
(2022) CIPP-C Exam Dumps, Practice Test Questions BUNDLE PACK
Certified Information Privacy Professional Certification CIPP-C Sample Questions Reliable
NEW QUESTION 55
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/C) all had in common but largely failed to achieve in Canada?
- A. The creation of legally binding data protection principles
- B. The restriction of cross-border data flow
- C. The synchronization of approaches to data protection
- D. The establishment of a list of legitimate data processing criteria
Answer: B
NEW QUESTION 56
Which entities must comply with the Telemarketing Sales Rule?
- A. For-profit organizations calling businesses when a binding contract exists between them
- B. For-profit and not-for-profit organizations when selling additional services to established customers
- C. Nonprofit organizations calling on their own behalf
- D. For-profit organizations and for-profit telefunders regarding charitable solicitations
Answer: B
NEW QUESTION 57
SCENARIO
Please use the following to answer the next question:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many questions, he was pleased about his new position.
Based on the scenario, what is the most likely way Declan's supervisor would answer his question about the hospital's use of a billing company?
- A. By describing how the billing system is integrated into the hospital's electronic health records (EHR) system
- B. By pointing out that contracts are in place to help ensure the observance of minimum security standards
- C. By suggesting that Declan look at the hospital's publicly posted privacy policy
- D. By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)
Answer: B
NEW QUESTION 58
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"
Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?
- A. Develop security protocols for the vendor and mandate that they be deployed
- B. Implement a more comprehensive suite of information security controls than the one used by the vendor
- C. Insist on an audit of the vendor's privacy procedures and safeguards
- D. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
Answer: D
NEW QUESTION 59
Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?
- A. Questions about a national origin
- B. Questions about intended pregnancy
- C. Questions about a disability
- D. Questions about age
Answer: A
NEW QUESTION 60
What was the original purpose of the Federal Trade Commission Act?
- A. To protect consumers
- B. To negotiate consent decrees with companies violating personal privacy
- C. To enforce antitrust laws
- D. To ensure privacy rights of U.S. citizens
Answer: A
NEW QUESTION 61
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPAA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?
- A. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
- B. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
- C. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.
- D. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
Answer: B
NEW QUESTION 62
What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?
- A. Describing the policy changes on its website.
- B. Publicizing the policy changes through social media.
- C. Reassuring customers of the security of their information.
- D. Obtaining affirmative consent from its customers.
Answer: D
NEW QUESTION 63
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"
What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?
- A. Include appropriate language about privacy protection in vendor contracts
- B. Perform a privacy audit on any vendor under consideration
- C. Require that a person trained in privacy protection be part of all vendor selection teams
- D. Do business only with vendors who are members of privacy trade associations
Answer: C
NEW QUESTION 64
What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?
- A. The ability to correct inaccurate credit information.
- B. The ability to receive reports from multiple credit reporting agencies.
- C. The ability to appeal negative credit-based decisions.
- D. The ability to investigate incidents of identity theft.
Answer: D
NEW QUESTION 65
Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?
- A. The U.S. social security number of an American citizen living in France
- B. The payment card number of a Dutch citizen
- C. The unlinked aggregated data used for statistical purposes by an Italian company
- D. The identification number of a German candidate for a professional examination in Germany
Answer: D
NEW QUESTION 66
SCENARIO
Please use the following to answer the next question:
Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B.
Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:
* Name
* Address
* Date of Birth
* Payroll number
* National Insurance number
* Sick pay entitlement
* Maternity/paternity pay entitlement
* Holiday entitlement
* Pension and benefits contributions
* Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
- A. Requesting advice and technical support from Company A's IT team.
- B. Hiring companies whose measures are consistent with recommendations of accrediting bodies.
- C. Vetting companies' measures with the appropriate supervisory authority.
- D. Avoiding the use of another company's data to improve their own services.
Answer: B
NEW QUESTION 67
Which of the following is most likely to provide privacy protection to private-sector employees in the United States?
- A. Amendments one, four, and five of the U.S. Constitution
- B. State law, contract law, and tort law
- C. The Federal Trade Commission Act (FTC Act)
- D. The U.S. Department of Health and Human Services (HHS)
Answer: B
NEW QUESTION 68
Under the Fair and Accurate Credit Transactions Act (FACTA), what is the most appropriate action for a car dealer holding a paper folder of customer credit reports?
- A. To follow the Safeguards Rule by transferring the reports to a secure electronic file
- B. To follow the Disposal Rule by having the reports shredded
- C. To follow the Red Flags Rule by mailing the reports to customers
- D. To follow the Privacy Rule by notifying customers that the reports are being stored
Answer: D
NEW QUESTION 69
Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
- A. Data subject rights
- B. Special categories of data
- C. Cross-border processing
- D. Data access disputes
Answer: C
NEW QUESTION 70
An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
- A. Identify uses of data in a privacy notice mailed to the data subject.
- B. Use a layered privacy notice on its website and in its email communications.
- C. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.
- D. Provide only general information about its processing activities and offer a toll-free number for more information.
Answer: A
