CIPP/US Exam UPDATED Study Guide
QUESTIONS AND CORRECT ANSWERS
Types of Privacy (4 types) - CORRECT ANSWERS 1. Information
Privacy
2. Bodily Privacy
3. Communication Privacy
4. Territorial Privacy
Personal vs. Non-personal Information - CORRECT ANSWERS
Personal Information is any information that relates to or describes an
individual. Non personal information is any data that couldn't reasonably relate
to an identified or identifiable individual.
Sensitive Data (According to the EU Data Protection Directive) - CORRECT
ANSWERS Referred to as "Special Categories of Data", this is
information that reveals racial origin, political opinions, religious or
philosophical beliefs, trade union membership, or data concerning health or sex
life. Noted that health data is classified as sensitive in most countries.
Source of Information (3 types and what they are) - CORRECT ANSWERS
1. Public Records are information collected by and maintained by
government and available to the public
2. Publicly available data is data in any form that is accessible to the interested
public
3. Non-public information is data that has not been made available to the public.
Administrative Safeguards (and examples) - CORRECT ANSWERS
Management related policies and procedures for protecting personal
information. An incident management plan and privacy policy are examples.
,Physical Safeguards - CORRECT ANSWERS Mechanisms that
physically protect or prevent access to a resource. Examples include cable locks
for laptops and security guards to prevent unauthorized access.
Technical Safeguards - CORRECT ANSWERS Information technology
Measures that protect personal information. Examples include password
authentication schemes, encryption, and smart cards.
Data Lifecycle (4 stages) - CORRECT ANSWERS 1. Collection 2. Use
3. Disclosure 4. Retention or destruction
FIPS (Fair Information Principles) (Description and 5 Core principles) -
CORRECT ANSWERS Guidelines that represent widely accepted
doctrines concerning fair processing information. It is the foundation of many
international privacy initiatives like OECD guidelines for Protection of Privacy
and Trans-border flows of Personal Data. The core principles of privacy are:
1. Notice and awareness (customers should be given notice of the practices
before information is collected)
2. Choice and Consent (consumers should have options)
3. Access and participation (Customers should have the ability to view and
contest information collected about them
4. Integrity and Security (Organizations should ensure data collected is accurate
and secure)
5. Enforcement and Redress (Enforcement measures should be implemented to
ensure organizations follow FIP)
4 Major Models of Privacy Protection - CORRECT ANSWERS 1.
Comprehensive Model 2. Co-Regulatory 3. Sectoral 4. Self-regulatory
Comprehensive Model of Data Protection (and countries who have adopted it) -
CORRECT ANSWERS In many countries, like those in the EU, there is
a comprehensive or general law that governs the collection, use, and
,dissemination of personal information in both private and public sectors. An
oversight body ensures compliance with general privacy law. In the EU, each
country has a national data protection authority responsible for ensuring
compliance with the country's privacy law, modeled after EU Protection
directive. Most countries in Europe adopt this model.
Co-Regulatory Model of Data Protection (and countries who adopt it) -
CORRECT ANSWERS A variant of the comprehensive model in which
specific industries develop rules for the protection of privacy within that
industry that are enforced by the industry and overseen by a privacy agency.
Canada, Australia, and New Zealand employ a co-regulatory model of privacy.
Sectoral Model of Data Protection (and countries who adopt it) - CORRECT
ANSWERS Some countries enact sector specific laws instead of a
general data protection law. In these countries, enforcement is achieved by
various mechanisms, including regulatory bodies such as FTC in the US. The
US and Japan adopt this model.
Self Regulatory Model of Data Protection (and Countries who adopt it) -
CORRECT ANSWERS Industry associations establish rules or
regulations that are adhered to by industry participations. Examples include PCI
DSS and the privacy seal programs administered by the Online Privacy
Alliance. An organization's privacy policy is also a form of self regulation.
Countries deemed adequate by the EU to transfer personal data out of and to
that country - CORRECT ANSWERS Andorra, Argentina, Canada,
Iceland, Israel, Liechtenstein, Switzerland, and Uruguay
Model Contracts - CORRECT ANSWERS One option for transferring
personal data out of the EU per EU Protection Directive, these are drafted by
the European Commission and when executed by an organization importing
data from the EU, ensures an adequate level of protection through contractual
provisions in the contract.
, Safe Harbor Program - CORRECT ANSWERS One option for
transferring personal data out of the EU per EU Protection Directive, the US
Department of Commerce in consultation with the European Commission
developed this program which permits transfer of personal data out of the EU
for companies that have agreed in program participation. Declared invalid in
October 2015 and replaced by the EU US Privacy Shield.
EU US Privacy Shield - CORRECT ANSWERS Replaced the Safe
Harbor Program in 2016, provides a method for transferring personal data out of
the EU, it provides stronger obligations on companies in the US to protect
personal data of Europeans and stronger monitoring and enforcement by the US
Department of Commerce and the FTC. This new framework also restricts US
public authorities from accessing personal data transferred under the program
unless subject to clear conditions, limitations, and oversight, thereby preventing
generalized access. Europeans will also have the possibility to raise any inquiry
or complaint with the new program with a dedicated ombudsperson.
Unambiguous Consent - CORRECT ANSWERS One option for
transferring personal data out of the EU per EU Data Protection Directive. The
data subject may do this to the transfer, specifically in accordance with the
directive, the data subject may provide any freely given specific and informed
indication of his wishes to have the data transferred.
General Data Protection Regulation - CORRECT ANSWERS Adopted
by the European council, this law replaces EU Data Protection Directive and
took effect in 2018. This aims to strengthen and unify data protection for
individuals within the EU. Like the Directive, this also addresses export of
personal data outside of the EU. However GDPR requires data processors to
maintain a written record of processing activities carried out on behalf of each
data controller.
European Convention on Human Rights (ECHR) (What it is and Article 8) -
CORRECT ANSWERS All member states of the EU are signatories of
this. Article 8 provides that every individual has the right to respect for his
private and family life, his home and his correspondence, subject to certain
QUESTIONS AND CORRECT ANSWERS
Types of Privacy (4 types) - CORRECT ANSWERS 1. Information
Privacy
2. Bodily Privacy
3. Communication Privacy
4. Territorial Privacy
Personal vs. Non-personal Information - CORRECT ANSWERS
Personal Information is any information that relates to or describes an
individual. Non personal information is any data that couldn't reasonably relate
to an identified or identifiable individual.
Sensitive Data (According to the EU Data Protection Directive) - CORRECT
ANSWERS Referred to as "Special Categories of Data", this is
information that reveals racial origin, political opinions, religious or
philosophical beliefs, trade union membership, or data concerning health or sex
life. Noted that health data is classified as sensitive in most countries.
Source of Information (3 types and what they are) - CORRECT ANSWERS
1. Public Records are information collected by and maintained by
government and available to the public
2. Publicly available data is data in any form that is accessible to the interested
public
3. Non-public information is data that has not been made available to the public.
Administrative Safeguards (and examples) - CORRECT ANSWERS
Management related policies and procedures for protecting personal
information. An incident management plan and privacy policy are examples.
,Physical Safeguards - CORRECT ANSWERS Mechanisms that
physically protect or prevent access to a resource. Examples include cable locks
for laptops and security guards to prevent unauthorized access.
Technical Safeguards - CORRECT ANSWERS Information technology
Measures that protect personal information. Examples include password
authentication schemes, encryption, and smart cards.
Data Lifecycle (4 stages) - CORRECT ANSWERS 1. Collection 2. Use
3. Disclosure 4. Retention or destruction
FIPS (Fair Information Principles) (Description and 5 Core principles) -
CORRECT ANSWERS Guidelines that represent widely accepted
doctrines concerning fair processing information. It is the foundation of many
international privacy initiatives like OECD guidelines for Protection of Privacy
and Trans-border flows of Personal Data. The core principles of privacy are:
1. Notice and awareness (customers should be given notice of the practices
before information is collected)
2. Choice and Consent (consumers should have options)
3. Access and participation (Customers should have the ability to view and
contest information collected about them
4. Integrity and Security (Organizations should ensure data collected is accurate
and secure)
5. Enforcement and Redress (Enforcement measures should be implemented to
ensure organizations follow FIP)
4 Major Models of Privacy Protection - CORRECT ANSWERS 1.
Comprehensive Model 2. Co-Regulatory 3. Sectoral 4. Self-regulatory
Comprehensive Model of Data Protection (and countries who have adopted it) -
CORRECT ANSWERS In many countries, like those in the EU, there is
a comprehensive or general law that governs the collection, use, and
,dissemination of personal information in both private and public sectors. An
oversight body ensures compliance with general privacy law. In the EU, each
country has a national data protection authority responsible for ensuring
compliance with the country's privacy law, modeled after EU Protection
directive. Most countries in Europe adopt this model.
Co-Regulatory Model of Data Protection (and countries who adopt it) -
CORRECT ANSWERS A variant of the comprehensive model in which
specific industries develop rules for the protection of privacy within that
industry that are enforced by the industry and overseen by a privacy agency.
Canada, Australia, and New Zealand employ a co-regulatory model of privacy.
Sectoral Model of Data Protection (and countries who adopt it) - CORRECT
ANSWERS Some countries enact sector specific laws instead of a
general data protection law. In these countries, enforcement is achieved by
various mechanisms, including regulatory bodies such as FTC in the US. The
US and Japan adopt this model.
Self Regulatory Model of Data Protection (and Countries who adopt it) -
CORRECT ANSWERS Industry associations establish rules or
regulations that are adhered to by industry participations. Examples include PCI
DSS and the privacy seal programs administered by the Online Privacy
Alliance. An organization's privacy policy is also a form of self regulation.
Countries deemed adequate by the EU to transfer personal data out of and to
that country - CORRECT ANSWERS Andorra, Argentina, Canada,
Iceland, Israel, Liechtenstein, Switzerland, and Uruguay
Model Contracts - CORRECT ANSWERS One option for transferring
personal data out of the EU per EU Protection Directive, these are drafted by
the European Commission and when executed by an organization importing
data from the EU, ensures an adequate level of protection through contractual
provisions in the contract.
, Safe Harbor Program - CORRECT ANSWERS One option for
transferring personal data out of the EU per EU Protection Directive, the US
Department of Commerce in consultation with the European Commission
developed this program which permits transfer of personal data out of the EU
for companies that have agreed in program participation. Declared invalid in
October 2015 and replaced by the EU US Privacy Shield.
EU US Privacy Shield - CORRECT ANSWERS Replaced the Safe
Harbor Program in 2016, provides a method for transferring personal data out of
the EU, it provides stronger obligations on companies in the US to protect
personal data of Europeans and stronger monitoring and enforcement by the US
Department of Commerce and the FTC. This new framework also restricts US
public authorities from accessing personal data transferred under the program
unless subject to clear conditions, limitations, and oversight, thereby preventing
generalized access. Europeans will also have the possibility to raise any inquiry
or complaint with the new program with a dedicated ombudsperson.
Unambiguous Consent - CORRECT ANSWERS One option for
transferring personal data out of the EU per EU Data Protection Directive. The
data subject may do this to the transfer, specifically in accordance with the
directive, the data subject may provide any freely given specific and informed
indication of his wishes to have the data transferred.
General Data Protection Regulation - CORRECT ANSWERS Adopted
by the European council, this law replaces EU Data Protection Directive and
took effect in 2018. This aims to strengthen and unify data protection for
individuals within the EU. Like the Directive, this also addresses export of
personal data outside of the EU. However GDPR requires data processors to
maintain a written record of processing activities carried out on behalf of each
data controller.
European Convention on Human Rights (ECHR) (What it is and Article 8) -
CORRECT ANSWERS All member states of the EU are signatories of
this. Article 8 provides that every individual has the right to respect for his
private and family life, his home and his correspondence, subject to certain
