When it comes to data protection or privacy, where processing personal data is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Which of the following is the least likely action the controller might take? (Wentz QOTD)
A. Receive consent through an opt-out
B. Implement safeguards against ‘function creep’
C. Exercise the right to withdraw consent anytime
D. Avoid inappropriate influence which could affect the outcome of consent
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Exercise the right to withdraw consent anytime.
Exercising the right to withdraw consent anytime is typically a right that belongs to the data subject, not the controller. For example, GDPR states:
- Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. (Art. 6)
- The data subject shall have the right to withdraw his or her consent at any time. (GDPR Key Issues: Consent)
Opt-in by GDPR
Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing. (GDPR)
Opt-out in the US
The United States currently operates under an opt-out regime, wherein there is no federal requirement to obtain affirmative consent prior to data collection. However, it’s important to keep in mind that there are variations and nuances to how a regime is expressed in legislation. California operates under somewhat of a hybrid opt-out/opt-in regime. The state’s California Consumer Privacy Act (CCPA) allows a business to collect a consumer’s data by default, but also requires data collectors to provide notice to consumers prior to data collection.
- Privacy is a concept that applies to data subjects while confidentiality applies to data.
- Confidentiality is defined as follows: “It is the status accorded to data which has been agreed upon between the person or organisation furnishing the data and the organisation receiving it and which describes the degree of protection which will be provided.”
- The right of a party to maintain control over and confidentiality of information about itself. (NISTIR 4734)
- Assurance that the confidentiality of, and access to, certain information about an entity is protected. (NIST SP 800-130)
ISO/TS 21089:2018 Health informatics — Trusted end-to-end information flows
- security principle that protects individuals from the collection, storage and dissemination of information about themselves and the possible compromises resulting from unauthorized release of that information
- right of individuals to keep information about themselves from being disclosed to anyone
- Note 1 to entry: Also, freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual and the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.
ISO/TS 14265:2011 Health Informatics – Classification of purposes for processing personal health information
- freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual
ISO/IEC TR 20547-1:2020 Information technology — Big data reference architecture — Part 1: Framework and application process
- right of individuals to control or influence what information related to them may be collected and stored and by whom that information may be disclosed
Opt-in and opt-out
ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework
- process or type of policy whereby the personally identifiable information (PII) principal is required to take an action to express explicit, prior consent for their PII to be processed for a particular purpose
- Note 1 to entry: A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent (e.g., placing an order in an online shop).
GDPR Key Issues: Consent
- Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.
- While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR).
- The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.
- Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing.
- Consent must be freely given, specific, informed and unambiguous.
- Privacy (OECD)
- Privacy (NIST)
- Privacy (Wex)
- General Data Protection Regulation (GDPR)
- GDPR Consent
- Information privacy
- CISSP Data Privacy Exam Dose: GDPR, OECD
- Privacy by Design CISSP 2021
- To Opt-In or Opt-Out?
When it comes to data protection or privacy, if the processing of personal data is based on consent, the controller should be able to demonstrate that the data subject has consented to the processing of his or her personal data. Which of the following is the least likely action the controller might take? (Wentz QOTD)
B. Implement safeguards against ‘function creep’