IAPP Certified Information Privacy Professional/United States CIPP/US Exam Questions

Page: 1 / 14
Total 195 questions

Want more questions? Get Premium Access.
()

Question 1

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal dat

a. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: ''Please act immediately by identifying all personal data received from our company.''

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the GDPR, the complainant's request regarding her personal information is known as what?

ARight of Access

BRight of Removal

CRight of Rectification

DRight to Be Forgotten

Answer : D

Under the GDPR, the complainant's request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort.Reference:

Everything you need to know about the ''Right to be forgotten''

Right to erasure | ICO

Art. 17 GDPR -- Right to erasure ('right to be forgotten') - General ...

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

Question 2

SCENARIO

Please use the following to answer the next question;

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevad

a. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

For this new initiative. Miraculous is considering a product built by MedApps. a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices" branding. MedApps provides technical support for the app. which it hosts in the cloud MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service

Riya is the Privacy Officer at Miraculous, responsible for the practice s compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices. as well as negotiating the terms of vendor agreements Riya is currently reviewing the suitability of the MedApps app from a pnvacy perspective

Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps

Which of the following would accurately describe the relationship of the parties if they enter into a contract for use of the app?

AMiraculous Healthcare would be the covered entity because Us name and branding are on the app. MedApps would be a business associate because it Is hosting the data that supports the app

BMedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app.

CMiraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it.

DMiraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous.

Answer : D

Under the Health Insurance Portability and Accountability Act (HIPAA), entities involved in the handling of protected health information (PHI) are classified as either covered entities or business associates based on their roles and activities.

Definitions Under HIPAA:

Covered Entity (CE):

A healthcare provider, health plan, or healthcare clearinghouse that creates, receives, maintains, or transmits PHI.

Miraculous Healthcare qualifies as a covered entity because it is a medical practice directly providing healthcare services to patients.

Business Associate (BA):

An organization or individual that performs functions, activities, or services involving the use or disclosure of PHI on behalf of a covered entity.

MedApps qualifies as a business associate because it is providing a telehealth app service to Miraculous, which involves hosting and maintaining PHI (e.g., appointment details, patient information).

Analysis of the Relationship:

Miraculous Healthcare: As the healthcare provider, it is responsible for patient care and compliance with HIPAA. Since it directly provides healthcare services to patients, it is the covered entity in this scenario.

MedApps: Although MedApps designed, hosts, and supports the telehealth app, it is providing these services on behalf of Miraculous Healthcare. As such, MedApps is a business associate under HIPAA. This designation requires MedApps to comply with HIPAA regulations through a Business Associate Agreement (BAA), ensuring that it appropriately safeguards the PHI it handles on behalf of Miraculous Healthcare.

Consideration of the Benchmarking Service:

The optional benchmarking service also reinforces MedApps' role as a business associate. Miraculous Healthcare would need to assess whether the PHI uploaded for benchmarking meets HIPAA's minimum necessary standard and that MedApps implements appropriate safeguards for PHI used for benchmarking. The BAA would need to address these specific uses.

Explanation of Options:

A . Miraculous Healthcare would be the covered entity because its name and branding are on the app. MedApps would be a business associate because it is hosting the data that supports the app: While this is close, it oversimplifies the reasoning by focusing solely on branding. The covered entity designation is determined by the healthcare services provided, not just branding.

B . MedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app: This is incorrect because MedApps is not directly providing healthcare services. Hosting and maintaining PHI does not make it a covered entity but rather a business associate.

C . Miraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it: This is incorrect because MedApps does not independently provide healthcare services to patients. Its role is solely as a service provider to Miraculous.

D . Miraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous: This is the correct answer. Miraculous is the covered entity, and MedApps, by hosting the telehealth app and handling PHI on Miraculous' behalf, is a business associate.

Reference from CIPP/US Materials:

HIPAA Privacy Rule (45 CFR 160.103): Defines covered entities and business associates.

Business Associate Agreements (BAAs): HIPAA requires a BAA between covered entities and business associates to ensure PHI is appropriately protected.

IAPP CIPP/US Certification Textbook: Provides detailed examples of covered entities and business associates, along with their roles and responsibilities under HIPAA.

Question 3

What do the Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act all have in common?

AThey require employers not to discriminate against certain classes when employees use personal information

BThey require that employers provide reasonable accommodations to certain classes of employees

CThey afford certain classes of employees' privacy protection by limiting inquiries concerning their personal information

DThey permit employers to use or disclose personal information specifically about employees who are members of certain classes

Answer : C

The Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act are all federal laws that prohibit employment discrimination based on certain protected characteristics, such as race, sex, disability, age, and pay1234These laws also afford certain classes of employees' privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes. For example:

The Civil Rights Act of 1964 prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on race, color, religion, sex, or national origin, unless they are bona fide occupational qualifications.

The Pregnancy Discrimination Act of 1978, which amended the Civil Rights Act of 1964, prohibits employers from making pre-employment inquiries about whether an applicant is pregnant or intends to become pregnant, unless they are related to the ability to perform the job.

The Americans with Disabilities Act of 1990 prohibits employers from making pre-employment inquiries about whether an applicant has a disability or the nature or severity of a disability, unless they are related to the ability to perform the essential functions of the job with or without reasonable accommodation.

The Age Discrimination in Employment Act of 1967 prohibits employers from making pre-employment inquiries about an applicant's age, unless they are related to a bona fide occupational qualification or a lawful affirmative action plan.

The Equal Pay Act of 1963 prohibits employers from making pre-employment inquiries about an applicant's salary history, unless they are made for a lawful purpose other than determining the applicant's pay.

Option A is incorrect because these laws do not require employers not to discriminate against certain classes when employees use personal information.Rather, they require employers not to discriminate against certain classes in any aspect of employment, such as hiring, firing, pay, promotion, training, benefits, etc1234The use of personal information by employees is not directly addressed by these laws, although it may be subject to other privacy laws or policies.

Option B is incorrect because these laws do not require that employers provide reasonable accommodations to certain classes of employees. Rather, only the Americans with Disabilities Act and the Pregnancy Discrimination Act require employers to provide reasonable accommodations to qualified individuals with disabilities and workers with limitations related to pregnancy, childbirth, or related medical conditions, respectively, unless doing so would cause an undue hardship to the employer. The other laws do not have a similar requirement, although they may prohibit employers from denying equal opportunities to certain classes of employees.

Option C is correct because these laws afford certain classes of employees' privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes, as explained above.

Option D is incorrect because these laws do not permit employers to use or disclose personal information specifically about employees who are members of certain classes. Rather, these laws generally prohibit employers from using or disclosing personal information that is protected by these laws for any unlawful or discriminatory purpose, unless an exception applies. For example, employers may use or disclose such information for legitimate business reasons, such as complying with reporting requirements, administering benefits, or conducting investigations.

Question 4

Which law provides employee benefits, but often mandates the collection of medical information?

AThe Occupational Safety and Health Act.

BThe Americans with Disabilities Act.

CThe Employee Medical Security Act.

DThe Family and Medical Leave Act.

Answer : D

The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child, the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.

The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee's ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:

Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee's own serious health condition or that of a family member.

Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee's own serious health condition or that of a family member, or for planned medical treatment.

A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.

Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.

The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:

Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees' family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.

Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.

Limit the disclosure of such records to supervisors and managers who need to know about an employee's FMLA leave, first aid and safety personnel when an employee's medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.

Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee's health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.

Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee's complete medical records or information unrelated to the FMLA leave request.

Respect the employee's right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.

The Family and Medical Leave Act (FMLA)

Question 5

Which of the following best describes the ASIA-Pacific Economic Cooperation (APEC) principles?

AA bill of rights for individuals seeking access to their personal information.

BA code of responsibilities for medical establishments to uphold privacy laws.

CAn international court ruling on personal information held in the commercial sector.

DA baseline of marketers' minimum responsibilities for providing opt-out mechanisms.

Answer : C

The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section. The APEC information privacy principles are:

Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.

Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.

Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.

Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.

Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.

Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.

Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.

Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the legitimate rights of persons other than the individual would be violated.

Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.

The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information, such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond.Reference:

APEC Privacy Framework (2015)

APEC Cross-Border Privacy Rules (CBPR) System

APEC Privacy Recognition for Processors (PRP) System

APEC Privacy Framework: A New Model for Transborder Data Flows

Question 6

Although an employer may have a strong incentive or legal obligation to monitor employees' conduct or behavior, some excessive monitoring may be considered an intrusion on employees' privacy? Which of the following is the strongest example of excessive monitoring by the employer?

AAn employer who installs a video monitor in physical locations, such as a warehouse, to ensure employees are performing tasks in a safe manner and environment.

BAn employer who installs data loss prevention software on all employee computers to limit transmission of confidential company information.

CAn employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment.

DAn employer who records all employee phone calls that involve financial transactions with customers completed over the phone.

Answer : C

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees' privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms.Reference:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.

IAPP CIPP/US Practice Questions, Question 134.

Question 7

The Cable Communications Policy Act of 1984 requires which activity?

ADelivery of an annual notice detailing how subscriber information is to be used

BDestruction of personal information a maximum of six months after it is no longer needed

CNotice to subscribers of any investigation involving unauthorized reception of cable services

DObtaining subscriber consent for disseminating any personal information necessary to render cable services

Answer : A

The Cable Communications Policy Act of 1984 (CCPA) is a federal law that regulates the cable television industry and protects the privacy of cable subscribers.One of the provisions of the CCPA is that cable operators must provide their subscribers with an annual notice that clearly and conspicuously informs them of the following information12:

The nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information

The nature, frequency, and purpose of any disclosure of such information, including an identification of the types of persons to whom the disclosure may be made

The period during which such information will be maintained by the cable operator

The times and place at which the subscriber may have access to such information

The limitations provided by the CCPA with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under the CCPA to enforce such limitations

The annual notice must also state that the subscriber has the right to prevent disclosure of personally identifiable information to third parties, except as required by law or court order, and that the subscriber may sue for damages, attorney's fees, and other relief for violations of the CCPA12.