The Data Privacy Dictionary

A process in which a system, service, or website determines that the rightful account holder is the one accessing it. Digital authentication can come in many forms and combinations including passwords, biometric data, and more.

1. Bank-grade Authentication – The standards and methods of authentication primarily used by financial institutions, which typically involves username, passwords, biometrics, multi-factor authentication and checking multiple fraud signals,  to authenticate the user’s identity and ensure that the banking experience is a secure and safe one.  
2. Biometric Authentication – A method of confirming a person’s identity using their biological traits, such as scanning their fingerprint, face, retina, or voice. 
3. Multi-factor Authentication – When two or more methods are used to authenticate a person in order for them to access a website or service. 
4. Password Authentication – A combination of letters, numbers, and special characters that are used to confirm a person’s identity in order for them to access a website or service. 

Data obtained through the unique patterns in a person’s eyes, voice, or fingerprint.

The process by which a business/website obtains consent from users to the collection, use, disclosure and processing of personal information.

A pop-up on websites to inform a user that the website uses cookies and/or asks for permission to use them. 

Small text files stored in the browser by the website, containing unique identifiers such as login information, what was in a shopping cart, when a user last visited, etc.

1. First-party cookies – Cookies set by the website the visitor is on. 
2. Third-party cookies – Cookies set by companies other than the website the visitor is on. These are normally applied to track user behaviour across multiple websites to build a robust user profile for targeted advertising.

Taking readable data and changing it so it appears to be written with random text in order to prevent it from being viewed or altered. Encrypted data can only be decrypted by people with access to a special key (a “decryption key”).

A service that provides protection against the loss of electronic data. This can be provided by some private insurance companies and FinTechs. 

Limiting the collection and storage of personal information to only the relevant information needed to fulfill the purpose of collection.

The idea that an individual should have control of their personal data and how it is collected or shared.

1. First-party data – Information a company collects directly from the users.
2. Second–party data – Information shared or sold by one company or website that collected that information to another for the second party’s use (i.e., the data is being used second hand).
3. Third-party data – Information obtained from companies that don’t have a direct relationship with the subject and is usually bought through a marketplace or resource that did not itself collect that information from the subject.
4. Zero-party data – Personal information voluntarily provided by the user themselves (personal preferences, shipping info, account information etc.).

Access to a computing device and/or the internet.

Any piece of personal data that exists online and can be traced back to an individual.

Protecting data in a computer, mobile device, and other Internet-connected devices from unauthorized access, corruption, or theft.

The integration of digital technology in business to become more efficient, competitive, and able to meet the demands of clients and the business itself.

Where a third-party who has stolen or fraudulently obtained an individual’s personal information uses it to pose for a fraudulent purpose, such as posing as the user and stealing their money or taking out a loan in their name.

The ability of different systems, devices, or services to communicate and connect to one another in a coordinated way.

“Malicious Software”, a blanket term for any kind of software with malicious intent (i.e., to disrupt, damage or gain unauthorized access).

1. Keylogger – Also known as a keystroke logger, this is a type of malware that monitors the keyboard inputs a user makes. This can then be used to obtain unauthorized access to passwords and other sensitive or confidential details (i.e., financial details). 
2. Spyware – A type of malware that hides on the user’s computer and can transmit their activity, passwords and other sensitive or confidential details (i.e., financial details). 
3. Trojan Horse Virus – A type of malware disguised as a regular program. There are many types of Trojan horse viruses that do anything from taking down a network via a user’s computer by flooding it with traffic to impairing the computer’s performance to get a ransom. 

Also known as “Personally Identifiable Information” – information in any format (paper or digital) that can be used to directly or indirectly identify an individual. This can include name, date of birth, contact information, ID cards, health information, and certain employment information.

1. Publicly Available Information – Information that is readily available to the public (i.e., work phone number or email address, address which can be found in a public directory, etc.). 
2. Sensitive Information – Information that one would expect to have a higher level of privacy, such as health or financial information. 

The law that governs how Canadian private sector organizations collect, use, and disclose personal information in the course of for-profit activities. Alberta, British Columbia, and Quebec all have comprehensive private sector privacy laws to the collection, use, and disclosure of personal information in their jurisdiction.

The policy a business has in place stating their personal information handling practices and what they will be doing with your information.

The automated processing of personal information to gain insights about a user. Profiling can be used for things such as suggesting music or videos based on previous history (“Based on your listening history, we suggest these albums”).

The process in which personal information is de-identified and renamed so it cannot be associated with an individual. 

A fraudulent or deceptive act where a scammer tries to obtain financial, sensitive or personal information. Some examples are a fake text message, email, or phone call in which a scammer claims to be someone else, such as a prospective romantic partner or a representative from an official service such as the CRA. 

1. Fake Online Shopping Websites – The process in which fraudsters set up fake online shopping portals with the intention of being paid and not delivering the product at all. 
2. Phishing – The process in which a scammer sends fraudulent messages, usually by email, to trick a person into clicking a link in order to download malware or reveal their financial information, passwords or other sensitive information.
3. Smishing – Similar to phishing but the scammer specifically sends a fraudulent text message via SMS.

A similar process to pseudonymization but includes a level of encryption to personal data to ensure the pseudonym is an unrecognizable token.

A security enhancement technology that hides the source and destination in order to increase privacy and security of an end user. When using the Interac sign-in service, for example, no financial institution, government service or network operators knows from where or to where you are signing in.

A process in which a system or service needs to confirm that the user is an actual person that exists and that the user is who they say they are. This is usually done with physical identification documents such as ID cards, passports, or bank information.