CIPT EXAM QUESTIONS WITH 100%
CORRECT ANSWERS LATEST VERSION
2025/2026.
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally identifiable
information from a student's educational record requires written permission from the parent or
eligible student in order for information to be?
A. Released to a prospective employer.
B. Released to schools to which a student is transferring.
C. Released to specific individuals for audit or evaluation purposes.
D. Released in response to a judicial order or lawfully ordered subpoena. - ANS A. Released to
a prospective employer.
https://www.cdc.gov/phlp/php/resources/family-educational-rights-and-privacy-act-ferpa.html#:~:text=Schools%20need%20written%20permission%20from%20the%20parent%20or,not%20comply%20with%20FERPA%20risk%20losing%20federal%20funding.
Revocation and reissuing of compromised credentials is impossible for which of the following
authentication techniques?
a) Personal identification number.
b) Picture passwords.
c) Biometric data.
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
d) Radio frequency identification. - ANS c) Biometric data. Biometric recognition systems are
generally user-friendly and designed for ease of use, as they rely on inherent physical or
behavioral traits like fingerprints or facial features. The other options, such as requiring more
maintenance and support (A), being expensive (B), and having limited compatibility across
systems (C), are well-documented drawbacks of biometric systems.
What is a main benefit of data aggregation?
A. It is a good way to perform analysis without needing a statistician.
B. It applies two or more layers of protection to a single data record.
C. It allows one to draw valid conclusions from small data samples.
D. It is a good way to achieve de-identification and unlinkability. - ANS D. It is a good way to
achieve de-identification and unlinkability. Data aggregation involves collecting and summarizing
data from multiple sources, which can help protect individual privacy by presenting information
in a consolidated form. This process can effectively de-identify data by removing or obscuring
individual-level details, making it more difficult to link specific information back to particular
individuals. By aggregating data, organizations can preserve privacy and security while still
gaining valuable insights from the summarized information.
After committing to a Privacy by Design program, which activity should take place first?
A. Create a privacy standard that applies to all projects and services.
B. Establish a retention policy for all data being collected.
C. Implement easy to use privacy settings for users.
D. Perform privacy reviews on new projects. - ANS A. Create a privacy standard that applies
to all projects and services. The first activity in a Privacy by Design program should involve
conducting a Privacy Impact Assessment (PIA) to identify existing privacy practices, risks, and
compliance gaps. This foundational step allows the organization to understand how personal
data is handled and ensures privacy considerations are integrated into the design of systems
and processes from the outset. Creating a privacy standard (A) is important but typically comes
after assessing current practices and risks.
When releasing aggregates, what must be performed to magnitude data to ensure privacy?
A. Value swapping.
B. Noise addition.
C. Basic rounding.
D. Top coding. - ANS B. Noise addition
What term describes two re-identifiable data sets that both come from the same unidentified
individual?
A. Pseudonymous data.
B. Anonymous data.
C. Aggregated data.
D. Imprecise data. - ANS A. Pseudonymous data. Pseudonymous data refers to information
that does not directly identify an individual but can be linked back to them through additional
information or by combining multiple data sets. This type of data retains a unique identifier
that allows for re-identification when combined with other information, which aligns with the
scenario described in the question.
Which of the following most embodies the principle of Data Protection by Default?
A. A messaging app for high school students that uses HTTPS to communicate with the server.
B. An electronic teddy bear with built-in voice recognition that only responds to its owner's
voice.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.
D. A website that has an opt-in form for marketing emails when registering to download a
whitepaper. - ANS C. An internet forum for victims of domestic violence that allows
anonymous posts without registration. This best embodies the principle of Data Protection by
Default because it prioritizes user privacy by minimizing data collection and ensuring anonymity
by default. Under this principle, only the necessary data for the intended purpose should be
processed, and privacy-friendly settings should be enabled automatically, as seen in this
example where no registration or personal data is required to participate.
Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their
biometric and demographic data. The data is collected by the Unique Identification Authority of
India. The Aadhaar database contains the Aadhaar number, name, date of birth, gender and
address of over 1 billion individuals. Which of the following datasets derived from that data
would be considered the most de-identified?
A. A count of the years of birth and hash of the person's gender.
B. A count of the month of birth and hash of the person's first name.
C. A count of the day of birth and hash of the person's first initial of their first name.
D. A count of the century of birth and hash of the last 3 digits of the person's Aadhaar number. - ANS A.
A count of the years of birth and hash of the person's gender. This option provides the highest
level of de-identification among the given choices because:
It uses only aggregated data (count of years of birth) rather than individual birth dates, which
reduces the risk of identifying specific individuals.
The gender information is hashed, which further obscures the original data while still allowing
for some analysis.
It retains the least amount of potentially identifying information compared to the other options,
making it more difficult to link back to individuals in the original Aadhaar database.
Options B, C, and D all contain more granular or specific information (like month of birth, day of
birth, or parts of the Aadhaar number) that could potentially be used in combination with other
data to re-identify individuals, especially given the large scale of the Aadhaar database.
What has been identified as a significant privacy concern with chatbots?
A. Most chatbot providers do not agree to code audits.
B. Chatbots can easily verify the identity of the contact.
C. Users' conversations with chatbots are not encrypted in transit.
D. Chatbot technology providers may be able to read chatbot conversations with users. -
ANS D. Chatbot technology providers may be able to read chatbot conversations with users.
What is the term for information provided to a social network by a member?
A. Profile data.
B. Declared data.
C. Personal choice data.