CIPT Exam 2025 Questions and Answers
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally
identifiable information from a student's educational record requires written permission
from the parent or eligible student in order for information to be?
A. Released to a prospective employer.
B. Released to schools to which a student is transferring.
C. Released to specific individuals for audit or evaluation purposes.
D. Released in response to a judicial order or lawfully ordered subpoena.
ANSWER: A. Released to a prospective employer.
https://www.cdc.gov/phlp/php/resources/family-educational-rights-and-privacy-act-ferpa.html#:~:text=Schools%20need%20written%20permission%20from%20the%20parent%20or,not%20comply%20with%20FERPA%20risk%20losing%20federal%20funding.
Revocation and reissuing of compromised credentials is impossible for which of the
following authentication techniques?
a) Personal identification number.
b) Picture passwords.
c) Biometric data.
…FOR STUDENTS ONLY…©️2025 ALL RIGHTS RESERVED… 1
d) Radio frequency identification.
ANSWER: c) Biometric data. Biometric
recognition systems are generally user-friendly and designed for ease of use, as they rely
on inherent physical or behavioral traits like fingerprints or facial features. The other
options, such as requiring more maintenance and support (A), being expensive (B), and
having limited compatibility across systems (C), are well-documented drawbacks of
biometric systems.
What is a main benefit of data aggregation?
A. It is a good way to perform analysis without needing a statistician.
B. It applies two or more layers of protection to a single data record.
C. It allows one to draw valid conclusions from small data samples.
D. It is a good way to achieve de-identification and unlinkability.
ANSWER: D. It is a good way to achieve de-identification and unlinkability. Data aggregation
involves collecting and summarizing data from multiple sources, which can help protect
individual privacy by presenting information in a consolidated form. This process can
effectively de-identify data by removing or obscuring individual-level details, making it
more difficult to link specific information back to particular individuals. By
aggregating data, organizations can preserve privacy and security while still gaining
valuable insights from the summarized information.
After committing to a Privacy by Design program, which activity should take place first?
A. Create a privacy standard that applies to all projects and services.
B. Establish a retention policy for all data being collected.
C. Implement easy to use privacy settings for users.
D. Perform privacy reviews on new projects.
ANSWER: A. Create a privacy
standard that applies to all projects and services. The first activity in a Privacy by Design
program should involve conducting a Privacy Impact Assessment (PIA) to identify
existing privacy practices, risks, and compliance gaps. This foundational step allows
the organization to understand how personal data is handled and ensures privacy
considerations are integrated into the design of systems and processes from the outset.
Creating a privacy standard (A) is important but typically comes after assessing current
practices and risks.
When releasing aggregates, what must be performed to magnitude data to ensure
privacy?
A. Value swapping.
B. Noise addition.
C. Basic rounding.
D. Top coding.
ANSWER: B. Noise addition
What term describes two re-identifiable data sets that both come from the same
unidentified individual?
A. Pseudonymous data.
B. Anonymous data.
C. Aggregated data.
D. Imprecise data.
ANSWER: A. Pseudonymous data. Pseudonymous data
refers to information that does not directly identify an individual but can be linked back
to them through additional information or by combining multiple data sets. This type
of data retains a unique identifier that allows for re-identification when combined with
other information, which aligns with the scenario described in the question.
Which of the following most embodies the principle of Data Protection by Default?
A. A messaging app for high school students that uses HTTPS to communicate with the
server.
B. An electronic teddy bear with built-in voice recognition that only responds to its
owner's voice.
C. An internet forum for victims of domestic violence that allows anonymous posts
without registration.
D. A website that has an opt-in form for marketing emails when registering to download
a whitepaper.
ANSWER: C. An internet forum for victims of domestic
violence that allows anonymous posts without registration. This best embodies the
principle of Data Protection by Default because it prioritizes user privacy by minimizing
data collection and ensuring anonymity by default. Under this principle, only the
necessary data for the intended purpose should be processed, and privacy-friendly
settings should be enabled automatically, as seen in this example where no registration
or personal data is required to participate.
Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on
their biometric and demographic data. The data is collected by the Unique Identification
Authority of India. The Aadhaar database contains the Aadhaar number, name, date of
birth, gender and address of over 1 billion individuals. Which of the following datasets
derived from that data would be considered the most de-identified?
A. A count of the years of birth and hash of the person's gender.
B. A count of the month of birth and hash of the person's first name.
C. A count of the day of birth and hash of the