SCENARIO
Please use the following to answer the next questions:
Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub. This is accessible through the 'Settings' icon from any app page, then clicking 'My Preferences', and selecting 'Information Sharing and Consent' where the following choices are displayed:
1. "I consent to receive notifications and infection alerts";
2. "I consent to receive information on additional features or services, and new products";
3. "I consent to sharing only my risk result and location information, for exposure and contact tracing purposes";
4. "I consent to share my data for medical research purposes"; and
5. "I consent to share my data with healthcare providers affiliated to the company".
For each choice, an ON* or OFF tab is available. The default setting is ON for all.
Users purchase a virus screening service for US$29.99 for themselves or others using the app. The virus screening service works as follows:
Step 1: A photo of the user's face is taken.
Step 2: The user measures their temperature and adds the reading in the app.
Step 3: The user is asked to read sentences so that a voice analysis can detect symptoms.
Step 4: The user is asked to answer questions on known symptoms.
Step 5: The user can input information on family members (name, date of birth, citizenship, home address, phone number, email and relationship).
The results are displayed as one of the following risk statuses: "Low", "Medium" or "High". If the user is deemed at "Medium" or "High" risk, an alert may be sent to other users and the user is invited to seek a medical consultation and diagnostic from a healthcare provider.
A user's risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in close proximity of an infected person. If a user has come in contact with another individual classified as "medium" or "high" risk, an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual. Location is collected using the phone's GPS functionality, whether the app is in use or not; however, the exact location of the user is "blurred" for privacy reasons. Users can only see on the map circles
Which technology is best suited for the contact tracing feature of the app?
A. Bluetooth
B. Deep learning
C. Near Field Communication (NFC)
D. Radio-Frequency Identification (RFID)
SCENARIO
You have just been hired by Ancillary.com, a seller of accessories for everything under the sun, including waterproof stickers for pool floats and decorative bands and cases for sunglasses. The company sells cell phone cases, e-cigarette cases, wine spouts, hanging air fresheners for homes and automobiles, book ends, kitchen implements, visors and shields for computer screens, passport holders, gardening tools and lawn ornaments, and catalogs full of health and beauty products. The list seems endless. As the CEO likes to say, Ancillary offers, without doubt, the widest assortment of low-price consumer products from a single company anywhere.
Ancillary's operations are similarly diverse. The company originated with a team of sales consultants selling home and beauty products at small parties in the homes of customers, and this base business is still thriving. However, the company now sells online through retail sites designated for industries and demographics, sites such as "My Cool Ride" for automobile-related products or "Zoomer" for gear aimed toward young adults. The company organization includes a plethora of divisions, units and outrigger operations, as Ancillary has been built along a decentered model rewarding individual initiative and flexibility, while also acquiring key assets. The retail sites seem to all function differently, and you wonder about their compliance with regulations and industry standards. Providing tech support to these sites is also a challenge, partly due to a variety of logins and authentication protocols.
You have been asked to lead three important new projects at Ancillary:
The first is the personal data management and security component of a multi-faceted initiative to unify the company's culture. For this project, you are considering using a series of third-party servers to provide company data and approved applications to employees.
The second project involves providing point of sales technology for the home sales force, allowing them to move beyond paper checks and manual credit card imprinting.
Finally, you are charged with developing privacy protections for a single web store housing all the company's product lines as well as products from affiliates. This new omnibus site will be known, aptly, as "Under the Sun." The Director of Marketing wants the site not only to sell Ancillary's products, but to link to additional products from other retailers through paid advertisements. You need to brief the executive team of security concerns posed by this approach.
Which should be used to allow the home sales force to accept payments using smartphones?
A. Field transfer protocol.
B. Cross-current translation.
C. Near-field communication.
D. Radio Frequency Identification.
What risk is mitigated when routing meeting video traffic through a company's application servers rather than sending the video traffic directly from one user to another?
A. The user's identity is protected from the other user
B. The user is protected against cyberstalking attacks
C. The user's IP address is hidden from the other user
D. The user is assured that stronger authentication methods have been used
Which is likely to reduce the types of access controls needed within an organization?
A. Decentralization of data.
B. Regular data inventories.
C. Standardization of technology.
D. Increased number of remote employees.
Which of the following is NOT relevant to a user exercising their data portability rights?
A. Notice and consent for the downloading of data.
B. Detection of phishing attacks against the portability interface.
C. Re-authentication of an account, including two-factor authentication as appropriate.
D. Validation of users with unauthenticated identifiers (e.g. IP address, physical address).
What is the most important requirement to fulfill when transferring data out of an organization?
A. Ensuring the organization sending the data controls how the data is tagged by the receiver.
B. Ensuring the organization receiving the data performs a privacy impact assessment.
C. Ensuring the commitments made to the data owner are followed.
D. Extending the data retention schedule as needed.
How does k-anonymity help to protect privacy in micro data sets?
A. By ensuring that every record in a set is part of a group of "k" records having similar identifying information.
B. By switching values between records in order to preserve most statistics while still maintaining privacy.
C. By adding sufficient noise to the data in order to hide the impact of any one individual.
D. By top-coding all age data above a value of "k."
Which of the following is most important to provide to the data subject before the collection phase of the data lifecycle?
A. Privacy Notice.
B. Disclosure Policy.
C. Consent Request.
D. Data Protection Policy.
What element is most conducive to fostering a sound privacy by design culture in an organization?
A. Ensuring all employees acknowledge and understand the privacy policy.
B. Frequent privacy and security awareness training for employees.
C. Monthly reviews of organizational privacy principles.
D. Gaining advocacy from senior management.
Which privacy engineering objective proposed by the US National Institute of Science and Technology (NIST) decreases privacy risk by ensuring that connections between individuals and their personal data are reduced?
A. Disassociability
B. Manageability
C. Minimization
D. Predictability