CISSP PRACTICE QUESTIONS – 20210525

Effective CISSP Questions

When it comes to data protection or privacy, where processing personal data is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Which of the following is the least likely action the controller might take? (Wentz QOTD)
A. Receive consent through an opt-out
B. Implement safeguards against ‘function creep’
C. Exercise the right to withdraw consent anytime
D. Avoid inappropriate influence which could affect the outcome of consent

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Exercise the right to withdraw consent anytime.

The right to withdraw consent at any time belongs to the data subject, not the controller, so exercising it is not a controller action. For example, GDPR states:

  • Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. (Art. 6)
  • The data subject shall have the right to withdraw his or her consent at any time. (GDPR Key Issues: Consent)

Opt-in by GDPR

Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing. (GDPR)

Opt-out in the US

The United States currently operates under an opt-out regime, wherein there is no federal requirement to obtain affirmative consent prior to data collection. However, it’s important to keep in mind that there are variations and nuances to how a regime is expressed in legislation. California operates under somewhat of a hybrid opt-out/opt-in regime. The state’s California Consumer Privacy Act (CCPA) allows a business to collect a consumer’s data by default, but also requires data collectors to provide notice to consumers prior to data collection.

Privacy

OECD

  • Privacy is a concept that applies to data subjects while confidentiality applies to data.
  • The concept is defined as follows: “It is the status accorded to data which has been agreed upon between the person or organisation furnishing the data and the organisation receiving it and which describes the degree of protection which will be provided.”

NIST

  • The right of a party to maintain control over and confidentiality of information about itself. (NISTIR 4734)
  • Assurance that the confidentiality of, and access to, certain information about an entity is protected. (NIST SP 800-130)

ISO/TS 21089:2018 Health informatics — Trusted end-to-end information flows

  • security principle that protects individuals from the collection, storage and dissemination of information about themselves and the possible compromises resulting from unauthorized release of that information
  • right of individuals to keep information about themselves from being disclosed to anyone
  • Note 1 to entry: Also, freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual and the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.

ISO/TS 14265:2011 Health Informatics – Classification of purposes for processing personal health information

  • freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual

ISO/IEC TR 20547-1:2020 Information technology — Big data reference architecture — Part 1: Framework and application process

  • right of individuals to control or influence what information related to them may be collected and stored and by whom that information may be disclosed

Opt-in and opt-out

ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework

  • process or type of policy whereby the personally identifiable information (PII) principal is required to take an action to express explicit, prior consent for their PII to be processed for a particular purpose
  • Note 1 to entry: A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent (e.g., placing an order in an online shop).

GDPR

  • Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.
  • While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR).
  • The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.
  • Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing.
  • Consent must be freely given, specific, informed and unambiguous.

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

When it comes to data protection and privacy, if the processing of personal data is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. Which of the following is the action the controller is least likely to take? (Wentz QOTD)
A. Obtain consent through an opt-out
B. Take measures to prevent “function creep”
C. Exercise the right to withdraw consent at any time
D. Avoid exerting inappropriate influence that could affect the outcome of consent
