IAPP IAPP Certifications CIPT Questions & Answers

• Question 31:

  A user who owns a resource wants to give other individuals access to the resource. What control would apply?

  A. Mandatory access control.

  B. Role-based access controls.

  C. Discretionary access control.

  D. Context of authority controls.

  Correct Answer: C

  Reference: https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/overview

• Question 32:

  What is a main benefit of data aggregation?

  A. It is a good way to perform analysis without needing a statistician.

  B. It applies two or more layers of protection to a single data record.

  C. It allows one to draw valid conclusions from small data samples.

  D. It is a good way to achieve de-identification and unlinkabilty.

  Correct Answer: D

• Question 33:

  Which of the following would be the best method of ensuring that Information Technology projects follow Privacy by Design (PbD) principles?

  A. Develop a technical privacy framework that integrates with the development lifecycle.

  B. Utilize Privacy Enhancing Technologies (PETs) as a part of product risk assessment and management.

  C. Identify the privacy requirements as a part of the Privacy Impact Assessment (PIA) process during development and evaluation stages.

  D. Develop training programs that aid the developers in understanding how to turn privacy requirements into actionable code and design level specifications.

  Correct Answer: A

  This option is the best method to ensure that Information Technology projects follow Privacy by Design (PbD) principles. By developing a technical privacy framework that is integrated with the development lifecycle, privacy considerations are embedded at every stage of the project, from initial design to deployment and beyond. This approach ensures that privacy is not an afterthought but a foundational component of the development process, aligning directly with the core concept of Privacy by Design, which advocates for privacy to be included throughout the entire engineering process.

• Question 34:

  How does browser fingerprinting compromise privacy?

  A. By creating a security vulnerability.

  B. By differentiating users based upon parameters.

  C. By persuading users to provide personal information.

  D. By customizing advertising based on the geographic location.

  Correct Answer: B

  browser fingerprinting compromises privacy by differentiating users based upon parameters. Browser fingerprinting involves collecting information about a user's device and browser configuration in order to uniquely identify them. This can allow for tracking of user behavior across websites without their knowledge or consent.

• Question 35:

  What must be used in conjunction with disk encryption?

  A. Increased CPU speed.

  B. A strong password.

  C. A digital signature.

  D. Export controls.

  Correct Answer: B

• Question 36:

  Which of the following would be an example of an "objective" privacy harm to an individual?

  A. Receiving spam following the sale an of email address.

  B. Negative feelings derived from government surveillance.

  C. Social media profile views indicating unexpected interest in a person.

  D. Inaccuracies in personal data.

  Correct Answer: D

  Inaccuracies in personal data would be an example of an "objective" privacy harm to an individual. This is because inaccuracies in personal data can lead to incorrect decisions being made about an individual, which can have negative consequences for the individual.

• Question 37:

  What is a mistake organizations make when establishing privacy settings during the development of applications?

  A. Providing a user with too many choices.

  B. Failing to use "Do Not Track" technology.

  C. Providing a user with too much third-party information.

  D. Failing to get explicit consent from a user on the use of cookies.

  Correct Answer: D

  Failing to get explicit consent from a user on the use of cookies is a mistake organizations make when establishing privacy settings during the development of applications2. Cookies are small files that store information about users' preferences and behavior on websites2 . They can be used for various purposes such as authentication, personalization, analytics, advertising etc.2 However, they can also pose privacy risks as they may collect sensitive or personal information without users' knowledge or consent2. Therefore, organizations should inform users about how they use cookies and obtain their explicit consent before placing cookies on their devices2. This is also required by some laws such as EU's General Data Protection Regulation (GDPR) and ePrivacy Directive2. The other options are not mistakes organizations make when establishing privacy settings during the development of applications.

• Question 38:

  SCENARIO

  Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed. The table below indicates some of the personal information Clean-Q requires as part of its business operations:

  

  Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore,

  the Clean-Q permanent employee base is not included as part of this scenario.

  With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some

  overlapping bookings.

  Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers,

  presenting their proposed solutions and platforms.

  The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes

  of resource and customer management. This would entail uploading resource and customer information.

  A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.

  A resource facing web interface that enables resources to apply and manage their assigned jobs.

  An online payment facility for customers to pay for services.

  Considering that LeadOps will host/process personal information on behalf of Clean-Q remotely, what is an appropriate next step for Clean-Q senior management to assess LeadOps' appropriateness?

  A. Nothing at this stage as the Managing Director has made a decision.

  B. Determine if any Clean-Q competitors currently use LeadOps as a solution.

  C. Obtain a legal opinion from an external law firm on contracts management.

  D. Involve the Information Security team to understand in more detail the types of services and solutions LeadOps is proposing.

  Correct Answer: D

  Since LeadOps will host/process personal information on behalf of Clean-Q remotely, it is important for Clean-Q's Information Security team to assess the security measures and controls that LeadOps has in place to protect this information. This will help Clean-Q senior management make an informed decision about whether or not to engage LeadOps' services.

• Question 39:

  When designing a new system, which of the following is a privacy threat that the privacy technologist should consider?

  A. Encryption.

  B. Social distancing.

  C. Social engineering.

  D. Identity and Access Management.

  Correct Answer: C

  Social engineering is a privacy threat that the privacy technologist should consider when designing a new system.

• Question 40:

  What was the first privacy framework to be developed?

  A. OECD Privacy Principles.

  B. Generally Accepted Privacy Principles.

  C. Code of Fair Information Practice Principles (FIPPs).

  D. The Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

  Correct Answer: C

  The first privacy framework to be developed was the Code of Fair Information Practice Principles (FIPPs)3. The FIPPs were proposed by a US government advisory committee in 1973 as a set of guidelines for protecting personal data in automated systems3. The FIPPs influenced many subsequent privacy frameworks and laws around the world, such as the OECD Privacy Principles (1980), the EU Data Protection Directive (1995), and the APEC Privacy Framework (2004)3.