IAPP IAPP Certifications CIPT Questions & Answers

• Question 111:

  SCENARIO

  Please use the following to answer the next question: Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client's office to perform an onsite review of the client's operations. He rented a car from Finley Motors upon arrival at the airport as so he could commute to and from the client's office. The car rental agreement was electronically signed by Chuck and included his name, address, driver's license, make/model of the car, billing rate, and additional details describing the rental transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car back to the car rental agency at the end week without mentioning the infraction and Finley Motors emailed a copy of the final receipt to the address on file.

  Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number, occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a written letter regarding the infraction to collect the fine.

  After reviewing the incident through the AMP Payment Resources' web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.

  What is the most secure method Finley Motors should use to transmit Chuck's information to AMP Payment Resources?

  A. Cloud file transfer services.

  B. Certificate Authority (CA).

  C. HyperText Transfer Protocol (HTTP).

  D. Transport Layer Security (TLS).

  Correct Answer: D

  TLS is a cryptographic protocol that provides secure communication over a network. It can help protect against eavesdropping and tampering by encrypting data in transit. Cloud file transfer services (option A) can also provide secure transmission of data but their security depends on the specific service used. Certificate Authority (CA) (option B) is not a method for transmitting data but rather a trusted third party that issues digital certificates used for authentication. HyperText Transfer Protocol (HTTP) (option C) is not a secure method for transmitting sensitive data as it does not provide encryption.

• Question 112:

  An organization's customers have suffered a number of data breaches through successful social engineering attacks. One potential solution to remediate and prevent future occurrences would be to implement which of the following?

  A. Differential identifiability.

  B. Multi-factor authentication.

  C. Greater password complexity.

  D. Attribute-based access control.

  Correct Answer: B

  Multi-factor authentication. Social engineering attacks often involve tricking individuals into revealing their login credentials. Implementing multi-factor authentication can help prevent unauthorized access even if an attacker obtains a user's password.

• Question 113:

  SCENARIO

  Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed. The table below indicates some of the personal information Clean-Q requires as part of its business operations:

  

  Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore,

  the Clean-Q permanent employee base is not included as part of this scenario.

  With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some

  overlapping bookings.

  Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers,

  presenting their proposed solutions and platforms.

  The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes

  of resource and customer management. This would entail uploading resource and customer information.

  A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.

  A resource facing web interface that enables resources to apply and manage their assigned jobs.

  An online payment facility for customers to pay for services.

  Which question would you most likely ask to gain more insight about LeadOps and provide practical privacy recommendations?

  A. What is LeadOps' annual turnover?

  B. How big is LeadOps' employee base?

  C. Where are LeadOps' operations and hosting services located?

  D. Does LeadOps practice agile development and maintenance of their system?

  Correct Answer: C

  The location of LeadOps' operations and hosting services is important information for Clean-Q to consider when assessing LeadOps' appropriateness as a service provider. This is because different countries have different data protection laws and regulations that may impact how personal information can be processed and stored. Knowing where LeadOps' operations and hosting services are located will help Clean-Q make informed decisions about how to protect the personal information it entrusts to LeadOps.

• Question 114:

  Implementation of privacy controls for compliance with the requirements of the Children's Online Privacy Protection Act (COPPA) is necessary for all the following situations EXCEPT?

  A. A virtual jigsaw puzzle game marketed for ages 5-9 displays pieces of the puzzle on a handheld screen. Once the child completes a certain level, it flashes a message about new themes released that day.

  B. An interactive toy copies a child's behavior through gestures and kid-friendly sounds. It runs on battery power and automatically connects to a base station at home to charge itself.

  C. A math tutoring service commissioned an advertisement on a bulletin board inside a charter school. The service makes it simple to reach out to tutors through a QR-code shaped like a cartoon character.

  D. A note-taking application converts hard copies of kids' class notes into audio books in seconds. It does so by using the processing power of idle server farms.

  Correct Answer: B

• Question 115:

  An organization must terminate their cloud vendor agreement immediately. What is the most secure way to delete the encrypted data stored in the cloud?

  A. Transfer the data to another location.

  B. Invoke the appropriate deletion clause in the cloud terms and conditions.

  C. Obtain a destruction certificate from the cloud vendor.

  D. Destroy all encryption keys associated with the data.

  Correct Answer: D

  Destroying all encryption keys associated with encrypted data stored on a cloud server would make that encrypted data inaccessible even if it still exists on that server 4.

• Question 116:

  Granting data subjects the right to have data corrected, amended, or deleted describes?

  A. Use limitation.

  B. Accountability.

  C. A security safeguard

  D. Individual participation

  Correct Answer: D

  Reference: https://www.ncbi.nlm.nih.gov/books/NBK236546/

  Granting data subjects the right to have data corrected, amended, or deleted describes individual participation1. As explained above, the individual participation principle gives individuals certain rights over their personal data held by a data controller1. One of these rights is to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended1. The other options are not principles that describe granting data subjects this right.

• Question 117:

  SCENARIO

  Please use the following to answer the next question:

  Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client's office to perform an onsite review of the client's operations. He rented a car from Finley Motors upon arrival at the airport as

  so he could commute to and from the client's office. The car rental agreement was electronically signed by Chuck and included his name, address, driver's license, make/model of the car, billing rate, and additional details describing the rental

  transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car back to the car rental agency at the end week without mentioning the infraction and Finley

  Motors emailed a copy of the final receipt to the address on file.

  Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number,

  occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and

  transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a

  written letter regarding the infraction to collect the fine.

  After reviewing the incident through the AMP Payment Resources' web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.

  How can Finley Motors reduce the risk associated with transferring Chuck's personal information to AMP Payment Resources?

  A. By providing only the minimum necessary data to process the violation notice and masking all other information prior to transfer.

  B. By requesting AMP Payment Resources delete unnecessary datasets and only utilize what is necessary to process the violation notice.

  C. By obfuscating the minimum necessary data to process the violation notice and require AMP Payment Resources to secure store the personal information.

  D. By transferring all information to separate datafiles and requiring AMP Payment Resources to combine the datasets during processing of the violation notice.

  Correct Answer: A

  To reduce the risk associated with transferring Chuck's personal information to AMP Payment Resources, Finley Motors could take several steps. One such step would be option A: By providing only the minimum necessary data to process the violation notice and masking all other information prior to transfer.By providing only the minimum necessary data to process the violation notice and masking all other information prior to transfer, Finley Motors can help reduce the risk associated with transferring Chuck's personal information. This can help ensure that only necessary data is shared and that any unnecessary or sensitive data is protected.

• Question 118:

  Which of the following does NOT illustrate the `respect to user privacy' principle?

  A. Implementing privacy elements within the user interface that facilitate the use of technology by any visually-challenged users.

  B. Enabling Data Subject Access Request (DSARs) that provide rights for correction, deletion, amendment and rectification of personal information.

  C. Developing a consent management self-service portal that enables the data subjects to review the details of consent provided to an organization.

  D. Filing breach notification paperwork with data protection authorities which detail the impact to data subjects.

  Correct Answer: D

• Question 119:

  What is the main reason a company relies on implied consent instead of explicit consent from a user to process her data?

  A. The implied consent model provides the user with more detailed data collection information.

  B. To secure explicit consent, a user's website browsing would be significantly disrupted.

  C. An explicit consent model is more expensive to implement.

  D. Regulators prefer the implied consent model.

  Correct Answer: B

  The main reason a company relies on implied consent instead of explicit consent from a user to process their data is typically due to the concern that securing explicit consent might significantly disrupt the user's website browsing experience. Implied consent assumes that users agree to certain data processing practices by continuing to use a website or service, without requiring them to actively provide explicit consent for each specific action. While explicit consent provides more transparency and control to users, it can indeed be more cumbersome to implement and may lead to interruptions in the user experience. However, companies must strike a balance between user privacy and operational efficiency while adhering to relevant regulations.

• Question 120:

  SCENARIO

  Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.

  You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage. Which regulation most likely applies to the data stored by Berry Country Regional Medical Center?

  A. Personal Information Protection and Electronic Documents Act

  B. Health Insurance Portability and Accountability Act

  C. The Health Records Act 2001

  D. The European Union Directive 95/46/EC

  Correct Answer: A

  Berry Country Regional Medical Center is located in Ontario, Canada. PIPEDA is a Canadian federal law that sets out rules for how private sector organizations must handle personal information in the course of commercial activities. Since Berry Country Regional Medical Center is a private sector organization that handles personal information in the course of its commercial activities, it would be subject to PIPEDA.