In Ontario, a patient attends an appointment with a physician and reveals information about some new symptoms that she has been experiencing. Based on this information, the physician diagnoses the patient with a condition and prepares the report detailing the applicable history and diagnosis. The report is added to the patient's record. The patient later regrets revealing certain facts and doesn't want anyone else to know about these symptoms or the diagnosis. She acknowledges that the information she provided was correct and does not question the diagnosis.
Which of the following requests would the patient be most successful at pursuing?
A. That a correction be made to change the diagnosis based on the patient's wishes.
B. That the information be restricted from disclosure to other health care providers.
C. That a copy of the record be kept by the patient for disclosure to physicians.
D. That details of the diagnosis be deleted from the patient's health record.
What is a difference between the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Act (PIPA) of Alberta and of British Columbia?
A. PIPEDA applies to personal information about individuals employed by government institutions; PIPA applies to personal information about individuals employed by public-sector organizations within the provinces.
B. The enforcement powers of the federal Privacy Commissioner of Canada under PIPEDA are greater than those of the provincial privacy commissioners under PIPA.
C. PIPEDA applies to federal undertakings and to inter-provincial organizations engaged in commercial activities; PIPA applies to private organizations.
D. The person in charge of oversight of PIPEDA is a privacy commissioner; the person in charge of oversight of PIPA is an ombudsman.
Under the Privacy Act, which of the following applies when government institutions collect personal information?
A. Data subject consent is required.
B. The collection must be directly from a data subject.
C. The collection must relate to an operating program or activity.
D. Information collected must be made anonymous where technologically possible.
Oversight authorities allow all of the following types of consent EXCEPT:
A. Implied consent at the time of collection.
B. Verbal consent given to the person collecting the information.
C. Written consent included with the information that is collected.
D. General consent covering all activities associated with the personal information.
The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted.
Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Act (CCPA). What should Otto tell the Board?
A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
B. That the company is governed by CCPA, but does not need to take any additional steps because it follows CBPR.
C. That business contact information could be considered personal information governed by CCPA.
D. That CCPA only applies to companies based in California, which exempts the company from compliance.
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."
This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
At this stage of the investigation, what should the data privacy leader review first?
A. Available data flow diagrams
B. The text of the original complaint
C. The company's data privacy policies
D. Prevailing regulation on this subject
According to FERPA, when can a school disclose records without a student's consent?
A. If the disclosure is not to be conducted through email to the third party
B. If the disclosure would not reveal a student's student identification number
C. If the disclosure is to practitioners who are involved in a student's health care
D. If the disclosure is to provide transcripts to a school where a student intends to enroll
A company's employee wellness portal offers an app to track exercise activity via users' mobile devices. Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?
A. Offer information about data collection and uses at key data entry points.
B. Publish a privacy policy written in clear, concise, and understandable language.
C. Present a privacy policy to users during the wellness program registration process.
D. Provide a link to the wellness program privacy policy at the bottom of each screen.
Which of the following best describes what a "private right of action" is?
A. The right of individuals to keep their information private.
B. The right of individuals to submit a request to access their information.
C. The right of individuals harmed by data processing to have their information deleted.
D. The right of individuals harmed by a violation of a law to file a lawsuit against the violation.
Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?
A. Research (such as information for understanding consumer trends).
B. Risk mitigation (such as information that may reduce the risk of fraud).
C. Location of individuals (such as identifying an individual from partial information).
D. Marketing (such as appending data to customer information that a marketing company already has).