Questions and CORRECT Answers
Types of Privacy (4 types) - CORRECT ANSWER - 1. Information Privacy
2. Bodily Privacy
3. Communication Privacy
4. Territorial Privacy
Personal vs. Non-personal Information - CORRECT ANSWER - Personal Information is
any information that relates to or describes an individual. Non-personal information is any data
that could not reasonably relate to an identified or identifiable individual.
Sensitive Data (According to the EU Data Protection Directive) - CORRECT ANSWER -
Referred to as "Special Categories of Data", this is information that reveals racial origin, political
opinions, religious or philosophical beliefs, trade union membership, or data concerning health
or sex life. Note that health data is classified as sensitive in most countries.
Source of Information (3 types and what they are) - CORRECT ANSWER -
1. Public records are information collected by and maintained by government and available to the public
2. Publicly available data is data in any form that is accessible to the interested public
3. Non-public information is data that has not been made available to the public.
Data Controller - CORRECT ANSWER - Person or entity that determines the purpose and
means of the processing of personal data.
Data Processor - CORRECT ANSWER - The person or entity that processes personal data
on behalf of the controller.
Data Subject - CORRECT ANSWER - The person about whom the personal data relates or
describes.
Privacy Policy - CORRECT ANSWER - An internal statement that describes an
organization's information handling practices and procedures. Directed at employees and agents
of the organization.
Privacy Notice - CORRECT ANSWER - An external statement that is directed to an
organization's potential and actual customers or users. Describes how the organization will
process personal information and typically describes the options a data subject has with respect to
the organization's processing of personal information.
Administrative Safeguards (and examples) - CORRECT ANSWER - Management-related
policies and procedures for protecting personal information. An incident management plan and a
privacy policy are examples.
Physical Safeguards - CORRECT ANSWER - Mechanisms that physically protect or
prevent access to a resource. Examples include cable locks for laptops and security guards to
prevent unauthorized access.
Technical Safeguards - CORRECT ANSWER - Information technology measures that
protect personal information. Examples include password authentication schemes, encryption,
and smart cards.
Privacy Impact Assessment (PIA) (What is it and when should it occur) - CORRECT
ANSWER - A systematic process for identifying the potential privacy-related risks of a
proposed system. When conducting one, an organization analyzes how information is collected,
stored, protected, shared, and managed to ensure that the organization has consciously
incorporated privacy protection measures throughout the lifecycle of the data. It should be
carried out whenever a new data processing system or project is proposed or when there are
revisions to existing data practices.
Privacy Audit or Assessment (What is it, when does it happen and who performs it) - CORRECT
ANSWER - A systematic examination of an organization's compliance with its privacy
policy and procedures, applicable laws, and other agreements and contracts concerning personal
information. Audits should be conducted on a regular basis or at the request of a regulatory
authority. Typically conducted by an internal taskforce, but if that taskforce was the one that developed the
program it may make sense to have a third party perform the audit.
Data Lifecycle (4 stages) - CORRECT ANSWER -
1. Collection
2. Use
3. Disclosure
4. Retention or destruction
FIPs (Fair Information Principles) (Description and 5 Core principles) - CORRECT
ANSWER - Guidelines that represent widely accepted doctrines concerning the fair
processing of information. They are the foundation of many international privacy initiatives such as the OECD
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The core principles
of privacy are:
1. Notice and awareness (customers should be given notice of the practices before information is
collected)
2. Choice and consent (consumers should have options)
3. Access and participation (customers should have the ability to view and contest information
collected about them)
4. Integrity and security (organizations should ensure data collected is accurate and secure)
5. Enforcement and redress (enforcement measures should be implemented to ensure
organizations follow the FIPs)
Opt-in consent - CORRECT ANSWER - Occurs when a data subject affirmatively and
explicitly indicates the desire to have his data processed by an organization. Usually reserved for
more intrusive processing.
Opt-out consent - CORRECT ANSWER - Occurs when a data subject implicitly consents
by not indicating their disapproval of the requested processing.
4 Major Models of Privacy Protection - CORRECT ANSWER -
1. Comprehensive Model
2. Co-Regulatory Model
3. Sectoral Model
4. Self-Regulatory Model
Comprehensive Model of Data Protection (and countries who have adopted it) - CORRECT
ANSWER - In many countries, like those in the EU, there is a comprehensive or general
law that governs the collection, use, and dissemination of personal information in both the private
and public sectors. An oversight body ensures compliance with the general privacy law. In the EU,
each country has a national data protection authority responsible for ensuring compliance with
the country's privacy law, modeled after the EU Data Protection Directive. Most countries in Europe adopt
this model.
Co-Regulatory Model of Data Protection (and countries who adopt it) - CORRECT
ANSWER - A variant of the comprehensive model in which specific industries develop
rules for the protection of privacy within that industry that are enforced by the industry and
overseen by a privacy agency. Canada, Australia, and New Zealand employ a co-regulatory
model of privacy.
Sectoral Model of Data Protection (and countries who adopt it) - CORRECT ANSWER -
Some countries enact sector-specific laws instead of a general data protection law. In these
countries, enforcement is achieved by various mechanisms, including regulatory bodies such as
the FTC in the US. The US and Japan adopt this model.
Self-Regulatory Model of Data Protection (and countries who adopt it) - CORRECT
ANSWER - Industry associations establish rules or regulations that are adhered to by
industry participants. Examples include PCI DSS and the privacy seal programs administered
by the Online Privacy Alliance. An organization's privacy policy is also a form of self-regulation.
OECD Guidelines (Description and 8 Principles) - CORRECT ANSWER - In 1980 the Organization
for Economic Cooperation and Development created guidelines that set forth eight
privacy principles derived partly from the Fair Information Principles. These eight principles
are:
1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle