Questions and CORRECT Answers
Types of Privacy (4 types) - CORRECT ANSWER - 1. Information Privacy
2. Bodily Privacy
3. Communication Privacy
4. Territorial Privacy
Personal vs. Non-personal Information - CORRECT ANSWER - *Personal Information*
is any information that relates to or describes an individual.
*Non-personal information* is any data that could not reasonably relate to an identified or
identifiable individual.
Ex: Pseudonymized information, which can be reversed to re-identify the individual.
Q: Not PI but nevertheless a key part of the information assets of the organization?
1. Financial data
2. Operational data
3. IP
4. Info about the org's products and services
Q: IP Address?
A: The EU generally treats it as personal data; the US generally treats it as not regulated by law. However, for data
involving healthcare, the FCC considers it PI.
Practical distinction: HIPAA applies only to covered entities and personal health information.
Source of Personal information - CORRECT ANSWER - *Categories*
1. Public records
information collected and maintained by government and available to the public
ex: Real estate records
2. Publicly available information
data in any form that is accessible to the interested public
ex: newspaper
3. Nonpublic information
data that has not been made available to the public
ex: medical records, financial information
*Note*
Restrictions may apply to use of the name and address in the patient file, but not to public
records or publicly available information.
The source matters: the permitted uses sometimes differ depending on where the information came from.
Sensitive Personal Information - CORRECT ANSWER - That which is more significantly
related to the notion of a reasonable expectation of privacy. One's medical or financial
information is often considered sensitive personal information (SPI), but other types of personal
information might be as well.
Examples:
1. Social Security number
2. Bank account number
3. Driver's license number
4. Home phone number
5. Professional membership
6. Medical history
Requires additional privacy and security limitations to safeguard its collection, use, and
disclosure
Sensitive Data (According to the EU Data Protection Directive) - CORRECT ANSWER -
Referred to as "Special Categories of Data", this is information that reveals racial origin, political
opinions, religious or philosophical beliefs, trade union membership, or data concerning health
or sex life. Note that health data is classified as sensitive in most countries.
Data Controller - CORRECT ANSWER - Person or entity that determines the purpose and
means of the processing of personal data.
Data Processor - CORRECT ANSWER - The person or entity that processes personal data
on behalf of the controller.
Data Subject - CORRECT ANSWER - The person whom the personal data relates to or
describes.
Consent Decree - CORRECT ANSWER - *Definition*
CD is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged
illegal activity, typically without admitting guilt or wrongdoing. Once approved, the consent
decree has the effect of a court decision.
A formal document stating specific steps the entity needs to perform to rectify the violation.
Sometimes includes monetary fine.
One of the sources of law
*Definition*
A judgment entered by consent of the parties (a federal or state agency and an adverse party)
whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or
wrongdoing.
*Website*
Consent decrees are posted publicly on the FTC's website, and the details of these decrees
provide guidance about what practices the FTC considers inappropriate.
*Enforcement*
The FTC's Enforcement Division, within the Bureau of Consumer Protection (BCP), monitors
and litigates violations of consent decrees in cooperation with DOJ.
*Effect*
When entering into a consent decree, the charged entity does not admit fault or liability. The decree cannot
be used as evidence of fault in any other civil action that may be brought by those harmed by the
unfair or deceptive practice.
*Example*
The FTC has entered into numerous consent decrees with companies as a result of alleged
violations of privacy laws, such as the Children's Online Privacy Protection Act (COPPA).
Privacy Policy - CORRECT ANSWER - An internal statement that describes an
organization's information handling practices and procedures. Directed at employees and agents
of the organization.
Privacy Policies and Disclosure - CORRECT ANSWER - 1. If an organization violates a
promise made in a privacy policy that is also communicated in the privacy notice, then the FTC
or a state attorney general may bring an enforcement action
2. One or Multiple Privacy Policies
3. Policy Review and Approval
Revised → announce to employees through its privacy notice
4. Communication of Privacy Policy Through a Notice