CIPM Free Practice Test

In privacy protection, what is a "covered entity"?

1. A. Personal data collected by a privacy organization.
2. B. An organization subject to the privacy provisions of HIPAA.
3. C. A privacy office or team fully responsible for protecting personal information.
4. D. Hidden gaps in privacy protection that may go unnoticed without expert analysis.

Correct Answer: B

SCENARIO
Please use the following to answer the next QUESTION:
For 15 years, Albert has worked at Treasure Box – a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the 48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.
He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company’s privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company’s outdated policies and procedures.
For example, Albert has learned about the AICPA (American Institute of Certified Public Accountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box’s ability to protect personal data. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.
Albert does want to show a positive outlook during his interview. He intends to praise the company’s commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.
In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover. He knows there is at least one incident the public in unaware of, although Albert does not know the details. He believes the company’s insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.
In addition to his suggestions for improvement, Albert believes that his knowledge of the company’s recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company’s intention to acquire a medical supply company in the coming weeks.
With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.
In consideration of the company’s new initiatives, which of the following laws and regulations would be most appropriate for Albert to mention at the interview as a priority concern for the privacy team?

1. A. Gramm-Leach-Bliley Act (GLBA)
2. B. The General Data Protection Regulation (GDPR)
3. C. The Telephone Consumer Protection Act (TCPA)
4. D. Health Insurance Portability and Accountability Act (HIPAA)

Correct Answer: B

Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC), established?

1. A. To promote consumer confidence in the Internet industry.
2. B. To improve the user experience during online shopping.
3. C. To protect civil liberties and raise consumer awareness.
4. D. To promote security on the Internet through strong encryption.

Correct Answer: C

SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What element of the Privacy by Design (PbD) framework might the Handy Helper violate?

1. A. Failure to obtain opt-in consent to marketing.
2. B. Failure to observe data localization requirements.
3. C. Failure to implement the least privilege access standard.
4. D. Failure to integrate privacy throughout the system development life cycle.

Correct Answer: B

Under the General Data Protection Regulation (GDPR), when would a data subject have the right to require the erasure of his or her data without undue delay?

1. A. When the data subject is a public authority.
2. B. When the erasure is in the public interest.
3. C. When the processing is carried out by automated means.
4. D. When the data is no longer necessary for its original purpose.

Correct Answer: A