CIPT Study Set Exam Questions and Answers with Complete Solutions
AICPA definition of privacy - answer: The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.

IAPP definition of privacy - answer: The appropriate use of personal information under the circumstances. What is appropriate depends on context, law, and the individual's expectations; also, the right of an individual to control the collection, use, and disclosure of personal information.

Data protection - answer: The management of personal information. In the United States, "privacy" is the term used in policies, laws and regulations; in the EU and other countries, "data protection" is the term that usually identifies privacy-related laws and regulations.

Processes in an organization where privacy is important - answer: Human resource management, finance and accounting, procurement, marketing, sales, customer support, technical support, retail operations, research and development, regulatory reporting.

Common challenges with privacy - answer: Lost or stolen media, over-sharing of personal information, good intentions but misused data, third-party service provider weaknesses, regulatory violations, website leakage, hackers, unwanted marketing communications, fraudulent transactions, social engineering.

If privacy is compromised, what is the result - answer: Identity theft, brand and reputation damage, litigation, regulatory action, direct financial loss, loss of market value, loss of consumer and business partner confidence, becoming an example of what could go wrong.

What are the different types of information about people - answer: Personal information, personal data, PII, individually identifiable information.

Types of personal information - answer: Sensitive information, PII, protected health information (PHI) and electronic PHI (ePHI), non-public personal financial information (NPI).

Types of non-personal information - answer: Non-personally identifiable information (non-PII), de-identified or anonymized information, statistical and aggregate information, household data, demographic data.

European categories of sensitive data - answer: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, offenses or criminal convictions, genetic data.

US categories of sensitive data - answer: Social Security numbers, financial information, driver's license numbers, medical records.

Personal information data elements - answer: Name, gender, age/date of birth, marital status, citizenship, nationality, languages spoken, veteran status, disabled status, addresses, phone numbers, email addresses, government-issued IDs, identity verification information, internal ID numbers.

Employee-related data elements - answer: Employment history, job-related history, employee relations, compensation, payroll, background checks, benefits, health, labor relations.

Customer-related data elements - answer: Account numbers, personal financial information, credit score, transactions, income, assets, credit information.

Ways of processing personal information - answer: Collection, recording, organization, storage, updating or modifying, retrieval, consultation, use, disclosure by transmission, linking, alignment or combination, blocking, erasure or destruction.

List of data protection authorities around the world - answer: Canadian federal and provincial privacy commissioners; the Hong Kong, Australian and New Zealand national privacy commissioners; the EU supervisory authorities; the UK Information Commissioner; German federal and state-level data protection commissioners. Under GDPR, EU nations have supervisory authorities that are obliged to work together. The US has no national data protection authority. Japan has a similar protection stance and multiple regulators.

Controller - answer: Determines the purposes and means of processing. Every instance of processing personal data has at least one controller. Two or more controllers may be jointly responsible, and there can also be two independent controllers who share a pool of personal information but each process it independently of the other. Responsibility for the data always sits with the controller.

Processor - answer: Processes personal data on behalf of the controller, e.g. a vendor such as a cloud provider that provides storage for the client. Processors act on the instructions of the controller.

Types of rights of the individual - answer: Notice; choice and consent; data subject access.

Information life cycle - answer: Collection; use and internal sharing; disclosure; retention and disposal.

Types of controls on the data - answer: Information security; data quality controls.

Management elements of data - answer: Management and administration; monitoring and enforcement; powers of the regulators; penalties and sanctions.

Notice - answer: The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

Examples of notice - answer: Website privacy statements, employee privacy notices, notice-and-choice statements in marketing emails, privacy statements provided by healthcare providers, employment contract terms.

Choice and consent - answer: The organization describes the choices available to the individual and obtains consent with respect to the collection, use, retention, and disclosure of personal information.

Examples of choice and consent - answer: Opt-in; opt-out; completing and signing an application form, which constitutes consent to the collection and the specified uses of the information provided; consent given orally over the phone.

Data subject access - answer: The organization provides individuals with access to their personal information for review and update.

Examples of data subject access - answer: Subject access request forms; requests for the reasoning behind automated decisions such as granting or denying credit based on computer calculations; requests to a credit reference agency for information about one's financial standing.

Information security - answer: The organization uses reasonable measures to protect personal information against unauthorized access, use, disclosure, modification and destruction.

Examples of information security - answer: Physical storage controls, access control, de-identification of data, electronic storage controls, employee training, paper shredders, disk-wipe utilities.

Data quality - answer: The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

Examples of data quality issues - answer: Incorrect personal information (e.g. name, SSN, DOB); inconsistent data across different IT environments.

US privacy frameworks - answer: US Department of Health, Education, and Welfare Fair Information Practices (FIPs) (1973); US Privacy Act (1974); US Privacy Protection Study Commission Fair Information Practices (1977).

OECD - answer: Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

Council of Europe - answer: Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981).
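De-identification appears in the cards above both as a category of non-personal information ("de-identified or anonymized information, statistical and aggregate information") and as an information security control. The following Python example is added here to show what that control looks like in practice; it is not part of the study set. It drops direct identifiers (name, SSN, email), replaces the stable identifier with a keyed HMAC pseudonym so records can still be linked by the key holder, generalizes quasi-identifiers (date of birth to a 10-year age band, ZIP code to its first three digits), and suppresses small cells when releasing aggregate counts. The records, the demo key and the fixed reference date are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records (hypothetical people, not data from the page).
RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com",
     "dob": "1984-03-02", "zip": "02139", "diagnosis": "asthma"},
    {"name": "Bob Example", "ssn": "987-65-4321", "email": "bob@example.com",
     "dob": "1979-11-20", "zip": "02139", "diagnosis": "asthma"},
    {"name": "Carol Example", "ssn": "555-12-3456", "email": "carol@example.com",
     "dob": "1991-07-15", "zip": "10001", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "ssn", "email")   # removed outright
REFERENCE_DATE = date(2024, 4, 13)              # fixed so ages are reproducible
DEMO_KEY = b"demo-only-key-load-from-a-kms-in-production"  # assumption for the example


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a stable identifier, truncated to 16 hex chars.

    Records of the same person get the same token, so they can still be linked,
    but without the key a third party can neither reverse nor recompute it
    (an unkeyed hash of an SSN would be trivially brute-forced).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, today: date = REFERENCE_DATE) -> str:
    """Generalize an ISO date of birth to a 10-year band such as '40-49'."""
    y, m, d = (int(x) for x in dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def deidentify(record: dict, key: bytes) -> dict:
    """Return a new record with direct identifiers removed and quasi-identifiers generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS and k not in ("dob", "zip")}
    out["subject_token"] = pseudonym(record["ssn"], key)
    out["age_band"] = age_band(record["dob"])
    out["zip3"] = record["zip"][:3]      # first three digits only
    return out


def aggregate(records: list, field: str, min_count: int = 2) -> dict:
    """Count values of `field`, suppressing cells smaller than min_count.

    Small cells (e.g. one person with a given diagnosis in a ZIP3) can single
    someone out even after de-identification, so they are not released.
    """
    counts = Counter(r[field] for r in records)
    return {value: n for value, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    deidentified = [deidentify(r, DEMO_KEY) for r in RECORDS]
    for row in deidentified:
        print(row)
    print("diagnosis counts:", aggregate(deidentified, "diagnosis"))
    print("age band counts:", aggregate(deidentified, "age_band"))
```

Two caveats a practitioner should keep in mind: pseudonymized output is still personal data for whoever holds the key, so the key belongs in a KMS with its own access control and not alongside the data; and generalization plus small-cell suppression reduces, but does not eliminate, re-identification risk, which should be assessed against the other data sets an adversary could join on.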
School, course and subject
- Institution: CIPT
- Degree: CIPT
Document information
- Uploaded on: 13 April 2024
- Number of pages: 35
- Written in: 2023/2024
- Type: Exam
- Contains: Questions and answers