Privacy, Data Handling, and AI Governance

Key Concepts

Privacy is about appropriate handling of personal information. Security protects confidentiality, integrity, and availability; privacy focuses on whether personal information is collected, used, shared, retained, and disposed of in ways that are lawful, fair, transparent, and consistent with the stated purpose.

Personal information can include names, addresses, government identifiers, financial records, health information, precise location, biometrics, account IDs, device identifiers, and combinations of data that identify a person. Some data is more sensitive because misuse can create serious harm. Privacy scenarios often ask whether the organization should collect less data, limit access, notify users, obtain consent, or involve legal and privacy teams.

Data minimization is a core practical idea: collect only what is needed, use it only for the approved purpose, keep it only as long as needed or required, and dispose of it securely. If a newsletter signup asks for a passport number, that is a red flag because the data does not match the purpose. If a support ticket includes a full payment card number, the process should be corrected to reduce collection and exposure.

AI governance applies similar ideas to systems that use machine learning or automated decision support. At beginner level, focus on purpose, data quality, human oversight, privacy, transparency, fairness, and accountability. An organization should know what the AI system is used for, what data it uses, who approves it, how outputs are reviewed, and how errors or harmful effects are reported.

Model poisoning is a useful CC-level integrity example. If an attacker can influence training data, feedback data, labels, or prompts used to update a model, the model may learn incorrect or harmful behavior. That is an integrity risk because the system output can no longer be trusted. Controls may include protecting training data pipelines, validating data sources, monitoring model behavior, limiting who can submit training feedback, reviewing changes, and keeping rollback options.

Exam Application

Transparency does not mean revealing trade secrets or sensitive security details. It means people should receive appropriate information about when automated systems are used, what the purpose is, and how to challenge or escalate important decisions when needed. Non-bias means the organization should try to avoid unfair treatment caused by skewed data, poor design, or untested assumptions. Bias may appear when training data underrepresents a group, historical decisions include discrimination, or the model uses a proxy variable that correlates with protected traits.

Scenario example: A hiring team wants to use an AI tool to screen resumes. Governance should require vendor review, privacy review, data minimization, bias testing, human oversight, approved retention, and clear instructions for candidates or HR staff. Uploading all resumes to an unapproved tool because it is convenient is a poor answer.

Scenario example: A chatbot for customer support is learning from user feedback. Attackers begin submitting repeated false answers so the bot recommends unsafe password practices. This is model poisoning. The practical response is to stop automatic trust in unvalidated feedback, review recent training changes, restore a trusted model version if needed, and add monitoring and approval controls.

For exam questions, choose answers that protect personal data, limit use to approved purposes, preserve data and model integrity, and escalate novel AI uses through governance rather than allowing informal adoption.