
U.S. Government Privacy Certification · 2012-02-14

copyright © 2011, IAPP
Pease International Tradeport ∙ 75 Rochester Avenue, Suite 4 ∙ Portsmouth, NH 03801 USA ∙ + 603.427.9200 ∙ [email protected]

U.S. Government Privacy Certification

Bibliography of Recommended Reading

Introduction

The IAPP and its certification advisory board compiled the following list of books, periodicals, white papers, reports and Web sites for the purpose of furthering education of information privacy issues in U.S. federal and state government agencies and departments. These selections support the Certified Information Privacy Professional/Government (CIPP/G) credentialing program, which assesses candidates’ understanding of information access and information privacy laws and practices now in force across the U.S. public sector.

The CIPP/G Bibliography is divided into three sections:

(1) Core Subject Matter Areas: Selections that address one or more of the topics covered under the CIPP/G credentialing program;
(2) Supplemental Privacy Topics: Privacy and security-related publications that augment the core study selections; and
(3) Web-based Privacy Resources: General references for information privacy that are available online.

Who Should Review

• Certification Candidates: The selections in the bibliography address a number of information privacy and information security concepts and issues. They are not expressly required for your CIPP/G exam preparation. However, they are recommended as supplements to your exam preparation, in addition to other educational products such as the IAPP certification training workshops on CD-ROM and the IAPP on-site certification training workshops. The IAPP strongly suggests that you incorporate supplemental reading into your regimen for exam preparation based on your individual needs.

• Certified Professionals (current CIPP credential holders): Each of the items listed in this bibliography may be applied toward the continuing privacy education (CPE) requirements mandated under your credential. Upon submission to the IAPP for approval, credits will be awarded based on a formula where 50 pages of written text = 1 CPE credit. Simply tally the total number of pages from your selection and submit for approval using the authorization form available at http://www.privacyassociation.org.

IMPORTANT: You must include photocopies of both the cover and inside table of contents of the selection(s) you submit for CPE consideration.

Core Subject Matter Areas

ALL CIPP/G Course Sections

• McEwen, Julie S. and Shapiro, Dr. Stuart S., U.S. Government Privacy: Essential Policies and Practices for Privacy Professionals (IAPP Publications)

CIPP/G Section One: U.S. Government Privacy Laws

U.S. Federal Statutes

(See also: “U.S. Information Privacy Statutes” under Web-based Resources, below)

• Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. Section 6501
• E-Government Act of 2002, Public Law 107-347
• Electronic Communications Privacy Act (ECPA), 18 U.S.C. Section 2701
• Family Educational Right to Privacy Act (FERPA) (aka Buckley Amendment), 20 U.S.C. Section 1232
• Freedom of Information Act (as amended 2002) (FOIA), 5 U.S.C. Section 552
• Gramm-Leach-Bliley Act (GLB), 15 U.S.C. Section 6801
• Health Insurance Portability and Accountability Act (HIPAA), Public Law 105-191
• Information Technology Resources Management Act (k/n/a “Clinger-Cohen”), 40 U.S.C. 11101 et seq.
• Paperwork Reduction Act, 44 U.S.C. Section 3501, Public Law 104-13
• Privacy Act of 1974, 5 U.S.C. § 552a
• Right to Financial Privacy Act (“RFPA”), 12 U.S.C. 3401


National Institute of Standards and Technology (NIST) Special Publications

• NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995)
• NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems (December 1998)
• NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government (November 1999)
• NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems (November 2001)
• NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems (June 2002)
• NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy (January 2002)
• NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems (August 2002)
• NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System (August 2003)


Supplemental Privacy Topics

Privacy Fundamentals

• Cady, Glee Harrah and McGregor, Pat, Protect Your Digital Privacy: Survival Skills for the Information Age (Que Press)
• Etzioni, Amitai, The Limits of Privacy (Basic Books)
• Smith, Derek, A Survival Guide in the Information Age (Longstreet Press)
• Smith, Robert Ellis, Ben Franklin's Web Site: Privacy and Curiosity from Plymouth Rock to the Internet (Privacy Journal)

Privacy and U.S. Law Enforcement

• Hunter, Richard, World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing (Harper Business)

Privacy and Operations

• Canadian Information and Privacy Office, Privacy Impact Assessment: A User’s Guide (Information and Privacy Office, Ontario, Canada)
• Flaherty, David H., Privacy Impact Assessments: An Essential Tool for Data Protection (Paper presented at the 22nd Annual Meeting of Privacy and Data Protection Officials in Venice, September 27-30, 2000)
• Frye, Curtis, Privacy-enhanced Business: Adapting to the Online Environment (Quorum Books)
• Herold, Rebecca (Editor), The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions (Auerbach)
• Internal Revenue Service, IRS Privacy Impact Assessment – Version 13 (Office of the Privacy Advocate, Internal Revenue Service)


Privacy and Public Policy

• Alderman, Ellen and Kennedy, Caroline, The Right to Privacy (Vintage Books)
• Armacost, Michael H. and Cate, Fred H., Privacy in the Information Age (Brookings Institution Press)
• Banisar, David and Schneier, Bruce, The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance (John Wiley & Sons)
• Banisar, David and Laurant, Cedric, Privacy and Human Rights 2003: An International Survey of Privacy Laws and Developments (Electronic Privacy Information Center and Privacy International)
• Harper, Jim, Identity Crisis: How Identification is Overused and Misunderstood (Cato Institute)
• O’Harrow, Robert, No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society (Free Press)
• Ridley, Matt, The Origins of Virtue (Penguin)
• Rosen, Jeffrey, The Unwanted Gaze: The Destruction of Privacy in America (Random House)
• Rosen, Jeffrey, The Naked Crowd (Random House)
• Smith, Derek, Risk Revolution: Real Threats Facing America and the Promise of Technology for a Safer Tomorrow (Longstreet Press)


Web-based Privacy Resources

U.S. Federal Agency Web sites on Privacy

• U.S. Department of Commerce: www.commerce.gov
• U.S. Equal Employment Opportunity Commission (“EEOC”): www.eeoc.gov
• U.S. Department of Health and Human Services / Office for Civil Rights: www.hhs.gov (the HHS HIPAA pages are available at www.hhs.gov/ocr/hipaa/)
• U.S. Department of Labor: www.dol.gov
• U.S. Department of the Treasury, Comptroller of the Currency, Administrator of National Banks: www.occ.gov
• U.S. Federal Trade Commission: www.ftc.gov (FTC privacy pages at www.ftc.gov/privacy/index.html; www.ftc.gov/kidzprivacy/)
• U.S. National Archives and Records Administration (“NARA”): www.archives.gov
• U.S. National Do-not-call Registry: www.donotcall.gov
• U.S. Transportation Security Administration: www.tsa.gov

U.S. Information Privacy Statutes

• California’s data breach notification law; Senate Bill 1386 (“SB 1386”): http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
• Children’s Internet Protection Act of 2001 (“CIPA”): http://ftp.fcc.gov/cgb/consumerfacts/cipa.html
• Children’s Online Privacy Protection Act of 1998 (“COPPA”): www.ftc.gov/ogc/coppa1.htm
• Communications Assistance for Law Enforcement Act of 1994 (“CALEA”): http://www.askcalea.net/calea.html
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”): http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm
• Fair and Accurate Credit Transactions Act of 2003 (“FACTA”): http://www.ftc.gov/os/statutes/fcrajump.htm
• Federal Trade Commission Act (“FTCA”): http://www.fda.gov/opacom/laws/ftca.htm (See: Section 5 on unfair and deceptive trade practices)


• Driver’s Privacy Protection Act of 1994 (“DPPA”): http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002721----000-.html
• Fair Credit Reporting Act of 1999 (“FCRA”): http://www.ftc.gov/os/statutes/031224fcra.pdf
• Family Education Rights and Privacy Act of 1974 (“FERPA”): http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or “GLBA”): http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
• Privacy Act of 1974: http://www.usdoj.gov/oip/privstat.htm
• Privacy Protection Act of 1980 (“PPA”): http://www4.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00002000--aa000-.html
• Safe Web Act of 2006, bill S.1608: http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.1608
• Telecommunications Act of 1996: http://www.fcc.gov/telecom.html
• Telephone Consumer Protection Act of 1981 (“TCPA”): http://www.fcc.gov/cgb/consumerfacts/tcpa.html
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001; H.R. 3162 (“USA-PATRIOT”): http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162
• Video Privacy Protection Act of 1988: http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002710----000-.html

Privacy and Security Organizations

• American Institute of Certified Public Accountants (“AICPA”): http://infotech.aicpa.org/Resources/Privacy/
• Asia Pacific Economic Cooperation (“APEC”) Electronic Commerce Steering Group: http://www.apec.org/apec/apec_groups/som_special_task_groups/electronic_commerce.html
• Better Business Bureau / BBB Online: www.bbbonline.org/privacy/index.asp
• Center for Democracy and Technology (“CDT”): www.cdt.org/resourcelibrary/Privacy/Misc/
• Center for Information Policy Leadership at Hunton & Williams (“CIPL”): http://www.hunton.com/Resources/Sites/general.aspx?id=45
• Direct Marketing Association (“DMA”): www.the-dma.org
• Electronic Privacy Information Center (“EPIC”): www.epic.org
• Information Systems Audit and Control Association (“ISACA”): www.isaca.org


• International Association of Privacy Professionals (“IAPP”): www.privacyassociation.org
• Organization for Economic Development and Cooperation (“OECD”): http://www.oecd.org/topic/0,2686,en_2649_34255_1_1_1_1_37441,00.html
• Network Advertising Initiative (“NAI”): www.networkadvertising.org
• Privacilla: www.privacilla.org
• Privacy Council: www.privacycouncil.com
• Privacy Exchange: www.privacyexchange.org
• Privacy Foundation: www.privacyfoundation.org
• Privacy International: www.privacyinternational.org
• Privacy Journal: www.privacyjournal.net
• Privacy Laws and Business: www.privacylaws.com/
• Privacy Law Institute (“PLI”): www.pli.org
• Privacy Rights Clearinghouse: www.privacyrights.org
• TRUSTe: www.truste.org
• World Wide Web Consortium (W3C): www.w3.org

Privacy Principles and Standards

• American Institute of Certified Public Accountants (“AICPA”) in collaboration with the Canadian Institute of Chartered Accountants (“CICA”), “Generally Accepted Privacy Principles (“GAPP”) – A Global Privacy Framework”: http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles
• Asia Pacific Economic Cooperation (“APEC”), “The APEC Privacy Principles”: http://www.apec.org/apec/apec_groups/som_special_task_groups/electronic_commerce.html
• Commission Nationale de l’Informatique et des Libertes (“CNIL”), guidelines on the implementation of whistle-blowing systems: http://www.cnil.fr/fileadmin/documents/uk/CNIL-recommandations-whistleblowing-VA.pdf
• Control Objectives for Information and Related Technology (“COBIT”): www.isaca.org/cobit
• National Institute for Standards and Technology (“NIST”): www.nist.gov
• The Network Advertising Initiative (“NAI”), “The NAI Self-regulatory Principles”: http://www.networkadvertising.org/industry/principles.asp


• Open Web Application Security Project (“OWASP”): www.owasp.org
• Organization for Economic Cooperation and Development (“OECD”), “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”: http://www.oecd.org/document/20/0,2340,en_2649_34255_15589524_1_1_1_1,00.html