Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Pass the IAPP Information Privacy Technologist CIPT Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam CIPT Premium Access

View all detail and faqs for the CIPT exam

Go to Exam

770 Students Passed

90% Average Score

96% Same Questions

Viewing page 3 out of 7 pages

Viewing questions 21-30 out of questions

Questions # 21:

Which of the following is NOT a valid basis for data retention?

Options:

Size of the data.

Type of the data.

Location of the data.

Last time the data was accessed.

Questions # 22:

To meet data protection and privacy legal requirements that may require personal data to be disposed of or deleted when no longer necessary for the use it was collected, what is the best privacy-enhancing solution a privacy technologist should recommend be implemented in application design to meet this requirement?

Options:

Implement a process to delete personal data on demand and maintain records on deletion requests.

Implement automated deletion of off-site backup of personal data based on annual risk assessments.

Develop application logic to validate and purge personal data according to legal hold status or retention schedule.

Securely archive personal data not accessed or used in the last 6 months. Automate a quarterly review to delete data

from archive once no longer needed.

Questions # 23:

An organization is considering launching enhancements to improve security and authentication mechanisms in their products. To better identify the user and reduce friction from the authentication process, they plan to track physical attributes of an individual. A privacy technologist assessing privacy implications would be most interested in which of the following?

Options:

The purpose of the data tracking.

That the individual is aware tracking is occurring.

The authentication mechanism proposed.

The encryption of individual physical attributes.

Questions # 24:

Which of the following statements describes an acceptable disclosure practice?

Options:

An organization’s privacy policy discloses how data will be used among groups within the organization itself.

With regard to limitation of use, internal disclosure policies override contractual agreements with third parties.

Intermediaries processing sensitive data on behalf of an organization require stricter disclosure oversight than vendors.

When an organization discloses data to a vendor, the terms of the vendor’ privacy notice prevail over the organization’ privacy notice.

Questions # 25:

SCENARIO

WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.

The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.

This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome — a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.

To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.

The results of this initial work include the following notes:

There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.

You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.

There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.

Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.

All the WebTracker and SmartHome customers are based in USA and Canada.

Which of the following issues is most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker?

Options:

Data flows use encryption for data at rest, as defined by the IT manager.

AmaZure sends newsletter to WebTracker customers, as approved by the Marketing Manager.

Employees’ personal data are being stored in a cloud HR system, as approved by the HR Manager.

File Integrity Monitoring is being deployed in SQL servers, as indicated by the IT Architect Manager.

Answer

Explanation

In the given scenario, WebTracker Limited is migrating its IT infrastructure to the cloud provider AmaZure. As part of this, it is crucial to understand the privacy and security implications associated with AmaZure’s role as the data processor while WebTracker remains the data controller. The issues highlighted in the scenario provide a comprehensive understanding of the privacy risks and responsibilities involved.

The key issues identified include:

Typos in the privacy notice of WebTracker.

Missing privacy notice for SmartHome.

Unidentified sub-processors working for SmartHome.

Internal data flows from HR systems collecting employee data.

DNA data collected from employees for prototyping.

Among these issues, the most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker is the one involving AmaZure sending newsletters to WebTracker customers (Option B). This activity directly involves customer data and could indicate potential unauthorized processing or misuse of personal data, which is a significant privacy concern.

Detailed Explanation:

Option A (Encryption for Data at Rest): While ensuring data is encrypted at rest is critical, it does not directly indicate a breach of privacy or misuse of personal data. It is more about data security and less about privacy controls.

Option B (AmaZure Sends Newsletter): This involves direct interaction with customer data. If AmaZure is sending newsletters to WebTracker’s customers, it implies that customer data is being processed and possibly used for marketing purposes. This requires explicit consent from the data subjects and appropriate contractual agreements between WebTracker and AmaZure. Without proper oversight, this could lead to unauthorized data processing and potential violations of privacy regulations.

Option C (Employees’ Personal Data in Cloud HR System): Storing employee personal data in a cloud HR system, while significant, is typically within the scope of internal data processing. This issue is more about ensuring internal compliance with privacy policies rather than an immediate risk requiring CPO investigation.

Option D (File Integrity Monitoring in SQL Servers): File integrity monitoring is a security measure to ensure data integrity and does not directly indicate any privacy risks or misuse of personal data.

References:

GDPR Articles 28 and 29 on the responsibilities of data controllers and processors.

The necessity for explicit consent for data processing (GDPR Article 7).

Contractual obligations for data processors to protect personal data (GDPR Article 28).

Conclusion: The scenario of AmaZure sending newsletters to WebTracker customers (Option B) poses the most immediate and significant risk that requires an investigation by the CPO to ensure compliance with privacy regulations and avoid unauthorized use of customer data.

Questions # 26:

SCENARIO

Please use the following to answer the next question:

Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client’s office to perform an onsite review of the client’s operations. He rented a car from Finley Motors upon arrival at the airport as so he could commute to and from the client’s office. The car rental agreement was electronically signed by Chuck and included his name, address, driver’s license, make/model of the car, billing rate, and additional details describing the rental transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car back to the car rental agency at the end week without mentioning the infraction and Finley Motors emailed a copy of the final receipt to the address on file.

Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number, occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a written letter regarding the infraction to collect the fine.

After reviewing the incident through the AMP Payment Resources’ web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.

What should Finley Motors have done to incorporate the transparency principle of Privacy by Design (PbD)?

Options:

Signed a data sharing agreement with AMP Payment Resources.

Documented that Finley Motors has a legitimate interest to share Chuck’s information.

Obtained verbal consent from Chuck and recorded it within internal systems.

Provided notice of data sharing practices within the electronically signed rental agreement.

Questions # 27:

A clinical research organization is processing highly sensitive personal data, including numerical attributes, from medical trial results. The organization needs to manipulate the data without revealing the contents to data users. This can be achieved by utilizing?

Options:

k-anonymity.

Microdata sets.

Polymorphic encryption.

Homomorphic encryption.

Questions # 28:

SCENARIO

Please use the following to answer the next questions:

Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub. This is accessible through the 'Settings' icon from any app page, then clicking 'My Preferences', and selecting 'Information Sharing and Consent' where the following choices are displayed:

• "I consent to receive notifications and infection alerts";

• "I consent to receive information on additional features or services, and new products";

• "I consent to sharing only my risk result and location information, for exposure and contact tracing purposes";

• "I consent to share my data for medical research purposes"; and

• "I consent to share my data with healthcare providers affiliated to the company".

For each choice, an ON* or OFF tab is available The default setting is ON for all

Users purchase a virus screening service for USS29 99 for themselves or others using the app The virus screening

service works as follows:

• Step 1 A photo of the user's face is taken.

• Step 2 The user measures their temperature and adds the reading in the app

• Step 3 The user is asked to read sentences so that a voice analysis can detect symptoms

• Step 4 The user is asked to answer questions on known symptoms

• Step 5 The user can input information on family members (name date of birth, citizenship, home address, phone number, email and relationship).)

The results are displayed as one of the following risk status "Low. "Medium" or "High" if the user is deemed at "Medium " or "High" risk an alert may be sent to other users and the user is Invited to seek a medical consultation and diagnostic from a healthcare provider.

A user’s risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in dose proximity of an infected person If a user has come in contact with another individual classified as "medium’ or 'high' risk an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual Location is collected using the phone's GPS functionary, whether the app is in use or not however, the exact location of the user is "blurred' for privacy reasons Users can only see on the map circles

Which of the following pieces of information collected is the LEAST likely to be justified tor the purposes of the app?

Options:

Relationship of family member

Phone number

Dale of birth

Citizenship

Questions # 29:

SCENARIO

Looking back at your first two years as the Director of Personal Information Protection and Compliance for the St. Anne’s Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on-hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.

You recall a recent visit to the Records Storage Section in the basement of the old hospital next to the modern facility, where you noticed paper records sitting in crates labeled by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. On the back shelves of the section sat data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the records storage section, you noticed a man leaving whom you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.

You quickly realize that you need a plan of action on the maintenance, secure storage and disposal of data.

Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system at St. Anne’s Regional Medical Center?

Options:

Symmetric Encryption

Tokenization

Obfuscation

Certificates

Questions # 30:

A privacy engineer has been asked to review an online account login page. He finds there is no limitation on the number of invalid login attempts a user can make when logging into their online account.

What would be the best recommendation to minimize the potential privacy risk from this weakness?