DCPP-01 Online Practice Questions and Answers

A multinational company with operations in several parts within EU and outside EU, involves international data transfer of both its employees and customers. In some of its EU branches, which are relatively larger in size, the organization has a works council. Most of the data transferred is personal, and some of the data that the organization collects is sensitive in nature, the processing of some of which is also outsourced to its branches in Asian countries.

For exporting EU branch employees' data to Asian Countries for processing, which of the following instruments could be used for legal data transfer?

A. Customized contracts mandating ISO 27001 certification by the data processor

B. Standard Contractual Clauses

C. Binding Corporate Rules

D. Privacy Shield Framework

Effective 2013, HIPAA Omnibus rule applies to which of the following?

A. Covered Entities only

B. Business Associates only

C. Covered Entities and Business Associates

D. Federal Health Bodies only

"As per Indian laws, any information that is freely available or accessible in public domain cannot be regarded as sensitive personal data or information."

Please state if this statement is True or False.

A. True

B. False

The Information Technology (Reasonable Security Practices And Procedures and Sensitive Data or Information) Rules, 2011 incorporate which of the following privacy concepts and principles:

i. Collection Limitation

ii. Accountability

iii. Right to be forgotten

iv.

Purpose Limitation

v.

Access and correction

A.

i, ii, iii and iv

B.

I, ii, iv and v

C.

I, iii, iv and v

D.

All the above

Choose the correct grouping of privacy principles into user centric (requiring data subjects' involvement) and organization centric (confined to organization processes and procedures) from the following options:

A. User Centric: Notice, Consent, Collection Limitation, Access and Correction Organization Centric: Choice, Use Limitation, Security, Disclosure to third party, Openness, Accountability

B. User Centric: Consent, Choice, Collection Limitation, Access and Correction Organization Centric: Notice, Use Limitation, Security, Disclosure to third party, Openness,

Accountability

C. User Centric: Notice, Consent, Choice, Access and Correction Organization Centric: Collection Limitation, Use Limitation, Security, Disclosure to third party, Openness, Accountability

D. User Centric: Notice, Consent, Openness, Accountability Organization Centric: Choice, Collection Limitation, Use Limitation, Security, Disclosure to third party, Access and Correction

As per GDPR, by means of an intra group scheme, an organization can offer sufficient data protection safeguards and put in place data transfer arrangements within their organization and some of their establishments which are located outside the EU/EEA to enable transfer of personal data outside the region.

This internal code of transfer is known as _______.

A. Company Code of Conduct

B. Binding Corporate Rules

C. Standard Contractual Clauses

D. Binding Transfer Rules

Provisions in which of the following legislations in India have or could have a direct conflict with an individual's privacy (though exceptions could have already been defined in the law)?

A. Right to Information (Amendment) Act, 2013

B. TheLokPal and LokaYuktas Act, 2013

C. National Food Security Act, 2013

D. Official Secrets Act, 1923

"The adequacy agreement between EU and Japan is the first ever mutual adequacy decision under EU GDPR". Is this statement True or False?

A. True

B. False

Which of the following laid foundation for the development of OECD privacy principles for the promotion of free international trade and trans border data flows?

A. Fair information Privacy Practices of US, 1974

B. EU Data Protection Directive

C. Safe Harbor Framework

D. WTO's Free Trade Agreement

Technological advancement is inevitable and the speed of change is exponential. In such a scenario, which of the following statement is not true for defining the relationship between privacy protection and technology advancement, both at individual and corporate levels?

A. Maintaining privacy is difficult with emerging platforms and services

B. Maintaining privacy is difficult, as exercising complete control over personal information in online environment is an uphill task

C. Technology advancements and privacy protection are independent concepts that are not related

D. Maintaining privacy in cyberspace becomes easier with proper use of tools and technologies

Rashmi recently started working as a customer care representative for a bank. After receiving a customer complaint over the phone, she wrote an email to send to grievance department in the bank. The email included customer's full name, bank account number, residential address, email address and contact number. She picked 2-3 resources/employees from the intranet site of the bank, which belonged to the grievance department and sent the email.

Please select the most ideal scenario from a privacy point of view?

A. Rashmi should have included some of the customer information in the email and send to grievance team.

B. Rashmi did the right thing by sharing all customer details to parties identified from company intranet.

C. Rashmi should have ascertained who in the grievance team is/are authorized to handle the complaint request and only then should have sent the customer details to the concerned person(s).

D. none of the above

In the landmark case _____________________ the Honourable Supreme Court of India reaffirmed the status of Right to Privacy as a Fundamental Right under Part III of the constitution.

A. M. P. Sharma and others vs. Satish Chandra, District Magistrate, Delhi, and others

B. Maneka Gandhi vs. Union of India

C. Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India And Ors

D. Olga Tellis vs. Bombay Municipal Corporation

How are privacy and data protection related to each other?

A. Data protection is a subset of privacy.

B. Privacy is a subset of data protection.

C. The terms `privacy' and `data protection' are interchangeable.

D. They're unrelated concepts.

A Data Loss Prevention (DLP) tool identifies a large number of medical records sent by an employee to a personal email address.

Which of the following is the most critical consideration while internally investigating this incident?

A. The domain of the recipient e-mail address

B. The gender of patients whose records were shared

C. The time of day the records were sent

D. The reason the records were emailed

Which of the following parameters should ideally be addressed by a privacy program of an organization?

A. Privacy incident response plan and grievance handling

B. Environmental security concerns

C. Training and data classification

D. Intellectual Property (IP) protection