IAPP CIPT Exam Practice Test Instant Access

Question 1

SCENARIO

Please use the following to answer the next question:

Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.

The application requires consent from the patient before importing electronic health records into the application and sharing it with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.

LBH's privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.

The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.

What is the best way to ensure that the application only collects personal data that is needed to fulfill its primary purpose of providing potential medical and healthcare recommendations?

AObtain consent before using personal health information for data analytics purposes.

BProvide the user with an option to select which personal data the application may collect.

CDisclose what personal data the application the collecting in the company Privacy Policy posted online.

DDocument each personal category collected by the app and ensure it maps to an app function or feature.

Answer : D

Primary Purpose Principle: Ensuring that data collection is strictly for fulfilling the primary purpose helps in maintaining data minimization and relevance.

Mapping Data to Functionality: Documenting each personal data category and mapping it to specific app functions or features ensures that only the necessary data is collected and used. This approach adheres to the principle of data minimization, a core aspect of Privacy by Design.

Data Inventory and Mapping: Creating a comprehensive data inventory that links each piece of personal data to its specific use case in the application helps in justifying the necessity of data collection and provides transparency.

Reference: The IAPP guidelines on conducting Privacy Impact Assessments (PIAs) highlight the importance of data mapping in identifying and documenting the personal data collected and ensuring it aligns with the application's functionalities and purposes.

Question 2

What Privacy by Design (PbD) element should include a de-identification or deletion plan?

ACategorization.

BRemediation.

CRetention.

DSecurity

Answer : C

Privacy by Design (PbD) Principles: PbD emphasizes the proactive inclusion of privacy in the design and operation of IT systems, networks, and business practices.

Retention: The retention element in PbD involves specifying the duration for which personal data will be retained. This is crucial to ensure that data is not kept longer than necessary.

De-identification or Deletion: As part of the retention plan, organizations must decide on de-identifying or deleting personal data once it is no longer needed for its original purpose. This practice minimizes privacy risks associated with unnecessary data retention.

Reference: According to the IAPP's 'Privacy by Design: The 7 Foundational Principles,' the principle of retention emphasizes that personal data should be retained only as long as necessary to fulfill the specified purposes and that secure deletion or de-identification procedures should be implemented.

Question 3

Which of the following is one of the fundamental principles of information security?

AAccountability.

BAccessibility.

CConfidentiality.

DConnectivity.

Answer : C

The fundamental principles of information security are often summarized by the CIA triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes. It is crucial in protecting personal and sensitive data from unauthorized access and breaches. This principle is widely recognized and referenced in various information security standards and frameworks, such as ISO/IEC 27001 and NIST SP 800-53.

ISO/IEC 27001:2013, Information technology --- Security techniques --- Information security management systems --- Requirements.

NIST Special Publication 800-53 (Rev. 5), Security and Privacy Controls for Information Systems and Organizations.

Question 4

What has been identified as a significant privacy concern with chatbots?

AMost chatbot providers do not agree to code audits

BChatbots can easily verify the identity of the contact.

CUsers' conversations with chatbots are not encrypted in transit.

DChatbot technology providers may be able to read chatbot conversations with users.

Answer : D

A significant privacy concern with chatbots is related to the data they handle and how it is processed:

Option A: While code audits are important, this is not the most significant privacy concern for users.

Option B: Chatbots typically do not have robust identity verification mechanisms, but this is not the primary privacy issue.

Option C: Encryption in transit is crucial, but many modern chatbots do encrypt data during transmission.

Option D: Chatbot technology providers may be able to read chatbot conversations with users.

This is the most significant privacy concern because it involves the potential access and misuse of personal data by the service providers. The conversations can include sensitive information that users may not expect to be accessible to third parties.

Question 5

Which of the following statements is true regarding software notifications and agreements?

AWebsite visitors must view the site's privacy statement before downloading software.

BSoftware agreements are designed to be brief, while notifications provide more details.

CIt is a good practice to provide users with information about privacy prior to software installation.

D''Just in time'' software agreement notifications provide users with a final opportunity to modify the agreement.

Answer : C

The practice of providing users with privacy information before they install software aligns with the principle of transparency, a key concept in information privacy. This principle dictates that users should be fully informed about what personal data is being collected and how it will be used before they engage with software or services. Providing this information up front helps users make informed decisions about their data and ensures compliance with privacy laws and regulations. This approach is often outlined in guidelines from privacy frameworks such as the General Data Protection Regulation (GDPR) and reflected in the practices advocated by the International Association of Privacy Professionals (IAPP).

Question 6

SCENARIO

You have just been hired by Ancillary.com, a seller of accessories for everything under the sun, including waterproof stickers for pool floats and decorative bands and cases for sunglasses. The company sells cell phone cases, e-cigarette cases, wine spouts, hanging air fresheners for homes and automobiles, book ends, kitchen implements, visors and shields for computer screens, passport holders, gardening tools and lawn ornaments, and catalogs full of health and beauty products. The list seems endless. As the CEO likes to say, Ancillary offers, without doubt, the widest assortment of low-price consumer products from a single company anywhere.

Ancillary's operations are similarly diverse. The company originated with a team of sales consultants selling home and beauty products at small parties in the homes of customers, and this base business is still thriving. However, the company now sells online through retail sites designated for industries and demographics, sites such as ''My Cool Ride" for automobile-related products or ''Zoomer'' for gear aimed toward young adults. The company organization includes a plethora of divisions, units and outrigger operations, as Ancillary has been built along a decentered model rewarding individual initiative and flexibility, while also acquiring key assets. The retail sites seem to all function differently, and you wonder about their compliance with regulations and industry standards. Providing tech support to these sites is also a challenge, partly due to a variety of logins and authentication protocols.

You have been asked to lead three important new projects at Ancillary:

The first is the personal data management and security component of a multi-faceted initiative to unify the company's culture. For this project, you are considering using a series of third- party servers to provide company data and approved applications to employees.

The second project involves providing point of sales technology for the home sales force, allowing them to move beyond paper checks and manual credit card imprinting.

Finally, you are charged with developing privacy protections for a single web store housing all the company's product lines as well as products from affiliates. This new omnibus site will be known, aptly, as ''Under the Sun.'' The Director of Marketing wants the site not only to sell Ancillary's products, but to link to additional products from other retailers through paid advertisements. You need to brief the executive team of security concerns posed by this approach.

What technology is under consideration in the first project in this scenario?

AServer driven controls.

BCloud computing

CData on demand

DMAC filtering

Answer : B

The technology under consideration in the first project is cloud computing.

Cloud Computing: This involves using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer. This technology provides flexibility, scalability, and cost-effectiveness.

Data Management and Security: Cloud services can unify data management across the company by providing a centralized platform where all employees can access approved applications and data securely.

Third-Party Servers: Using third-party servers, a characteristic feature of cloud computing, aligns with the project's goal to provide company data and approved applications to employees.

Security Considerations: While cloud computing offers many advantages, it also requires careful attention to data security, including encryption, access controls, and regular security audits to protect sensitive information.

IAPP Privacy Management, Information Privacy Technologist Certification Textbooks

NIST SP 800-145: The NIST Definition of Cloud Computing

Question 7

Which of the following is considered a client-side IT risk?

ASecurity policies focus solely on internal corporate obligations.

BAn organization increases the number of applications on its server.

CAn employee stores his personal information on his company laptop.

DIDs used to avoid the use of personal data map to personal data in another database.

Answer : C

Client-side IT risks refer to vulnerabilities or threats that originate from the end-user's side. When an employee stores personal information on a company laptop, it poses a security risk as this data can be exposed through loss, theft, or improper handling of the device.

IAPP CIPT Study Guide: IT Risks and Mitigation.

IAPP Certified Information Privacy Technologist (CIPT) Handbook: Section on Client-Side Risks.

IAPP Certified Information Privacy Technologist CIPT Exam Practice Test