IAPP - CIPP/US Exam Questions and Answers
Which of the following types of information should be protected by a privacy program? -
Answer- Customer records.
All of these records are important to a business and may be considered sensitive.
However, this does not mean that they would fall into the scope of a privacy program.
Privacy programs are specifically intended to protect personal information and, of the
information presented here, only customer records fall into that category. A
cybersecurity program would be interested in protecting all these elements of
information.
Barry is consulting with his organization's cybersecurity team on the development of
their cybersecurity program. Which one of the following would not be a typical objective
of such a program? - Answer- Privacy.
The three main goals of a cybersecurity program are confidentiality, integrity, and
availability. Although privacy and security objectives are often linked and
interdependent, privacy is not one of the three cybersecurity objectives.
Howard is assisting his firm in developing a new privacy program and wants to
incorporate a privacy risk assessment process into the program. If Howard wishes to
comply with industry best practices, how often should the firm conduct these risk
assessments? - Answer- Annually.
Industry best practice calls for an annual privacy risk assessment designed to analyze
the organization's current practices in light of the evolving privacy environment.
Of the following fields, which fits into the "special categories of personal data" under
GDPR? - Answer- Union membership records.
The special categories of information under GDPR include information about racial and
ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership, genetic information, biometric information, health data, and data about a
person's sex life or sexual orientation. Other categories of information may be sensitive
but do not fit into this definition.
Katie is assessing her organization's privacy practices and determines that the
organization previously collected customer addresses for the purpose of shipping goods
and is now using those addresses to mail promotional materials. If this possibility was
not previously disclosed, what privacy principle is the organization most likely violating?
- Answer- Notice.