
CIPP-C Online Practice Questions and Answers

Questions 4

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), when engaging in a third-party transfer of personal information for processing, an organization is expected to have the technology to protect the information during transit and to?

A. Establish a contract outlining the individual outsourcing arrangement.

B. Obtain additional consent for the use of the information by the third party.

C. Confirm the jurisdictional protections of the receiving organization are the same as PIPEDA.

D. Review the cross-border data flow completed and approved by the Treasury Board of Canada Secretariat.

Questions 5

What is required for a provincial law to be considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA)?

A. Consistency with at least eight of the ten privacy principles, an independent oversight body and a complaint handling mechanism.

B. Consistency with the ten privacy principles, an independent oversight body and a process for accessing information.

C. Consistency with the ten privacy principles, an independent oversight body and a redress mechanism.

D. Consistency with the ten privacy principles, an appeal process and a redress mechanism.

Questions 6

What is a difference between the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Privacy Act (PIPA) of both Alberta and British Columbia?

A. PIPEDA applies to personal information about individuals employed by government institutions; PIPA applies to personal information about individuals employed by public-sector organizations within the provinces.

B. The enforcement powers of the federal Privacy Commissioner of Canada under PIPEDA are greater than those of the provincial privacy commissioners under PIPA.

C. PIPEDA applies to federal undertakings and to inter-provincial organizations engaged in commercial activities; PIPA applies to private organizations.

D. The person in charge of oversight of PIPEDA is a privacy commissioner; the person in charge of oversight of PIPA is an ombudsman.

Questions 7

What is the main reason a country might adopt an "ombudsman" model of privacy oversight?

A. It provides a more streamlined process of complaint resolution.

B. It increases the power of the commissioner to enforce decisions.

C. It reduces the perception that compliance is a confrontational process.

D. It provides a more detailed set of guidelines regarding possible violations.

Questions 8

As a response to TJX Winners - Homesense, why is "hashing" preferable to storing a personal identifier such as a driver's license number?

A. It scrambles information but can be unscrambled for later use.

B. It automatically puts a lifespan on any identification that is stored.

C. It randomizes all permanent identification within an organized database.

D. It still provides customer identification, but in a form that would not reveal the real number.

Questions 9

Which of the following existing frameworks is least effective in addressing emerging AI issues while specific AI legislation is being decided?

A. The Canada Consumer Product Safety Act.

B. The Motor Vehicle Safety Act.

C. The Copyright Act.

D. The Criminal Code.

Questions 10

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.

Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?

A. If the algorithm uses risk factors that impact the automatic decision engine, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

B. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.

C. If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.

D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

Questions 11

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

At this stage of the investigation, what should the data privacy leader review first?

A. Available data flow diagrams

B. The text of the original complaint

C. The company's data privacy policies

D. Prevailing regulation on this subject

Questions 12

Chanel Hair Studio is a busy high-end hair salon. In an effort to maximize efficiency of its operations and reduce wait times for appointments, Chanel decides to implement artificial intelligence software that will use client profiles and history to predict which clients will likely be late for their appointments. Information used to create the client profile included appointment history, distance from the salon, and any references to being tardy pulled from the client's social media accounts. If a client is predicted to be late, their appointment will be cancelled within 5 minutes.

Based on the details, what is the biggest potential privacy concern related to Chanel's use of this new software?

A. Scanning a client's social media accounts to use in a client profile without notice to the client.

B. Calculating client profile address distance from the salon to determine location from salon to help predict if the client will be late.

C. Using client profile information for any purpose other than setting up an appointment.

D. Assessing client tardiness history with the salon for predictive purposes.

Questions 13

Which federal law or regulation preempts state law?

A. Health Insurance Portability and Accountability Act

B. Controlling the Assault of Non-Solicited Pornography and Marketing Act

C. Telemarketing Sales Rule

D. Electronic Communications Privacy Act of 1986

Questions 14

Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.

Because it is a HIPAA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH's notification responsibilities?

A. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.

B. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.

C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.

D. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.

Questions 15

A law enforcement agency subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.

What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?

A. SCA

B.

C. ECPA

D. CALEA

E. USA Freedom Act

Questions 16

Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?

A. Financial institutions must avoid collecting a customer's sensitive personal information

B.

C. Financial institutions must help ensure a customer's understanding of products and services

D. Financial institutions must use a prescribed level of encryption for most types of customer records

E. Financial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing

Questions 17

Which of these organizations would be required to provide its customers with an annual privacy notice?

A. The Four Winds Tribal College.

B. The Golden Gavel Auction House.

C. The King County Savings and Loan.

D. The Breezy City Housing Commission.

Questions 18

What privacy concept grants a consumer the right to view and correct errors on his or her credit report?

A. Access.

B. Notice.

C. Action.

D. Choice.

Exam Code: CIPP-C
Exam Name: Certified Information Privacy Professional/Canada (CIPP/C)
Last Update: Mar 18, 2025
Questions: 226 Q&As