IAPP CIPP-A CIPP/A Exam Practice Test Instant Access

Question 1

Which control is NOT included in the requirements established by the Monetary Authority of Singapore (MAS) for financial institutions in order to deter money-laundering and financial aid to terrorism (AML/CFT)?

AIdentifying and knowing customers.

BSharing personal information with the PDPC.

CConducting regular reviews of customer accounts.

DMonitoring and reporting suspicious financial transactions.

Answer : A

https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Anti_Money-Laundering_Countering-the-Financing-of-Terrorism/Guidance-for- Effective-AML-CFT-Transaction-Monitoring-Controls.pdf (page 3)

Question 2

Besides the Personal Data Protection Act (PDPA), which of the following is a potential source of privacy protection for Singapore citizens?

AConstitutional protections of personal information.

BInternational agreements protecting privacy.

CThe tort of invasion of privacy.

DBreach of confidence law.

Answer : A

Question 3

The "due diligence" exemption in Hong Kong's PDPO was meant to apply to?

AThird-party data processors located in foreign countries.

BCompanies researching the viability of business mergers.

CService providers hosting customer information in the cloud.

DDirect marketers acting in the best interest of their company.

Answer : A

Question 4

SCENARIO -- Please use the following to answer the next QUESTION:

Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank employees are subject to constant and thorough monitoring and tracking through CCTV cameras, computer monitoring software and keyboard loggers. Singabank does this to ensure its employees are complying with Singabank's data security policy. Bigbank is now considering acquiring Singabank's retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to disclose to it all of its surveillance material on its employees, whether or not they are part of the retail banking division. Jimmy works in Singabank's investment banking division.

Assuming the monitoring was legal, can Singabank disclose Jimmy's personal data to Bigbank?

ANo, because Jimmy is not in the division that Bigbank seeks to acquire.

BNo, because the data was collected for the express purpose of complying with Singabank's privacy policies.

CYes, if Singabank informs Jimmy of the disclosure of his personal data before it occurs.

DYes, if Jimmy's personal data is necessary for Bigbank to determine whether to proceed with the acquisition.

Answer : C

Question 5

SCENARIO -- Please use the following to answer the next QUESTION:

Dracarys Inc. is a large multinational company with headquarters in Seattle, Washington, U.S.

ADracarys began as a small company making and selling women's clothing, but rapidly grew through its early innovative use of online platforms to sell its products. Dracarys is now one of the biggest names in the industry, and employs staff across the globe, and in Asia has employees located in both Singapore and Hong Kong.
Due to recent management restructuring they have decided, on the advice of external consultants, to open an office in India in order to centralize its call center as well as its internal human resource functions for the Asia region. Dracarys would like to centralize the following human resource functions in India:
1. The recruitment process;
2. Employee assessment and records management;
3. Employee benefits administration, including health insurance.
Dracarys will have employees on the ground in India managing the systems for the functions listed above. They have been presented with a variety of vendor options for these systems, and are currently assessing the suitability of these vendors for their needs.
The CEO of Dracarys is concerned about the behavior of her employees, especially online. After having proprietary company information being shared with competitors by former employees, she is eager to put certain measures in place to ensure that the activities of her employees, while on Dracarys' premises or when using any of Dracarys' computers and networks are not detrimental to the business.
Dracarys' external consultants are also advising the company on how to increase earnings. Dracary's management refuses to reduce production costs and compromise the quality of their garments, so the consultants suggested utilizing customer data to create targeted advertising and thus increase sales.
Dracary's existing client data sets have been anonymised but the CEO is concerned about re-identification and the risks of using the data for further analysis.
What should the CEO do?

AAssess the business risk of further processing in the absence of any regulations on anonymised data.

BRefer to India's Information Technology Act and the 2011 rules 3-8 for guidance on handling anonymised data.

CObtain the consent of the data subjects because anonymous data must be treated as personal data at all times.

DAdhere to the Singapore guidelines on anonymization and the Hong Kong Guidance on Personal Data Erasure and Anonymization.

Answer : A, A

Question 6

Both Sections 72 and 72A of India's IT Act 2000 involve unauthorized access of personal information. One main difference between the sections is that 72A does what?

AStipulates that disclosure has to have occurred.

BSpecifies imprisonment as a possible penalty.

CAdds a provision about wrongful loss or gain.

DIncludes the concept of consent.

Answer : B

Question 7

Increases in which of the following were a major reason for the enactment of Hong Kong's Amendment Ordinance in 2012?

ADirect marketing practices.

BLaw enforcement requests.

CBiometric authentication.

DData breach reports.

Answer : A

IAPP CIPP-A Certified Information Privacy Professional/Asia CIPP/A Exam Practice Test