IAPP Certified Information Privacy Professional/United States CIPP/US Exam Practice Test

Page: 1 / 14
Total 195 questions

Want more questions? Get Premium Access.
()

Question 1

Which of the following would NOT be regulated by the Illinois Biometnc Information Pnvacy Act (BIPA)?

APhotographs of local convicted felons uploaded lo a news website.

BFingerprint scans of elementary school students used to open their lockers

CSecurity software designed to identify local convicted felons in retail stores via facial recognition.

DRetina scans of elementary school students used to verify their identities for attendance purposes

Answer : A

The Illinois Biometric Information Privacy Act (BIPA) regulates the collection, storage, and use of biometric identifiers and biometric information, such as fingerprints, retina scans, and facial recognition data. However, BIPA does not regulate photographs, as they are explicitly excluded from the definition of 'biometric identifiers' under the law.

Key Definitions Under BIPA:

Biometric Identifier: Includes fingerprints, retina or iris scans, voiceprints, and scans of hand or face geometry.

Biometric Information: Refers to any information derived from biometric identifiers.

Exclusions: BIPA explicitly excludes certain types of data from regulation, such as photographs, writing samples, and physical descriptions.

Explanation of Options:

A. Photographs of local convicted felons uploaded to a news website: This is correct because photographs are explicitly excluded from BIPA's definition of biometric identifiers.

B. Fingerprint scans of elementary school students used to open their lockers: This would be regulated under BIPA, as fingerprints are considered biometric identifiers.

C. Security software designed to identify local convicted felons in retail stores via facial recognition: This would also be regulated under BIPA, as facial recognition involves scans of face geometry, which qualify as biometric identifiers.

D. Retina scans of elementary school students used to verify their identities for attendance purposes: Retina scans are biometric identifiers under BIPA and would therefore be regulated.

Reference from CIPP/US Materials:

Illinois BIPA (740 ILCS 14/10): Defines biometric identifiers and excludes photographs from regulation.

IAPP CIPP/US Certification Textbook: Discusses the scope and application of BIPA.

Question 2

Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?

ABeing more closely scrutinized for any breaches of policy

BGetting accused of discriminatory practices

CAttracting skepticism from auditors

DHaving a security system failure

Answer : A

A company that develops a privacy policy with standards that are much higher than its competitors may face the risk of being more closely scrutinized for any breaches of policy by regulators, customers, media, or other stakeholders. This is because the company sets a higher expectation for its privacy practices and may be held to a higher standard of accountability and transparency. If the company fails to comply with its own policy or experiences a data breach, it may face more severe consequences, such as reputational damage, loss of trust, legal liability, or regulatory sanctions.Reference:

IAPP CIPP/US Body of Knowledge, Section I, B, 2

[IAPP CIPP/US Study Guide, Chapter 1, Section 1.4]

Question 3

What was the original purpose of the Foreign Intelligence Surveillance Act?

ATo further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.

BTo further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.

CTo further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.

DTo further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect's home, stemming from the Olmstead v. United States decision.

Answer : C

The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon.It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power1The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation23FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of U.S.persons4Reference: https://www.intelligence.gov/foreign-intelligence-surveillance-act

https://www.intelligence.gov/foreign-intelligence-surveillance-act/1234-categories-of-fisa

Question 4

Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

AThe Office of the Comptroller of the Currency

BThe Consumer Financial Protection Bureau

CThe Department of Health and Human Services

DThe Federal Trade Commission

Answer : C

The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.

The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.

The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:

The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies2.

The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies3.

The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations4.

The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations5.

The Board of Governors of the Federal Reserve System (FRB), which has authority over state-chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies.

The National Credit Union Administration (NCUA), which has authority over federally insured credit unions.

The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers.

The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries.

The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.

Question 5

SCENARIO

Please use the following to answer the next QUESTION:

Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. ''If they were really serious about not being bothered,'' Evan said, ''They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to.''

Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call ''another time.'' This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.

Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects

American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social medi

a. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.

Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.

Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.

Larry wants to take action, but is uncertain how to proceed.

Based on the way he uses social media, Evan is susceptible to a lawsuit based on?

ADefamation

BDiscrimination

CIntrusion upon seclusion

DPublicity given to private life

Answer : B

Discrimination is the unfair or prejudicial treatment of people based on certain characteristics, such as race, gender, age, religion, or political affiliation. Discrimination can occur in various contexts, such as employment, education, housing, or public accommodations. Discrimination can violate federal, state, or local laws that prohibit discrimination on the basis of protected categories. In the scenario, Evan is susceptible to a lawsuit based on discrimination because he uses social media to favor employees who share his political views and deny promotions to those who do not. This could constitute political discrimination, which is prohibited by some state and local laws, such as the District of Columbia Human Rights Act and the New York City Human Rights Law. Additionally, Evan's use of social media could reveal other protected characteristics of his employees, such as their race, gender, age, religion, or sexual orientation, and expose him to claims of discrimination based on those grounds as well. For example, if Evan posts derogatory comments about a certain race or religion, and then denies a promotion to an employee of that race or religion, that employee could sue Evan for discrimination under federal laws, such as Title VII of the Civil Rights Act of 1964 or the Civil Rights Act of 1991.Reference:

Political Discrimination in the Workplace | Nolo

Social Media and Employment Law Summary of Key Cases and Legal Issues

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.1: State Anti-Discrimination Laws.

Question 6

SCENARIO

Please use the following to answer the next question;

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevad

a. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

For this new initiative. Miraculous is considering a product built by MedApps. a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices" branding. MedApps provides technical support for the app. which it hosts in the cloud MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service

Riya is the Privacy Officer at Miraculous, responsible for the practice s compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices. as well as negotiating the terms of vendor agreements Riya is currently reviewing the suitability of the MedApps app from a pnvacy perspective

Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps

Which of the following would accurately describe the relationship of the parties if they enter into a contract for use of the app?

AMiraculous Healthcare would be the covered entity because Us name and branding are on the app. MedApps would be a business associate because it Is hosting the data that supports the app

BMedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app.

CMiraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it.

DMiraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous.

Answer : D

Under the Health Insurance Portability and Accountability Act (HIPAA), entities involved in the handling of protected health information (PHI) are classified as either covered entities or business associates based on their roles and activities.

Definitions Under HIPAA:

Covered Entity (CE):

A healthcare provider, health plan, or healthcare clearinghouse that creates, receives, maintains, or transmits PHI.

Miraculous Healthcare qualifies as a covered entity because it is a medical practice directly providing healthcare services to patients.

Business Associate (BA):

An organization or individual that performs functions, activities, or services involving the use or disclosure of PHI on behalf of a covered entity.

MedApps qualifies as a business associate because it is providing a telehealth app service to Miraculous, which involves hosting and maintaining PHI (e.g., appointment details, patient information).

Analysis of the Relationship:

Miraculous Healthcare: As the healthcare provider, it is responsible for patient care and compliance with HIPAA. Since it directly provides healthcare services to patients, it is the covered entity in this scenario.

MedApps: Although MedApps designed, hosts, and supports the telehealth app, it is providing these services on behalf of Miraculous Healthcare. As such, MedApps is a business associate under HIPAA. This designation requires MedApps to comply with HIPAA regulations through a Business Associate Agreement (BAA), ensuring that it appropriately safeguards the PHI it handles on behalf of Miraculous Healthcare.

Consideration of the Benchmarking Service:

The optional benchmarking service also reinforces MedApps' role as a business associate. Miraculous Healthcare would need to assess whether the PHI uploaded for benchmarking meets HIPAA's minimum necessary standard and that MedApps implements appropriate safeguards for PHI used for benchmarking. The BAA would need to address these specific uses.

Explanation of Options:

A . Miraculous Healthcare would be the covered entity because its name and branding are on the app. MedApps would be a business associate because it is hosting the data that supports the app: While this is close, it oversimplifies the reasoning by focusing solely on branding. The covered entity designation is determined by the healthcare services provided, not just branding.

B . MedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app: This is incorrect because MedApps is not directly providing healthcare services. Hosting and maintaining PHI does not make it a covered entity but rather a business associate.

C . Miraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it: This is incorrect because MedApps does not independently provide healthcare services to patients. Its role is solely as a service provider to Miraculous.

D . Miraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous: This is the correct answer. Miraculous is the covered entity, and MedApps, by hosting the telehealth app and handling PHI on Miraculous' behalf, is a business associate.

Reference from CIPP/US Materials:

HIPAA Privacy Rule (45 CFR 160.103): Defines covered entities and business associates.

Business Associate Agreements (BAAs): HIPAA requires a BAA between covered entities and business associates to ensure PHI is appropriately protected.

IAPP CIPP/US Certification Textbook: Provides detailed examples of covered entities and business associates, along with their roles and responsibilities under HIPAA.

Question 7

All of the following organizations are specified as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) EXCEPT?

AHealthcare information clearinghouses

BPharmaceutical companies

CHealthcare providers

DHealth plans

Answer : C

The Privacy Act of 1974 is a federal law that regulates the collection, use, and disclosure of personal information by federal agencies.

The Privacy Act of 1974 applies to records that are maintained in a system of records, which is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

The Privacy Act of 1974 grants individuals the right to access and amend their records, and requires agencies to provide notice of their systems of records, establish safeguards for the protection of the records, and limit the disclosure of the records to certain authorized purposes.

The Privacy Act of 1974 also establishes civil and criminal penalties for violations of the law, such as unauthorized disclosure, failure to publish a notice, or refusal to grant access or amendment.

The Privacy Act of 1974 does NOT require agencies to obtain the consent of the individual before collecting their personal information. However, the Privacy Act of 1974 does require agencies to inform the individual of the authority for the collection, the purpose and use of the collection, and the effects of not providing the information.