CIPP Class Questions Flashcards Preview

Flashcards in CIPP Class Questions Deck (113)
1

True or false? The word privacy is not mentioned in the U.S. Constitution

True

2

Which of the following sources of law affect privacy for private-sector employees? Select all that apply.

A. Federal constitutional law
B. Contract law
C. Torts
D. Statutes

B. Contract law
C. Torts
D. Statutes

3

True or false?

Federal law mandates substance use testing for certain positions.

True

4

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:

2. School Instruction Improvement Company, Inc. accesses school records to verify the demographics of the student body.

Disclosure allowed: Disclosing information to organizations on the behalf of schools for test development, student aid programs or instruction improvement is acceptable.

5

What are the advantages and disadvantages of BYOD programs in the workplace?

Advantages:
• Same home/work technology
• More flexibility
• Efficiency and productivity
• Employer increased accessibility to employee

Disadvantages:
• Lack of employer control
• Exposure of organization to security vulnerabilities and threats

6

In addition to the Americans with Disabilities Act, which federal laws prohibit discrimination in the workplace?

• Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin
• The Equal Pay Act of 1963 bars wage disparity based on sex
• The Age Discrimination Act bars discrimination against individuals over 40
• The Discrimination Act bars discrimination due to pregnancy, childbirth and related medical conditions
• The Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities
• The Genetic Information Nondiscrimination Act of 2008 bars discrimination based on individuals’ genetic information
• The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have filed for bankruptcy; there is some ambiguity on whether the statute applies to discrimination prior to the extension of an offer of employment, and courts have read the statute both ways

7

True or false?

Health insurance providers may, under some circumstances, implement higher premiums based on genetic information.

False

8

What is COIT?

Consumerization of information technology (COIT): Use of personal computing devices in the workplace and online services (webmail, cloud storage, social media)

9

Which act was passed as part of the ECPA to address interception of electronic communications in facilities where electronic communication service is provided?

A. Privacy Protection Act (PPA)

B. Stored Communications Act (SCA)

C. Communications Assistance to Law Enforcement Act (CALEA)

D. Electronic Communications Privacy Act (ECPA)

B. Stored Communications Act (SCA)

10

Which act requires giving a privacy notice to subscribers at the time of the initial agreement (and annually thereafter) including the nature of personal information collected, how it is used, and retention period, as well as how to access and correct information?

A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
B. Telecommunications Act
C. Cable Communications Policy Act
D. Video Privacy Protection Act (VPPA)

C. Cable Communications Policy Act

11

Which of the following terms specifically means removing or blocking information from court documents?

A. Protective order
B. Protecting publicly available information (PPAI)
C. Electronic discovery
D. Redaction

D. Redaction

12

Which of the following are required for an entity to be considered a “business” under the California Consumer Privacy Act? Select all that apply.

A. An entity that makes $10 million in annual revenue

B. An entity that holds the personal information of 50,000 people, households or devices

C. An entity that makes at least half of its revenue from the sale of personal information

B. An entity that holds the personal information of 50,000 people, households or devices

C. An entity that makes at least half of its revenue from the sale of personal information

13

Which are exceptions to state breach notification laws? Select all that apply.

A. Entities subject to other, more stringent data breach notification laws

B. Entities that already follow breach notification procedures that are compatible with state law

C. Entities enrolled in self-certification programs that meet industry security standards

A. Entities subject to other, more stringent data breach notification laws

B. Entities that already follow breach notification procedures that are compatible with state law

14

True or false?

Technology companies that provide free teaching materials are subject to the laws and regulations of FERPA, PPRA and NCLBA.

True

15

Is there an overarching employment privacy law in the U.S.?

EXAMPLE ANSWER: There is no overarching law for employment privacy.

• Some constitutional, federal, state, tort and statutory laws impact privacy
• Contracts between employer and employee may impact privacy agreements
• There is considerable local variation and complexity on employment privacy issues
• Many U.S. labor laws mandate employee data collection and management practices, such as conducting background checks and ensuring and documenting a safe workplace environment
• Organizations also have incentives to gather information about employees and monitor the workplace to reduce the risk of being sued for negligent hiring or supervision

16

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:

5. Anystate University is putting together a financial aid proposal for a student who applied to the school and reviews their records to determine if the student is eligible for an academic scholarship.

ANSWER: Disclosure allowed, as it is in connection with financial aid for which the student has applied.

17

Which state data security law is generally considered the most prescriptive in the nation?

A. California AB 1950 (2004)
B. Massachusetts 201 CMR 17
C. Washington state security law, HB 1149

B. Massachusetts 201 CMR 17

18

Under the Fair Credit Reporting Act (FCRA), which are employer requirements for obtaining a consumer report on an applicant? Select all that apply.

A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
F. Provide notice to the credit reporting agency outlining the intended purpose of the report
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action

A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action

19

What are the four steps involved in the development of a privacy program?

A. Discover, build, communicate, evolve
B. Research, design, build, audit
C. Brainstorm, propose, implement, follow-through
D. Test, learn, revise, monitor

A. Discover, build, communicate, evolve

20

Which authorities oversee privacy-related issues in the U.S.? Select all that apply.

A. The Federal Trade Commission (FTC)
B. State attorneys general
C. The national data protection authority
D. Federal financial regulators

A. The Federal Trade Commission (FTC)
B. State attorneys general
D. Federal financial regulators

21

Under what circumstances do limitations and exceptions to the HIPAA Privacy Rule apply?

• De-identification: Information does not identify an individual via:
  1. Removing data elements listed in the rule (name, address)
  2. An expert certifying that the risk of re-identifying is small

• Research: Can occur with the consent of the individual or without consent if an authorized entity approves it

• Other: Public health activities, such as reporting abuse or neglect, judicial and administrative proceedings, specialized government functions

• Entity must release PHI to the individual to whom it pertains or their representative, and to the Secretary of HHS

22

Which is a provision of the Cybersecurity Information Sharing Act (CISA)? Select all that apply.

A. Companies must remove personal information before sharing

B. Companies are protected from liability for monitoring activities

C. Companies that process the personal information of 100,000 individuals or more are required to participate

D. Sharing information with the federal government does not waive privileges

E. Shared information is exempt from federal and state Freedom of Information laws

A. Companies must remove personal information before sharing

B. Companies are protected from liability for monitoring activities

D. Sharing information with the federal government does not waive privileges

E. Shared information is exempt from federal and state Freedom of Information laws

23

Rules that govern the collection and handling of personal information regarding internet activity can be categorized as what type of privacy?

Information privacy

24

True or false?

Most U.S. states have laws limiting the use of Social Security numbers.

True

25

True or false?

When federal laws do not provide a consumer protection that a state believes is necessary, the state may enact a law to provide the protection for its citizens.

True

26

Which of the following federal laws ensures that employee benefits programs are created fairly and administered properly?

A. The Health Insurance Portability and Accountability Act (HIPAA)

B. The Consolidated Omnibus Budget Reconciliation Act (COBRA)

C. The Employee Retirement Income Security Act (ERISA)

D. The Family and Medical Leave Act (FMLA)

C. The Employee Retirement Income Security Act (ERISA)

27

What are the DPO’s responsibilities?

• Monitor compliance with the GDPR
• Advise controller and processors
• Manage risk
• Cooperate with supervisory authorities
• Communicate with data subjects and supervisory authorities
• Exercise professional secrecy

28

What are examples of business activities that would cause a U.S. organization to fall under the scope of the GDPR?

• U.S. company offers a consumer cloud service in the EU

• U.S. company expresses its intention to deal with EU users (e.g., offering services via a European domain, local currency payment, shipment to the EU, local telephone hotline numbers)

• “U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1.”

• The processor is a sub-processor of a principal processor based in the EU

29

Which of the examples of personal information may qualify as sensitive personal information? Select all that apply.

A. Social Security number
B. Bank account number
C. Driver’s license number
D. Home phone number
E. Professional membership
F. Medical history
G. Business email address

A. Social Security number
B. Bank account number
C. Driver’s license number
F. Medical history

30

Which are provisions of the Fair Credit Reporting Act (FCRA)? Select all that apply.

A. Consumers have the ability to access and correct their information
B. Consumers may request annual updates and alerts
C. Use of consumer reports is limited to “permissible purposes”
D. Use of consumer reports is limited to three instances per six months

A. Consumers have the ability to access and correct their information
C. Use of consumer reports is limited to “permissible purposes”