Posted on 07-Aug-2020

Page 1: DATA PROTECTION DICTIONARY · DATA PROTECTION DICTIONARY Multidisciplinary data privacy and related terms and definitions Edition 2020 Professor mr drs Romeo F. Kadir MA MSc LLM LLM

DATA PROTECTION DICTIONARY

Multidisciplinary data privacy and related terms and definitions

Edition 2020

Professor mr drs Romeo F. Kadir MA MSc LLM LLM (Adv) EMBA EMoC - Editor-in-Chief

Drs Timon ten Berge MSc - Lexicography, Chair of the Editorial Board

Privacy Publishing Group (PPG)

2020


Further inquiries can be addressed to:

PPG Client Services
clientservices@privacypublishing.eu
www.privacypublishing.eu

Design: Jeroen Bos
Cover: Jeroen Bos

Recommended citation

Kadir, R.F. (ed.), Data Protection Dictionary – Multidisciplinary data privacy and related terms and definitions, Global Privacy & Data Protection Dictionaries Series, Privacy Publishing Group, PPG (2020), www.privacypublishing.eu

ISBN/EAN 978-94-93074-16-3

ISSN 2666-5689

NUR 820

BISAC LAW116000

© Privacy Publishing Group BV (PPG) | 2020

www.privacypublishing.eu

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the publisher’s prior consent. Except for the quotation of short passages for the purposes of criticism and review, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher or a license.

Without limiting the rights under copyright reserved above, no part of this book may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the written permission of both the copyright owner and the author of the book.

Every effort has been made to obtain permission to use all copyrighted illustrations reproduced in this book. Nonetheless, whosoever believes to have rights to this material is advised to contact the publisher.

Fictitious names of companies, products, people, characters and/or data that may be used herein (in case studies or in examples) are not intended to represent any real individual, company, product or event.

This publication is drafted in English. Privacy Publishing Group (PPG) takes no responsibility for the quality of the translations into other languages. The views expressed in this handbook do not bind PPG. The handbook refers to a selection of commentaries, manuals and other primary sources. PPG takes no responsibility for their content, nor does their inclusion amount to any form of endorsement of these publications.


Preface

Data protection has become a topic of growing global concern and a source of many interpretations related to many laws and regulations. This first initiative to collect the terms and definitions used in the daily practice of data protection professionals is primarily meant to provide a ‘primary source’ for getting introduced to a large body of related terms and definitions from a multidisciplinary perspective. Data Privacy Law, Intellectual Property Law, IT, Data Security, (Cyber) Security, Data Science, Compliance and Ethics are at the centre of attention. The primary aim of this ‘dictionary in progress’ is to provide a collection of over 9,500 data protection related multidisciplinary terms and definitions, structured in alphabetical order, to serve data protection professionals with a single source of entries for further understanding and research.

FAIR Principles

In compiling this collection we have been guided by the FAIR principles. Findable, Accessible, Interoperable and Reusable resources were consulted and structured in chronological order to produce a ‘substantive source’ that would meet the first needs of data protection professionals and data subjects who are interested in the remits and the different meanings and interpretations of data protection related terms and definitions, in order to acquire a more thorough understanding of key components.

Beyond professional lingua franca

The choice of a multidisciplinary approach has been inspired by profound questions about the terms and definitions in use, raised by participants with different disciplinary backgrounds during many discussions with data protection professionals, lectures, public addresses, training courses and advisory processes. From these interesting debates the need for clarifying terms and definitions became apparent, as well as the need for a more comprehensive (multidisciplinary) approach to what used to be a law-centred discipline. Present-day understanding of the remits of data protection can simply not do without contextual phraseology.

With the EU GDPR becoming applicable on 25 May 2018, and with many other data protection (related) laws and regulations across the globe, many companies, institutions and organizations have a duty to be able to demonstrate that they at least have a proper understanding of, or at least have access to, the necessary knowledge and expertise regarding all relevant implementation obligations, in order to implement the appropriate measures and actions for which they are held accountable.

Sourced contextualization

Data protection terms and definitions included in this publication are contextualized at two levels. The first is the level of ‘practical experience’ as a data protection professional. With a background as Senior Data Protection Expert, seasoned Data Protection Officer (DPO), external consultant in the field of privacy and data protection, data protection auditor and data protection law educator and researcher (Utrecht University (Netherlands), EADPP Professor of European Data Protection Law at Jindal Global University (India), EADPP Professor of European Data Privacy Security Law at UNpad (Indonesia) and IMF Trainer and Coach for Data Protection Officers (recognized by IAPP, US)), it might not come as a surprise that, at least in my view, more attention to the sources of knowledge and their contexts is needed in order to ‘comply with obligations under data protection laws and regulations’.

The second level of contextualization relates to the growing international body of data protection laws and regulations, data protection jurisprudence (court decisions), academic research, discussion papers, white papers, policy papers, strategic notes et cetera.

Ultimately, the editorial board hopes that this ‘primary source of knowledge’ will grow beyond a collection of ‘must reads’ and will provide material that is interesting to read and that helps the reader become familiar with the broader multidisciplinary contexts of data protection, especially when studying ‘open norms’ and ‘vague terms’.


Work in progress invitation

The content of this comprehensive data protection dictionary aims (among other things) to contribute to the promotion of better-quality substantive debates about compliance with obligations under laws and regulations. Partly in the context of the continuing training needs of data protection professionals, this dictionary hopes to contribute to future debates and developments. Given this background and the second level of contextualization mentioned above, this data protection dictionary will be updated alongside state-of-the-art topics and feedback from its users. To this end all users of this dictionary are cordially invited to provide the editorial board with their feedback for content and quality improvement by sending an email to [email protected].

Last but not least, a word of sincere thanks to all professors, research colleagues, the many students and participants in the various data protection courses, candidate DPOs, fellow DPOs, data protection specialists and others who have contributed in their own unique way to sharpening our thinking on the at times vague and complex aspects of data protection laws and regulations. This book is partly the result of this valued dynamic. A special word of thanks to the entire editorial board and editorial staff, and in particular to Jeroen Bos, my GDPR legal assistant. Without his continuous commitment and intellectual contributions this publication would not have seen the light of day.

The editorial board wishes the reader interesting multidisciplinary data protection insights.

Romeo F. Kadir

Editor-in-Chief


First Edition 2020

Founding Editor-In-Chief

Romeo F. Kadir

Publishing Project Management

Jeroen Bos

Editorial Board

Timon ten Berge (Chair) (Lexicography)

Dieuwe de la Parra

Editorial Staff

Richard Versteegh

Anne van der Vliet

Özlem Lieberwirth

Nathan Youssef

Design

Jeroen Bos

Please send your feedback to

[email protected]


List of abbreviations and acronyms

ARP: Accountability and Reporting Plan
BCR: Binding corporate rule
CB: Certifying Body
CCTV: Closed circuit television
CETS: Council of Europe Treaty Series
Charter: Charter of Fundamental Rights of the European Union
CIS: Customs information system
CJEU: Court of Justice of the European Union (prior to December 2009, European Court of Justice, ECJ)
CNIL: Commission Nationale de l’Informatique et des Libertés (France)
CoE: Council of Europe
Convention 108: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe)
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CRM: Customer relationship management
C-SIS: Central Schengen Information System
DPIA: Data Protection Impact Assessment
DPO: Data Protection Officer
DPA: Data Protection Authority
EADPP: European Association of Data Protection Professionals
EAW: European Arrest Warrant
EC: European Community
ECHR: European Convention on Human Rights
ECtHR: European Court of Human Rights
EDPB: European Data Protection Board
EDPS: European Data Protection Supervisor
EEA: European Economic Area
EFSA: European Food Safety Authority
EFTA: European Free Trade Association
EIPACC: European Institute for Privacy, Audit, Compliance & Certification
ENISA: European Network and Information Security Agency
ENU: Europol National Unit
EP: EuroPrivacy (Seal)
EPPO: European Public Prosecutor’s Office
ESMA: European Securities and Markets Authority
eTEN: Trans-European Telecommunication Networks
EU: European Union
EuroPriSe: European Privacy Seal
EuroPrivacy: European Privacy Seal for Comprehensive GDPR Compliance
eu-LISA: EU Agency for Large-scale IT Systems
FRA: European Union Agency for Fundamental Rights
GDPR: General Data Protection Regulation (EU)
GRP: GDPR Review Plan
GPS: Global positioning system
GUG (1): GDPR Ultimate Guide, Part 1 (GDPR Business Companion, GDPR Checklists)
GUG (2): GDPR Ultimate Guide, Part 2 (GDPR Global Data Management, GDPR Checklists)
GUG (3): GDPR Ultimate Guide, Part 3 (GDPR DPO Work Plan, A Practical Guide)
GUG (4): GDPR Ultimate Guide, Part 4 (GDPR Dictionary, Contextualization)
GUG (5): GDPR Ultimate Guide, Part 5 (GDPR Historical Resources, From UDHR to EDPB)
GUG (6): GDPR Ultimate Guide, Part 6 (GDPR Legislation Bundle, Official Publications)
GUP: GDPR Update Plan
IoT: Internet of Things
ISO: International Organization for Standardization
ISMS: Information Security Management System
ICCPR: International Covenant on Civil and Political Rights
ICT: Information and communications technology
ISP: Internet service provider
JSB: Joint Supervisory Body
NGO: Non-governmental organisation
NIST: National Institute of Standards and Technology
N-SIS: National Schengen Information System
OECD: Organisation for Economic Co-operation and Development
OJ: Official Journal
PbD: Privacy by Design
PDPF: Personal Data Process Flow
PET: Privacy Enhancing Technologies
PII: Personally Identifiable Information
PNR: Passenger name record
PPEP: Privacy Permanent Education Programme
RIP: Roadmap Inventory Plan
RUP: Review and Update Plan
SCG: Supervision Coordination Group
SEPA: Single Euro Payments Area
SIS: Schengen Information System
SWIFT: Society for Worldwide Interbank Financial Telecommunication
TEU: Treaty on European Union
TFEU: Treaty on the Functioning of the European Union
UDHR: Universal Declaration of Human Rights
UN: United Nations
VIS: Visa Information System
VMS: Vision, Mission and Strategy

See also: www.gdprliterature.eu

Page 9: DATA PROTECTION DICTIONARY · DATA PROTECTION DICTIONARY Multidisciplinary data privacy and related terms and definitions Edition 2020 Professor mr drs Romeo F. Kadir MA MSc LLM LLM

12

Ab initio

PPG © | 2020 gdprliterature.eu

ceedings. x Domain: Law

Absorbed overhead: Apart of financial manage-ment, it is the indirect cost of providing a ser-vice, which can be fairly allocated to specific customers. This can be based on usage or some other fair measurement. For example, cost of providing network bandwidth or shared servers. See also direct cost, indirect cost, unabsorbed overhead.

x Domain: Law, IT x Source: ITIL

Abstract of title: A document, drawn up by the seller, summarising the title deeds to a property (such as a house).

x Domain: LawAbuse of process: When criminal proceedings are

brought against a person without there being any good reason and with malice.

x Domain: LawAbuttals: The parts of the boundaries of a piece of

land which touch pieces of land alongside. x Domain: Law

Acceptable level of risk: The tolerable level of risk that is determined from: an analysis of threats and vulnerabilities, the sensitivity of data and applications, a cost/benefit analysis, and a study of the technical and operational feasibility of available controls.

x Domain: Law, IT, Healthcare, Ethics x Source: Centers for Medicare & Medicaid Services (CMS)

Acceptable use policy: A policy that establishes an agreement between users and the enterprise and defines for all parties’ the ranges of use that are approved before gaining access to a network or the Internet.

x Domain: Compliance x Source: https://www.isaca.org/Pages/Glossary.aspx

Acceptance: See assurance. x GDPR: See recital 32 and 51 GDPR See article 47, paragraph 2, sub f GDPR

x Domain: LawAcceptance: When an offer is accepted uncondi-

tionally and a legally binding agreement is cre-ated.

x GDPR: See recital 32 and 51 GDPR See article 47, paragraph 2, sub f GDPR

x Domain: LawAcceptance: Formal agreement that an IT ser-

vice, process, plan or other deliverable is com-plete, accurate, reliable and meets its specified requirements. Acceptance is usually preceded by change evaluation or testing and is often re-

Ab initio: From the start of something. (This phrase is Latin.)

x Domain: LawAbandonment: Giving up a legal right. x Domain: Law

Abatement: Cancelling a writ or action; stopping a nuisance; reducing the payments to creditors in proportion, if there is not enough money to pay them in full; or reducing the bequests in a will, in proportion, when there is not enough money to pay them in full.

x Domain: LawAbduction: Taking someone away by force. x Domain: Law

Abend: An abnormal end to a computer job; termi-nation of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.

x Domain: IT x Source: ISACA

Ablate: Describes the process by which laser-read-able “pits” are burned into the recorded layer of optical discs, DVD-ROMs and CD-ROMs.

x Domain: IT x Source: Sedona Conference

Ablative: Unalterable data. See also Ablate x Domain: IT x Source: Sedona Conference

Abovementioned: Describing something which has been referred to before in the document.

x Domain: LawAbscond: When a person fails to present them-

selves before the court when required, such as when they have been released on bail and not returned to court.

x Domain: LawAbsolute: Complete and unconditional. x GDPR: See recital 4 GDPR x Domain: Law

Absolute: Complete and unconditional. x GDPR: See recital 4 GDPR x Domain: Law

Absolute discharge: Someone who has been con-victed of an offence being released without any penalty. (They may still have to pay compensa-tion though.)

x Domain: LawAbsolute owner: The only owner of property such

as equipment, buildings, land or vehicles. x Domain: Law

Absolute privilege: A defence which can be used in a case of defamation if the statement from which the defamation arose was: • made in Par-liament; • in fair and accurate news reporting of court proceedings; or • made during court pro-

Page 10: DATA PROTECTION DICTIONARY · DATA PROTECTION DICTIONARY Multidisciplinary data privacy and related terms and definitions Edition 2020 Professor mr drs Romeo F. Kadir MA MSc LLM LLM

13

PPG © | 2020 gdprliterature.eu

edge of the information the system contains, or to control system components and functions.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access authority: An entiry responsible for mon-itoring and granting access privileges for other authorized entities.

x Domain: Privacy, Law, Government x Source: NIST 800 series

Access Authority: An entity responsible for mon-itoring and granting access privileges for other authorized entities.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access block: A key BLOB that contains the key of the symmetric cipher used to encrypt a file or message. The access block can only be opened with a private key.

x See also: BLOB, Symmetric encryption x Domain: Information security x Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx

Access control: The processes, rules and deploy-ment mechanisms that control access to infor-mation systems, resources and physical access to premises.

x GDPR: See article 29, paragraph 2, sub a and e GDPR

x Domain: Information security, Compliance x Source: https://www.isaca.org/Pages/Glossary.aspx

Access control: Measures that limit access to in-formation or information processing resourc-es to these authorized persons or applications according to the system or data classification, HIP AA defines this as the ability to implement a mechanism to encrypt and decrypt regulated

quired before proceeding to the next stage of a project or process. See also service acceptance criteria.

x GDPR: See recital 32 and 51 GDPR See article 47, paragraph 2, sub f GDPR

x Domain: Law, IT x Source: ITIL® glossary and abbreviations

Acceptance of service: When a solicitor accepts a writ on behalf of a client.

x Domain: LawAcceptor: The organisation (such as a bank) which

will pay the cheque or bill of exchange it has ac-cepted.

x Domain: LawAccess: A property of threat that defines how a

threat actor accesses an asset (network access, physical access). This only applies to human ac-tors. In terms of information management it means the right, opportunity, means of finding, using, or retrieving information. This results in the flow of information between one source and another.

x GDPR: See recitals 39, 49, 54, 59, 63, 73, 83, 104, 129, 154, 158 and 164 GDPR See article 4 para-graph 12, article 13, paragraph 2, sub b, article 14, paragraph 2 sub c, article 15, paragraph 1, article 23, paragraph 2 sub d, article 29, article 32, paragraph 1, sub c and paragraph 2 and 4, article 34, paragraph 3 sub a, article 38 paragraph 2, article 42, paragraph 6, article 45, paragraph 2, sub a, article 47, paragraph 2, sub n, article 58, paragraph 1, sub e and f, article 76, paragraph 2, article 83, paragraph 5, sub e and article 86 GDPR

x Domain: Privacy, Law, Information security, Government, Healthcare

x Source: CERTOCTAVE, ISO 15489, DIRKS, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, US National Information Assurance (IA) Glossary, NIST 800 series

Access: Ability to make use of any information sys-tem (IS) resource.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: SP 800-32

Access: Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowl-

Page 11: DATA PROTECTION DICTIONARY · DATA PROTECTION DICTIONARY Multidisciplinary data privacy and related terms and definitions Edition 2020 Professor mr drs Romeo F. Kadir MA MSc LLM LLM

14

Access Control

PPG © | 2020 gdprliterature.eu

x GDPR: Also referred to as access control tables x Domain: Information security, Compliance x Source: https://www.isaca.org/Pages/Glossary.aspx

Access control list: A list of access control entries (ACE) that apply to an object. Each ACE controls or monitors access to an object by a specified user. In a discretionary access control list (DACL), the ACL controls access; in a system access con-trol list (SACL) the ACL monitors access in a se-curity event log which can comprise part of an audit trail.

x See also: Discretionary access control list, Discre-tionary access control list, System access control list, System access control list, Access control entry, Access control entry, IAPP Certification Textbooks

x Domain: Compliance x Source: https://iapp.org/resources/glossary/

Access Control List (ACL): 1. A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. 2. A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or ex-plicitly, the access modes granted to each entity.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access control lists (acl): A register of 1) users (in-cluding groups, machines, processes) who have been given permission to use a particular system resource, and 2) the types of access they have been permitted.

x Domain: Privacy, Law, Information security, Government, Healthcare

x Source: NIST 800 series, Centers for Medicare & Medicaid Services (CMS), Sedona Conference, US National Information Assurance (IA) Glossary

Access Control Lists (ACLs): A register of: 1. us-ers (including groups, machines, processes) who have been given permission to use a particular system resource, and 2. the types of access they have been permitted.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71,

data. However, NIST defines this as the abiliry to enable authorized use of a resource while pre-venting unauthorized use or use in an unauthor-ized manner. Both share the same underlying principle of ensuring confidentiality and integri-ty. Access control can be defined by the system (mandatory access control, or MAC) or defined by the user who owns the object (discretionary access control, or DAC).

x GDPR: See article 29, paragraph 2, sub a and e GDPR

x Domain: Privacy, Law, Information security, Government

x Source: HIPAA, NIST 800 series, ISACA, FISCAM, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001 :2005, PCI-DSS, Workgroup for Electronic Data Interchange, US National Information Assurance (IA) Glossary, FIPS Pubs

Access Control: The process of granting or de-nying specific requests to: 1) obtain and use in-formation and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: FIPS 201; CNSSI-4009

Access control entry: An entry in an access con-trol list. An access control entry contains a set of access rights and a security identifier that iden-tifies a trustee for whom the rights are allowed, denied, or audited.

x See also: Security identifier (SID), Security identi-fier (SID), Access control list, Access control list

x Domain: Information security x Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx

Access control facility (acf2): Domain: Privacy, Law, Information security, Government

x Source: FISCAMAccess control facility (acf2): Domain: Privacy,

Law, Information security, Government x Source: FISCAM

Access control list: An internal computerized ta-ble of access rules regarding the levels of com-puter access permitted to logon IDs and comput-er terminals.

Page 12: DATA PROTECTION DICTIONARY · DATA PROTECTION DICTIONARY Multidisciplinary data privacy and related terms and definitions Edition 2020 Professor mr drs Romeo F. Kadir MA MSc LLM LLM

15

Access management

PPG © | 2020 gdprliterature.eu

Access control table: An internal computerized table of access rules regarding the levels of com-puter access permitted to logon IDs and comput-er terminals.

x Domain: Privacy, Law, IT, Information security x Source: ISACA

Access level: Hierarchical portion of the security level used to identify the sensitivity of IS data and the clearance or authorization of users. Ac-cess level, in conjunction with the nonhierarchi-cal categories, forms the sensitivity label of an object. See also category.

x Domain: Privacy, Law, Information security, Government, Internet

x Source: US National Information Assurance (IA) Glossary

Access Level: A category within a given security classification limiting entry or system connectiv-ity to only authorized persons.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access list: Compilation of users, programs, or processes and the access levels and types to which each is authorized. Also, a roster of in-dividuals who have admittance to a controlled area.

x Domain: Privacy, Law, Information security, Government

x Source: US National Information Assurance (IA) Glossary

Access List: Roster of individuals authorized ad-mittance to a controlled area.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access management: (ITIL Service Operation) The process responsible for allowing users to make use of IT services, data or other assets.

73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: SP 800-12

Access control mechanism: Security safeguard designed to detect and deny unauthorized ac-cess and permit authorized access in an IS.

x Domain: Privacy, Law, Information security, Government, Internet

x Source: US National Information Assurance (IA) Glossary

Access Control Mechanism: Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized ac-cess and permit authorized access to an infor-mation system.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access control software: Mechanisms that re-strict access to computer resources. This type of software, which is external to the operating system, provides a means of specifying who has access to a system, who has access to spe-cific resources, and what capabilities authorized users are granted. Access control software can generally be implemented in different modes that provide varying degrees of protection such as denying access for which the user is not ex-pressly authorized, allowing access wliich is not expressly authorized but providing a warning, or allowing access to all resources without warning regardless of authority.

x Domain: Privacy, Law, Information security, Government, Healthcare

x Source: Centers for Medicare & Medicaid Services (CMS), FISCAM
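The three enforcement modes named in the Access control software entry above (deny unless expressly authorized, allow with a warning, allow and only record) are easiest to see side by side in code. The following is an added example, not from the dictionary, FISCAM or CMS: a minimal access control mechanism that checks requests against an access profile (user to protected object to access types) under each mode, and a helper that shows what the warn mode is for in practice. The mode names, the profile and the request log are constructed for illustration.

```python
"""Added example, not from the dictionary, FISCAM or CMS: a minimal
access control mechanism that checks requests against an access profile
(user -> protected object -> access types) under the three enforcement
modes the Access control software entry describes. The mode names, the
profile and the request log are constructed for illustration."""
from enum import Enum


class Mode(Enum):
    ABORT = "abort"  # deny any access not expressly authorized (fail closed)
    WARN = "warn"    # allow unauthorized access but raise a warning
    LOG = "log"      # allow all access and only record it; no warning


# Constructed access profile: what each user's data owners authorized.
ACCESS_PROFILE = {
    "alice": {"/payroll/2020.xlsx": {"read", "write"}, "/hr/policy.pdf": {"read"}},
    "bob": {"/hr/policy.pdf": {"read"}},
}


def is_authorized(user, obj, access_type, profile=ACCESS_PROFILE):
    """True only if the profile expressly grants this access type."""
    return access_type in profile.get(user, {}).get(obj, set())


def check_access(user, obj, access_type, mode, audit, profile=ACCESS_PROFILE):
    """Decide one request under `mode`; append an audit record either way
    and return whether the access proceeds."""
    if is_authorized(user, obj, access_type, profile):
        audit.append(("ALLOW", user, obj, access_type))
        return True
    if mode is Mode.ABORT:
        audit.append(("DENY", user, obj, access_type))
        return False
    tag = "WARN" if mode is Mode.WARN else "LOG"
    audit.append((tag, user, obj, access_type))
    return True  # the two fail-open modes let the access through


def abort_impact(audit):
    """From a trail collected in WARN or LOG mode, list the requests that
    would start failing once the mechanism is switched to ABORT. Running
    in warn mode first is the usual way to find missing profile entries
    before going fail-closed."""
    return sorted({rec[1:] for rec in audit if rec[0] in ("WARN", "LOG")})


# Constructed request log replayed under each mode.
REQUESTS = [
    ("alice", "/payroll/2020.xlsx", "write"),
    ("bob", "/hr/policy.pdf", "read"),
    ("bob", "/payroll/2020.xlsx", "read"),
    ("bob", "/payroll/2020.xlsx", "read"),
]


def replay(mode, requests=REQUESTS):
    """Return (number of requests allowed, audit trail) for one mode."""
    audit = []
    allowed = sum(check_access(u, o, t, mode, audit) for u, o, t in requests)
    return allowed, audit
```

Only the abort mode actually protects the resource; warn and log modes exist so that an organization can deploy the software, collect the trail, fix the profile with `abort_impact`, and then switch to abort without breaking legitimate work.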

Access control table: See also: Access control list
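The Access mask entry on this page defines the 32-bit value an access control entry (ACE) carries and that a caller presents when opening an object, but not how the two masks meet. The following is an added example, not from the dictionary or from Microsoft's documentation: a model of the discretionary access check, walking ACEs in canonical order (explicit deny before allow) and accumulating granted bits until the requested mask is satisfied. The bit values match the Windows layout for the few file rights shown, the generic-to-specific mapping is simplified, and the DACLs and SIDs in the demo are constructed for illustration.

```python
"""Added example, not from the dictionary or from Microsoft's documentation:
a model of how the 32-bit access mask in an access control entry (ACE) is
evaluated against the access mask a caller requests when it opens an
object. Bit values follow the Windows layout for the few file rights shown;
the generic mapping is simplified and the demo DACLs and SIDs are
constructed for illustration."""

# Object-specific rights (low 16 bits), values as used for files.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
FILE_APPEND_DATA = 0x00000004
FILE_EXECUTE = 0x00000020
# Standard rights (bits 16-23).
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
# Generic rights (bits 28-31); each object type maps them to specific rights.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000

RIGHT_NAMES = {
    FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
    FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_EXECUTE: "FILE_EXECUTE",
    DELETE: "DELETE", READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC",
}

# Simplified generic mapping for a file-like object (assumption: the real
# FILE_GENERIC_* masks carry more bits, such as attribute and EA rights).
GENERIC_MAPPING = {
    GENERIC_READ: READ_CONTROL | FILE_READ_DATA,
    GENERIC_WRITE: READ_CONTROL | FILE_WRITE_DATA | FILE_APPEND_DATA,
    GENERIC_EXECUTE: READ_CONTROL | FILE_EXECUTE,
    GENERIC_ALL: READ_CONTROL | WRITE_DAC | DELETE | FILE_READ_DATA
    | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE,
}


def map_generic(mask):
    """Replace generic bits with the object's specific rights; masks are
    compared only in specific-rights form."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask & 0xFFFFFFFF


def describe_mask(mask):
    """Names of the rights set in a 32-bit access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


def access_check(dacl, token_sids, requested):
    """Evaluate `requested` against `dacl`, a list of (ace_type, sid, mask).
    Returns (allowed, granted_mask).

    Modelled rules: an ACE whose SID is not in the caller's token is
    skipped; a deny ACE covering any still-ungranted requested bit ends the
    check with access denied; allow ACEs accumulate bits until every
    requested bit is granted. An empty DACL grants nothing. Not modelled:
    a missing DACL (grants everything), the owner's implicit
    READ_CONTROL/WRITE_DAC, and MAXIMUM_ALLOWED."""
    requested = map_generic(requested)
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        mask = map_generic(mask)
        remaining = requested & ~granted
        if ace_type == "deny" and mask & remaining:
            return False, granted
        if ace_type == "allow":
            granted |= mask & requested
            if granted == requested:
                return True, granted
    return granted == requested, granted


# Constructed DACLs and token SIDs (S-1-5-32-545 is BUILTIN\Users).
DEMO_DACL = [  # canonical order: the explicit deny comes first
    ("deny", "S-1-5-21-1-bob", FILE_WRITE_DATA | FILE_APPEND_DATA),
    ("allow", "S-1-5-32-545", GENERIC_READ),
    ("allow", "S-1-5-21-1-alice", GENERIC_ALL),
]
NONCANONICAL_DACL = [  # allow before deny: the deny is never reached
    ("allow", "S-1-5-32-545", GENERIC_READ | FILE_WRITE_DATA),
    ("deny", "S-1-5-21-1-bob", FILE_WRITE_DATA),
]
BOB = {"S-1-5-21-1-bob", "S-1-5-32-545"}
ALICE = {"S-1-5-21-1-alice", "S-1-5-32-545"}


def demo():
    return {
        "bob_read": access_check(DEMO_DACL, BOB, GENERIC_READ)[0],
        "bob_write": access_check(DEMO_DACL, BOB, FILE_WRITE_DATA)[0],
        "bob_rw": access_check(DEMO_DACL, BOB, GENERIC_READ | FILE_WRITE_DATA)[0],
        "alice_delete": access_check(DEMO_DACL, ALICE, DELETE)[0],
        "guest_read": access_check(DEMO_DACL, {"S-1-5-7"}, FILE_READ_DATA)[0],
        "bob_write_noncanonical": access_check(NONCANONICAL_DACL, BOB, FILE_WRITE_DATA)[0],
    }
```

Two points worth taking from the model: a request for read plus write fails as a whole when any requested bit is denied, which is why callers should request only the rights they need; and a deny ACE placed after an allow that already covers the bit is dead, which is why tools that write DACLs keep them in canonical order.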

PPG © | 2020 gdprliterature.eu

Access management helps to protect the confidentiality, integrity and availability of assets by ensuring that only authorized users are able to access or modify them. Access management implements the policies of information security management and is sometimes referred to as rights management or identity management.

x Domain: IT x Source: ITIL® glossary and abbreviations

Access mask: A 32-bit value that specifies the rights that are allowed or denied in an access control entry. An access mask is also used to request access rights when an object is opened.

x See also: Access control entry

x Domain: Information security x Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx

Access method: The technique used for selecting records in a file for processing, retrieval, or storage. The access method is related to, but distinct from, the file organization that determines how the records are stored.

x Domain: Privacy, Law, Information security, Government, Healthcare

x Source: FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)

Access path: The logical route that an end user takes to access computerized information. Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.

x Domain: IT x Source: https://www.isaca.org/Pages/Glossary.aspx

Access path: Ways in which information or services can be accessed via an organization’s network. Any component capable of enforcing access restrictions or any component that could be used to bypass an access restriction should be considered part of the access path. The access path can also be defined as the path through which user requests travel, including the telecommunications software, transaction processing software, application programs, etc. See also data flow.

x Domain: Privacy, Law, Information security, Government, Internet, Healthcare

x Source: CERT OCTAVE, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)

Access point: In a wireless local area network (WLAN), an access point transmits and receives data. It connects users to other users within the network and can serve multiple users within a certain area. x Domain: Privacy, Law, IT, Internet, ICT x Source: Network Frontiers

Access Point: A device that logically connects wireless client devices operating in infrastructure mode to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: SP 800-48; SP 800-121

Access privileges: See access rights. x Domain: Privacy, Law, Information security x Source: FISCAM

Access profile: Associates each user with a list of protected objects the user may access.

x Domain: Privacy, Law, Information security, Government, Healthcare

x Source: US National Information Assurance (IA) Glossary

Access Profile: Association of a user with a list of protected objects the user may access.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Access rights: The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.

x Domain: Information security x Source: https://www.isaca.org/Pages/Glossary.aspx

Access rights: Precise statements that define the extent to which an individual can access computer systems and use or modify the programs and data on the system, and under what circumstances this access will be allowed. Access rights determine the actions users can perform (e.g., read, write, execute, create, and delete) on files in shared volumes or file shares on the server.

x Domain: Privacy, Law, Information security, ICT x Source: ISACA, ISO/IEC 27001:2005

Access script: A program or a series of encoded commands that enable a user to log onto a system.

x Domain: Privacy, Law, Information security, Government, Internet, Healthcare

x Source: Centers for Medicare & Medicaid Services (CMS)

Access token: An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user’s groups, and the user’s privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. There are two kinds of access token, primary and impersonation.

x Domain: Information security x Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx

Access type: Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.

x Domain: Privacy, Law, Information security, Government, Internet, Healthcare

x Source: US National Information Assurance (IA) Glossary

Access Type: Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. See Write.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: CNSSI-4009

Accession log: A serial list of numbers assigned to records in a numeric storage system, also called an accession file or a numeric file list.

x Domain: Privacy, Law, IT, Information security

Accessory: Someone who encourages or helps another person to commit a crime. x Domain: Law

Accomplice: Someone who helps another person to commit a crime. x Domain: Law

Accordingly: A word used in legal documents which means therefore or so.

x GDPR: See recitals 36 and 173 GDPR. See article 11, paragraph 2 GDPR.

x Domain: Law

Account harvesting: A method to determine existing user accounts based on trial and error. For example, giving too much information in an error message can disclose information that makes it easier for an attacker to penetrate or compromise the system.

x Domain: Privacy, Law, IT, Information security x Source: PCI-DSS

Account management: In network and systems management, a set of functions that 1) enables network or system service use to be measured and the costs of such use to be determined; and 2) includes all the resources consumed, the facilities used to collect accounting data, the facilities used to set billing parameters for the services used by customers, maintenance of the databases used for billing purposes, and the preparation of resource usage and billing reports.

x Domain: Privacy, Law, Information security, Government, Internet, Healthcare

x Source: Centers for Medicare & Medicaid Services (CMS)

Account Management, User: Involves 1) the process of requesting, establishing, issuing, and closing user accounts; 2) tracking users and their respective access authorizations; and 3) managing these functions.

x GDPR: See recitals 2, 16, 19, 39, 49, 50, 52, 53, 71, 73, 75, 81, 83, 91, 94 and 104 GDPR. See article 2 paragraph 2 sub d, article 4, paragraph 12, article 5 paragraph 1 sub f, article 9 paragraph 2 sub b, article 10, article 23 paragraph 1, article 32, article 35 paragraph 7 sub d, article 40 paragraph 2 sub h, article 45 paragraph 2 sub a and article 47, paragraph 2 sub d GDPR.

x See also: https://csrc.nist.gov/glossary x Domain: Information security, ICT x Source: SP 800-12

Account manager: In business relationship management, a role that is very similar to business relationship manager, but includes more commercial aspects. Most commonly used when dealing with external customers.

x Domain: Privacy, Law, Information security, Internet, ICT

Account manager: (ITIL Service Strategy) A role that is very similar to that of the business relationship manager, but includes more commercial

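The Account harvesting entry above describes the leak in one sentence: an error message that says more than it should. The following is an added example, not from the dictionary or from PCI DSS, showing the two forms the leak usually takes in a login handler (a different message for an unknown user, and no password hashing at all on that path, so the response is also faster) beside a handler that answers and works the same way on both failure paths, plus the attacker's side of the trial-and-error loop. The user store, hashing parameters and candidate names are constructed for illustration.

```python
"""Added example, not from the dictionary or from PCI DSS: a login handler
whose error messages let an attacker harvest which accounts exist, next
to one that answers (and works) the same way for both failure cases. The
user store, hashing parameters and attacker loop are constructed for
illustration; they are not taken from any real system."""
import hashlib
import hmac
import os


def _hash(password, salt, iterations=20_000):
    """PBKDF2-HMAC-SHA256; deliberately slow, which is what makes the
    timing side of the leak measurable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user store: username -> (salt, stored digest).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

UNKNOWN_USER = "error: unknown user"
WRONG_PASSWORD = "error: wrong password"
INVALID = "error: invalid username or password"


def login_leaky(username, password):
    """Two different failure messages, and no hashing work at all for an
    unknown name: both the text and the response time tell an attacker
    whether the username exists."""
    if username not in USERS:
        return UNKNOWN_USER
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return "ok"
    return WRONG_PASSWORD


# Salt and digest used when the name is unknown, so the same hashing cost
# is paid either way; a random digest can never match any password.
_DUMMY = (os.urandom(16), os.urandom(32))


def login_uniform(username, password):
    """One failure message and the same amount of work on every path."""
    salt, digest = USERS.get(username, _DUMMY)
    if hmac.compare_digest(_hash(password, salt), digest) and username in USERS:
        return "ok"
    return INVALID


def harvest(login, candidates, probe_password="x"):
    """Attacker side: take the response for a name that surely does not
    exist as the baseline, then keep every candidate whose response
    differs. Against login_leaky this yields the existing accounts;
    against login_uniform it yields nothing."""
    baseline = login("no-such-user-7f3a9c", probe_password)
    return [name for name in candidates if login(name, probe_password) != baseline]
```

The same check applies to password reset, registration ("that e-mail address is already taken") and account lockout responses; anywhere the application branches on whether an account exists, the branch has to look identical from the outside, in wording, status code and time taken.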