SCENARIO
Please use the following to answer the next questions:
Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub. This is accessible through the `Settings' icon from any app page then clicking `My Preferences', and selecting `Information Sharing and Consent' where the following choices are displayed:
1.
"I consent to receive notifications and infection alerts";
2.
"I consent to receive information on additional features or services and new products";
3.
"I consent to sharing only my risk result and location information for exposure and contact tracing purposes";
4.
"I consent to share my data for medical research purposes"; and
5.
"I consent to share my data with healthcare providers affiliated to the company".
For each choice, an `ON' or `OFF' tab is available The default setting is `ON' for all. Users purchase a virus screening service for US$29.99 for themselves or others using the app. The virus screening service works as follows:
1.
Step 1: A photo of the user's face is taken
2.
Step 2: The user measures their temperature and adds the reading in the app
3.
Step 3: The user is asked to read sentences so that a voice analysis can detect symptoms
4.
Step 4: The user is asked to answer questions on known symptoms
5.
Step 5: The user can input information on family members (name, date of birth, citizenship, home address, phone number, email and relationship).
The results are displayed as one of the following risk status "Low", "Medium" or "High". If the user is deemed at "Medium" or "High" risk an alert may be sent to other users, and the user is invited to seek a medical consultation and diagnostic from a healthcare provider.
A user's risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in close proximity of an infected person. If a user has come in contact with another individual classified as `medium' or `high' risk, an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual. Location is collected using the phone's GPS functionality, whether the app is in use or not however the exact location of the user is "blurred' for privacy reasons. Users can only see on the map circles with a 12-feet radius (approximately 4 meters wide), which is double the recommended distance for social distancing.
Which of the following pieces of information collected is the LEAST likely to be justified for the purposes of the app?
A. Relationship of family member.When deploying a consumer gadget that incorporates speech recognition, where is the speech generally best processed, from a privacy by design perspective?
A. Within the subject's jurisdictionWhich of the following CANNOT be effectively determined during a code audit?
A. Whether access control logic is recommended in all cases.One difference between privacy threat modeling and information security threat modeling is?
A. Privacy threat modeling looks at threats to the individual while security threat modeling looks at threats to the organization.SCENARIO
WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to
WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker. The CEO of WebTracker, Mr. Bond, would like to
assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating
any internal data processing activity, such as HR or Payroll.
This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome -- a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources
to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.
To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.
The results of this initial work include the following notes:
There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome. You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in
the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure. There are data flows representing personal data being collected from the internal employees of WebTracker, including an
interface from the HR system. Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.
All the WebTracker and SmartHome customers are based in USA and Canada.
Which of the following issues is most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker?
A. Data flows use encryption for data at rest, as defined by the IT manager.What is the main benefit of using a private cloud?
A. The ability to use a backup system for personal files.Properly configured databases and well-written website codes are the best protection against what online threat?
A. Pharming.Which of the following statements best describes the relationship between privacy and security?
A. Security systems can be used to enforce compliance with privacy policies.Which of these actions is NOT generally part of the responsibility of an IT or software engineer?
A. Providing feedback on privacy policies.SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the St. Anne's Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on-hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You recall a recent visit to the Records Storage Section in the basement of the old hospital next to the modern facility, where you noticed paper records sitting in crates labeled by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. On the back shelves of the section sat data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the records storage section, you noticed a man leaving whom you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
You quickly realize that you need a plan of action on the maintenance, secure storage and disposal of data.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system at St. Anne's Regional Medical Center?
A. Symmetric EncryptionNowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPT exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.