Enforcement

Section A: Data Ethics

0/5

1. Legal vs. Ethical

2. Moral Issues

3. Societal Issues

4. Bias and Discrimination

a. Personal Preferences in Data Decisions

b. Bias and Discrimination in Algorithms

i. Legal Approaches to Address Bias

ii. Increased Transparency

iii. Accountability and Fairness

Section III.A Review

Section B: Classification of Privacy Threats and Harms

0/7

1. The Challenge of Defining Privacy Harms

a. Attempts to Define Privacy Harms

b. Alternative Categorizations: Interference

c. Cascading Privacy Risks

2. Privacy Harms During Data Collection

a. Asking People to Reveal Personal Data (Interrogation)

b. Tracking and Surveillance

c. Other Data Collection Harms

i. Lack of Informed Consent

ii. Automatic Collection

iii. Inaccuracies

iv. Extracting from Publicly Available Sources

v. Jurisdictional Implications

3. Privacy Harms During Use (Information Processing)

a. Insecurity

b. Identification and Re-Identification

c. Aggregation

d. Secondary Use

e. Exclusion

f. Profiling

4. Privacy Harms During Dissemination

a. Disclosure

b. Distortion

c. Exposure

d. Breach of Confidentiality

e. Increased Accessibility

f. Blackmail

g. Appropriation

5. Privacy Invasions or Interference: Intrusion, Decisional Interference and Self-Representation

a. Behavioral Advertising

b. Cyberbullying

c. Social Engineering

d. Blackmail

e. Dark Patterns

6. Subjective and Objective Privacy Harms

a. Subjective Privacy Harm

b. Objective Privacy Harm

c. The Relationship Between Subjective and Objective Harm

d. Measuring Subjective and Objective Harm

Section III.B Review

Section C: Software and Computer Security

0/4

1. Vulnerability Management

a. Common Threats

b. Intrusion Detection and Prevention

c. Change Management (Patches and Upgrades)

2. Open-Source vs. Closed-Source

3. Possible Violation by Service Providers

Section III.C Review

Knowledge Review #3

IV. Privacy Enhancing Strategies, Techniques, and Technologies

Introduction

Section A: Data-Oriented Strategies

0/5

1. Separate

2. Minimize

3. Abstract

4. Hide

Section IV.A Review

Section B: Process-Oriented Strategies

0/5

1. Informing the Individual

2. User Control

3. Policy and Process Enforcement

4. Demonstrate Compliance

Section IV.B Review

Section C: Specific Techniques

0/8

1. Aggregation

a. Frequency and Magnitude Data

b. Noise Addition Through Differential Privacy

c. Differential Identifiability

2. Encryption: An Introduction

a. Encryption and Privacy

b. Algorithms, Keys, and Entropy

c. Passwords vs. Encryption Keys

d. Symmetric vs. Asymmetric Encryption

e. Encryption Security Considerations

i. Secure and Insecure Application

ii. Measuring Encryption Security

3. Symmetric and Asymmetric Encryption

a. Symmetric Encryption

i. Advanced Encryption Standard (AES)

ii. Cryptanalysis

iii. Modes of Operation

b. Hash Functions

c. Asymmetric Encryption

i. Algorithms: RSA, DSA, and ECC

ii. Digital Signatures

d. Public Key Infrastructure

e. Client-Side PKI

4. Modern Encryption Practices

a. Data at Rest

i. Application or Field Encryption

ii. Device Encryption

b. Data in Flight

i. A Brief Overview of How the Internet Works

ii. The Rise of Transport Layer Security

iii. The Limitations of TLS

iv. Anonymity, Proxies, and Mix Networks

v. Email Encryption: S/MIME and PGP

c. Data in Use

i. Specific Techniques

ii. Private Information Retrieval and Oblivious Random-Access Memory

iii. Secure Multi-Party Computation

iv. Quantum Encryption

5. Identity

a. What is “Identity”?

b. What is a “Role”?

c. Labels That Point to Individuals

d. Regulation of Identifying Data (a/k/a Personal Data)

e. Anonymization Techniques

f. K-anonymity, L-diversity, and T-closeness

g. Tokenization

6. Access Management

a. Principle of Least-Privileged Require

b. Role-Based Access Control (RBAC)

c. Other Access Control Methods

d. Federated Identity

e. Cross-Enterprise Authentication and Authorization Models

7. Authentication

a. Something You Know

b. Something You Are

c. Something You Have

d. Multifactor Authentication

e. Digital Rights Management (DRM)

f. Domain-Based Message Authentication, Reporting & Conformance (DMARC)

Section IV.C Review

Knowledge Review #4

V. Privacy Engineering

Introduction: The Privacy Engineer Role

Section A: The Role of Privacy Engineering in the Organization

0/4

1. Effective Implementation of Privacy

a. Privacy as an Organizational Undertaking

b. Privacy Expertise and Specialization

c. Data Governance

d. Accountability

e. Awareness

2. Technological Controls

a. Privacy by Architecture

i. Identifiability

ii. Network Centricity

b. Mapping Technological Controls to Internal Controls

3. Protecting Privacy During the Development Life Cycle

Section V.A Review

Section B: Privacy Engineering Objectives

0/5

1. Introduction to Privacy Engineering

2. Predictability

3. Manageability

4. Disassociability

Section V.B Review

Section C: Privacy Design Patterns

0/4

1. Software Development Life Cycle (SDLC) and Software Design Processes

a. Software Development Life Cycle (SDLC)

b. Plan-Driven vs. Agile Development

i. Waterfall Method

ii. Spiral Method

iii. Scrum Method

iv. DevOps Method

c. Privacy Engineering Models

2. Design Patterns to Emulate

a. Software Development Life Cycle (SDLC)

b. Plan-Driven vs. Agile Development

3. Dark Patterns to Avoid

Section V.C Review

Section D: Privacy Risk in Software

0/4

1. A (Very) Brief Introduction to Computer Programming

a. What is Computer Programming?

b. How is Computer Code Written?

2. Risks and Modeling

3. Controls and Countermeasures

Section V.D Review

Knowledge Review #5

VI. Privacy by Design Methodology

Introduction

Section A: The Privacy by Design Process

0/10

1. Goal Setting

2. Documenting Requirements

a. Establishing Requirements

b. Using a Trace Matrix

c. When are Requirements Complete?

d. Addressing Privacy Threats

3. Understanding Quality Attributes

a. Identifiability

b. Network Centricity

c. Confidentiality, Integrity, and Availability

d. Mobility

e. Predictability, Manageability, and Disassociability

f. Auditability

4. Identify Information Needs

5. Privacy Risk Assessment and Analysis

a. Defining and Measuring Risk

b. Privacy Risk Models

c. Risk Management Frameworks

6. High-Level Design

a. Common IT Infrastructure

i. Front-end vs. Back-end

ii. Types of Architectural Models

b. Representing Designs

i. Object and Data Models

ii. Process Models

iii. Model-Based Systems Engineering

c. Design Choices and Tradeoffs

7. Low-Level Design

a. Git and Version Control

b. Bug Reporting

c. Code Maintainability

d. Using Standard Libraries, APIs, and Frameworks

8. Impose Controls

9. Testing and Validation

a. Types of Testing

b. Types of Testing Data

c. Testing With Live Users

d. Ongoing Testing and Validation

Section VI.A Review

Section B: Privacy Interfaces and User Experience

0/6

1. Introduction to User Interface / User Experience (UI/UX)

a. Usable and Useful Privacy Interface Design

b. Why Effective UI/UX Design is Important

2. Design Effects on User Behavior

a. Factors that Affect Privacy Decisions

i. The Effect of Incomplete Information on Privacy Decisions

ii. Bounded Rationality

iii. Context

b. Manipulating Privacy Decisions

3. UX Design and Usability of Privacy-Related Functions

a. User-Centered Design

i. The Research Stage

ii. The Design Stage

iii. The Evaluation Stage

4. Privacy Interfaces: Notices, Settings, and Consent Management

a. Types of Privacy Interfaces

i. Privacy Notices

ii. Privacy Settings and Privacy Dashboards

iii. Consent Management

b. Common Usability Issues

c. Privacy Design Principles

d. Privacy Design Processes

e. Design Space for Privacy Notices

5. Usability Testing

a. What Can Usability Testing Measure?

b. How to Conduct Usability Tests

c. Usability Tests Best Practices

i. Using Metrics

ii. Creating Reliable and Valid Tests

iii. Finding Representative Users

iv. Conducting Ethical Testing

Section VI.B Review

Section C: Value-Sensitive Design

0/4

1. Introduction to Value-Sensitive Design

2. How Design Affects Users

a. Conceptual Investigations

b. Empirical Investigations

c. Technical Investigations

3. Strategies and Skillful Practice

a. What Separates Value-Sensitive Design

b. Design Thinking Process

c. 14 Methods of Value-Sensitive Design

Section VI.C Review

Section D: Ongoing Vigilance

0/6

1. Privacy Audits and IT Control Reviews

a. Types of Audits

b. The Audit Life Cycle

c. Attestations and Self-Assessments

2. Code Reviews and Code Audits

3. Runtime Behavior Monitoring

4. Software Evolution

5. Data Cleansing in Production and Non-Production Environments

Section VI.D Review

Knowledge Review #6

VII. Technology Challenges for Privacy

Section A: Robotics and Internet of Things (IoT)

0/4

1. Mobile Phones

a. Cameras and Microphones

b. Accelerometers

c. Biometric Data and Readers

i. Facial Recognition

ii. Speech Recognition

iii. Fingerprint ID

iv. Regulation of Biometric Data

d. Context Aware Computing

2. Internet of Things (IoT)

a. Privacy Challenges of IoT Devices

b. Wearable Devices

c. Smart Homes

d. Smart Cities

e. Edge Computing

3. Robots and Drones

a. Robots

b. Drones

Section VII.A Review

Section B: Internet / eCommerce

0/7

1. Internet Monitoring

a. How the Internet Works

i. Packets

ii. Internet Protocols and Communication

iii. IP Addresses and the Internet “Phonebook”

iv. HTTP Requests and Responses

v. Email Protocols

vi. Logging, Cache, and Other Concepts

b. Types of Monitoring

i. Deep Packet Inspection

ii. Wi-Fi Eavesdropping

iii. Employee and Student Monitoring

c. Preventing Internet Monitoring

2. Cookies and Other Webtracking Technologies

a. Web Cookies

i. Types of Cookies

ii. Single-Origin Policy

iii. Legal Regulations Concerning the Use of Cookies

iv. Best Practices

b. Other Tracking Techniques

i. Web Beacons

ii. Digital Fingerprinting

iii. URL Rewriting

iv. Tracking on Social Media and Search Engines

v. Email Tracking

c. Preventing Web Tracking

i. Blocking With the Browser

ii. Blocking Email Tracking

3. AdTech and Behavioral Advertising

a. Online Behavioral Advertising

i. Tacking Users Across the Internet

ii. Creating Consumer Profiles

iii. Behavioral Modeling

iv. Parties Involved in Behavioral Advertising

b. AdTech Industry Self-Regulation

i. DAA Self-Regulatory Principles

ii. NAI Self-Regulatory Principles

4. Unsolicited Messages (a/k/a Spam)

5. Location Tracking

a. Types of Location Tracking

i. GPS Tracking

ii. Wi-Fi, Cell Tower, and Bluetooth Tracking

iii. RFID Chips

iv. Other Sources of Location Data

v. IP Addresses

b. Location Based Services

c. Preventing Location Tracking

6. Chatbots

Section VII.B Review

Section C: Corporate IT Services

0/4

1. Cloud-Based Infrastructure

a. Shared Data Centers

b. Data Residency

c. Controllers and Processors in Cloud Computing

2. Remote Working

a. Video Calls and Conferencing

b. Bring Your Own Device (BYOD) Concerns

c. Mobile Device Management

d. Striking the Right Balance for Employee Privacy

3. Messaging and Video Calling

Section VII.C Review

Section D: Advanced Computing and Social Networks

0/5

1. Artificial Intelligence, Machine Learning, and Deep Learning

a. Machine Learning

b. Deep Learning

c. The Privacy Risks of A.I.

d. Legal Implications of A.I.

i. Application of Data Protection Laws

ii. E.U. Artificial Intelligence Regulation

2. Blockchain, Cryptocurrencies, and Non-Fungible Tokens (NFTs)

a. Compliance Challenges

3. Social Media

a. Social Media Data Processing

b. Data Protection Challenges

i. Data Subjects and Personal Data

ii. Transparency Requirements

iii. Right of Access

iv. Special Categories of Data

v. Personal Data of Others

4. Virtual and Augmented Reality

Section VII.D Review

Knowledge Review #7

Conclusion

Full Exam #1

Full Exam #2

Flashcards

Cheat Sheet

Exam HQ

The Data Life Cycle

As you will recall from Module I.A.2, the processing of personal data refers to nearly anything that can be done with data, including collection, use, and destruction of that data. When it comes to appropriately protecting the privacy interests of individuals, adequate steps must be taken to protect data processing in all its forms. One of the core principles of Privacy by Design (“PbD”) is end-to-end security, from before data is processed until data is destroyed.¹ It is helpful, therefore, to think of personal data as existing across a life cycle.

The Data Life Cycle typically refers to the following five steps: (1) collection; (2) use; (3) disclosure; (4) retention; and (5) destruction.

The above diagram is general in nature and adaptable to different scenarios. While similarities will exist across all organizations, the specific data life cycle for the personal data processed by your organization will have unique nuances based upon the business and privacy objectives of your organization.

a. Data Life Cycle Management

Each stage of the data life cycle presents unique risks and challenges for organizations processing personal data. Organizations must therefore be mindful of the privacy implications of that processing at each stage of the data life cycle. This is a concept referred to as Data Life Cycle Governance or Data Life Cycle Management, which the IAPP defines as follows:

Also known as Information Life Cycle Management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.²

The above eleven elements all require a delicate balance, and each is likely to involve tradeoffs. Simplification of a DLM policy may, for example, result in some unnecessary information being retained. Making data easily retrievable, on the other hand, may increase the security risks to the data being retrieved.

An organization’s privacy objectives and business needs will typically determine how it approaches DLM. While not always in direct conflict, the more liberally personal data is used by an organization for business purposes, the more likely it is that the privacy risks associated with using that data will increase. It can be helpful to think of this as a spectrum—at one end is the <>maximize-information-utility objective and at the other extreme is the <>minimize-privacy-risk objective.³ How these objectives are balanced against one another will be unique to an organization and dictate many internal policies regarding the handling of personal data.

Maximize Privacy vs. Maximize Efficiency

b. The Role of Notice and Consent in Data Processing

As you will observe in the Data Life Cycle chart above, notice and consent play an important role in data governance. Some combination of notice and consent will typically dictate the extent to which an organization may process personal data. Under the General Data Protection Regulation (“GDPR”), for example, a data controller is prohibited from processing personal data, unless it has a lawful purpose.⁴ One lawful basis to process personal data is consent.⁵

Consent may be express or implied, with certain types of data collection requiring express approval. Express, affirmative consent is sometimes referred to as “Opt-in” consent and requires an affirmative indication or act that provides consent to collect or use a person’s information. The counterpart to this, “Opt-out” consent, is a passive form of acceptance that is implied by a person’s conduct or actions, as well as the context of the transaction. The distinction between opt-in and opt-out consent is often an important concept to be aware of when reviewing applicable laws and regulations; some laws specifically require that a form of opt-in consent be obtained from a consumer before collecting or processing personal information, while other laws permit opt-out consent.

Obtaining consumer consent may not be appropriate in every situation. The “No Option” form of consumer choice involves situations in which the authority to collect and utilize data is implied from the situation. One example of when this might be appropriate is with respect to product fulfillment. The authority to share these pieces of information with these third parties is implied from the nature of the transaction itself, and specific consent from the consumer to process information in this manner is therefore not necessary.

Notice is often provided through an external privacy notice. Notice is closely correlated with consent. Without providing a data subject with adequate notice of how his or her personal data will be processed, obtaining informed, express consent would be impossible.⁶ In this respect, notice of processing activities often sets the outer bound of how data may be processed—including what data is collected, how it is used, to whom it is disclosed, and the extent to which it is retained. It would not be proper to repurpose data—i.e., use it for a purpose other than for which it was originally collected. Putting data to a secondary use without the user’s consent risks creating privacy harms, as well as opening up the data controller to potential legal liability.

c. Data Collection

Data is collected in the modern data environment in a number of unique ways. These include the following:

First Party Collection – First party collection is when a “data subject provides personal data to the collector directly, through a form or survey that is sent to the collector upon the data subject submitting the information.”⁷
Third Party Collection – Third party collection is when “[d]ata [is] acquired from a source other than directly from the subject of the data.”⁸
Surveillance – Surveillance refers to “[t]he observation and/or capturing of an individual’s activities,” with or without their knowledge.⁹

In addition to the above, Repurposing is the process of “[t]aking information collected for one purpose and using is for another purpose later on.”¹⁰ This may also, in some sense, be considered a form of data collection; it is “collected” for purposes of a secondary use.

Some personal data is collected automatically, often without the user’s knowledge. This automatic collection of user data is commonly referred to as Passive Data Collection.¹¹ Passive data collection can take many forms. Online it is commonly done through the use of cookies and the identification of specific devices.¹² For example, web server logs often will record information regarding a website visitor’s IP address and the type of browser the visitor is using, among other information. All of this data is collected automatically, and often without express consent.

Personal information can also be collected with a data subject’s knowledge, which is referred to as Active Data Collection.¹³ This can be done, for example, through the use of web forms—i.e., a part of a webpage that allows users to input data in a text field, dropdown menu, radio buttons, or other means and then “submit” that information to a web server to process information or store that information in a database.¹⁴

d. Data Retention and Destruction Policies

DLM covers the processing of data from cradle to grave—i.e., from initial collection through the destruction of data. Accordingly, an organization’s data retention and data destruction policies play a vital role in DLM for any organization. The destruction and retention policies adopted by an organization should be guided by the principle that data should be retained only for so long as necessary to achieve its purpose. This is determined based upon the business goals of the organization, along with laws, regulations, and industry standards. After data is no longer necessary for the purpose for which it was originally retained, the data should be appropriately destroyed or anonymized.

Retaining information unnecessarily creates privacy risks. At the same time, destroying data prematurely also risks legal complications and privacy harms. It is therefore important to adequately document practices and ensure that they are consistently followed throughout the organization. This destruction plan should set out when and how data should be destroyed in detail.

Data destruction is one of the most powerful ways of protecting personal data. After all, data cannot be improperly accessed if it no longer is in existence. Electronic data can be destroyed by overwriting or the process of degaussing.¹⁵ Shredding, melting, and burning are common means of destroying data held in physical form.¹⁶ Policies regarding the destruction of data should be specific and detailed to ensure proper destruction based on the type of data at issue or the manner in which it is held. It should cover data in all its forms, including back up data and cached data.¹⁷

A key part of protecting the physical environment of an organization’s data is appropriate media sanitization. Digital data might exist on physical objects, such as a flash drive or computer hard drive. Proper destruction requires a media sanitization strategy. The National Institute of Standards and Technology (NIST) Special Publication 800-88 Rev. 1 sets forth appropriate guidelines for organizations to follow with respect to sanitizing media.¹⁸ Under these guidelines, media may be sanitized in one of three ways—clearing, purging, or destroying the data.¹⁹

The data retention and data destruction practices of an organization may be dictated by applicable law. In Europe, the “right to be forgotten” under Article 17 of the General Data Protection Regulation (“GDPR”) requires data controllers to erase information concerning a data subject upon request, with only a few limited exceptions.²⁰ There are also data destruction requirements contained in various laws throughout the United States, such as the Fair Credit Report Act (as amended by the Fair and Accurate Credit Transactions Act of 2003).²¹ The timing of data destruction is typically an important component of applicable data destruction laws. Timing may be based on specific length of time (e.g., 45 days) or on more ambiguous standards, such as when the data is no longer necessary for the purpose for which it was originally retained.

On the other hand, applicable law may also require that data be retained for a specific length of time. Retention may be necessary in other instances as well, such as when the organization is involved in litigation or the subject of a governmental investigation.

Legal requirements aside, developing a data retention and destruction policy starts with collecting information about what data is maintained and how it is used. Some questions are particularly important to answer in developing data retention and destruction policies, including: Why was the information originally collected? Why is the organization retaining it? And how long does the information remain useful to the organization? An analysis of the eleven elements in the DLM model is likely to answer these questions. As part of this process, stakeholders across the organization should be brought into the process to ensure legal compliance and that business objectives are satisfied.

Key Points

Data Life Cycle Management: A policy-based approach to managing the flow of information through a life cycle from creation to final disposition
There are 11 elements of DLM that must be balanced against one another: (1) enterprise objectives; (2) minimalism; (3) simplicity of procedure and effective training; (4) adequacy of infrastructure; (5) information security; (6) authenticity and accuracy of one’s own records; (7) retrievability; (8) distribution controls; (9) auditability; (10) constituency of policies; and (11) enforcement
Some combination of notice and consent will dictate the extent of processing permitted
Opt-In Consent: An express consent that requires some affirmative act by the consumer before consent will be deemed adequate
Opt-Out Consent: A passive form of consent where consent is implied, and processing occurs unless the data subject states his or her desire to not have data processed
“No Option” Consent: Commonly accepted forms of commercial data practices in which the authority to process data is implied by the circumstances, including product fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing
In managing user preferences, organizations should consider the scope of consent, the form of consent, and how that consent is implemented
Consumers should generally have a means to access their personal information held by an organization

This includes actual access and the ability to correct inaccurate or incomplete information

Data is collected in a number of ways in the modern data environment

First Party Collection: When data is collected directly from the data subject
Third Party Collection: When data is collected from a source other than the data subject
Repurposing: Taking information collected for one purpose and using it for another purpose; may be considered a form of “collection”
Active vs. passive data collection is an important distinction

Data retention and destruction policies are a key part of DLM; these policies may be dictated by applicable law

Data should be retained only for so long as necessary to achieve the purpose for which it was collected
Data destruction is one of the best ways to protect personal data
These policies should cover data in all its forms (e.g., backups, cached data)
Policies should be detailed
Media sanitization can be done by clearing, purging, or destroying (NIST SP 800-88)

Sources

1. Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, available at https://iapp.org/media/pdf/resource_center/Privacy%20by%20Design%20-%207%20Foundational%20Principles.pdf.

2. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#data-life-cycle-management.

3. International Association of Privacy Professionals, An Introduction to Privacy for Technology Professionals at 56 (Travis D. Breaux et al. eds., 2020).

4. GDPR, OJ 2016 L 119/1, Art. 5(1)(a).

5. GDPR, OJ 2016 L 119/1, Art. 6(1).

6. GDPR, OJ 2016 L 119/1, Recital 42.

7. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#first-party-collection.

8. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#third-party-collection.

9. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#surveillance.

10. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#repurposing.

11. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#passive-data-collection.

12. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#passive-data-colleciton.

13. IAPP, Glossary of Privacy Terms, https://iapp.org/resources/glossary/#active-data-collection-2.

14. MDN Web Docs, Your First HTML Form, https://developer.mozilla.org/en-US/docs/Learn/HTML/Forms/Your_first_HTML_form.

15. International Association of Privacy Professionals, Privacy Program Management: Tools for Managing Privacy Within Your Organization at 222 (Russell R. Densmore et al. eds., 2022) (3d ed.).

16. International Association of Privacy Professionals, Privacy Program Management: Tools for Managing Privacy Within Your Organization at 222 (Russell R. Densmore et al. eds., 2022) (3d ed.).

17. International Association of Privacy Professionals, Privacy Program Management: Tools for Managing Privacy Within Your Organization at 222 (Russell R. Densmore et al. eds., 2022) (3d ed.).

18. Nat’l Institute of Standards & Tech., Special Publication 800-88 (Rev. 1) (Dec. 2008), available at https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final.

19. Nat’l Institute of Standards & Tech., Special Publication 800-88 (Rev. 1) at 24-25 (Dec. 2008), available at https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final.

20. GDPR, OJ 2016 L 119/1, Art. 17.

21. 16 C.F.R. Part 682, §§ 682.1-682.5.